Victorian Auditor-General's Office

DIRECTION OF RISK MANAGEMENT IN THE VICTORIAN PUBLIC SECTOR; AND IDENTIFYING AREAS OF AUDIT INTEREST

Presentation to
RMIA luncheon
May 2007

By Des Pearson
Auditor-General of Victoria

Overview

• Accountability framework and the Auditor-General

• About risk management

• 2003 audit results

• Conduct of our 2007 audit

• Key challenges

Our accountability framework

• Under the Westminster parliamentary system, power is vested in government and ministers.

• Executive Government decides on the direction and management of State resources and must account to the Parliament for its actions.

• Parliament reviews performance through debates and joint parliamentary committees.

• Public as against private sector accountability.

Role of the Auditor-General

• Auditing in the public interest.

• Principal aim: To conduct quality financial and performance audits on public sector organisations and comprehensively report to Parliament.

• A key link in the accountability process.

• Constitutional safeguard to serve interests of Parliament.

• Arguably the most “independent” powers for an Auditor-General in Australia.

• Formal relationship with the Public Accounts and Estimates Committee (PAEC).

Audit coverage

Around 650 agencies with:

• assets – $185 billion

• liabilities – $58 billion

• revenue – $51 billion

• expenses – $45 billion.

(Office budget output appropriation $27 million 2007-08.)

Comparison with private companies

Selecting areas of prospective audit interest

• Perform sector environmental scan.

• Consider public sector performance against the Government’s established vision and goals articulated in the Growing Victoria Together document.

• Assess emerging trends, risks, challenges and other factors which may influence achievement of vision/goals.

• Consider capability and resources of public sector agencies such as work force management and the impact of joined-up government service delivery.

Risk and risk management

• Risk is the chance of something happening that will have an impact on the achievement of organisational objectives.

• Risk management involves the systematic identification, evaluation and management of both risks and opportunities for business improvement, and is a key aspect of good corporate governance.

• The above explanation is derived from the Australian and New Zealand risk management standard AS/NZ Standard 4360:2004 and, I am sure, it is quite familiar to you all.

Public sector risks are those things that could happen and could have an adverse effect on government objectives.

The key government objectives are those highlighted by the Growing Victoria Together document: A vision for Victoria to 2010 and beyond.

Risk management enables government to formally deal with those risks that could limit or stop it from achieving its economic, social and environmental goals.

Victorian public sector risk management framework

• Financial Management Act 1994.

• Victorian Managed Insurance Authority Act 1996.

• Public Administration Act 2004.

The Victorian public sector operates within a risk management framework that is based on laws, ministerial directions and guidelines.

The Financial Management Act 1994 and the Victorian Managed Insurance Authority Act 1996 note that departments and public bodies must develop, implement and keep under review a risk management strategy.

The 2005 Standing Directions of the Minister for Finance under the Financial Management Act 1994 provide directions in relation to: the role of the audit committee; internal audit; and the development of an enterprise-wide risk management framework.

The Public Administration Act 2004 states that “the board of a public entity is required to inform the minister and department head of any known major risks”.

Departments and agencies are required to:

• annually review their system of risk management and internal control

• adopt the AS/NZ Standard 4360:2004

• have an audit committee chaired by an independent member, to oversee effective operations of the risk management framework

• have the audit committee approve the internal audit plan, based on the risk profile.

The Government decided in 2005 that the AS/NZ Standard 4360:2004 was to be applied across the Victorian public sector.

In 2006, the State Services Authority published a good practice guide for board members of Victorian public entities, titled Welcome to the board: your introduction to the good practice guide on governance for Victorian public sector entities.

This guide indicated that boards are required to:

• integrate risk management into the entity’s strategic planning process

• notify the minister of known risks to the effective operation of the board

• monitor and review the effectiveness and currency of internal financial and operational risk management compliance and reporting systems.

2003 audit: What our Office did

• Examined risk management across 61 organisations via questionnaire.

• Conducted a number of case studies – departments and agencies.

• Reviewed state-sector risk management structures and processes.

In 2003 risk management was not yet a mature business

• Less than 40 per cent had appropriate risk management strategies in place.

• 33 per cent did not explicitly identify and assess their key risks.

• Just 28 per cent were effectively implementing their strategies.

• No clear understanding of statewide risks.

The 2003 audit found that while most organisations had started to address risk management in some way:

• risk management was not yet an established or mature business discipline, and most public sector organisations did not rigorously assess risks and evaluate risk controls

• there was no clear understanding of statewide risks, and no single explicit mechanism to collect and analyse significant risks to the State

• there was no assurance that statewide risks in a portfolio had been identified.

Recommendations from the 2003 audit

The development of a state-sector risk management framework/guidelines for:

• identifying

• assessing

• managing statewide risks.

By statewide risks we mean those risks that are significant or widespread and their consequences extend beyond one department or agency.

The three levels of statewide risks are:

• agency-level risks, which can become state-sector risks because of their significance (e.g. a major project)

• inter-agency risks, where departments and agencies need to cooperate in managing risks associated with shared policy objectives (e.g. the Government’s Fairer Victoria Statement requires a number of departments to deliver social services)

• whole-of-government risks, which require a coordinated response led by a central agency (e.g. an emergency).

