Strategic governance of risk: Lessons learnt from public sector audit
Grant Hehir, Auditor-General for Australia, attended the Institute of Internal Auditors-Australia ‘Public Sector Internal Audit Conference’ on 31 July 2018, and presented an opening keynote session titled Strategic governance of risk: Lessons learnt from public sector audit. The accompanying paper to the speech, which was delivered against a conference theme of ‘internal auditor as a trusted advisor’, is available here.
The importance of effective risk management has been highlighted in many reviews of organisational failure. Most recently, in the private sector by the April 2018 Australian Prudential Regulation Authority (APRA) Prudential Inquiry into the Commonwealth Bank of Australia and prior to that, in the public sector in Professor Peter Shergold’s August 2015 report, Learning from Failure: why large government policy initiatives have gone so badly wrong in the past and how the chances of success in the future can be improved. These reviews have focussed on the importance of not just having good risk processes, but also strong governance and clear accountability to establish effective risk culture. Not surprisingly, some Auditor-General reports have similar findings. This work suggests some key indicators of an effective risk culture, including:
- the board and its sub-committees engaging with risk through establishing risk appetite and tolerance, along with active oversight and challenge of management responses to emerging risks;
- clear responsibilities and accountabilities for risk and an effective performance framework linked to risk outcomes;
- monitoring implementation of risk treatments, changes in risk ratings, and emerging risks;
- proactive, not just reactive, approaches to risk;
- learning from your own and others’ mistakes;
- fit-for-purpose management arrangements, which are consistently communicated; and
- adequate resourcing with a focus on building staff capability.
This paper will consider the lessons underlying these indicators through an analysis of the APRA inquiry, Dr Peter Shergold’s Learning from Failure and a number of Auditor-General reports.
Why an effective risk culture is important
Positive risk culture means improved accountability, governance, performance, resilience and financial management. Effective risk management is core because of how it drives strategic and operational planning.
Good risk managers, supported by organisations with positive risk culture, prevent or reduce failure, resulting in improved outcomes. Positive risk culture is also an enabler of innovation. If staff are afraid to fail, they are unlikely to take calculated risks and be innovative. If an organisation is unclear about its risk tolerance, it cannot expect innovation. Good risk managers produce innovative outcomes, because their entity’s risk tolerance allows for failure, remediation and learning where the decision making in the risk management process was sound.
Identify and manage threats, and capitalise on opportunity
Organisations with positive risk culture can more easily and more quickly identify, evaluate and manage threats and opportunities. A positive risk culture will result in staff who are vigilant, regularly monitoring and documenting the implementation of risk treatments, changes in risk ratings and emerging risks. Entities with positive risk culture foster confident staff who raise suggestions relating to new or identified risks. The APRA prudential inquiry noted that one indicator of sound risk culture is when information on risk flows freely without fear of blame. Positive risk culture means decreased potential for unacceptable or undesirable behaviours such as fraud and harassment.
Productivity and efficiency
An organisation with positive risk culture identifies risks more quickly, resulting in more agile management. Decision making is better informed, and staff feel empowered to make difficult decisions, reducing time lost to indecision. These factors will generate productivity and efficiency.
Consequences of ineffective risk culture
The consequences of poor risk culture are damaging. Something observed in the Commonwealth Bank by APRA was widespread complacency, which APRA suggests bred over-confidence and a lack of appreciation for non-financial risks. The Home Insulation Program is an example of a particularly poor outcome. Auditor-General’s Report No. 12 of 2010–11 Home Insulation Program assessed key aspects of the establishment and administration of the Home Insulation Program by the Department of the Environment, Water, Heritage and the Arts, as well as the transition of the program to the Department of Climate Change and Energy Efficiency. This audit report found that there were a number of contributing factors that impacted on the success of the program, one of which was underestimation of key program risks. As a key learning, that audit noted that a clear understanding and acceptance of the level of inherent risk and potential consequences of realised risks in the program by all key stakeholders, including government, can avoid reactive program changes following implementation. This approach requires realistic and accurate reporting of circumstances by departments and agencies to key stakeholders.
What positive risk culture looks like
Positive risk culture is where risk appetites and tolerances are clearly defined and communicated, in an environment where staff have the capabilities to deliver risk management that is consistent with those appetites and tolerances. Entities with positive risk culture effectively identify, assess, monitor and manage risk across all levels, identify risks before they are realised, and focus on the lessons to be learnt when risk management doesn’t achieve the desired results.
