Comcover Awards for Excellence 2012

Case studies of award winning agencies

Foreword

I am pleased to present to you Comcover’s second case study booklet. It showcases the risk management practices of the award winners from Comcover’s Awards for Excellence program in 2011.

The Comcover Awards for Excellence recognise and reward those agencies that demonstrate innovation and leadership in the field of risk management.

Each of these award winning agencies has put forward examples of excellence that highlight how it approached the challenges of implementing effective risk frameworks, programs and systems.

Nominations in the 2011 Awards program reflected the importance of ensuring an agency’s approach to managing risk is aligned with its strategic objectives.

A number of winning agencies in the Enterprise-Wide Risk Management Category identified the need to review and update their frameworks to reflect changes to their operating environment. As a result there is a greater focus on accountability and responsibility for managing risk; a clear understanding of the importance of integrating risk with other governance processes; and recognition of the benefit in aligning the agency’s risk framework with its outcomes.

Award winners in this year’s Risk Initiative Category are diverse. Each has demonstrated that by having the appropriate systems and processes in place to manage risk, it is possible to develop a culture where the consideration of risk provides opportunity for agency improvement.

A key objective of the Awards program is to facilitate the sharing of information. I encourage agencies to read the case studies and make contact with award winners to gain further insight into how they have influenced better management of risk within their agency.

Comcover will draw on the experience of each of the award winners to help demonstrate examples of better practice for our education program, and in the future development of better practice tools and templates.

Robert Higgins
Manager
Comcover

ENTERPRISE-WIDE RISK MANAGEMENT CATEGORY

Highly Commended - Department of Agriculture, Fisheries and Forestry

Highly Commended - Australian Taxation Office

Honourable Mention - Department of Immigration and Citizenship

Honourable Mention - Department of Human Services

Department of Agriculture, Fisheries and Forestry

Highly Commended

Overview

In 2009, the Secretary of the Department of Agriculture, Fisheries and Forestry (DAFF), made revitalising the agency’s risk management framework a priority. At the heart of this was a comprehensive review of how the agency approached and managed risks.

The agency acknowledged its previous risk management framework, while sound, was process-oriented and complex. A new risk management framework was needed that would build a more agile, effective, adaptive and resilient organisation. Three guiding principles were identified:

  • Risk management should be part of everyday decision-making and not seen as a ‘bolt-on’ process.
  • DAFF should adopt a positive risk culture, moving from risk aversion to working with known and
    calculated risks.
  • Staff should be empowered to actively manage risks as part of everyday decision-making.

DAFF’s new risk management framework is underpinned by regular communication from the Secretary and the Executive, which sends a strong message about the importance of risk management, and ensures attention and resources are dedicated to the task.

The Risk Management Framework—creating the foundation to effectively manage risk

DAFF’s new governance framework integrates the management of risk into all key business functions, processes, systems, programs and projects. This means the Secretary, in consultation with the Executive Management Team (EMT), can determine, communicate and review DAFF’s risk appetite in response to a dynamic operating environment.

The Risk Policy, set out in the Chief Executive Instructions, identifies risk management as an essential part of the agency’s strategic approach. The policy ensures the Department is well placed to understand and better manage its risks and to fulfil its accountability requirements.

Integrating risk management

By integrating risk management vertically and horizontally into its governance, planning and performance management processes, DAFF made sure risk management became a mandated part of business planning at the agency.

It did this by bringing the three previously separate elements of business planning, business risks and business reporting onto one platform. This new system, called ‘e-plan’, automatically populates corporate information into planning, risk and performance plans, removing the manual re-keying that had been a source of human error.

It also calculates risk levels automatically, with users selecting sources of risk from drop-down boxes. Risk profiles can now be produced in minutes rather than days, and areas of risk growth are easily identified and treated.

While the new system supports and integrates risk more effectively into day-to-day business, DAFF has not changed its existing integration model, which still allows risk information to flow through the Department smoothly and be readily accessible by all senior executives.

DAFF regularly reviews, evaluates and updates its revamped risk management framework documents and processes. Thanks to the successful implementation of ‘e-plan’, the review of risks has now become automated and far easier to manage. Risk information is always in real time and relevant to day-to-day business.

Championing risk initiatives

DAFF has worked to create a positive risk culture that emphasises the benefits of risk management in achieving the organisation’s objectives. It has embedded risk in the agency’s framework. Importantly, the Secretary and the Executive drive this culture in the Department by championing risk initiatives and processes.

Implementing strategies, plans and processes

Crucial to DAFF’s successful implementation of a new and agency-wide risk management program, is the top down commitment from the Secretary and Executive to providing the necessary financial, technical and human resources needed to manage risk effectively and efficiently.

