The Commonwealth Risk Management Policy is silent on the subject of de-centralised risk management processes within an agency.
Life would be very difficult if the Policy required a single integrated process, as a number of other directives mandate risk management for particular purposes. Those directives recommend specific process details that do not apply to other risk themes.
Risk management is mandated for certain themes and activities.
It is usual, helpful, and even mandatory, to have a risk management process for some risk themes, regardless of any desire to integrate or standardise risk management across the agency. If the enterprise-wide risk management arrangements are not suitable, there can be a separate risk process when one is mandated.
This list is meant to identify common cases of risk assessment mandated for each Australian Government agency. I have also heard of mandated privacy risk assessments, and there are probably many others that I’ve missed. Please comment with suggestions for further rows in this table.
Risk theme: Electronic security
Mandate: Australian Government Information Security Manual [ISM]
All information is held on behalf of the whole of the Australian public. In many cases, the ‘customer’ did not choose to provide the information. In other cases, national interests require information secrecy.
Loss of confidence in the security of any one agency reduces confidence across the whole of the Government.
There are relatively busy interconnections and flows between agencies, consistent with privacy legislation.
The Information Security Manual [ISM] February 2019 frequently refers to risk management, encouraging organisations to ‘consider security risks discussed in this document and apply security controls where appropriate within a risk management framework in accordance with their business requirements and threat environment’. [Page 7 of the consolidated PDF download].
Security Control 1526 requires that ‘System owners monitor security risks and the effectiveness of security controls for each system’ [ibid, page 9].
Some electronic security risk treatments are themselves mandatory. In theory, the mandated measures are results of electronic security risk assessment for the government as a whole.
Risk theme: Protective security
Mandate: Protective Security Policy Framework [PSPF] Mandatory Requirements GOVSEC‑01 and GOVSEC‑03
As for electronic information.
Public assets are involved. Government people and property are targets of special significance.
The 2018 Protective Security Policy Framework [PSPF] at GOVSEC‑01 ‘Role of accountable authority’ includes a requirement for the ‘accountable authority’ [CEO] to manage security risks, to meet specific expectations for the protection of public assets and of the national interest. The guidelines reference the Commonwealth Risk Management Policy and GOVSEC‑03 Security planning and risk management.
The official guidance for GOVSEC‑03 defines a ‘risk management process’, and recommends a single risk management process for all security risks [C.1 3b and C.2 12]. At the same time, it recommends elements within that risk management process that are specific to security, such as assets, threats and vulnerabilities [C.2.3 20]. Those extra elements are established and useful within security risk management. For all of these reasons, Australian Government organisations usually have a security risk management process that works independently of any attempts at ‘enterprise’ risk management. In practice, it is common for Australian Government electronic information security to be managed in a process separate from the process for other protective security, drawing on separate histories and standards such as ISO 27005 and NIST SP 800‑30.
Risk theme: Fraud
Mandate: Rule 10 under the Public Governance, Performance and Accountability Act 2013
It is generally public assets at risk from fraud. Where there is potential for fraud against a citizen (say) via an agency activity, the agency has a very clear obligation to manage the fraud risk to the citizen.
The key words are:
‘…a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by…conducting fraud risk assessments…and developing and implementing a fraud control plan that deals with identified risks.’
The 2017 Commonwealth Fraud Control Policy Guidance in Resource Management Guide 201, Part 5 prescribes fraud risk assessment at least every two years [paras 27–28, pages C9–C10], and states that:
Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances [para 28]
It is important to avoid looking at fraud in isolation from the general business of the entity [para 31].
While the Clear Lines advocate a special-purpose risk assessment for fraud, there is no specific conflict with the official guidance, as the thematic fraud risk assessment should recognise the specific business of the entity.
Risk theme: Workplace Health and Safety
Mandate: Workplace Health and Safety Act 2011. The central Australian Government agency is Comcare.
The Act applies to all organisations in Australia, not just Government agencies.
The Act talks about identifying and reducing risks, not ‘risk assessment’ or ‘risk management’. However, it does demand that responsible officers understand and control the risks of the business, equivalent to a demand for risk management. The absence of an effective and demonstrated risk management process for WHS is likely to be taken as an indication of failure to protect safety as required by the Act.
Risk theme: Projects subject to Gateway Reviews
Mandate: Requirements for Gateway Reviews are determined by the (elected) Government on advice from the Department of Finance.
Public assets (taxpayer funds) and Government credibility are at stake.
Risk management methods for projects are not prescribed. Management of risk within the project will be subject to critical scrutiny, probably by people experienced in PRINCE2 or PMBOK. There may be an expectation that risk management (among other aspects of project management) will be subject to independent expert validation. Independent validation may be at portfolio or programme level, rather than separate for each project.
Requirements for Gateway Review are assessed partly on the basis of a Risk Potential Assessment Tool. This sort of tool is an example of risk scoring and case streaming to trigger different levels of control and governance for different projects. It is not itself a risk assessment method for use within projects or programmes. The Tool does not identify or treat specific risks within or from the proposed project, but ideally it would draw on a real risk assessment generated within the project.
For any Australian Government agency, I also recommend a discrete risk management process for:
But that’s not the main thing
The preceding list of narrowly defined risk management applications ignores the primary objectives and activities of the agency—the most important subject for risk management. The Commonwealth Risk Management Policy and responsible management each require that the risks to and from the agency’s main business are also understood and acted upon.
The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.
There is particular regard to wider community and Government interests as well as those of the ‘enterprise’ (agency) itself. Sensibly enough, the Commonwealth Risk Management Policy avoids diluting the message in jargon and buzzwords, such as ‘implement enterprise risk management’, which so often imply the priority of methods and systems over effectiveness.
Achieving all of that will probably require more than a single high level ‘agency risk assessment’, or even Division and regional risk assessments.