Discrete risk management processes within an enterprise (Australian Government)

The Commonwealth Risk Management Policy is silent on the subject of discrete risk management processes within an agency. Risk management is mandated for certain themes and activities. The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

This article builds on discrete risk management processes within an enterprise by listing mandated and other risk management processes likely to be in place in an Australian Government agency.


The Commonwealth Risk Management Policy is silent on the subject of discrete risk management processes within an agency.

Life would be very difficult if the Policy required a single integrated process, because a number of other directives mandate risk management for particular purposes, and those sources recommend process details specific to their own theme that do not apply to other risk themes.

Mandated risk management processes in Australian Government agencies

Risk management is mandated for certain themes and activities.

It is usual, and very helpful, to have a discrete risk management process for each of those themes, regardless of any desire to integrate or standardise risk management across the agency.

This list is meant to identify common cases of risk assessment mandated for each Australian Government Agency. I have also heard of mandated privacy risk assessments, and there are probably many others that I’ve missed. Please comment with suggestions for further rows in this table.


Each entry below gives the type of risk management, the mandate, and why it is mandated.

Type: Electronic security

Mandate: Australian Government Information Security Core Policy (formerly the Information Security Manual [ISM]).

Why mandated: All information is held on behalf of the whole of the Australian public. In many cases, the ‘customer’ did not choose to provide the information. In other cases, national interests require information secrecy.

Loss of confidence in the security of any one agency reduces confidence across the whole of the Government.

There are relatively busy interconnections and information flows between agencies, consistent with privacy legislation.

The Core Policy (INFOSEC 1 through INFOSEC 7) does not say directly that risks must be assessed using risk management concepts. However, there is a clear implication that such risks will have been assessed. For instance, INFOSEC 6 includes ‘…measures must match the assessed security risk…’. Independent reviewers will have clear expectations of an up-to-date security risk assessment and of monitoring of risk treatments. Risk assessment is an established part of the electronic security discipline.

Some electronic security risk treatments are themselves mandatory. In theory, the mandated measures are the results of an electronic security risk assessment for the government as a whole.


Type: Protective security

Mandate: PSPF Mandatory Requirements GOV-4 and GOV-6.

Why mandated: As for electronic information. Public assets are involved. Government people and property are targets of special significance.

GOV-6 cites ISO 31000 and HB 167:2006 Security risk management. The Commonwealth Risk Management Policy is also cited in the supporting guidance. There is a prescribed scale of ‘business impact levels’, which should be used, though not necessarily to the exclusion of other consequence measures more fitted to the unique objectives of the agency.

PSPF does not prescribe further risk management process detail beyond those references and the business impact levels.

HB 167 is a very useful security-specific extension to the concepts in ISO 31000, adding concepts such as assets, attackers, and threats.


Type: Fraud

Mandate: Section 10 of the Public Governance, Performance and Accountability Rule 2014, made under the Public Governance, Performance and Accountability Act 2013.

Why mandated: It is generally public assets that are at risk from fraud. Where there is potential for fraud against a citizen (say) via an agency activity, the agency has a very clear obligation to manage the fraud risk to the citizen.

The key words are:

‘…a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by…conducting fraud risk assessments…and developing and implementing a fraud control plan that deals with identified risks’.

Resource Management Guide 201 (1 July 2014) cites ISO 31000 and includes:

‘Fraud risk should not be looked at in isolation from the general business of the entity’ [6.3].

‘Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances’ [6.5].

While this blog advocates a discrete thematic risk assessment for fraud, there is no conflict with the RMG, as the thematic fraud risk assessment should recognise the specific business of the entity.


Type: Workplace Health and Safety

Mandate: Work Health and Safety Act 2011. The Commonwealth regulator is Comcare. The Commonwealth Act is one of the harmonised work health and safety laws, so equivalent duties apply to organisations generally, not just to Government agencies.