Responsibility for coordinating risk management across the Department lies with DAFF’s Business Assurance & Risk Branch. It funds the dedicated Risk Management Team (RMT), which has three full-time officers. The RMT coordinates and provides risk management advice and support across the agency.

The Department has also formed a dedicated risk branch to drive the biosecurity reform process, alongside various specialist risk areas.

The RMT developed an organisation-wide strategy to implement, monitor, review and continuously improve the Enterprise-wide Risk Management Framework. In implementing this strategy the RMT:

  • Reviews and updates risk management methodologies and tools.
  • Implements and monitors DAFF’s risk management program, including specialist risk activities.
  • Analyses risk information and prepares a range of risk reports.
  • Communicates risk information.
  • Provides risk management learning and development opportunities.

Communication and training

As part of its efforts to effectively communicate risk information, DAFF consults widely with both internal and external stakeholders to make sure risk sensitivity and emerging issues and opportunities are included in risk analysis. External stakeholders include agriculture, food and fibre industries, other Australian and state government agencies, consumer and community interest groups, and those involved across the biosecurity spectrum.

The agency established a divisional risk network to champion risk management and to provide points of contact for all risk issues. The network also provides feedback to the RMT on risk initiatives and on risk mentoring.

DAFF offers a tiered risk management training program for all staff, to make sure staff members have the knowledge and skills they need to manage risk effectively in business operations.

As well as ‘Risk 101’ and risk scenario training, the Department also provides training on its risk tools.

Once ‘e-plan’ was developed and released from the development platform, staff were trained on the new system, which was designed to be intuitive and simple to use. One of its primary objectives was to reduce red tape and streamline the planning, risk and reporting functions as a whole. Feedback indicates that these objectives have been met.

Business continuity

DAFF has successfully developed an agency-wide risk management framework that supports its business objectives.

The agency’s risk profiling and reporting framework is a key input into business planning and performance management activities. Strategic and key business risks are regularly reviewed, with risk assessment a normal part of the annual business planning and reporting cycle.

As part of its business continuity program, DAFF undertakes a risk-based Business Impact Analysis to identify critical functions, their dependencies, available workarounds and maximum acceptable outage times. All divisional executive managers and key divisional staff were involved in this process, and the Secretary and EMT endorsed the outcomes in November 2009.

The Department regularly tests its business continuity framework by working through scenarios, culminating in an annual live exercise held late in the year. Exercise scenarios are based on potential risk events, and an exercise planning team that includes representatives from the affected divisions is formed to plan, organise and evaluate each exercise. All live exercises are also evaluated externally, and lessons learned feed into the annual review and update of the business continuity framework.

Results

DAFF’s revitalised risk management framework and program have made risk management part of everyday decision-making. Risk management is integrated into the Department’s planning and reporting processes and is linked to its overarching governance structures.

Championed by the Secretary, the top-down commitment to risk management is complemented by training and communication activities for all staff. This has helped to foster a positive approach to risk, with the growing realisation that the Department should not be risk averse but should understand its risks well enough to take known and calculated risks.

The introduction of ‘e-plan’ has dramatically reduced the administrative effort and the errors that were built into the legacy systems. All business planning, risk and reporting functions now operate in real time, so the information is up to date and consistent across planning, risk and reporting. This gives further reassurance to the Executive.

The Department has also seen improvements in how staff view risk training. Since the Department started running ‘Risk 101’ training just over a year ago, more than 750 officers (from SES Band 2 to APS 2) have taken part. The training is now being rolled out nationwide to front line officers, who have had risk training added as part of their workplace agreement.

Australian Taxation Office

Highly Commended

Overview

The Australian Taxation Office (ATO) has over 20 000 staff across 25 business lines. It manages millions of transactions every year, from registrations and lodgments through to payments, refunds and debts.

Given the scale of its operations, the agency already had a well-embedded and mature risk management capability and culture in its compliance areas, which had been recognised internationally. The challenge for the ATO was to introduce an enterprise-wide risk management framework that continued to develop its management of compliance risks, while extending it to cover all enterprise risks in an increasingly complex organisation.

The ATO’s enterprise-wide risk management approach was designed to:

  • Strengthen the integration of risk management activity across all areas of the ATO.
  • Understand the range of risks as a ‘system’.
  • Manage risks and take advantage of opportunities that arose from that understanding.

The Risk Management Framework—creating the foundation to effectively manage risk

Risk categories

To make sure all risks were considered, the ATO developed a schema of enterprise risk categories that organised risk information into 22 categories. One of the key features of the framework is that it is enterprise wide, and operates independently of organisational structures.

