In relation to the maintenance of appropriate systems and internal controls for the oversight and management of risk, the 2011 ANAO report on the HIP made this observation about risk management13:
The potential consequences of residual risks, where significant, should be clearly communicated to, and understood by, key stakeholders, such as Ministers and central agencies, so that treatments reflect the Government's risk appetite. … In an uncertain environment, the assessment of a program's risk profile often changes during further development of a policy proposal and its implementation.
The issue identified here relates to the way in which risk is communicated to key stakeholders, in particular the need to identify the way risk profiles may shift with changing circumstances and the need to communicate these changes through programme or project implementation. The report of the Royal Commission into HIP made similar comments about the need to continually reassess risk. It also emphasised the importance of clear communication with Ministers, including in respect of risk.14
Broadly, there are two audiences for communicating risk—internal and external. Internally, risk conversations are necessary to inform good management. Externally, risk conversations with stakeholders are necessary to ensure risk is managed in accordance with the risk appetite of those stakeholders.
Internal risk conversations are about ensuring risk is part of the consideration of issues and part of normal routine. It should not be an exception. Processes such as programme and project planning, corporate planning, policy development and implementation planning all provide valuable opportunities to test and record an agency's appetite for risk, and the key risks relevant to activities and projects. Programme and project implementation plans, along with corporate planning processes, need to pay explicit regard to risk identification and assessment, and ensure planning processes routinely produce good quality risk outputs.
External risk conversations involve setting a risk appetite for the agency and testing that with the authorising environment. In particular, it involves establishing and maintaining appropriate risk frameworks and systems to ensure risks are communicated to the responsible Minister and other stakeholders.
13 Australian National Audit Office 2011, Home Insulation Program, audit report no. 12 2010–11, Commonwealth of Australia, Canberra, p. 175.
14 Hanger, I 2014, Report of the Royal Commission into the Home Insulation Program, Commonwealth of Australia, Canberra, p. 311.