Capability Reviews assess the risk-management capability of agencies in the context of how organisational performance is managed. In particular, they ask if an agency has high-quality, timely and well-understood performance information, supported by analytical capability, that allows it to track and manage risk across its delivery system.
An agency's approach to risk management is also considered more broadly, specifically in terms of managing strategic, enterprise-wide risk. Indeed, the Capability Review programme was established partly because the public service had experienced significant failures in delivery resulting from problems in risk management at multiple points across organisational systems.15
Capability Reviews have brought a fresh perspective on risk management in the public service, reflecting the contributions of private sector managers in senior review teams and extensive consultation with external stakeholders, who often comment on the overall risk averse approach of agencies. In summary, the Capability Reviews conducted to date have shown that agencies have been moving to address risk through frameworks, systems and instructions such that some agencies now have well developed systems for operational risk management.
The Department of the Treasury, for example, has:
… a sound risk management framework and processes at the departmental, group and divisional levels. The Executive Board considers and updates the departmental risks, group specific risks and work health and safety risks at least twice a year.16
The Australian Taxation Office uses a risk assessment approach for mapping stakeholders based on size and their likely compliance with tax legislation. Similarly, the Department of Immigration and Border Protection has identified enterprise wide risks and implemented a new risk-management framework that provides consistency in managing risk.
Despite these examples, risk management remains a developmental area for the majority of agencies, most notably in terms of managing strategic, whole-of-agency risks as opposed to project-specific or operational risks. Capability Reviews have also identified that in some departments routine decision making has been elevated to senior executives resulting in disempowerment and reduced development opportunities for middle management. Although sometimes justified as a risk-mitigation strategy, this approach is a risk in and of itself that could lead to the inadequate development of middle managers and produce the opposite result to that initially intended. Capability Reviews have found that many agencies have a risk-averse culture and need consistent leadership in support of setting appropriate levels of appetite for risk.
Agency Capability Reviews led 11 agencies to take action to lift risk-management capability. Post review actions by agencies range from implementing risk-management policies, plans, processes, frameworks and reporting procedures to developing and adopting risk tolerance and risk appetite statements. Multiple agencies have also focused on reviewing risk frameworks to enable greater levels of innovation.
APS Risk Management Survey
In May 2014, the Commission administered a short survey of agencies to generate a consistent high-level picture of risk-management practice across the APS against the core elements of the CRMP. The survey focused on the nature of risks faced by APS agencies, the way in which risk is managed and the level at which it is managed. The main findings from the 79 agencies that completed the survey were:17
- 23% of agencies reported they did not have a documented formal risk appetite statement;
26% were developing a statement; and 49% had published risk appetite statements.
- 7% of agencies did not have an agency-wide risk-management plan; and 23% did not have local risk-management plans (these were predominantly smaller agencies).
- 35% of agencies annually reviewed agency risks; 6% reviewed their risks less frequently;
13% of agencies used a variable schedule for assessing their risks; 34% of agencies reviewed their risks more frequently—in one case as frequently as weekly.
- 34% of agencies reviewed local risk-management plans annually; 25% reviewed them more frequently; 10% used a variable scheduled for reviewing these plans; 1% of agencies reviewed local plans less frequently than annually.
- 59% of agencies standardised their local risk-management plans and predominantly managed them at Executive Level (EL) or SES Band 1 level.
- 53% of agencies used a ‘pre-treatment’ view of strategic risk to drive organisational resource allocation.
- 16% of agencies did not include risk-management considerations in their agency's resource allocation.
- 43% of agencies included risk management as a component of formal individual performance assessments.
- 23% of agencies had not identified barriers to improving risk-management capability.
These findings indicate that a considerable body of work is needed by some agencies before they meet the requirements of the CRMP. These elements are focused on the extent to which agencies have the appropriate business processes in place to effectively manage risk.
15 Australian National Audit Office 2010, Green Loans Program, performance audit report no. 9 2010–11, Commonwealth of Australia, Canberra; Australian National Audit Office 2010, Home Insulation Program, performance audit report no. 12 2010–11, Commonwealth of Australia, Canberra.
16 Australian Public Service Commission 2013, Capability Review: The Treasury, Commonwealth of Australia, Canberra, viewed 18 September 2014, http://www.apsc.gov.au/publications-and-media/current-publications/tsy.
17 Not all agencies provided a response to every question so percentages do not total 100.