Risk management is mandated for certain themes and activities.
It is usual, helpful, and even mandatory, to have a risk management process for some risk themes. These thematic risk management processes are important regardless of any desire to integrate or standardise risk management across the agency. They have real work to do.
This list is meant to identify risk assessment processes mandated for each Australian Government agency. The list is not complete. Please comment with suggestions for further themes with mandatory risk management.
Why mandated: All information is held on behalf of the whole of the Australian public. In many cases, the ‘customer’ did not choose to provide the information, but was compelled to do so, either by law or to obtain a government entitlement. In other cases, national interests require information secrecy.
Loss of confidence in the security of any one agency reduces confidence across the whole of the Government.
There are relatively busy interconnections and flows between agencies, consistent with privacy legislation.
- The Information Security Manual [ISM] June 2020 frequently refers to risk and directly addresses risk in Govern principles G4 and G5 [page 6].
- Security Control 1526 requires that ‘System owners monitor security risks and the effectiveness of security controls for each system’ [page 8].
- The ISM has a paragraph on international standards for information security and risk [page 2]. Between the ISM and PSPF, there is no prescribed way of managing security risk that might differ from the methods of ERM. Neither is there a statement that security risk and enterprise risk must be mapped in the same way, nor that all risks be listed in the same risk register.
- Some electronic security risk treatments are themselves mandatory. In theory, the mandated measures are results of electronic security risk assessment for the government as a whole.
Mandate: Protective Security Policy Framework [PSPF] Mandatory Requirements GOVSEC‑1 and GOVSEC‑3.
Why mandated: Mandated as for electronic information. Public assets are involved. Government people and property are assets of special significance.
- The 2020 Protective Security Policy Framework [PSPF] at GOVSEC‑1 ‘Role of accountable authority’ includes a requirement for the ‘accountable authority’ [CEO or board] to:
  - ‘determine their entity’s tolerance for security risks
  - manage the security risks of their entity, and
  - consider the implications their risk management decisions have for other entities, and share information on risks where appropriate.’
- The guidelines reference ISO 31000, HB 167, and the Commonwealth Risk Management Policy and GOVSEC‑3 Security planning and risk management.
- Guidance for GOVSEC‑3 (Annex A) defines a ‘risk management process’, and recommends a single risk management process for all security risks. At the same time, it recommends elements within that risk management process that are specific to security, such as assets, threats, vulnerabilities. Those extra elements are established and useful within security risk management. For all of these reasons, Australian Government organisations usually have a security risk management process that works independently of any attempts at ‘enterprise’ risk management. In practice, it is common for Australian Government electronic information security to be managed in a process separate from the process for other protective security, drawing on separate histories and standards such as ISO 27005 and NIST SP 800‑30.
Mandate: Section 10 of the Public Governance Performance and Accountability Rule 2014
Why mandated: It is generally public assets at risk from fraud.
Where agency activity exposes a citizen to third-party fraud risk, the agency has a very clear obligation to manage the fraud risk to the citizen.
- The key words are: …a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by…conducting fraud risk assessments…and developing and implementing a fraud control plan that deals with identified risks…
- The 2017 Commonwealth Fraud Control Policy Guidance (Resource Management Guide No. 201), Part 5 prescribes fraud risk assessment at least every two years (27‑28), and states that:
  - Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances.
  - It is important to avoid looking at fraud in isolation from the general business of the entity.
- While the Clear Lines advocate a special-purpose risk assessment for fraud, there is no specific conflict with the official guidance, as the thematic fraud risk assessment should recognise the specific business of the entity.
Mandate: Privacy (Australian Government Agencies—Governance) APP Code 2017, issued by the Australian Information Commissioner.
Why mandated: Agencies must limit the privacy risks falling on the individuals and other entities required to disclose sensitive information to the government. Explicit privacy risk management is required within a mandated Privacy Impact Assessment.
- ‘APP’ refers to the Australian Privacy Principles. The Code is supported by a Guide to undertaking privacy impact assessments. Privacy impact assessments are about compliance with privacy legislation as well as about real-world risk.
Workplace health and safety
Why mandated: The Act applies to all organisations in Australia, not just Government agencies.
- The Workplace Health and Safety Act 2011 talks about identifying and reducing risks, not ‘risk assessment’ or ‘risk management’. However, it does demand that responsible officers understand and control the health and safety risks of the business, equivalent to a demand for health and safety risk management. The absence of an effective and demonstrated risk management process for WHS is likely to be taken as an indication of failure to protect safety as required by the Act. Some guidelines are published by Comcare and by Safe Work Australia. The recommendations are not the same as common recommendations for business-related risks.
Projects subject to Gateway Reviews
Why mandated: Public assets (taxpayer funds) and Government credibility are at stake.
- Risk management methods for projects are not prescribed. Management of risk within the project will be subject to critical scrutiny, probably by people experienced in PRINCE2 or PMBOK. There may be an expectation that risk management (among other aspects of project management) will be subject to independent expert validation. Independent validation may be at portfolio or programme level, rather than for a single project.
- Requirements for Gateway Review are assessed partly on the basis of a Risk Potential Assessment Tool. This sort of tool is an example of ‘risk scoring’ and ‘case streaming’ to trigger different levels of control and governance for different projects. It is not itself a risk assessment method for use within projects or programmes. The Tool does not identify or treat specific risks within or from the proposed project, but ideally it would draw on a real risk assessment generated within the project.
Recommended non-mandatory risk management processes for projects, procurements, and business continuity
For any Australian Government agency, the Clear Lines also recommend a discrete risk management process for:
- Each project, programme, and the agency project portfolio (or change portfolio). The scoping and approach should have regard to the Perspectives defined in Chapter 6 of M_o_R, and hence in PRINCE2.
- Each procurement and contract. During the formation stages, procurement and contract risk management can be approached in the same way as project risk management. The same can be done at the end of a contract, or at review points. During the working life of an asset or contract, asset and contract operation are part of risk management for ‘business as usual’.
- Business continuity. The Clear Lines recommend a specialised approach to business continuity risk assessment. The aim of such an assessment is to commit to necessary business continuity preparations with a minimum of delay, without investing too much. The risk-based decisions to be made are relatively simple, and they must be made immediately if there is no continuity plan ready for immediate activation in an incident. There is little time for agonising and arguing. A business continuity risk assessment need not be much concerned with hazards and scenario likelihoods. It is more important to establish a target recovery time for each service, and to address a simple list of the potential disruption scenarios (e.g. loss of a specific building or data centre). Each of those scenarios could have an unlimited number of causes, with unknown likelihoods. The specific causes make no difference to the necessary recovery preparations. All you need to know is which scenarios have enough overall likelihood to demand a continuity plan. The continuity plans and preparation measures (risk treatments) follow directly from the target recovery times for each service. The magic words are ‘Business Impact Analysis’. A Business Impact Analysis (BIA) is not a risk assessment, as it pays almost no attention to likelihoods. The BIA simply assumes that services will be disrupted, and focuses on the recovery time.