An entity’s risk management framework must clearly define the risk management responsibilities of officials.
This Guide was developed for Chief Risk Officers (CROs), accountable authorities and executive teams of Commonwealth entities. It articulates the value of a CRO in the Australian Public Service, sets out a better practice approach to how entities can ensure a CRO is successful in their role, and outlines the desired attributes, roles and responsibilities of a CRO.
The Guide acknowledges there is no one-size-fits-all approach to the role of the Commonwealth CRO. It outlines how the role of a CRO can provide critical capability within an entity in the Commonwealth’s dynamic landscape.
A Chief Risk Officer
A CRO plays an important advisory role in supporting the accountable authority to achieve a positive risk culture within an entity. They are most effective when they have:
- a sound understanding of their entity’s business-related processes
- informed judgement on how to engage in risk as part of the business process, not as an add-on or discretionary process.
CROs should be sufficiently senior and have a good understanding of the operations of their entity and the government’s objectives in relation to the entity’s purpose. CROs should also have the authority to effectively challenge decisions that may affect the entity’s risk profile, and lead discussions across the entity on what risk can be accepted and managed.
Critical success factors that assist a CRO to meet their responsibilities include having:
- direct access to, and the trust of, the accountable authority and senior management in notifying them of any significant breach of, or material deviation from, the risk management framework of the entity
- access to all parts of an entity that have the potential to engage in or generate material risk
- appropriate delegation and sufficient resources to support the effective execution of their responsibilities.
Defines how an entity views risk management
A CRO assists the accountable authority to establish how officials view risk and the risk-taking behaviours in an entity. This includes defining how officials in an entity:
- view risk as an opportunity as well as a threat
- develop an appropriate risk culture, encouraging desired behaviours such as speaking up and learning from mistakes
- achieve an appropriate level of risk management maturity that reflects the entity’s risk profile and emphasises that risk is about continuous learning and embracing opportunities.
An influencer of decision making
A CRO is an advisor on the management of risk; they are not the owner of an entity’s risks. CROs provide a critical role in guiding and influencing risk-based decisions.
To realise the value of a CRO, the accountable authority should reinforce the CRO’s role:
- is one of risk oversight, not ownership
- applies insight to decisions. For example, an effective CRO is involved early in conversations on issues that may impact the achievement of an entity’s objectives
- works across an entity to ensure consistency in the approach to risks and the quality of risk information to support robust decision making
- is a trusted advisor to the accountable authority and, while they may not necessarily be part of the executive team, they have the authority to support the executive in making risk-informed decisions.
A solution seeker and champion for risk taking
The CRO should encourage and develop processes to support appropriate risk-taking so that all officials in the entity consider:
- new proposals or initiatives in line with the risk appetite and tolerance(s) of the entity
- opportunities to the entity offered by new proposals or initiatives
- consequences, including potential reputational damage to the entity and/or broader Commonwealth, should a proposal fail.
A shared risk awareness steward
A CRO is integral to ensuring that shared risks (those where more than one entity, or more than one area within an entity, has influence or is exposed) are identified and managed. This may involve:
- designing and implementing a tailored approach to support the identification of shared risks, the relevant stakeholders and the mitigation strategies to adequately manage these risks
- establishing appropriate governance structures to identify and manage shared risk
- tracking improvements on how shared risks are managed in the entity.
An advocate of emerging risks
The CRO informs their executive of emerging and future risks by:
- monitoring the Commonwealth’s dynamic and constantly changing operating environment
- optimising the use of risk sensing tools such as:
  - environmental scanning
  - scenario modelling.
A CRO is not the owner of the entity’s risks but rather an advisor on risk management matters. A CRO provides a critical role in guiding and influencing risk-based decisions, working closely with the accountable authority to identify, measure and evaluate all key current, emerging and future risks.
A CRO role is a position of significant influence and provides critical capability to an executive team. A CRO supports the accountable authority to influence the culture of an entity by providing objective advice on the performance and behaviours of people, processes and systems in their entity.
Attributes of a CRO
A CRO, in conjunction with other executives, should define, articulate and model attributes and behaviours which help drive and, where necessary, change the culture of the entity.
The attributes listed below are not exhaustive and, depending on the size and risk complexity of the entity, should be considered when appointing a CRO and designing the role.
Roles and responsibilities of CROs
CROs play a key role in supporting accountable authorities to deliver their strategic objectives and purpose. This includes the allocation of responsibility for implementing the risk management framework for the entity, and making it clear that all officials have a responsibility to actively manage risk as part of their daily duties, regardless of their role or position.
Key roles and responsibilities of a CRO should include the following:
Accountabilities of a CRO
A CRO is accountable for the design and implementation of effective systems of risk management within the entity.
Key accountabilities for a CRO should include the following:
CRO responsibilities in implementing the Commonwealth Risk Management Policy
Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) provides that accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity.
- Non-corporate Commonwealth entities must comply with the Commonwealth Risk Management Policy
- Corporate Commonwealth entities are not required to comply but should align with this policy as a matter of good practice.
A Chief Risk Officer has a key role and responsibility to help implement the requirements outlined in the Commonwealth Risk Management Policy. The purpose of the policy is to embed risk management into the culture and work practices of entities to improve decision making, in order to maximise opportunities and better manage uncertainty.