In the Department of Finance’s Benchmarking Survey 2017 — Risk Management Capability Maturity Levels, ‘optimal’ risk culture is where ‘the culture of the entity is one that demonstrates and promotes an open and proactive approach to managing risk that considers both threat and opportunity’, where ‘examples of good risk management practice are communicated by senior executives’ and where ‘individuals that excel in demonstrating good risk management practice in their day-to-day responsibilities are rewarded.’ Different organisations have different risk appetites and strategies. Positive risk culture will not look the same in every entity, and will involve different things at each level of an entity. In particular, the management and governance arms of an organisation each have distinct and vital roles to foster effective risk culture.
The board and its sub-committees engage with risk through establishing risk appetite and tolerance and active oversight and challenge of management responses to emerging risks
The board should have systems in place which provide assurance that risks are being actively managed in a way that is consistent with its desired tone on risk and its strategic plans for risk appetite and tolerance. According to Comcover, the Australian Government’s general insurance fund, the development of a risk appetite statement that incorporates risk tolerances that are tailored to an entity’s particular circumstances is an important milestone towards an effective risk framework that assists decision making.
In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities, the ANAO found that the development of the Department of Health’s 2015 risk appetite statement involved extensive internal consultation. The audit report noted that the statement included information on the enterprise risk appetite, risk themes and scaling, and supporting a risk-aware culture. The ANAO found this was effective in communicating expectations to departmental staff.
Once the board has established tone, appetite and tolerance on risk, it should ensure that business is conducted in a way that is consistent with that framework.
There must be a clear tone on risk communicated and a culture of leading by example that resonates throughout the organisation. In its prudential inquiry, APRA commented that the board must be able to effectively challenge senior management, which can happen only if the board is well informed. APRA observed that the Commonwealth Bank board did not receive alerts on incidents or themes that might indicate underlying or emerging risks. APRA recommended that the board ensure it receives adequate non-financial risk information, including early indicators of emerging risks, to support constructive debate and challenge.
In Auditor-General Report No. 25 of 2017–18 Australian Electoral Commission’s Procurement of Services to Conduct the 2016 Federal Election, the ANAO found that the Australian Electoral Commission accepted IT security risk above its usual tolerance of ‘medium’. The level of IT security risk accepted by the Australian Electoral Commission on behalf of the Australian Government, and the extent of the non-compliance with the Australian Government IT security frameworks, was not transparent. The wording used in some of the internal records and published materials generated confidence in the security of the system whereas the underlying assessments indicated significant risk.
Auditor-General Report No. 31 of 2017–18 Managing Mental Health in the Australian Federal Police illustrates the importance of ensuring that business is conducted consistently with the risk framework at every level of the entity. Risks to employee mental health were formally identified in October 2016 following the increasing number and cost of accepted Comcare psychological injury claims and a growing Comcare premium. As at August 2017, the Australian Federal Police’s Enterprise Risk Profile identified mental health injury as one of 22 entity level risks. The audit report found that risk controls had been documented, and further treatments were proposed. However, entity level recognition of mental health was not consistently reflected in functional risk assessment and treatment plans. Four functional areas, which were among those with the highest number and cost of compensation claims for mental health injuries, did not specifically identify mental health as an area of risk in their risk assessment and treatment plans.
In order for the board to effectively engage with risk, it must establish risk appetite and tolerance that are tailored to the entity’s particular circumstances, and these appetites and tolerances must be effectively communicated through every level of the organisation. This communication has to flow both up to and down from the board — the board must have assurance that risk is being managed in accordance with its risk framework. In order to provide oversight and challenge management’s implementation of risk frameworks, the board must be well informed about how risk is being managed in the organisation.
Audit and risk committees
Positive risk culture requires governance committees that support that risk culture. This includes effective coordination and communication among committees, as well as clarity surrounding, and definition between, the roles and responsibilities of committees. Audit committees in particular should hold management to account in addressing and closing out audit issues. The APRA prudential inquiry highlighted that it is important for committees to engage in constructive and challenging debate.
APRA found deficiencies in these areas within the Commonwealth Bank that resulted in part from relying on the expertise of individual committee members and gaps in the flow of information. The ANAO has also identified inconsistent practice in the role that public sector audit committees play in assuring good risk practices. Audit committees in non-board governed public sector entities often include members of management as committee members. These members of management can have direct control over the parts of the business that they oversee as audit committee members.
Until recently, it was not uncommon for such individuals to even chair the committee. To have effective governance, these individuals have to be able to separate their management and governance committee roles. This is particularly difficult where one line manager has to challenge another over their respective areas of responsibility.
