Commonwealth Risk Management Policy

Finance Minister's Foreword

I am pleased to release the Commonwealth Risk Management Policy.

This policy supports section 16 of the Public Governance, Performance and Accountability Act 2013, which requires accountable authorities of Commonwealth entities to establish and maintain appropriate systems and internal controls for the oversight and management of risk.

Risk is inherent in all government activities. Government cannot provide essential services that the community and public need without engaging with risk. Therefore, managing risk is a key role of the Australian Public Service in the important work we do and is a core skill of every public official.

Risk management is fundamental to good governance and needs to be reflected in the behaviours and culture of the Australian Public Service. Good risk management supports the better delivery of government services through more effective decision-making, greater preparedness for unexpected events and supports innovation. To achieve this, risk management also needs to be practical and tailored to each entity’s needs.

It is important that Commonwealth entities collaborate to manage risk. This includes working together to manage the significant, shared and emerging risks facing our nation.

I commend the Commonwealth Risk Management Policy to Commonwealth Government officials and I thank you for your diligence in managing risk. I encourage officials of all levels to read this policy and engage with risk to support your entity in achieving its objectives.

Katy Gallagher
Minister for Finance
The purpose of this policy is to embed risk management into the culture and work practices of entities to improve decision making in order to maximise opportunities and better manage uncertainty.

The elements of this policy outline its requirements. Entities should tailor their risk management arrangements to suit the nature of their operations and the risks they face.

This document is intended to be used within Commonwealth entities by all staff and officials at all levels, including:

  1. accountable authorities
  2. senior executives
  3. risk practitioners
  4. officials responsible for government operations, projects, programs and regulations
  5. audit and/or risk committee members.

Scope and application

This document sets out the principles and mandatory requirements for managing risk in undertaking the activities of government.

Non-corporate Commonwealth entities must comply with this policy.

Corporate Commonwealth entities are not required to comply with this policy, but should align their risk management frameworks and systems with this policy as a matter of good practice.

This policy supports section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) which states that ‘the accountable authority of a Commonwealth entity must establish and maintain an appropriate system of risk oversight, management and internal control for the entity.’

Policy elements


Element One

Risk management must be embedded into the decision making activities of an entity

Embedding risk management into the decision making activities of an entity enables risk to be managed in a repeatable and consistent way when designing, implementing, delivering and undertaking government initiatives. The level of complexity in how risk management is embedded into decision making should be proportionate to the nature and severity of the risks faced. It should also consider the maturity of the entity’s culture and framework for managing risk.

It is particularly important that risk management is embedded into an entity’s activities including projects, strategic and operational planning, governance arrangements, performance management, regulatory oversight, program and policy design and implementation.

Element Two

Entities must formalise their approach to the management of risk in a risk management framework

An entity’s risk management framework is a set of components and arrangements that articulate the directions and approach for managing risk. It should be practical and tailored to the entity. Risk management frameworks will differ depending on the size and the operations of an entity as well as the nature and complexity of the risks they face.

An entity’s risk management framework should include a risk management policy and a risk appetite statement. A risk management policy is a statement of the overall intentions and direction of an organisation in relation to risk management. A risk appetite statement describes the overarching amount and types of risk an entity is willing to accept in order to achieve its objectives. It is supported by risk tolerance statements that operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable.

Element Three

An entity’s risk management framework must support a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours

An entity’s culture should promote an open and proactive approach to risk that fosters collaboration, encourages debate and values independent views. In order for risk management to be effective, it needs to align with the entity’s strategic goals and be part of the organisational culture, internal policies, decision making and individuals’ behaviour.

Culture is shaped by the behaviours and attitudes of leaders. The desired culture for managing risk should be clearly defined and demonstrated by the executive in a form that is communicated and actively promoted to staff. An entity’s internal policies should also be aligned to its desired culture.

Element Four

An entity’s risk management framework must clearly define the risk management responsibilities of officials

The responsibility for a consistent approach to the management of risk lies with officials at all levels. What good risk management looks like will vary depending on an individual’s role, the nature of their work and the seniority of the position they hold.

Responsibility for managing risks should be clearly defined and should include at a minimum:

Accountable authority

The individual (or governing body) ultimately responsible for having systems of risk management and oversight in place, including determining risk appetite and tolerance, and promoting a positive risk culture.

Chief risk officer (if applicable)

Is responsible for the framework and governance for managing risk and provides an advisory role to support the accountable authority in understanding an entity’s capability to manage risk in line with its risk profile.

Senior executives

Are responsible for reviewing, monitoring and managing risks within their respective business units. More specifically, they are required to facilitate risk conversations, promote a positive risk culture and embed risk management into the day-to-day decision making process of their respective business unit.

Audit committees

Are responsible for monitoring and reviewing the appropriateness of an entity’s system of risk oversight.

Risk committees (if applicable)

Are responsible for monitoring and reviewing an entity’s risk profile and advising on the management of key risks.

The risk management function

Is responsible for designing, building and implementing an entity’s risk management framework and developing the entity’s capability to manage risk.

Risk owners

Are accountable for managing, monitoring, reporting and escalating risks.

Control owners

Are responsible for implementing and maintaining effective controls, including assessing their effectiveness and monitoring and reporting on performance.

Treatment owners

Are responsible for implementing and monitoring treatments where the controls in place are ineffective and further mitigation activities are required.

All staff

Are responsible for managing and escalating risks in their daily work.

Element Five

The effectiveness of controls must be periodically reviewed

Entities should ensure that:

  1. the controls in place are effective and proportionate to the level of risk to be managed
  2. preventative, detective or corrective controls are in place
  3. each control has a clearly designated owner who regularly reports on the implementation, testing and effectiveness of the control.

Entities should ensure that risks are periodically reviewed and monitored. Risks are ultimately managed through controls. The success of managing risks relies on the effectiveness of controls and these controls being monitored. The frequency of control reviews should be guided by the nature, velocity and severity of the risks.

Element Six

Entities must collaborate to manage shared risks

Shared risks are those risks extending beyond a single entity which require a collaborative effort of shared oversight and management. These include risks that extend across entities and may involve other sectors and jurisdictions.

The management of shared risks should be agreed by all parties involved. Accountability and responsibility for the management of these risks should be identified and accepted by those best positioned to manage them.

Element Seven

Entities must implement arrangements for identifying, managing and escalating emerging risks

Considering and planning for emerging risks is an important part of the risk management process. Identifying and monitoring emerging risk enables entities to manage the uncertainty and impact of these risks.

Entities should consider seeking a range of perspectives on emerging risks and incorporate the consideration of these emerging risks into their risk management framework and governance arrangements.

Element Eight

Entities must maintain an appropriate level of risk management capability

Effective risk management requires an entity to maintain an appropriate level of capability to administer its risk management framework and to manage its risks. The nature and scale of this capability includes governance, processes, staffing, education and systems.

Risk management capability must be regularly considered in the context of an entity’s current resource and capability profile and be commensurate with the characteristics and complexity of its risk profile.

Element Nine

An entity’s risk management approach must be regularly reviewed

A process of continual review is important to ensure an entity’s risk management framework, approach and controls are relevant, effective and address emerging risks and changes in an entity’s operating environment.

Reviews should be conducted regularly and be informed by experience and lessons learned.