De-centralised risk management in the Australian Government

This post builds on ‘Centralised or de-centralised risk management in your enterprise?’ by listing mandated and other risk management processes likely to be in place in an Australian Government agency. These processes are necessarily part of de-centralised risk management in the organisation, whether or not there is any attempt at ‘enterprise’ risk management.

The Commonwealth Risk Management Policy is silent on the subject of de-centralised risk management processes within an agency. Risk management is mandated for certain themes and activities. The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.


The Commonwealth Risk Management Policy is silent on the subject of de-centralised risk management processes within an agency.

Life would be very difficult if the Policy required a single integrated process, as a number of other directives mandate risk management for particular purposes. The sources recommend specific process details not applicable to other risk themes.

Risk management is mandated for certain themes and activities.

It is usual, helpful, and even mandatory, to have a risk management process for some risk themes, regardless of any desire to integrate or standardise risk management across the agency. If the enterprise-wide risk management arrangements are not suitable, there can be a separate risk process when one is mandated.

This list is meant to identify common cases of risk assessment mandated for each Australian Government agency. I have also heard of mandated privacy risk assessments, and there are probably many others that I’ve missed. Please comment with suggestions for further rows in this table.

Type / Mandate / Why mandated

Type: Electronic security
Mandate: Australian Government Information Security Manual [ISM]
Why mandated:

All information is held on behalf of the whole of the Australian public. In many cases, the ‘customer’ did not choose to provide the information. In other cases, national interests require information secrecy.

Loss of confidence in the security of any one agency reduces confidence across the whole of the Government.

There are relatively busy interconnections and flows between agencies, consistent with privacy legislation.

The Information Security Manual [ISM] February 2019 frequently refers to risk management, encouraging organisations to ‘consider security risks discussed in this document and apply security controls where appropriate within a risk management framework in accordance with their business requirements and threat environment’. [Page 7 of the consolidated PDF download].

Security Control 1526 requires that ‘System owners monitor security risks and the effectiveness of security controls for each system’ [ibid, page 9].

The ISM gives a range of references to well-known risk standards and to the Protective Security Policy Framework [PSPF] on pages 7–8. Between the ISM and PSPF, there is no prescribed way of managing security risk that might differ from the methods of ERM. Neither is there a statement that security risk and enterprise risk must be mapped in the same way, nor that all risks be listed in the same risk register.

Some electronic security risk treatments are themselves mandatory. In theory, the mandated measures are results of electronic security risk assessment for the government as a whole.

Type: Protective security
Mandate: Protective Security Policy Framework [PSPF] Mandatory Requirements GOVSEC‑01 and GOVSEC‑03
Why mandated: As for electronic information. Public assets are involved. Government people and property are targets of special significance.

The 2018 Protective Security Policy Framework [PSPF] at GOVSEC‑01 ‘Role of accountable authority’ includes a requirement for the ‘accountable authority’ [CEO] to manage security risks, to meet specific expectations for the protection of public assets and of the national interest. The guidelines reference the Commonwealth Risk Management Policy and GOVSEC‑03 Security planning and risk management.

The official guidance for GOVSEC‑03 defines a ‘risk management process’, and recommends a single risk management process for all security risks [C.1 3b and C.2 12]. At the same time, it recommends elements within that risk management process that are specific to security, such as assets, threats and vulnerabilities [C.2.3 20]. Those extra elements are established and useful within security risk management. For all of these reasons, Australian Government organisations usually have a security risk management process that works independently of any attempts at ‘enterprise’ risk management. In practice, it is common for Australian Government electronic information security to be managed in a process separate from the process for other protective security, drawing on separate histories and standards such as ISO 27005 and NIST SP 800‑30.

Type: Fraud
Mandate: Rule 10 under the Public Governance, Performance and Accountability Act 2013
Why mandated: It is generally public assets at risk from fraud. Where there is potential for fraud against a citizen (say) via an agency activity, the agency has a very clear obligation to manage the fraud risk to the citizen.

The key words are:

‘…a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by … conducting fraud risk assessments … and developing and implementing a fraud control plan that deals with identified risks.’

The 2017 Commonwealth Fraud Control Policy Guidance in Resource Management Guide 201, Part 5 prescribes fraud risk assessment at least every two years [paras 27–28, pages C9–C10], and states that:

Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances [para 28].

It is important to avoid looking at fraud in isolation from the general business of the entity [para 31].

While the Clear Lines advocate a special-purpose risk assessment for fraud, there is no specific conflict with the official guidance, as the thematic fraud risk assessment should recognise the specific business of the entity.

Type: Workplace Health and Safety
Mandate: Workplace Health and Safety Act 2011. The central Australian Government agency is Comcare.
Why mandated: The Act applies to all organisations in Australia, not just Government agencies.

The Act talks about identifying and reducing risks, not ‘risk assessment’ or ‘risk management’. However, it does demand that responsible officers understand and control the risks of the business, equivalent to a demand for risk management. The absence of an effective and demonstrated risk management process for WHS is likely to be taken as an indication of failure to protect safety as required by the Act.

Some guidelines are published by Comcare and by Safe Work Australia (look for ‘How to manage WHS risks’). The recommendations are not the same as common recommendations for business-related risks.

Type: Projects subject to Gateway Reviews
Mandate: Requirements for Gateway Reviews are determined by the (elected) Government on advice from the Department of Finance.
Why mandated: Public assets (taxpayer funds) and Government credibility are at stake.

Risk management methods for projects are not prescribed. Management of risk within the project will be subject to critical scrutiny, probably by people experienced in PRINCE2 or PMBOK. There may be an expectation that risk management (among other aspects of project management) will be subject to independent expert validation. Independent validation may be at portfolio or programme level, rather than separate for each project.

Requirements for Gateway Review are assessed partly on the basis of a Risk Potential Assessment Tool. This sort of tool is an example of risk scoring and case streaming to trigger different levels of control and governance for different projects. It is not itself a risk assessment method for use within projects or programmes. The Tool does not identify or treat specific risks within or from the proposed project, but ideally it would draw on a real risk assessment generated within the project.

For any Australian Government agency, I also recommend a discrete risk management process for:

  • Each project, programme, and the agency project portfolio (or change portfolio). The scoping and approach should have regard to the Perspectives defined in M_o_R (and hence PRINCE2), or a similar model. (A future article will talk about the Perspectives defined in Chapter 6 of M_o_R.)
  • Each procurement and contract. During the formation stages, procurement and contract risk management can be approached in about the same way as project risk management. During the life of an asset or contract, the risk management is part of risk management for ‘business as usual’.
  • Business continuity. I recommend use of a specialised approach to business continuity risk assessment. The aim is to commit to necessary business continuity preparations with a minimum of delay. The risk-based decisions to be made are relatively simple, and they must be made immediately if there is no continuity plan ready for immediate activation in an incident. Providing government services without a working business continuity plan in place is like making your clients come to a building without a fire escape. There is little time for agonising and arguing. A business continuity risk need not be much concerned with hazards and scenario likelihoods. It is more important to establish a target recovery time for each service, and to address a simple list of potential disruption scenarios. Each of those scenarios (e.g. loss of a specific building) could have an unlimited number of causes. The specific causes make no difference to the necessary recovery preparations. Preparation measures (risk treatments) follow directly from the target recovery times. The magic words are ‘Business Impact Analysis’.
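The scenario-based approach in the last bullet can be made concrete. The following is an added illustration, not code from this post: it models services with target recovery times, expresses disruption scenarios as the loss of a resource (so that the cause is irrelevant), and derives the recovery deadline for each scenario and the preparation target for each resource. The services, recovery times and scenarios are constructed sample data for a hypothetical agency.

```python
"""Business impact analysis (BIA) sketch for business-continuity risk.

Added illustration; not code from the post. All services, target recovery
times and scenarios below are constructed sample data (hypothetical agency).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    rto_hours: int  # target recovery time for this service
    depends_on: frozenset = field(default_factory=frozenset)  # resources it needs


@dataclass(frozen=True)
class Scenario:
    name: str
    lost_resources: frozenset  # what the scenario takes away, whatever the cause


# Constructed sample inventory (hypothetical).
SERVICES = [
    Service("Payments", 4, frozenset({"datacentre-A", "payments-app"})),
    Service("Call centre", 8, frozenset({"building-1", "telephony"})),
    Service("Records search", 48, frozenset({"datacentre-A"})),
    Service("Annual report", 720, frozenset({"building-1"})),
]

# Scenarios are stated as the loss of a resource, not as a cause:
# "Loss of building-1" covers fire, flood, power failure and anything else.
SCENARIOS = [
    Scenario("Loss of building-1", frozenset({"building-1"})),
    Scenario("Loss of datacentre-A", frozenset({"datacentre-A"})),
    Scenario("Telephony outage", frozenset({"telephony"})),
]


def affected_services(scenario, services=SERVICES):
    """Services that stop when the scenario's resources are lost."""
    return [s for s in services if s.depends_on & scenario.lost_resources]


def required_recovery_hours(scenario, services=SERVICES):
    """Recovery deadline for a scenario: the tightest RTO among the services
    it affects, or None if it affects nothing."""
    hit = affected_services(scenario, services)
    return min(s.rto_hours for s in hit) if hit else None


def recovery_order(scenario, services=SERVICES):
    """Order in which affected services should be restored (tightest RTO first)."""
    hit = sorted(affected_services(scenario, services), key=lambda s: s.rto_hours)
    return [s.name for s in hit]


def resource_recovery_targets(services=SERVICES):
    """Preparation target per resource: it must be restorable within the
    tightest RTO of any service that depends on it. This is the list of
    risk treatments that follows directly from the target recovery times."""
    targets = {}
    for s in services:
        for r in s.depends_on:
            targets[r] = min(targets.get(r, s.rto_hours), s.rto_hours)
    return targets


if __name__ == "__main__":
    for sc in SCENARIOS:
        print(f"{sc.name}: recover within {required_recovery_hours(sc)} h, "
              f"restoring {recovery_order(sc)}")
    for r, h in sorted(resource_recovery_targets().items()):
        print(f"  prepare {r} to be restorable within {h} h")
```

The point of the structure is that adding a new cause (say, a contractor accidentally cutting a fibre) changes nothing: it is already covered by the existing ‘Loss of datacentre-A’ scenario, and the preparation target for that resource stays the same.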

But that’s not the main thing

The preceding list of narrowly defined risk management applications ignores the primary objectives and activities of the agency—the most important subject for risk management. The Commonwealth Risk Management Policy and responsible management each require that the risks to and from the agency’s main business are also understood and acted upon.

The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

There is particular regard to wider community and Government interests as well as those of the ‘enterprise’ (agency) itself. Sensibly enough, the Commonwealth Risk Management Policy avoids diluting the message in jargon and buzzwords, such as ‘implement enterprise risk management’, which so often imply the priority of methods and systems over effectiveness.

Achieving all of that will probably require more than a single high-level ‘agency risk assessment’, or even Division and regional risk assessments.