The 2003 audit also recommended:

• risk management guidelines (enterprise-level)

• adoption of formal risk management approaches.

In relation to risk management within public sector organisations, the audit recommended that:

• the Government provide public sector organisations with clear risk management guidelines, processes and procedures

• departments and agencies adopt formal risk management approaches - appropriate to the organisation’s level of risk

• departments and agencies rigorously evaluate risks and risk treatments, linking risk criteria to government policy and organisational objectives.

Our 2007 follow-up audit

Audit objective

We undertook a follow-up audit to determine whether departments and agencies have made satisfactory progress in:

• developing appropriate risk management frameworks

• applying risk management principles in their organisations.

What we did

Audited 25 organisations:

• 10 departments

• Victorian Managed Insurance Authority

• 14 agencies.

The follow-up audit involved:

• examining answers to 15 questions covering risk management strategies, governance and effective implementation, as well as state-sector risks

• interviewing risk managers and executives

• examining all supporting material

• discussing preliminary risk management assessments with each organisation

• all departments were included in the audit because of their significance; some departments were covered in 2003

• all 14 agencies, including the Victorian Managed Insurance Authority, were covered in 2003.

Risk management is an accepted practice

In discussing matters with departments’ and agencies’ representatives and audit committees, we are aware that generally Victorian public sector organisations have:

• an adequate risk management policy and framework in place that explains the scope; roles and responsibilities of executive management, boards, audit committees and internal audit; reporting requirements; link to strategic planning …

• executive management or boards that take a lead and are involved in risk management

• a risk manager and/or coordination unit

• audit committees and internal audit with clear roles and responsibilities

• produced regular risk reports for executive and audit committees – monthly or quarterly or bi-annually.

The AS/NZ 4360:2004 is the Standard used by the Victorian public sector

Departments and agencies are required to adopt the AS/NZ Standard 4360:2004 to identify, assess and manage risks.

In 2005, the Government decided that departments and agencies were to use the Australian and New Zealand Risk Management Standard AS/NZ 4360:2004 to identify, assess and manage risks.

We are aware that the application of the Standard needs improvement. It appears that more emphasis is placed on:

• risk assessment (identification, analysis and evaluation)

• than on the management of risks (risk treatment, monitoring and review).

Comprehensive risk management guidelines would benefit the Victorian public sector

Risk management guidelines are required to improve quality and consistency of risk management practice in the Victorian public sector.

As already noted, some guidance has been provided by:

• legislation (requirement to have a risk management framework)

• ministerial guidelines (role of audit committees and internal audit)

• government decisions (requirement to adopt the Standard).

However, the practices of departments and agencies could be further improved if comprehensive guidelines were developed that provided clear direction on:

• the content of policy and risk management frameworks

• the roles of the secretary, boards, executive management, risk coordinators/risk units, audit committees and internal audit

• applying risk management standards to the whole organisation

• linking risk assessments to corporate goals

• developing enterprise risk registers and risk profiles

• the content of risk reports to executive management and audit committees.

We need to understand and deal with state-sector risks

At the moment, the Victorian public sector does not have a statewide risk management framework.

As such, the Government cannot be assured that all state-sector risks are identified, assessed, managed and brought to its attention.

The Government manages financial and insurable risks via the Financial Management Act and the Victorian Managed Insurance Authority Act, and related ministerial directions and guidelines.

Policy risks are managed via the Cabinet briefing process.

Relationship management and cooperative arrangements also deal with key risks.

The key message is that in the absence of a statewide risk management framework and guidelines, the Government cannot be assured that all state-sector risks are identified, assessed, managed and brought to the attention of the Government.

A clear risk management approach to statewide risks is needed

A clear statewide risk management framework is needed to help departments and agencies deal with:

• agency risks

• inter-agency risks

• whole-of-government risks.

The Department of Treasury and Finance (DTF) is developing a statewide risk management strategy and framework, and has appointed a project director to develop them by 30 June 2007.

Moving to enterprise-wide risk management

Risk management is being applied more broadly within public sector organisations:

• the insurance and financial areas were the first to formally manage risks

• later, risk management was applied to operational and compliance risks

• today, Victoria is moving toward adopting an enterprise-wide risk management approach that:

• covers the whole organisation

• includes all risks, including strategic risks linked to corporate goals

• is integrated with corporate governance arrangements.

The challenge for the Victorian public sector is to consider how best to identify, assess and manage statewide risks.

In summary

Three views

• Risk management is evolving and improving

• Challenges to be embraced

• What are the enablers?

Evolving and improving

• Good progress at agency level.

• July 2007, statewide risk management strategy and framework

• Firm foundations established:

• adoption of AS/NZ 4360:2004

• audit committee, risk management framework, internal audit and risk profile in place.

Challenges

• Progressing from risk assessment to management of risk.

• Improving quality and consistency of risk management practice.

• Addressing inter-agency and whole-of-government issues.

Tools/enablers

• Communication and coordination.

• Leverage others - Victorian Managed Insurance Authority, State Services Authority, Victorian Auditor-General’s Office.

• Purposefully share experiences.