APRA noted that within the Commonwealth Bank the former CEO placed high priority on vertical empowerment of executive committee members to run their own businesses, which when combined with an atmosphere of collegiality and high levels of trust in peers, resulted in a lack of healthy constructive challenge within the executive committee and an inclination for group executives to not raise concerns outside their own area, at least until these concerns had reached a crisis point.
The participation of management as members of audit committees raises the risk of similar behaviours in the public sector which, if not explicitly addressed, could undermine the effectiveness of audit committees. It also raises the risk that non-executive committee members will defer to the expertise and knowledge of executive members.
To support the board to oversee effective risk culture, committees need to be clearly defined. Audit committees need to hold management to account, ensure that individual committee members play their role, irrespective of their executive responsibilities, and ensure that executive responsibilities do not prevent members from engaging in constructive debate.
Define clear responsibilities and accountabilities for risk and an effective performance framework linked to risk outcomes
In an organisation with effective risk culture, everyone clearly understands who holds relevant responsibilities and accountabilities for risk. As noted above, there are important differences between private sector companies and many public sector entities in regards to governance. While private sector companies have a governing board separate from management, many public sector entities have an accountable authority which carries out many of the functions of both the board chair and the CEO. This presents a unique challenge for public sector officials to balance their board and management roles.
APRA’s review highlights the importance of these different roles in risk management. The board role is about strategic governance, setting the risk appetite and tolerance along with holding management to account. The CEO’s role is to provide leadership and direction to employees and to control the institution’s overall risk-taking activities in line with the board’s agreed appetite and tolerance. The ANAO’s observation is that when there is tension between these roles in public entities, the CEO/management role tends to dominate with a consequent reduction in effective governance.
While public sector entities do have ministers who will play the strategic role of a private sector board, ministers rarely involve themselves with the vital risk roles of communication, conformance and compliance in which boards must engage. One of Peter Shergold’s conclusions in Learning from Failure was that entities should gauge their ministers’ appetites for risk on individual programs and across their portfolio. Such an approach would fill part of the gap from not having a board.
Many non-board governed public entities have executive committees which include ‘board’ in their title and attempt to have the executive committee play both executive and governance roles. However, as discussed above, the issues APRA identified with the Commonwealth Bank’s executive committee in its dealing with whole-of-group management issues suggest it may be difficult to imagine that public sector executive committees could consistently play the role for boards envisaged in the APRA report as well as that of a management committee.
In the ANAO’s experience it can take some time to develop an executive team that has the trust and cohesion required to be an effective executive committee. This is made more difficult where there is a lack of continuity in teams. The challenge is even greater where the executive team also plays the board role, given the governance role of boards requires even more robust engagement on performance and conformance.
In addition to these key structural challenges, at the management level the ANAO has identified many occasions where there has been a lack of clear definition of accountabilities and responsibilities for risk. In Auditor-General Report No. 31 of 2017–18 Managing Mental Health in the Australian Federal Police, the ANAO noted that there was a lack of clarity as to which aspects of risk treatments the functional areas were responsible for. For example, Australian Capital Territory Policing’s (ACTP) risk treatment plan for risks to employee physical and mental health stated that ‘Risk Treatment initiatives being undertaken through enterprise wide Organisational Health projects […] will contribute to covering this risk for ACTP’, but did not specify how the initiatives would specifically reduce ACTP’s risks.
There are also many areas of good practice. In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities, the ANAO noted that the Department of Employment, the Department of Health, and the Australian Fisheries Management Authority clearly outlined responsibilities for managing and reporting on risk as part of their respective risk management frameworks. Their risk frameworks addressed key responsibilities relating to:
- the review and update of risk management policies and frameworks, and individual risk plans and risk treatments; and
- descriptions of key positions, including senior executives, program/policy/project managers and risk owners, department committees (such as the executive committees and audit committees), and business areas.
That said, the ANAO also found that in practice there was variability in the application of this approach and responsibilities were often assigned to work areas. The ANAO noted that entities should consistently assign responsibility to individuals or positions, in line with the requirement of their frameworks.
Perhaps in response to the challenge of ensuring appropriate accountability and responsibility for risk, chief risk officers have emerged as part of some organisations’ risk management frameworks. However, it is difficult to imagine how a single individual in a large and diverse government department can assume the accountability for delivering on the active management of risk treatments across the whole organisation. Organisations should take care that individuals accountable for management of risk do not face a diffusion of accountability through roles such as the chief risk officer.
