Recent assessments of risk-management capability suggest this is an area in which the APS needs to improve. In the 2013 State of the Service Agency Survey (agency survey), 70% of APS agencies identified a need to improve their risk-management capability. Separately, the 2013 Comcover Risk Management Benchmarking Survey reported that three-quarters of agencies were below their desired level of risk-management capability.
More broadly, a number of reports by the ANAO identified instances where risk management within the APS could have been better handled.8 A key point that emerged from these reports is that while risks may have been appropriately assessed at the start of a project, often the project teams failed to keep the risks and controls up-to-date or recognise the implications of material changes in the risk environment that could affect success.
The Report of the Royal Commission into the Home Insulation Program called for steps to avoid failures in managing programme risk. The report stated that necessary steps include regular and ongoing engagement with risks so that risks are not simply named and dismissed; risk cannot be abrogated—if another party is identified as able to mitigate an identified risk it does not remove responsibility to manage that risk and ensure that others are doing the same; and that individuals need to be responsible for risk management.9
The following sections examine the practice of risk from five perspectives:
- the maturity of risk-management processes
- insights from the ANAO
- agency Capability Reviews
- a survey of APS agencies that focused on the way risk is managed and the level at which it is managed
- employee perceptions of risk management.
Assessments of risk-management maturity
In 2011 and 2013, the Australian Public Service Commission (the Commission) asked agencies to assess their risk-management capability using a capability maturity model approach. This approach assesses risk-management capability through three mechanisms not available through other methods: capability assessments are made over time; agencies self-assess their current maturity level for each capability and the maturity level they believe they require to conduct business effectively; and when looked at across the APS the capability maturity model approach assists in identifying systemic areas of weakness to which resources can be allocated with greatest effect.
By comparing current capability at more than one point in time (that is, current capability as assessed in 2011 and current capability as assessed in 2013), a judgement of whether agency capability has ‘matured’ can be made. This assessment also allows agencies to evaluate progress of earlier capability investments. By comparing their required level of capability maturity over time (as opposed to their assessment of their current capability), agencies can identify how their changing business context has influenced their capability requirements. This assists agencies to critically assess their likely future business and what it means for investment decisions in their business processes.
Table 3.1 shows that marginally fewer agencies in 2013 (28%) than in 2011 (32%) assessed their current level of risk-management capability as meeting organisational requirements.
|Capability||At required level
(% of agencies)
|Need to mature one level
(% of agencies)
|Need to mature two or more levels
(% of agencies)
|Source: Agency survey|
In 2011, risk management showed the smallest gap between current and required capability of the six capability areas assessed with the largest gaps reported by regulatory and small operational agencies. The same comparison between agency assessments of current and required risk-management capability for 2013 showed that while the gap was the second smallest across all the areas assessed, the largest gaps were now reported by large and small operational agencies.
Separately, in Comcover's annual risk-management benchmarking survey of Australian Government agencies, which uses a more detailed capability maturity approach to assess elements of risk-management practice, agencies assess their capability maturity for 10 practice elements against five levels: informal; basic; top down; structured; risk intelligent. The 2013 Comcover survey data indicates that while agencies' average capability levels improved—from 6.27 in 2010 to 6.82 in 2013 on a scale of 0 to 10—the gap between average capability and desired capability remains around 10%. Further, approximately three-quarters of agencies surveyed did not achieve their target capability level in 2013. Change over time, however, suggests the gap between current and required risk-management capability is closing.
Overall, the two approaches to assessing the maturity of risk-management capability across the APS confirm that it is improving, although more work is needed to close the gap between current risk-management capability and the maturity agencies believe they require to improve agency performance.