The Risk Management Juggernaut Rolls on: Commonwealth Government Embraces ISO 31000


The move to standardised risk management continues. The Federal Government (Government) has this month released the Commonwealth Risk Management Policy (Policy). This Policy attempts to make uniform the motley collection of risk management frameworks used by the many Commonwealth Entities (Entities), and to align them with industry standards such as ISO AS/NZS 31000:2009 – Risk Management – Principles and Guidelines. Marching in under the ‘reducing red tape’ banner, the Policy also supports the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act) and Comcover (the Government’s general insurance fund).

What is significant about this move is that it confirms what most executives have come to realise over the past five to ten years – that risk management is not a passing fad. It is now written into multiple laws and regulations and is a management discipline that is definitely here to stay.

Financial services licensees have been required to implement risk systems since the introduction of the financial services reform laws in 2002, and ASX listed entities have been required to disclose the existence (or otherwise) of their risk systems since the ASX Corporate Governance Principles and Recommendations were first introduced in 2003. The latest edition of the ASX Corporate Governance Principles (3rd Ed, 2014) (CGPRs), which commenced on 1 July 2014, has in fact further extended the risk management obligations and disclosure requirements of listed entities (see our previous blog on the CGPRs). The anti-money laundering and counter-terrorism financing (AML/CTF) laws that were introduced in 2006 were written on the presumption (and it was a big presumption) that businesses actually had risk management systems in place (see our previous blog on the AML/CTF laws).

Evidence of the momentum of the risk management juggernaut now extends beyond commercial entities. Formal risk management systems are now a requirement for many not-for-profit entities as part of their funding arrangements, including those in the community housing sector, which are already subject to a governance, risk and compliance regime far more onerous than that required of ASX listed entities. Risk management is also becoming flavour of the month in other key sectors such as education and health.

So if, as an executive, you are not familiar with formal risk management principles (usually referenced in Australia to the ISO 31000 standard) you are probably missing a key implement in your management toolbox. In other words, knowledge of risk management principles is now required of executive managers as much as understanding financial statements and the basics of workplace relations and workplace health and safety (WHS) laws.

The good news is that if you are familiar with WHS, by definition you must be familiar with risk management, because WHS laws are risk-based, requiring organisations to:

  • identify safety hazards;
  • consider the likelihood of the hazard occurring;
  • consider the impact (consequence) if the hazard were to occur; and
  • put in place controls and treatment plans to manage the hazard.

See the CompliSpace whitepaper for more information on WHS laws.

The rationale behind the Government’s embrace of risk management processes has been its desire to ‘reduce red tape’. In a speech to launch the Policy, the Parliamentary Secretary to the Minister for Finance, Michael McCormack, described the Policy and the PGPA Act as working together so that ‘agencies are obliged to be aware of risk and are accountable for developing mechanisms to manage it’. Mr McCormack described the benefits of a more focused approach to managing risk as including:

  • a more productive, innovative and efficient public sector; and
  • the realisation of the Commonwealth’s strategic objectives.

The benefit for many in this move towards a standard risk management framework is certainty – the requirements are law. The Minister for Finance, Mathias Cormann, states that the Policy seeks to strengthen the risk management practices of Entities by encouraging officials to ‘engage with risk in a positive and transparent way’. This means that Commonwealth Entities will be able to adopt industry frameworks, software, training and compliance products for their risk management policies – a positive for businesses that will be engaging with government. As for the Policy itself, it sets out nine elements of risk management, ranging from ‘Establishing a risk management policy’ to ‘Developing a positive risk culture’, terms with which many should be familiar.

The implementing law, the PGPA Act, aims to modernise the Commonwealth’s current financial accountability, performance and reporting framework. It replaces the models for financial management established through the Financial Management and Accountability Act 1997 (Cth) and the Commonwealth Authorities and Companies Act 199 (Cth). The Policy is a guide to achieving compliance under the PGPA Act but, in effect, mandates the industry-standard approach. Although corporate Commonwealth Entities (such as the ABC) are not (yet) required to comply, the Policy recommends that they review and align their risk management frameworks and systems with it as a matter of good practice – perhaps a sign of things to come. Comcover’s 2008 edition of the ‘Better Practice Guide of Risk Management’ is being updated to reflect the elements in the Policy.

If you would like more information on risk management, CompliSpace has written a series of articles that chronicle the emergence of industry-standard risk management in recent years.