Why mandated: The Act talks about identifying and reducing risks, not about ‘risk assessment’ or ‘risk management’. However, it does demand that responsible officers understand and control the risks of the business, which is equivalent to a demand for risk management. The absence of an effective and demonstrated risk management process for WHS is likely to be taken as an indication of failure to protect safety as required by the Act.

Some guidelines are published by Comcare and by Safe Work Australia (look for the Code of Practice ‘How to manage work health and safety risks’). The recommendations are not the same as common recommendations for business-related risks.


Type: Projects subject to Gateway Reviews

Mandate: Requirements for Gateway Reviews are determined by the (elected) Government on advice from the Department of Finance.

Why mandated: Public assets (taxpayer funds) and Government credibility are at stake.

Risk management methods for projects are not prescribed. Management of risk within the project will be subject to critical scrutiny, probably by people experienced in PRINCE2 or PMBOK. There may be an expectation that risk management (among other aspects of project management) will be subject to independent expert validation. Independent validation may be at portfolio or programme level, rather than separate for each project.

Whether a project requires a Gateway Review is assessed partly on the basis of a Risk Potential Assessment Tool. This sort of tool is an example of risk scoring and case streaming, used to trigger different levels of control and governance for different projects. It is not itself a risk assessment method for use within projects or programmes. The Tool does not identify or treat specific risks within or from the proposed project, but ideally it would draw on a real risk assessment generated within the project.

For any Australian Government agency, I also recommend a discrete risk management process for:

  • Each project, programme, and the agency project portfolio (or change portfolio). The scoping and approach should have regard to the Perspectives defined in M_o_R (and hence PRINCE2), or a similar model. (A future article will talk about the Perspectives defined in Chapter 6 of M_o_R.)
  • Each procurement and contract. During the formation stages, procurement and contract risk management can be approached in about the same way as project risk management. During the life of an asset or contract, the risk management is part of risk management for ‘business as usual’.
  • Business continuity. I recommend use of a specialised approach to business continuity risk assessment. The aim is to commit to necessary business continuity preparations with a minimum of delay. The risk-based decisions to be made are relatively simple, and they must be made immediately if there is no continuity plan in current operational readiness. Providing government services without a working business continuity plan in place is like making your clients come to a building without a fire escape. There is little time for agonising and arguing. A business continuity risk assessment need not be much concerned with hazards and scenario likelihoods. It is more important to establish a target recovery time for each service against a simple list of potential disruption scenarios. Each of those scenarios (e.g. loss of a specific building) could have an unlimited number of causes, and the specific causes make no difference to the necessary recovery preparations. Preparation measures (risk treatments) follow directly from the target recovery times. The magic words are ‘Business Impact Analysis’.

But that’s not the main thing

The preceding list of narrowly defined risk management applications ignores the primary objectives and activities of the agency—the most important subject for risk management. The Commonwealth Risk Management Policy and responsible management each require that the risks to and from the agency’s main business are also understood and acted upon.

The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

There is particular regard to wider community and Government interests as well as those of the ‘enterprise’ (agency) itself. Sensibly enough, the Policy avoids diluting the message in jargon and buzzwords, such as ‘implement enterprise risk management’, which so often imply the priority of methods and systems over effectiveness.

Achieving all of that will probably require more than a single high level ‘agency risk assessment’, or even Division and regional risk assessments. A comprehensive recommendation for agency management of all risk will follow in a later topic.

Further Reading

Main articles on the topic:

  1. Discrete risk management processes within an enterprise (Everyone)
  2. Shapes for discrete risk management processes (Everyone)
  3. Examples of discrete risk management processes (Everyone)
  4. Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)

Some other main topics

What is Risk Management?

Coming soon: Scoping a risk management activity; ERM and RM; RM across an organisation, without a central register; Context setting, Objectives, expected and acceptable outcomes, priorities and tradeoffs.

Risk consequences as the final effect on objectives (LinkedIn – registration required)