Sub-categories carry risk descriptions that clarify what the impact would be if a business outcome were not achieved. An Enterprise Risk Owner (typically SES Band 2) is appointed for each risk category. All risks identified at enterprise, operational and tactical levels map to the most relevant risk category and are subject to the risk management process. This makes sure mitigation strategies and controls remain effective.

Rating risk

The ATO recognises that risk management occurs at all levels of decision-making. Through the use of risk matrices that vary in complexity, risks can be defined, rated and managed at the enterprise, operational and tactical levels, with varying levels of effort. This ensures a more cost effective use of resources, by spending less time on simple risks and more on complex and important risk decisions.

Tailored consequence criteria

Complementing the ATO’s risk rating matrices are tailored consequence criteria for each of the 22 risk categories. These consequence criteria allow accurate articulation of risk tolerances and therefore accurate rating of the ATO’s risks.

The ATO’s Enterprise Risk Management approach provides:

  • A framework to categorise, manage and report all risks in a consistent and systematic way irrespective of organisational structures.
  • Minimal overlap of risks by organising risks into ‘pools’ under the risk categories.
  • Cost effective use of resources, focusing resources on the higher priority risks and less on risks within tolerance.
  • A mechanism for escalating knowledge gained from intelligence activities to risk owners for quick action.
  • A system view of risks, including how risks may drive and impact each other.
  • A vehicle to integrate specialist risks such as tax technical decision-making, OH&S, business continuity and security.
  • A map of risk events from drivers through to business impact.
  • A visual reminder that each category of identified risk requires consideration.

Accountability and responsibility

The ATO’s enterprise-wide risk management system hinges on everyone in the organisation—from senior leaders to individual employees—being accountable and responsible for risk.

Second Commissioners are Portfolio Risk Leaders and:

  • Oversee and resolve issues across a portfolio of enterprise risks.
  • Emphasise the importance of, and embed risk management into, governance activities, planning, resource allocation, and reporting.
  • Instigate independent risk assessments.

Accountability for specific enterprise risks rests with the Enterprise Risk Owners. These people are typically Deputy Commissioners (Senior Executive Service Band 2). By making risk categories independent of organisational structures, the ATO has enabled a more flexible approach to managing risks and provided an end-to-end view of them. This encourages greater communication between risk owners and risk managers across the agency and has led to a more considered, consistent and integrated approach to risk management.

Risk managers are appointed to specific risk areas. They are responsible for implementing risk treatments, identifying and assessing risks and the effectiveness of controls, and providing advice to enterprise risk owners on the status of operational risks within their categories.

All employees play a role in managing risks, and some have specific risk responsibilities.

Overarching these day-to-day responsibilities is the Chief Knowledge Officer, who is formally accountable as the capability leader for risk management practice within the ATO. This Officer receives advice on the agency’s risk management capability from the Risk and Intelligence Forum, which is made up of SES Band 1 officers. Finally, the ATO’s Audit Committee oversees internal governance and assurance policy, monitoring and evaluating internal controls, including risk management.

Integrating risk management into business

Consideration of enterprise risks is incorporated into the ATO’s annual planning, budgeting and review processes, ensuring that priorities and resources are allocated to the management of those risks. The enterprise risk categories ensure that this process deliberately encompasses the full range of corporate risks.

The ATO has developed a one-stop shop approach to storing and managing risk information.

Built on Microsoft SharePoint, the new Enterprise Risk Register is an active real-time resource for all providers and users of risk information. It is a collaborative platform that allows multiple perspectives and integration with risk assessments and related records.

The Register is structured around ATO risk categories and features:

  • Central and accessible recording of all enterprise and operational risks—mapped to the risk category.
  • Identification of major risk interdependencies, similar risks that are treated in different ways, potential duplication of risks and potential risk gaps.
  • Search function, reporting function, announcements and alerts.
  • Storage of supporting reports.

Resourcing

A small corporate risk team manages and guides the implementation of enterprise risk management. This includes developing risk policy, procedures and support tools, developing and implementing the risk register, collaborating with learning and development professionals in risk training product development, delivering risk training and providing ongoing advice and guidance on risk matters.

At an operational level risk committees review risk assessments, including new and emerging ones, relevant to their role and specific areas of responsibility.

At an enterprise-wide level, enterprise risk owners identify the most significant risks (including emerging ones) and these are considered in corporate forums. Discussion of these risks builds a wider understanding across the senior leadership group of the risk landscape and systemic shifts or trends.