
Risk Management Framework

Product Description

Section 16 of the Public Governance, Performance and Accountability Act, 2013 requires that the accountable authority of a Commonwealth entity must establish and maintain:

a) An appropriate system of risk oversight and management for the entity
b) An appropriate system of internal control for the entity
including by implementing measures directed at ensuring officials of the entity comply with the finance law.

This framework has been developed to reflect these requirements, as well as those outlined in the Commonwealth Risk Management Policy, issued by the Department of Finance.

Consistent with the international standard ISO 31000:2009, this framework outlines the Department’s approach to effective risk management and provides the basis for integrating it into everyday PM&C business activities.

Risk Appetite and Tolerance

The risk assessment process must consider the Department’s risk appetite. Risk appetite identifies the rating of risks which can be considered as either generally acceptable (given the effectiveness of current controls) or generally unacceptable (in which case additional mitigation strategies will be required). The risk appetite is built into the Department’s risk matrix.

Risk Assessment

Assessing risk involves developing an understanding of the risk and considering its cause and source, its positive and negative consequences, and the likelihood that those consequences can occur.

A formal risk assessment is to be undertaken and documented in the following circumstances:

  • When undertaking policy development for consideration by the Government
  • When developing policies and procedures or arranging events that may have workplace health and safety implications
  • When undertaking procurement over $10,000
  • When undertaking procurement where there is a contingent liability requirement
  • When undertaking programme design and delivery (including grants administration) consistent with the Programme Risk Framework
  • As input into divisional operational plans
  • When undertaking business continuity and disaster recovery planning
  • When undertaking security management activities
  • When establishing a task force

Risk Treatment

Risk treatment involves selecting one or more options to modify or manage the risks. Options can include:

  • Avoiding the risk by deciding not to start or continue with an activity
  • Accepting the risk and putting in place mitigation strategies to pursue an opportunity
  • Retaining the risk after informed consideration
  • Removing the source of the risk
  • Changing the likelihood of a risk event occurring through mitigation strategies
  • Changing the consequence should a risk event occur through mitigation strategies
  • Sharing the risk with third parties, e.g. through contract terms or insurance

Risk Monitoring and Review

Monitoring and review of both identified risks and the implementation of treatments should be planned as part of the risk management process. This involves:

  • Ensuring controls and mitigation strategies are effective and efficient and meet the needs of the Department
  • Analysing lessons learnt from risk events, organisational changes, trends, successes and failures
  • Taking account of organisational changes and the impact on existing risks including their controls and treatments
  • Identifying emerging risks

For more information about the Department’s Risk Management services, please visit the Risk Teams Portal on the Department’s intranet.
