In 2014, for the first time, the APS Employee Census (employee census) sought a more detailed understanding of employee perceptions of risk management in their agency. Figure 3.1 shows employee perceptions of their supervisors' support for risk management. SES employees, perhaps due to greater visibility of the way risk is managed within the agency, were more positive about the management of risks. EL and APS 1–6 employees were less positive. The gap in how employees perceive risk is lower when the focus is on risks within a workgroup. It may be that agencies will need to make more effort to communicate agency level approaches to risk.
Figure 3.1. Employee perceptions of risk-management behaviours—supervisors, 2014
Source: Employee census
Figure 3.2 shows employee perceptions of their senior leaders' risk-management behaviour. Again, SES employees were substantially more positive than EL or APS 1–6 employees.
Figure 3.2. Employee perceptions of risk-management behaviours—senior leaders, 2014
Source: Employee census
Figure 3.3 shows employee perceptions of how their agency manages business risks in general. The trend in perceptions is similar to that outlined in figures 3.1 and 3.2.
Figure 3.3. Employee perceptions of agency risk-management processes, 2014
Source: Employee census
Figure 3.4 shows employee perceptions of how risk is managed in the immediate workgroup and whether employees know where to access policies related to risk. Overall, there was a strong positive response from all classifications on knowing where to access information on risk management. In terms of knowing who to talk to about business risks that impact on the workgroup, APS 1–6 employees were less likely to agree than either EL or SES employees. EL employees, in turn, were less likely to agree than SES employees.
When looking at how employees in the work area respond to risk, EL employees were less positive than SES, although comparable to APS 1–6 employees.
Figure 3.4. Employee perceptions of risk-management behaviours—work area, 2014
Source: Employee census
Overall, SES employees were consistently more positive regarding risk-management processes in their agency than were EL or APS 1–6 employees. Conversely, APS 1–6 employees were generally the least positive on how risk is managed within their agencies and workgroups.
Developing a positive risk culture
The APS Values require a commitment to service and accountability. The Australian Public Service Commissioner's Directions 2013, clauses 1.2(h) and 1.5(c), determines the scope or application of the APS Values. This requires APS employees to have regard to their duties and responsibilities, identify and manage areas of potential risk and demonstrate that their actions and decisions reflect appropriate consideration.
The APS Values underpin the CRMP which defines a positive risk culture as one that ‘promotes an open and proactive approach to managing risk that considers both threat and opportunity.’[18] Agency risk-management frameworks are important in this regard but they rely on managers being held to account for their effective implementation. In a capability maturity sense, risk-mature agencies have a culture of openness, awareness and sensitivity to organisational risks and awareness of responsibilities to stakeholders and the public. In these agencies, proactive risk management is systematically incorporated into strategic planning processes and championed by senior executives such that it is an instinctive aspect of agency culture at all levels.
Culture as a barrier to effective risk management
When asked to identify the barriers to improving risk management in their agency, the majority of agencies reported barriers related to organisational culture and workforce capability. This reinforces the findings from ANAO reports[19] highlighting that improving risk management is not simply a matter of adding additional checks and balances in existing processes. Rather it involves:
- sustainable change that must take place in the way leaders and managers focus on risk
- the workforce being aware of and capable of managing risk
- the culture of the agency being positively disposed toward sharing the information that is essential to actively identifying and managing risk.
In response to the APS risk management survey, one agency expressed it this way:
The major barriers to improving risk management are the capacity and incentive of personnel to manage risks at all levels, technology and cultural barriers to sharing information of risks and controls, and developing the practical skills of leaders to move beyond risk as a compliance activity and embed it as a core element of basic management and leadership.
Other barriers agencies identified to effective risk management included:
- not elevating risk to the appropriate level
- ensuring risk was managed at the appropriate level
- the sense that employees were unable to raise risks without adverse consequences.
These comments suggest that the APS, generally speaking, has a compliance-oriented and bureaucratic approach to managing risk that is a potential barrier to improving risk-management performance. One agency observed that:
Historically, there has been a fundamentally ‘risk averse’ culture evident in the Department, which in part is a reflection of the broader APS culture in this area. Risk management is seen as compliance, ‘tick the boxes’ exercise and an ‘add on’ to real work rather than seeing active management of risk as a critical part of the day to day way we manage our core business.
The case study on the National Blood Authority (NBA) outlines an approach to addressing cultural barriers to risk management through employee engagement. The NBA adopted an approach to improving the quality of risk management that was driven by the senior leadership but owned by all employees.
Independent assessment of the implementation and internal feedback from employees suggest that one outcome of this approach is a workforce that is both more knowledgeable about the nature of business risks and more collaborative in addressing them.
National Blood Authority: Risk management
The National Blood Authority (NBA) manages the risks associated with the delivery of a secure, safe and sustainable blood supply for Australia. It is responsible for managing an administered budget in excess of $1 billion within a complex stakeholder environment.
The NBA's risk-management framework emphasises:
- commitment of senior leadership
- a process that optimises employee involvement and ownership
- the creation of a positive organisational culture
- improvements in risk-management accountability and governance—in relation to decision-making and outcomes.
