The objective of the audit was to assess how effectively selected public sector entities manage risk. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:
- the selected entities’ risk management policies and frameworks meet the requirements of the Commonwealth resource management framework, including the Commonwealth Risk Management Policy;
- the selected entities’ business operations and key business processes are informed by considerations of risk; and
- the selected entities have established a supporting risk culture.
This performance audit is one of three audits in the ANAO’s work program that address key aspects of the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). These audits have been identified by the Joint Committee of Public Accounts and Audit (JCPAA) as priorities of the Parliament and will assist in keeping the Parliament, government and the community informed on implementation of the resource, risk and performance management frameworks introduced by the PGPA Act.
Four non-corporate Commonwealth entities were selected for inclusion in the audit: the Department of Employment (Employment), the Department of Health (Health), the Australian Communications and Media Authority (ACMA), and the Australian Fisheries Management Authority (AFMA).
The four entities involved in the audit have met or mostly met the majority of the 22 specific requirements of the Commonwealth Risk Management Policy, with further work required by three entities (Health, ACMA and AFMA) to fully realise the Policy’s goal of embedding risk management as part of the entity’s culture, where the shared understanding of risk leads to well-informed decision making.
- Employment has a mature and integrated approach to the identification and management of risk and has implemented a range of measures to build its risk capability, including an enterprise-wide risk management system. There is entity-level oversight of the operation of the risk management policy and framework through an internal governance committee which has reported regularly to the department’s Executive Committee on the adequacy of the risk framework and associated processes.
- Health has an ongoing program to strengthen and fully operationalise its risk management framework and capability, following reviews in 2014 and 2016 which identified scope for improvement. Key risks are regularly considered by Health’s Executive Committee in its consideration of specific departmental strategies and plans. There remains scope for a more structured approach to reporting on and reviewing enterprise-level risks and the status of risk controls and treatments.
- ACMA’s key risks are reviewed quarterly by the senior executive as part of a regular cycle, and the Authority is in the process of reviewing its risk management policy. ACMA included a risk tolerance statement in its 2015 risk management guide but has not yet developed a risk appetite statement. ACMA’s risk management guidance provides a high-level description of risk management, but limited practical guidance on how staff should manage risk.
- Sustainability risks were regularly considered by the AFMA Commission in its consideration of specific fisheries management strategies and plans. As with Health, there remains scope for a more structured approach to reporting on and reviewing enterprise-level risks, controls and treatments. Risk management guidance available on the Authority’s intranet was minimal and not up to date, and AFMA does not have formal learning and development programs in risk management for staff. The Authority should address these impediments to the development of a positive risk management culture.
Each of the selected entities has continued to develop its risk management policies, framework and capability since the release of the Commonwealth Policy in July 2014. As a result of these efforts Employment has met, and Health and ACMA have mostly met, the requirement of policy element five and the overarching goal of the Commonwealth Policy—relating to the development of a positive and embedded risk culture. AFMA has partly met the requirement of policy element five and the overarching policy goal.
A number of areas for improvement have been identified for the selected entities, and more general matters which may also warrant attention by other Commonwealth entities. The two categories of learnings address: for the selected entities, measures which would improve compliance with the policy requirements; and, for all public sector entities, key learnings focusing on strengthening risk management capability, culture and performance.