LIGHTHOUSE PRINCIPLE: RISK MANAGEMENT
(based on ASX Principle 7)
Recognising and managing risk
Our risk management and strategic planning are integrated. The Auditor-General assumes ultimate responsibility for our risk management framework. The Office Executive sets the organisation’s Risk Appetite Statement (RAS) and ensures strategic risks are identified, assessed and treated in accordance with our risk management framework.
The Office Executive regularly reviews the enterprise risk register which is supported by detailed analysis of each strategic risk, taking into account the underlying business risks. The Audit and Risk Committee provides independent advice to the Auditor-General on the risk and internal control frameworks.
Our risk management framework
Our risk management framework is developed in line with NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03), the Risk Management Toolkit (TPP 12-03), the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2018), and the Accounting Professional and Ethical Standards Board’s professional risk management standard (APES 325 Risk Management for Firms).
During 2017–18, we
- finalised our enterprise risk management framework including reviewing our risk appetite statement and updating our risk management policy
- reassessed our strategic risks in line with our Corporate Plan 2017–2020 and local government mandate
- worked more closely with our operational areas to help them better understand and manage their risks
- continued to monitor the effectiveness of controls to mitigate risks
- better integrated risk management with our strategic and business planning processes, including incorporating risk identification in our strategic planning process
- assessed the Audit Office’s risk maturity and developed a roadmap to improve risk culture and practices
- continued to work towards a better understanding of our risk universe.
Our insurance cover is provided by the Treasury Managed Fund in respect of:
- workers’ compensation according to NSW statute
- property (full replacement, new for old, consequential loss, and business continuity costs or losses of revenue)
- liability, including but not limited to public liability, professional indemnity and directors and officers liability
- motor vehicles
- miscellaneous losses including those due to staff dishonesty, personal accident, and protection for local and overseas travel.
Exposures not included are:
- illegal activities
- wear and tear
- inherent vice
- pollution (not being sudden and accidental pollution).
In 2017–18, our six key strategic risks were reassessed as follows:
- our insights are not relevant and do not result in a demonstrable improvement in public administration
- our audits are not defensible resulting in lost credibility, trust and confidence by government and the public
- we do not act according to our own ethical standards and are not transparent and beyond reproach damaging our reputation
- we are not efficient enough to keep pace in a contestable environment
- we cannot develop or access required capabilities compromising our ability to achieve our objectives
- loss of confidentiality or integrity of information (including client and personal staff information), resulting in legal or regulatory breaches, inability to continue business, or reputational damage.
Risk management and internal control attestation
To provide additional assurance that the Audit Office’s risk management framework and related controls are operating properly, two attestations are completed each year.
The first is an annual attestation by the Auditor-General on the quality of the Audit Office’s risk management and internal audit processes. This is based on our compliance with the core requirements of NSW Treasury Policy 15-03 Internal Audit and Risk Management Policy (see our Internal Audit and Risk Management Attestation statement in Appendix Nine).
The second is a Management Control Questionnaire which is completed annually in line with the Audit Office’s financial statements and covers the financial year. Management complete the questionnaire on the implementation of internal controls as they relate to their business area and staff compliance with our policies.
The year ahead
In 2018–19, we will:
- assess and select an appropriate integrated enterprise risk management technology system
- continue to embed risk management practices throughout the organisation and establish dynamic and consistent risk reporting that is both bottom-up and top-down
- enhance risk reporting to better support robust discussions on strategic and key operational risks
- incorporate risk velocity into our regular risk reports
- roll out risk management training to staff
- continue to identify emerging risks, monitor existing operational, project and strategic risks, and assess the effectiveness of mitigating controls.