The APRA inquiry discusses the importance of accountability for risk outcomes and driving risk culture. In particular, it recommends stronger accountabilities for risk management with clearer links to remuneration outcomes. While this approach to remuneration may be effective in private sector corporations, in most of the public sector the lack of performance-related remuneration makes this approach to accountability difficult. When failures occur in the public sector there can be a lack of transparency around the implications for those responsible. The ANAO regularly observes at parliamentary inquiries into Auditor-General reports that no one appearing before the relevant committee from the entity was ‘there at the time’, and that the focus of responses to questions tends to be on explaining what happened and not on the consequences, particularly not the accountability consequences.
Accountability is vital to risk outcomes and risk culture. Responsibilities and accountabilities for risk must be clearly defined for an organisation to have effective risk culture. In the public sector, where the lines between board and management are not as clear-cut as the private sector, officials need to be vigilant that strategic, communication and compliance risk roles are each given adequate attention. Entities should also be cautious to ensure that team structures or catch-all positions such as Central Risk Officers do not diffuse accountability for risk.
Monitor implementation of risk treatments, changes in risk ratings, and emerging risks
Effective risk culture requires that entities regularly monitor and document the implementation of risk treatments, changes in risk ratings and emerging risks. Good risk management frameworks have built-in periodic review and a structured approach to testing, monitoring, and reporting on risks.
In Auditor-General Report No. 30 of 2017–18 Design and Governance of the National Water Infrastructure Development Fund, the ANAO found that the Department of Agriculture and Water Resources had undertaken risk management planning for the National Water Infrastructure Development Fund in a manner that made it difficult for the department to monitor the implementation of risk treatments. Evidence had not been retained demonstrating that risks identified in risk management plans had been formally monitored at the program level since the fund began in 2015. Additional risks arising from incorporating 2016 election commitments had not been assessed in risk registers. As a key learning for all entities, that audit report noted that entities should regularly monitor and document the implementation of risk treatments, changes in risk ratings and emerging risks.
The importance of monitoring implementation is also illustrated by Auditor-General Report No. 23 of 2017–18 Delivery of the Moorebank Intermodal Terminal and Auditor-General Report No. 45 of 2016–17 Replacement Antarctic Vessel. In both cases, the risks of removing competition from the procurement process and mitigations for these risks were identified, but those risk mitigation strategies were not effectively implemented. This resulted in the inability in both cases to demonstrate value for money in the respective procurements.
To realise effective risk culture, entities must regularly monitor implementation of risk treatments, including that risk mitigations are appropriately actioned. Entities must regularly monitor changes in risk ratings, and emerging risks, especially when there are significant changes to environmental factors. Entities should ensure that provisions are also made to monitor the effectiveness of risk activities when planning risk management for a particular project or activity.
Be pre-emptive, rather than just reactive
To effectively manage risk, an entity must be constantly scanning its environment to identify new risks, and regularly re-assess existing risks. Reactive approaches to risk are little more than damage control, or issues management. Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities provides an example of better practice: the Department of Employment’s use of risk ‘premortems.’ A ‘premortem’ begins with the assumption that a project has been implemented and failed. The work group then identifies the reasons for the failure. In this way the group is able to constructively focus on the key risks involved in meeting the objectives of a program or activity — openly discussing causes of failure, without ascribing blame.
In Learning from Failure, Peter Shergold notes: ‘Moving from a culture of issues management to one of risk management is difficult: it involves thinking systematically rather than reactively and identifying opportunities and not just threats.’ This was something identified in APRA’s prudential inquiry, which noted that the Commonwealth Bank’s approach to operational and compliance risk was focused on reacting to losses and incidents, rather than proactively identifying, measuring and managing risks. The Commonwealth Bank acknowledged to the inquiry a focus on process rather than on mitigating risk, and interviewees noted that the risk function ‘couldn’t see the forest from the trees’ and was ‘consumed by process’.
One way that a pre-emptive approach is implemented is through the idea of ‘failing fast’ and/or ‘pivoting’. Ideally, risk management would identify and mitigate possible causes for the downfall of a project before it begins, but sometimes this will not be possible. In these instances, decision makers need a strong, positive risk culture, where issues are flagged and taken seriously as early as possible so that the project can be changed in some fundamental way to avert failure, or simply so that the project can be cancelled before any more time, effort, or funding is allocated.
To establish effective risk culture, entities should avoid reactive risk management, and take a pre-emptive approach by routinely assessing new risks, and re-assessing identified risk. This should allow entities to recognise potential failure early and minimise the fall-out, or prevent it entirely.
