Risk management in the Australian Government

Risk management is rational for any human activity, even government. In the Australian Government, risk management is mandated by law as a general practice.

The legal prescriptions are sensible, not too prescriptive, and resemble the best global advice on the topic. However, risk management in the Australian Government has some unique features, not necessarily unique levels of success. Risk management in Government gains strength from the absence of profit and survival pressures, but also suffers the weaknesses said to be widespread in business risk management.

The Government and the Australian Public Service are notoriously ‘risk averse’, which has a specific meaning. That meaning is not the same as avoiding risk or minimising uncertainty.

The Australian Government stream within the Clear Lines is for Australian Government agencies, that is, with for Australian Public Service. It is not addressed to the elected Government in the Parliament, Cabinet and Ministry.

Depending on your role, you may also want to look at the articles What is risk management? (for everyone or for risk specialists).

Australian Government risk management is mandated by law and by the Commonwealth Risk Management Policy. The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management. Australian Government agencies have specific motivations to ‘manage risk’ Risk management is de-centralised between and within Australian Government agencies ‘Risk averse’ means sensitive to criticism, while numb to achievement Recommended reading

What to read first: What is risk management?

Australian Government Version 2.0 Beta

Australian Government risk management is mandated by law and by the Commonwealth Risk Management Policy.

The law is the Public Governance, Performance and Accountability Act 2013, Section 16. The Commonwealth Risk Management Policy has been adopted in support of Section 16 of the Act. The Policy is supported by an Implementation Guide.

There are other government-wide directives that mandate management of risk in particular themes, using particular concepts.

The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

The Commonwealth Risk Management Policy pays particular regard to wider community and Government interests, along with the interests of the ‘enterprise’ (agency) itself. Sensibly enough, the Commonwealth Risk Management Policy avoids diluting the message in jargon and buzzwords. It does not say ‘implement enterprise risk management’. Words like that too often imply the priority of methods and systems over effectiveness, and there has been too much of that already.

The Commonwealth Risk Management Policy demands more than a single high-level ‘agency risk assessment’, or even Divisional and regional risk assessments. Like other authorities on enterprise risk management, it doesn’t say whether risk management should be a single enterprise process or distributed throughout the enterprise, and doesn’t acknowledge the de-centralisation question at all.

Australian Government agencies have specific motivations to ‘manage risk’.

The real motivations for risk management in the Australian Government don’t match the aspirations of the Commonwealth Risk Management Policy.

Australian Government agencies have three main motivations for managing risk:

  1. To limit the frequency of embarrassing failures and incidents that would attract criticism.
  2. To meet explicit regulatory requirements that demand formal risk management on specific themes, such as security and fraud risks.
  3. To be seen to meet Government expectations that agencies will manage risk, because ‘risk management’ is a ‘good practice’.

The first motive, avoiding embarrassment, makes perfect sense. Potential incidents are rated on the level of embarrassment and criticism, not on the real-world effect on any objective that can be declared important. This interpretation of risk consequence is exactly the infamous ‘risk aversion’ in Australian Government agencies. The motive to avoid embarrassment and criticism, results in a lot of good risk-based decisions while blocking others. This kind of risk management does not always work through a recognisable risk management process.

The second motive, regulatory compliance, also make sense. It produces useful risk management within finite spaces. It tends to align with the motivation to minimise embarrassments, while also allowing for systematic and more-or-less rational decision-making. The risk management processes have a real purpose, so they are generally successful in achieving that purpose.

The third motive, ‘good practice’, generates a lot of useless busy-work that gets in the way of making decisions with awareness of uncertainties and their effects on any objectives. It is a force against the successful management of risk.

There are some big gaps between these three motivations. From the perspective of ISO 31000 and the Commonwealth Risk Management Policy, the most important motivations for risk management are missing. As a result, Australian Government agency risk management does not fill all the roles to which ‘risk management’ aspires.

