The modern understanding of risk management has its origins in the insurance industry. Following World War II, the industry focused management attention on more rigorous efforts to reduce accidents and damage to equipment along with workers' compensation and third-party liability. As Russell Gallagher noted in a seminal article on risk management in 1956 [1]:
From catastrophic accidents involving executive personnel to little losses of pilferage and breakage, from obvious hazards of damaged machinery to hidden dangers of impaired good will, there is a wide and complicated range of problems calling for specialized analysis and for executive action.
Broadly, risk management is the culture, processes and structures directed towards realising potential opportunities while managing adverse effects.[2] The Australian Public Service (APS) manages risk and delivers long-term results for citizens while being responsive to the government of the day. Public servants are required to be proactive and forward thinking when developing policy advice, delivering services and managing the workforce. Consequently, risk management is an essential public service skill that is practised daily. Ahead of the Game: Blueprint for the Reform of Australian Government Administration highlighted that the practice of risk management in the APS has, at times, become reactive, short term and process focused.[3]
The consequences of poor risk management can affect safety, as well as incur financial, administrative and/or reputational costs. Organisationally, remediating poor risk management is often expensive, complex, disruptive and lengthy. The Royal Commission into the Home Insulation Program (HIP) was established in December 2013 following claims that the deaths of four people may have arisen from programme implementation. The Royal Commission found that the identification and management of risks under HIP was seriously deficient.[4] The Royal Commission followed other inquiries by a Senate Committee, the Australian National Audit Office (ANAO) and by Dr Allan Hawke.[5]
The recently released Commonwealth Risk Management Policy (CRMP) [6] supports the Public Governance, Performance and Accountability Act 2013 (PGPA Act) framework, and requires the accountable authority of an Australian Government entity to establish and maintain appropriate systems and internal controls for the oversight and management of risk. The CRMP applies to all non-corporate Government entities and provides guidance to agencies on the establishment of appropriate risk-management frameworks to achieve compliance under the PGPA Act. Implementation of the CRMP is central to improving the quality of risk management across the APS.
This chapter reports on the state of risk-management capability in the APS, focusing on CRMP implementation. It assesses the elements of APS culture and practice that are necessary to improve risk-management capability.
The Commonwealth Risk Management Policy
The PGPA Act establishes the requirement for all Australian Government agencies to formalise how they manage risk. Its key objectives are to improve the quality of planning, performance information and evaluation within government, to improve accountability to Ministers, the parliament and the public, and to ensure internal processes are more streamlined, risk based and better focused.[7]
The CRMP supports the PGPA Act framework by setting out the expectations for Australian Government agencies managing risk. It clarifies what is needed for agencies to implement their own effective risk framework. In particular, it requires agencies to define: agency tolerance for risk (including for government and community); agency ownership of risk; and agency engagement with risks for which it cannot take full responsibility.
Effective from 1 July 2014, all non-corporate Australian Government entities must comply with the CRMP, which supports the requirements of Section 16 of the PGPA Act. The CRMP sets out nine elements which non-corporate Australian Government entities must comply with to establish appropriate levels of risk oversight:
- establishing a risk-management policy
- establishing a risk-management framework
- defining responsibility for managing risk
- embedding systematic risk management into business processes
- developing a positive risk culture
- communicating risk
- understanding and managing shared risk
- maintaining risk-management capability
- reviewing and continuously improving the management of risk.
The CRMP provides a focus for consistently improving maintenance of appropriate systems and internal controls for the oversight and management of risk across the APS.
1 Gallagher, R 1956, ‘Risk Management: A new phase of cost control’, Harvard Business Review, vol. 34, no. 5, pp. 75–86.
2 Standards Australia 2009, AS/NZS ISO 3100:2009 Risk Management—Principles and Guidelines, SAI Global, Sydney, viewed 18 September 2014.
3 Advisory Group on Reform of Australian Government Administration 2010, Ahead of the Game: Blueprint for the Reform of Australian Government Administration, Commonwealth of Australia, Canberra.
4 Hanger, I 2014, Report of the Royal Commission into the Home Insulation Program, Commonwealth of Australia, Canberra, pp. 308, 321.
5 Hanger, I 2014, Report of the Royal Commission into the Home Insulation Program, Commonwealth of Australia, Canberra, p. 15.
6 Department of Finance 2014, Commonwealth Risk Management Policy, Commonwealth of Australia, Canberra, viewed 21 October 2014, http://www.finance.gov.au/comcover/risk-management.