Learn from mistakes
To foster an effective risk culture, entities must seek to learn from their own mistakes and successes, and the mistakes and successes of others. In Auditor-General Report No. 30 of 2017–18 Design and Governance of the National Water Infrastructure Development Fund, the ANAO noted that the Department of Agriculture and Water Resources (Agriculture), and the Department of the Prime Minister and Cabinet took adequate steps to identify lessons learned from previous programs and reviews that informed the design of the National Water Infrastructure Development Fund. As part of the research undertaken during the development of the Agricultural Competitiveness and Developing Northern Australia White Papers, the respective taskforces identified recent and current inquiries and reviews of potential relevance. For example, the ANAO found that Agriculture’s research highlighted the importance of completing a cost-benefit analysis before making Commonwealth capital investments in water infrastructure, which was identified through the ANAO’s audit report of the Adelaide Desalination Plant.
Recording and analysing risk incidents, near misses and lessons learned can provide valuable insights to management, governance committees, and the board on risk management performance and the effectiveness of the risk management framework. Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities noted that the selected entities did not systematically record and analyse risk incidents, issues or events to inform periodic evaluation of their respective risk management frameworks. For example, employees of the Australian Fisheries Management Authority interviewed by the ANAO indicated that reporting on risks occurred on a case-by-case basis. When interviewed, employees of the Department of Employment indicated that senior management adopted a supportive and constructive approach when risk events and incidents were reported, but from the ANAO’s review of a selection of risk events it was not evident that risk events routinely triggered a review of the risk plan. As a key learning for all entities, this audit report concluded that recording and analysing risk incidents and lessons learned can provide valuable insights to management and the audit committee on risk management performance and the effectiveness of the risk management framework.
Auditor-General Report No. 11 of 2016–17 Tiger — Army’s Armed Reconnaissance Helicopter commented on sharing lessons learned. Government approval for the acquisition of the Armed Reconnaissance Helicopter was on the basis that it was a low-risk, off-the-shelf platform. The ANAO conducted a performance audit report of the Tiger acquisition in 2005–06, and concluded that Tiger was more developmental than off-the-shelf and this heightened exposure to schedule, cost and capability risks, both for the acquisition of the aircraft and its sustainment.
The Department of Defence (Defence) developed a Lessons Learned Report on the Tiger acquisition in April 2015. This internal report highlighted the ‘rushed’ nature of the initial through-life support contract negotiations, which resulted in a flawed outcome for the Tiger Fleet’s sustainment. The findings and recommendations of the Lessons Learned Report contain valuable insights for Defence on the design and management of its contracting and sustainment arrangements. The audit report noted that there was no evidence that these lessons were communicated outside of the Program Office to current sustainment managers of other Defence platforms, or were available to future sustainment managers within Defence. In the 2016–17 audit, the ANAO commented that there remains scope for Defence to communicate lessons learned to relevant internal stakeholders.
Performance audits play an important role in stimulating improvements in the administration and management of public sector entities as well as providing independent assurance to the Parliament on the administration of programs. Recommendations in audit reports highlight actions that are expected to improve entity performance when implemented. Where an entity has agreed to a recommendation, implementation of that recommendation should be timely and in line with its intended outcome to achieve the benefits envisaged. Often, when the ANAO conducts a follow up audit, there are recommendations from the previous audit report which entities had agreed to implement, that have not been implemented.
For example, the objective of Auditor-General Report No. 43 of 2017–18 Domestic Passenger Screening—Follow-Up was to examine the extent to which the Department of Infrastructure and Regional Development, and the Department of Home Affairs, had implemented the recommendations from Auditor-General Report No. 5 of 2016–17 Passenger Security Screening at Domestic Airports. Due to the significance of the findings from the 2016–17 audit, the associated recommendations, and the response from the department advising that a number of initiatives to address the shortcomings identified were already underway, it was expected that the department would act quickly to address and remediate the issues identified. The ANAO noted that timely implementation was necessary if the audited entity was to achieve full value from the agreed recommendations. As at March 2018, the department had implemented one and partially implemented four of the five recommendations made in the initial audit. Consequently, the follow-up audit report identified that while the department had made progress, it was not yet well placed to provide assurance that passenger screening was effective and that screening authorities were compliant.
Auditor-General Report No. 9 of 2016–17 Community Pharmacy Agreement: Follow-on Audit examined the Department of Health’s implementation of recommendations from Auditor-General Report No. 25 of 2014–15 Administration of the Fifth Community Pharmacy Agreement, in the context of the negotiation and implementation of the Sixth Community Pharmacy Agreement. More encouragingly than the previous example, as at May 2016, the ANAO had assessed six of the eight recommendations as implemented, with the ANAO noting that the department completed the necessary action in a timely manner.
