The Commonwealth Risk Committee (the CRC) met on 11 June 2026 via Microsoft Teams to discuss the following matters:
Shared Risk Framework
The Committee reviewed and endorsed the shared risk framework and risk register developed to support whole-of-government fuel security preparedness. The strong level of cross-APS collaboration in developing the register was noted and the Committee agreed that both the framework and register are sufficiently mature to progress to the COO Committee.
Key findings in the development of the framework are that entities are effectively managing the specific shared risks through existing controls and largely business as usual responses. Agencies with higher exposure have implemented targeted governance arrangements, including dedicated taskforces, to support risk management and the collection of operationally relevant data. At this stage, no additional whole of APS controls were considered necessary.
The Committee agreed to progress the Framework and draft register to COO Committee and adapt the Framework for use in future events. The Committee also supported the continued development of the shared risk framework for future cross government use, including consideration of standardised language, structures and approaches to enable greater consistency and interoperability across entities.
Commonwealth Cyber Security Uplift
The Department of Home Affairs provided an update on progress under Horizon one of the Cyber Security Strategy and the launch of Horizon two which is focused on strengthening APS cyber capability, improving policy frameworks, enhancing investment prioritisation, and protecting systems of government significance. Members discussed the importance of maintaining and uplifting cyber security in an increasingly complex global threat environment and noted the importance of ensuring areas of highest risk are prioritised in resource constrained agencies.
The Evolution of the Essential Eight
The Australian Signals Directorate (ASD) updated the Committee on the evolving nature of cyber threats to the Australian Public Service and the proposed approach to modernise the Essential Eight guidance for release in October 2026. As APS agencies adopt foundational cyber security measures, the next stage is to lift the bar from one-size-fits-all compliance-based models to principle- and risk-based approaches appropriate for the agency.
Next meeting
27 August 2026
Lead agency contact
CRC Secretariat
Department to Finance
Risk and Insurance Branch
1800 651 540 (Option 4)