The NBA's approach emphasises the importance of identifying, analysing and treating enterprise risks at the appropriate management level. This is complemented by project and contract-specific risk assessments. At the core of the approach is a risk register used by employees on an ongoing basis to record identified risks and resulting actions. Risks beyond the scope of the level of the organisation at which they were identified are elevated to the next level for assessment. The organisation undertakes a three-phase annual review of risks, led by the General Manager, to reinforce the approach.
Reviews, both internal and independent, of NBA's risk-management framework have demonstrated the effectiveness of the approach and the importance of engaging employees at all levels across the organisation.
Embedding risk management into business processes
Maturity models used to assess risk identify risk-mature organisations as those in which the risk-management framework is defined and integrated with agency operations. Risk management is therefore part of the agency's business planning, budgeting and reporting processes. Similarly, CRMP encourages agencies to embed systematic risk into business processes. The objective of effective risk management is to improve organisational performance by:
Considering risk is an integral element of the overall management capability of an entity and must include, and not be limited to, each of the following: strategic planning; the establishment of governance arrangements; policy development; programme delivery and decision making.[20]
The case study on the Department of Agriculture (Agriculture) shows a commitment over time to embedding risk management into business processes. Agriculture's approach addresses the barriers to risk identified earlier and demonstrates how these have been incorporated into business processes to improve performance. Agriculture identified four benefits of a more mature approach to risk management: increased visibility of risks; improved financial outcomes; increased workforce capability in managing risk; and the ability to share knowledge on better risk management across the APS.
Department of Agriculture: Enterprise-wide risk management
The Department of Agriculture (Agriculture) won the Enterprise-wide risk management category at the 2012 Comcover Awards for Excellence, after being highly commended in 2011 and receiving an honourable mention in 2010.
In 2009, Agriculture set out to revitalise its risk-management framework. The goal was to create a more agile, effective, adaptive and resilient department. The strategic approach was to enshrine risk management in all aspects of work, in particular the idea that risk is everyone's business. It signalled a shift in Agriculture's risk policy from a process-driven, descriptive approach to an accountability-based approach for managing risks.
The identification of strategic priorities and risks is now a key part of the department's annual business-planning cycle. Strategic priorities and risks are communicated as business planning begins. This process better aligns divisions with the department's strategic goals and more clearly defines business objectives and deliverables. Through the development of low-cost technology, business planning, risk assessment and reporting are combined in one system, known as ‘e-plan’. The e-plan allows the Executive to quickly be informed of risk hotspots across the department and the sources of risks. Risk training is promoted as an e-module and forms part of the new starter induction package.
Agriculture's risk assessment process is designed to identify: contexts for internal and external risk management; risks in each division's strategic and operational contexts; treatments and strategies to implement business plans and opportunities, and balance these against risks.
The risk assessment process includes regular review of the risk profile by the Secretary and Executive Management Committee. The department seeks to: re-allocate resources for high-priority risk areas; respond quickly to external pressures; and communicate and consult with stakeholders on emerging risks.
Over time, Agriculture has matured in the way it manages risk. The benefits of this have been realised in these areas:
Greater visibility of risks. Strategic and operational risks are linked through a top-down, bottom-up approach to make high and medium risks in the department more visible. Strategic risks are also better aligned with the business planning cycle and shape Agriculture's key objectives and deliverables.
Financial benefits. The department's increasing risk maturity is resulting in many benefits. For example, the number of insurance claims fell by around half during the past four years, from around 80 in 2008–09 to around 40 in 2011–12. Meanwhile, its benchmarking discount rose dramatically during the same period from around $40,000 in 2008–09 to around $245,000 in 2011–12.
Increased capability. Training has dramatically improved the quality of risk assessments and knowledge across the department. In the past, officers were not accurately describing their risk statements, but now they more consistently set them out as source/risk/impact. Risk levels are also more uniformly described for the particular risk identified. The introduction of an e-learning module has reduced the demands for in-person training by the risk team. The e-learning training has also reduced the pressures on the risk team, allowing members to focus more on strategic priorities and risk across the department.
Shared learning across the APS. In 2012–13, 17 agencies visited the department to review its approach to enterprise-wide risk management and the tools and methods Agriculture has developed. The risk team also receives requests for risk workshops from across Australia. In this way the department shares its experience with other agencies allowing others to learn the lessons of implementation and management.
[18] Department of Finance, 2014, Commonwealth Risk Management Policy—Public Governance, Performance and Accountability, Department of Finance, Commonwealth of Australia, Canberra, p. 15, viewed 18 September 2014, http://www.finance.gov.au/comcover/risk-management.
[19] Australian National Audit Office 2011, Home Insulation Program, audit report no. 12 2010–11, Commonwealth of Australia, Canberra; Australian National Audit Office 2011, Medicare Compliance Audits, audit report no. 26 2013–14, Commonwealth of Australia, Canberra.
[20] Department of Finance, 2014, Commonwealth Risk Management Policy—Public Governance, Performance and Accountability, Department of Finance, Commonwealth of Australia, Canberra, p. 14, viewed 18 September 2014, http://www.finance.gov.au/comcover/risk-management.