APRA’s chair noted arrogance in the Commonwealth Bank’s culture which manifested as complacency and overconfidence. These attributes are likely to cause leaders to be reluctant to change, reluctant to respond to signals that indicate issues, and reluctant to learn from failure. To support effective risk culture, APRA said that leaders need to have a culture of challenging and striving for best practice in risk identification and remediation.
A certain degree of failure is unavoidable. Entities must use their own failure and the failures of others as a point of learning to prevent history from repeating itself. An important part of this is that entities should be open about their failures and share their learnings so that other parts of the sector, or simply other parts of their own entity, can learn from them. Additionally, analysing an agency’s failures can help to identify patterns and potentially the root cause, improving that entity’s long-term performance. The first step towards learning from failure, is acknowledging failure, the second is to implement reparative measures, such as Auditor-General or internal audit report recommendations, and the third is to analyse and learn from the experience.
In this context I find disappointing the number of times an entity’s response to audit findings is to suggest they already knew about the problem and were in the process of fixing it, when clearly the audit evidence demonstrates that the lesson came from the audit. Dismissing the value of review undermines the importance of responding to findings and can drive a culture of complacency. It encourages an arrogant culture in which the entity believes it has nothing to learn from others.
Fit-for-purpose risk management arrangements which are consistently communicated
Under Comcover’s Commonwealth Risk Management Capability Maturity Model, one of the key characteristics of an ‘optimal’ rating against element four (embedding systematic risk management into business processes) is that the entity’s risk appetite statement, including its tolerances and limits for different categories of risk, is used consistently across the entity to inform decision making. On multiple occasions, the ANAO has observed weaknesses in risk management despite entities having good risk management policies. Weaknesses in risk culture can break down the connection between policy and practice. Causes may be inaccessibility of risk policies, poor communication of the board’s expectations, or management not ‘walking the talk’ on risk policy, which APRA identified as a key cultural characteristic that inhibited healthy risk management in the Commonwealth Bank.
If staff are to be compliant, risk policies and procedures have to be documented in a way that lets management and staff easily identify their responsibilities. This was an area of weakness identified by APRA in the Commonwealth Bank. The Bank acknowledged to the inquiry that its operational and compliance risk management policies were documented in a complex manner, making them difficult to implement effectively. APRA noted that the Commonwealth Bank’s Operational Risk Management Framework ‘How to Guide’ was 119 pages long and contained a significant amount of detail on the steps necessary to undertake key operational risk management activities.
In Auditor-General Report No. 30 of 2017–18 Design and Governance of the National Water Infrastructure Fund, the ANAO found that despite departmental guidance to the contrary, identified risk treatments were combined with, and were indistinguishable from, current controls. There was no timetable for implementation of risk treatment, and treatment owners were not identified. That audit report recommended that the department update the risk management plan for the National Water Infrastructure Development Fund to reflect departmental risk management guidance.
As discussed previously with respect to accountability, one way to encourage compliance is to use the entity’s performance management framework to make risk culture a vested interest for individuals. This is another of the characteristics Comcover identifies as representing ‘optimal’ risk culture: individuals who excel in demonstrating good risk management practice in their day-to-day responsibilities are rewarded. In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities, the ANAO observed that the Department of Employment had made risk management one of the criteria used to judge the recipients of the Secretary’s award for innovation.
Heavily centralised, process and compliance driven risk management creates additional risk of a ‘tick-the-box’ culture where there is no onus on individuals to actively consider and manage risk. Peter Shergold noted that ‘reliance on process at the expense of informed professional judgement destroys individual autonomy, diffuses responsibility and compromises the future success of new policies or programs from the start.’ He acknowledged that the Commonwealth’s Public Governance, Performance and Accountability Act 2013 has brought legislative and procedural changes to improve risk management, but believed there is still work to be done to embed culture and behaviours.
APRA made a similar comment, noting that the Commonwealth Bank’s operational risk and compliance functions had a heavy procedural bias. APRA noted that this was evidenced by rules-based policies containing very detailed, step-by-step processes that foster a ‘form over substance’ approach to risk management.
On the other hand, highly decentralised, free flowing risk management creates uncertainty and makes it difficult for the board to ensure risk management is consistent with strategic policy. There will always be tension between where to set minimum, mandatory compliance and where to encourage flexible, individual judgement. The entity’s leaders have to find a balance that matches their entity’s risk appetite and tolerance, and implement the necessary infrastructure to support it. One of their strongest levers to get the balance right will be effective risk culture and a key part of this culture must be a rigorous expectation of compliance wherever the minimum mandatory requirements are set.
