Discrete risk management processes within an enterprise (supplement for the Australian Government)

The Commonwealth Risk Management Policy is silent on the subject of discrete risk management processes within an agency. Risk management is mandated for certain themes and activities. The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

What to read first: Discrete risk management processes within an enterprise

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

This article builds on discrete risk management processes within an enterprise by listing mandated and other risk management processes likely to be in place in an Australian Government agency.

The Commonwealth Risk Management Policy is silent on the subject of discrete risk management processes within an agency.

Life would be very difficult if the Policy required a single integrated process, as a number of other directives mandate risk management for particular purposes. The sources recommend specific process details not applicable to other risk themes.

Mandated risk management processes in Australian Government agencies

Risk management is mandated for certain themes and activities.

It is usual, and very helpful, to have a discrete risk management process for each of those themes, regardless of any desire to integrate or standardise risk management across the agency.

This list is meant to identify common cases of risk assessment mandated for each Australian Government Agency. I have also heard of mandated privacy risk assessments, and there are probably many others that I’ve missed. Please comment with suggestions for further rows in this table.



Why mandated

Electronic security
Australian Government Information Security Core Policy (formerly the Information Security Manual [ISM])

All information is held on behalf of the whole of the Australian public. In many cases, the ‘customer’ did not choose to provide the information. In other cases, national interests require information secrecy.

Loss of confidence in the security of any one agency reduces confidence across the whole of the Government.

There are relatively busy interconnections and flows between agencies, consistent with privacy legislation.

The Core Policy (INFOSEC 1 through INFOSEC 7) does not say directly that risks must be assessed using risk management concepts. However, there is a clear implication that such risks will have been assessed. For instance, INFOSEC 6 includes ‘…measures must match the assessed security risk…’. Independent reviewers will have clear expectations for up-to-date security risk assessment and monitoring of risk treatments. Risk assessment is an established part of electronic security discipline.

Some electronic security risk treatments are themselves mandatory. In theory, the mandated measures are results of electronic security risk assessment for the government as a whole.

Protective security
PSPF Mandatory Requirements GOV-4 and GOV-6

As for electronic information.
Public assets are involved. Government people and property are targets of special significance.

GOV-6 cites ISO 31000 and HB 167:2006 Security risk management. The Commonwealth Risk Management Policy is also cited in the supporting guidance. There is a prescribed scale of ‘business impact levels’, which should be used, though not necessarily to the exclusion of other consequence measures more fitted to the unique objectives of the agency.

PSPF does not prescribe further risk management process detail beyond those references and the business impact level.

HB 167 is a very useful security-specific extension to the concepts in ISO 31000, adding concepts such as assets, attackers, and threats.

Fraud
Rule 10 under the Public Governance, Performance and Accountability Act 2013

It is generally public assets at risk from fraud. Where there is potential for fraud against a citizen (say) via an agency activity, the agency has a very clear obligation to manage the fraud risk to the citizen.

The key words are:

‘…a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by…conducting fraud risk assessments…and developing and implementing a fraud control plan that deals with identified risks’.

Resource Management Guide 201 (1 July 2014) cites ISO 31000 and includes:

‘Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances’ [6.5]

‘Fraud risk should not be looked at in isolation from the general business of the entity’ [6.3].

While this blog advocates a discrete thematic risk assessment for fraud, there is no specific conflict with the RMG, as the thematic fraud risk assessment should recognise the specific business of the entity.

Workplace Health and Safety
Workplace Health and Safety Act 2011

The central Australian Government agency is Comcare.

The Act applies to all organisations in Australia, not just Government agencies.

The Act talks about identifying and reducing risks, not ‘risk assessment’ or ‘risk management’. However, it does demand that responsible officers understand and control the risks of the business, equivalent to a demand for risk management. The absence of an effective and demonstrated risk management process for WHS is likely to be taken as an indication of failure to protect safety as required by the Act.

Some guidelines are published by Comcare and by Safe Work Australia (look for ‘How to manage WHS risks’). The recommendations are not the same as common recommendations for business-related risks.

Projects subject to Gateway Reviews
Requirements for Gateway Reviews are determined by the (elected) Government on advice from the Department of Finance.

Public assets (taxpayer funds) and Government credibility are at stake.

Risk management methods for projects are not prescribed. Management of risk within the project will be subject to critical scrutiny, probably by people experienced in PRINCE2 or PMBOK. There may be an expectation that risk management (among other aspects of project management) will be subject to independent expert validation. Independent validation may be at portfolio or programme level, rather than separate for each project.

Requirements for Gateway Review are assessed partly on the basis of a Risk Potential Assessment Tool. This sort of tool is an example of risk scoring and case streaming to trigger different levels of control and governance for different projects. It is not itself a risk assessment method for use within projects or programmes. The Tool does not identify or treat specific risks within or from the proposed project, but ideally it would draw on a real risk assessment generated within the project.

For any Australian Government agency, I also recommend a discrete risk management process for:

  • Each project, programme, and the agency project portfolio (or change portfolio). The scoping and approach should have regard to the Perspectives defined in M_o_R (and hence PRINCE2), or a similar model. (A future article will talk about the Perspectives defined in Chapter 6 of M_o_R.)
  • Each procurement and contract. During the formation stages, procurement and contract risk management can be approached in about the same way as project risk management. During the life of an asset or contract, the risk management is part of risk management for ‘business as usual’.
  • Business continuity. I recommend use of a specialised approach to business continuity risk assessment. The aim is to commit to necessary business continuity preparations with a minimum of delay. The risk-based decisions to be made are relatively simple, and they must be made immediately if there is no continuity plan in current operational readiness. Providing government services without a working business continuity plan in place is like making your clients come to a building without a fire escape. There is little time for agonising and arguing. A business continuity risk assessment need not be much concerned with hazards and scenario likelihoods. It is more important to establish a target recovery time for each service for a simple list of potential disruption scenarios. Each of those scenarios (e.g. loss of a specific building) could have an unlimited number of causes. The specific causes make no difference to the necessary recovery preparations. Preparation measures (risk treatments) follow directly from the target recovery times. The magic words are ‘Business Impact Analysis’.

But that’s not the main thing

The preceding list of narrowly defined risk management applications ignores the primary objectives and activities of the agency—the most important subject for risk management. The Commonwealth Risk Management Policy and responsible management each require that the risks to and from the agency’s main business are also understood and acted upon.

The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

There is particular regard to wider community and Government interests as well as those of the ‘enterprise’ (agency) itself. Sensibly enough, the Policy avoids diluting the message in jargon and buzzwords, such as ‘implement enterprise risk management’, which so often imply the priority of methods and systems over effectiveness.

Achieving all of that will probably require more than a single high level ‘agency risk assessment’, or even Division and regional risk assessments. A comprehensive recommendation for agency management of all risk will follow in a later topic.

Parent articles

Discrete risk management processes within an enterprise

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. A risk management process has a scope and objectives. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.