The obvious missing motivation is to get better enterprise performance and outcomes. Performance and outcomes are themselves problematic in government. Government agencies generally don’t have numerical ’bottom lines’ or share prices, and alternative performance measures are easily disputed or ignored. In the end, performance and outcomes are generally understood qualitatively, subjectively, or even emotionally, without being spelled out in measures.

A further missing motivation is to get better outcomes for Australia. The short list of real-world motivations did not recognise the ‘risk’ considerations in development of policy and regulation, even though policy and regulation represent the most important risk-based management within government. Despite that, policy and regulation probably take uncertainty into account very well, just not as ‘part of risk management’.

Almost no-one in the Australian Public Service thinks of improving Australia with policy and regulation when they see ‘risk management’ on the agenda. That’s true despite the Commonwealth Risk Management Policy, which says clearly enough that ‘risk management’ must look outward to community and stakeholder interests—that is, to the achievement of Government objectives.
The Clear Lines emphasise the objectives within the ISO 31000 definition of risk as ‘the effect of uncertainty on objectives’. The Clear Lines identify objectives as performance outcomes, then identify the effects—risk consequences—as different levels of success and failure in achieving those objectives. To that extent, the Clear Lines fill the gap in ‘risk management’ as practiced within Australian Government agencies. The Clear Lines also give risk management busy-work the respect it deserves: none at all.

The Clear Lines follow with the Australian ISO guidelines on risk management, SA/SNZ HB 436:2013 Risk management guidelines – Companion to AS/NZS ISO 31000:2009, more or less. Australian Government agencies generally don’t. At the same time, Clear Lines recognise de-centralised risk management, which is common in Australian Government agencies. HB 436 doesn’t recognise de-centralised risk management. The Clear Lines also have a simple approach to risk appetites and tolerances, a topic left rather unclear by ISO 31000 and HB 436.

Risk management is de-centralised between and within Australian Government agencies.

Another feature of risk management in Australian Government agencies is that the risk management effort is distributed throughout each agency’s organisation structure. In each agency, there are many independent risk management processes, with separate risk registers. (Well, a lot of them are supposed to exist. Many are never actually developed to useful maturity, or even started.)

Divisions, Branches, and Sections within an agency’s hierarchy are each expected to maintain their own ‘risk assessment’, for instance supporting annual ‘business plans’. The same is true for Projects, Programmes, and Portfolios, where risk management is a respected core component of management. Beyond that, there are separate thematic risk assessments for topics like security, fraud, and safety, each developed for their own purposes, often using specialised approaches, with varying amounts of success.

Read about De-centralised risk management in the Australian Government, in depth

There are also separate agencies within the broader Australian Government managing a category of risk on behalf of the whole Government. For example, the Australian Signals Directorate assesses Government information security risks, and treats them through publishing the Australian Government Information Security Manual (the ISM). The ISM includes mandatory information security measures in the same way that any risk management process defines risk treatment measures. That element of risk management work replaces work that would otherwise be done less expertly inside each agency.

De-centralised risk management is not often explained in authoritative sources. The push is always toward a single enterprise view of risk, with a bias to centralisation or standardisation within each enterprise.

The Clear Lines make sense of de-centralised risk management, and show a way to integrate de-centralised risk processes for an enterprise view of risk. The Clear Lines support risk management by decision-makers, and decision-makers are properly decentralised through each agency. The Clear Lines do not support centralisation and standardisation of ‘risk management’, nor reliance on risk specialists.

‘Risk averse’ means sensitive to criticism, while numb to achievement.

The Australian Government and the Australian Public Service are notoriously ‘risk averse’. That is usually seen as unwillingness to try something new, even when the potential benefits are high. As risk managers know, avoiding change is not necessarily a low-risk strategy, especially when the world is changing.

All surprises are regarded as highly undesirable negative consequences, regardless of tangible effects. What matters is the subjective surprise and the justification for critical outrage, whether real or synthetic. Subjective surprise is particularly unwelcome when it arises from having finally decided to try something new.