In addition, once high-level tone, tolerance and appetite for risk are established, those strategic goals must be effectively communicated to staff. Senior leaders must be capable of communicating the board’s desired tone through every level of the organisation in a personal and authentic manner. The board or accountable authority establishes tone on risk culture through internal and external communications, and through their attitude and actions surrounding risk management issues, including how the board and management monitor and require mitigation of key risks. This was found to be a point of weakness in the Commonwealth Bank by APRA, who commented that the bank’s tone at the top was unclear, and that the board did not insist on improvement. Management must successfully communicate the board’s tone and lead by example, including learning from mistakes. In the risk management cycle, leaders need to monitor whether the message on risk sounds the same at the bottom as it does at the top.
An example of inconsistent communication comes from the cyber security space. Since 2013–14, the ANAO has conducted four performance audits to assess the cyber resilience of 14 different government entities. These audits assessed both IT general controls and the entities’ implementation of the mandatory ‘Strategies to Mitigate Targeted Cyber Intrusions’, which are required by the Protective Security Policy Framework. The audits have consistently identified high levels of non-compliance with mandatory requirements. In addition, all non-corporate Commonwealth entities are required to undertake an annual point-in-time self-assessment against the requirements of the Protective Security Policy Framework. The ANAO’s 2017–18 interim report on key financial controls of major entities noted that eleven entities reported that they were compliant, seven entities reported partial compliance and five entities reported that they were not compliant. That is a significant level of acknowledged non-compliance.
There are many messages from senior public sector officials in the cyber security space that could be interpreted as suggesting compliance with mandatory requirements is not a priority. As such, it is unsurprising that the ANAO sees inconsistent behaviour in relation to compliance with the Protective Security Policy Framework. The top, the Australian Government, has set the tone and appetite on risk via the policy, but that tone is not being clearly advocated by senior officials.
Auditor-General Report No. 42 of 2016–17 Cybersecurity Follow-up Audit highlighted the characteristics of entities that achieve cyber resilience. Entities that operate in a cyber-resilient environment are better positioned to protect their core business processes from cybersecurity risks. Beyond compliance, these entities demonstrate positive risk culture in the cyber space by implementing effective governance arrangements to support prioritising cybersecurity and managing cybersecurity risks while still focusing on delivering core business outcomes. The effective governance arrangements this audit highlighted were:
- informing key stakeholders of the consequences of an insecure ICT environment and of not being compliant with the Top Four mitigation strategies;
- sharing the responsibility of cybersecurity risks between stakeholders;
- clearly defining accountabilities for cybersecurity; and
- involving key stakeholders when making investment decisions about cybersecurity initiatives.
I think it is detrimental to the desired outcome when the ANAO produces reports assessing entities’ compliance against mandatory standards (of which cyber security is one example), which the Parliament, the Government or the entities themselves have set, and entity leadership responses include comments such as ‘the issues are minor’, ‘the ANAO are in the weeds’, or that the entity ‘already knew about it’. Such responses do not model the tone at the top you would expect in an entity with a positive risk culture. In the era of devolution and principles based regulatory frameworks it is reasonable to expect that mandatory requirements are just that. An entity’s leadership making comments that compliance is not essential will result in the message being amplified throughout the organisation.
Effective risk culture requires risk management that fits the entity, and a risk function that informs business activity consistently across the entity. While most of the public service has the guidance and procedures in place, entities will not realise the benefits if their risk framework is applied inconsistently. To have effective risk culture, management have to:
- ‘walk the talk’ on risk management;
- make policies accessible and not overly complex to implement;
- identify treatment owners and timelines for risk treatment;
- use the entity’s performance framework or other incentives to encourage excellence in risk management; and
- communicate expectations on risk effectively.
Entities have to find the balance that works for them between mandatory compliance and individual judgement in such a way that there is both assurance for the board that risk is being effectively managed and there is responsibility on individuals to actively think about and manage risk.
Adequate resourcing with a focus on building staff capability
Entities must adequately resource risk management. Resourcing of risk activities is vital to achieve a rating of ‘optimal’ in elements one, eight and nine of Comcover’s Commonwealth Risk Management Capability Maturity Model.
In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities, the ANAO noted that the Department of Employment (Employment) and the Department of Health (Health) had staff resources dedicated to risk management, and that Employment, Health and the Australian Communications and Media Authority had risk management guidance, templates and dedicated risk hotlines or email addresses.
