Reviews of risk management in the APS have highlighted that at times the practice is reactive, short-term and process focused. The recent Royal Commission into the HIP highlighted that the identification and management of risks in the programme was deficient. The introduction of the CRMP, which applies to all non-corporate Australian Government entities, provides guidance to agencies on the establishment of appropriate risk-management frameworks to achieve compliance under the PGPA Act. The effective implementation of the CRMP by all APS agencies is central to improving the quality of risk management across the APS.
The CRMP requires agencies to define their risk appetite and risk tolerance as well as identify who is responsible for determining these. Defining agency risk appetite and tolerance needs to include engagement with the agency's Minister. The risk conversation must cascade through the agency to inform process and practice.
More fundamentally, however, agencies need to develop a positive risk culture where conversations about risk are open and supported by a leadership climate that encourages risk to surface and be appropriately addressed. Improving risk management across the APS also requires management to focus on continuously monitoring risk profiles in line with changing circumstances rather than approaching risk as a one off, compliance-oriented assessment. It also requires agencies to keep stakeholders informed of changes, in particular Ministers.
This chapter shows that work is needed by most agencies in closing the gap between current practice and CRMP requirements. There are, however, positive examples of agencies tackling enterprise risk management as a central component of business reform. There are also examples of agencies integrating the lessons of previous reviews to deliver good outcomes for government and citizens. Many foundation pieces are already in place to improve risk-management capability across the APS. Substantial effort, driven by senior leaders who model appropriate behaviours, is required to address cultural deficiencies in many agencies.