This attitude matches directly the expressed interests of stakeholders, specifically the voting public as informed by news reporting. A similar attitude is shown by opposition members of parliament when grandstanding either in Question Time or in ‘Senate Estimates’. The opposition members tend to focus on even more trivial matters than news reporters. A favourite target is mis-use of credit cards by employees. Neither news reporters nor the opposition parties pay much attention to whether Government policies and public services are working well or badly for Australians on a large scale.

Risk specialists will know that ‘risk aversion’ driven in this way does not necessarily mean maximising the predictability of outcomes. Like other tax-raising governments, Australian Government actually takes on enormous risks, precisely when the risks are too big for anyone else in the country to handle. Possibly it takes on some big risks without quite knowing it, when undertaking major projects and when shifting policy quickly.

Evaluation of outcomes, good or bad, is a relatively unimportant activity in the higher levels of the Australian Government. It has been said of formal policy evaluations that they only ever make a difference when a politician uses an unfinished evaluation as an excuse for delaying a decision. That sort of story tells you quite a lot about the attitude to ‘risk’ as the effect of uncertainty on objectives. The objectives are not really very important at all. The version of ‘risk’ that matters is minimising the frequency and painfulness of surprises that will be seized up on by critics with an even shorter-term idea of what to get worked up about.

Policy development and even project management are sophisticated within the Australian Government, despite having equivocal reputations, but may not demonstrate the best of ‘risk management’ as described by ISO 31000.

The Clear Lines are not expert in this area, especially not on evaluation and strategic policy, having spent most of their years in day-to-day delivery of well-defined Government services. Please reply with references to more informed and authoritative views on these topics.

Recommended reading

If you find yourself required to act on the Commonwealth Risk Management Policy, but have insufficient understanding of risk management, the following authoritative resources will help close the gap as quickly as possible:

  • SA/NZS HB 436 Risk management guidelines – Companion to AS/NZS ISO 31000:2009. This is a comprehensive handbook for risk management in Australia, with ISO endorsement, and it quotes every word of ISO 31000:2009 itself, so you don’t need to buy ISO 31000:2009 separately. However, like ISO 31000:2009 (and its 2017 revision), the handbook gives little attention to risk appetite, which is a major focus of the Commonwealth Risk Management Policy.
  • COSO ERM – Understanding and Communicating Risk Appetite (2012), authors Larry Rittenberg and Frank Martens. This is a free online resource. It has much more to say about risk appetite than COSO ERM (2004) itself. But be warned that risk appetite is a confusing and controversial topic, and this single publication will not settle arguments. Like most sources on risk appetite, it is inconsistent even with itself.

Your official Australian Government source is Comcover, which is part of the Department of Finance. I have been to some good Comcover training courses, but I haven’t seen a specific Comcover document that combines definitive authority with the full scope of risk management.

This blog is written for an audience that includes people in your situation. In the blog I attempt to explain the basics in a fair way, with due regard to the established sources. Sometimes conventional and historical practice is in conflict with the authoritative sources. That difference appears to be the main source of confusion in risk management. The blog tends to focus on those areas. You need to bear in mind that the blog is not authoritative.

If you are a potential member of the Institute of Internal Auditors, I recommend that you enrol in the IIA’s CRMA program as early as possible. The CRMA program includes a good education in core risk management concepts, especially in ‘enterprise risk management’ (ERM), which is effectively required by the Commonwealth Risk Management Policy, without using the buzzwords. I cannot say the same for the ISACA CRISC program, which is also fine, but in a very different way.

Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

Everyone Version 1.0 Beta

Next article for Australian Government

De-centralised risk management in the Australian Government

The Commonwealth Risk Management Policy is silent on the subject of centralised or de-centralised risk management processes within an agency. But that’s not the main thing Division, Branch, Section risk management processes

Australian Government Version 2.1 Beta

Main article on What is Risk Management?

Leave a Reply

Your email address will not be published.

Comments are moderated from a sea of spam, so may not be published immediately. Email contact may get a quicker response.