Auditor-General Report No. 31 of 2017–18 Managing Mental Health in the Australian Federal Police found that the Australian Federal Police (AFP) did not have arrangements to ensure resources and funding were aligned to key mental health risks. The audit found that while the AFP allocates centralised funding to the Organisational Health function to resource mental health support activities, and each functional and geographical area may choose to allocate a portion of its annual operating budget to employee mental health, there is no information or assurance that funding is being spent in line with risk. The ANAO recommended that the AFP develop arrangements to align employee mental health and wellbeing resources to areas assessed as highest risk.
Technological advances over the last decade have enabled the collection of large datasets that present opportunities for analysis to reveal trends, patterns and associations. As the Australian public service moves to increased capability in the data analytics space, entities should consider how investment in these new technologies can assist them in their identification of risk, and their strategic management of risk.
Effective risk management requires staff who are capable of executing the strategic risk policies of the entity. Establishing strategies to improve participation in risk-related learning and development programs can help to maintain risk management capability. To build internal capability, management should provide practical guidance on how staff should manage risk. This was an area of weakness identified in the APRA prudential review of the Commonwealth Bank. During the inquiry, interviewees noted that policies had been provided to the business units to implement without sufficient training, with one interviewee noting that new policies were developed and simply ‘thrown out there’ to be implemented.
In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities, the ANAO observed that Employment had placed extensive risk management guidance on its intranet to help staff manage risks and risk treatments. The ANAO noted that Employment operated and maintained an integrated, enterprise-wide risk management system to aid in managing its risks, concluding that the system was mature and provided Employment with the capability to record, manage and report on risks, risk treatments, risk events and risk plan owners. It is important to note that systems do not have to be this sophisticated to be effective. Systems have to be fit-for-purpose, which will depend on size of the entity and its risk profile. Employment’s learning and development program included offerings on risk management. Departmental officials were regular participants in both internal and external risk management forums, seminars and courses. The ANAO found that both Health and the Australian Communications and Media Authority had a variety of learning and development programs available for staff, including eLearning courses developed by Comcover and entity-specific workshops.
Resourcing risk management activities is essential to building staff capability that enables effective risk culture. This includes the methods by which the entity identifies risk, as well as ensuring that resources are aligned to identified risk areas. It is key that learning and development resources are allocated to ensure that staff feel confident enacting the entity’s risk management framework.
Measuring risk culture
Culture is inherently intangible, so measuring it can be challenging. In Auditor-General Report No. 6 of 2017–18 The Management of Risk by Public Sector Entities the ANAO observed that the Department of Employment’s risk management framework outlined the way the department intended to measure its risk culture. This included:
- staff census results;
- internal and external audits;
- measures of compliance;
- regular reviews and monitoring of risk practices throughout the department; and
- engagement with training offered.
Another way to measure risk culture is through the use of a proxy: the effectiveness of risk management activities. This audit report also noted that none of the audited entities had mechanisms in place to measure the performance of risk management strategies. The ultimate measure of effective risk culture is successful projects. Effective risk management depends on effective risk culture, and to be successful in its endeavours, an entity must manage risk well.
A positive risk culture is essential to effective risk management. Effective risk management is essential for organisational success. The analysis in this paper shows examples of the issues with respect to poor risk management identified by the APRA Prudential Inquiry into the Commonwealth Bank that can also be seen in the public sector, both through Professor Shergold’s report, Learning from Failure, and many Auditor-General reports. While the ANAO has also identified areas of good practice in public sector risk management, there is still much to be done to ensure that the public sector has embedded, effective risk management. This paper has drawn on evidence that points to some indicators of effective risk management, the most pertinent of which are that:
- the board and its sub-committees engage with risk through establishing risk appetite and tolerance, and provide active oversight and challenge of management responses to emerging risks;
- responsibilities and accountabilities for risk are clearly defined, including an effective performance framework that is linked to risk outcomes;
- officials are vigilant that strategic, communication and compliance risk roles are each given appropriate attention, especially where individual officials are responsible for dual roles of management and governance;
- the entity’s approach to risk management is pre-emptive and includes routinely assessing new risks, and re-assessing identified risk, allowing entities to recognise potential failure early;
- the entity is open to both external and internal feedback, including criticism, acknowledges their mistakes, and uses both their own and others’ failures as catalysts for change and learning;
- management acknowledge the effect that their actions and attitudes have on their staff and effectively communicate the board’s risk management arrangements by ‘walking the talk’ on risk, resulting in the board’s risk frameworks being used consistently across the entity to inform decision making; and
- the entity prioritises risk management by allocating resources to ensure staff have the capabilities and subject matter expertise to execute the strategic risk policies of the entity.