
2.1. Risk management

Risk management is the culture, processes and structures that are directed towards realising potential opportunities while managing adverse effects.[6] Risk management is an essential part of effective corporate governance. Although ultimate accountability for the management of risk remains with the Chief Executive/Board, the Chief Executive/Board will generally seek assurance from the Audit Committee that management has in place policies and arrangements designed to demonstrate that the operation of an entity's risk management arrangements are appropriate and operationally effective. This assurance role can extend to assisting the overall alignment and integration of risk management plans and the integration of risk management into business planning and program implementation activities. Better practice committees will also generally have a key role in providing assurance that management has in place effective risk management practices when implementing high risk projects, programs and/or activities.

Better practice tip: Audit Committee’s risk management responsibilities

For the Audit Committee to effectively meet its risk management responsibilities, it is important that the committee fully understands the:

  • Chief Executive/Board's approach and attitude to the management of risks by the entity, including the entity's assessment of risks; and
  • arrangements in place for the management of its risks, particularly the entity's highest risks.


Where the Chief Executive/Board agrees that the Audit Committee will have an assurance role in relation to individual projects, programs or activities, it is important that the committee’s role is formalised and included in the governance arrangements for the project, program or activity.

Review of an entity's management of fraud risks is generally undertaken as an integral part of an Audit Committee's risk management responsibilities. An Audit Committee can play a key role in securing awareness that fraud control interacts and links with other governance frameworks across the entity.[7] This is consistent with the Commonwealth Fraud Control Guidelines, which indicate that ‘Fraud risk should not be looked at in isolation from the general business of the agency but should be considered as an aspect of the agency's broader risk assessment processes, including the agency's security risk assessment.’[8]

Audit Committee risk management responsibilities

An Audit Committee’s responsibilities in relation to risk management would generally be to:

  • review whether management has in place a current and comprehensive enterprise risk management framework [9] and associated procedures designed to ensure that the identification and management of the entity's business and financial risks, including fraud, are effective;
  • where agreed by the Chief Executive/Board, determine whether a sound and effective approach has been followed in managing the entity's major risks including those associated with individual projects, program implementation, and activities;[10]
  • assess the impact of the entity's enterprise risk management framework on its control environment and insurance arrangements;
  • determine whether a sound and effective approach has been followed in establishing the entity's business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested;
  • review the entity's fraud control arrangements and satisfy itself the entity has appropriate processes or systems in place to capture and effectively investigate fraud-related information; and
  • review reports on fraud from the entity's Fraud Manager that outline any identified allegations of fraud, the status of any ongoing investigations and any changes to identified fraud risk in the entity.

Part 3 includes committee and management checklists in relation to risk management and fraud control (pages 77 to 84).

[6] Standards Australia AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, 16 October 2009. Available at <http://infostore.saiglobal.com/store>.

[7] ANAO Better Practice Guide Fraud Control in Australian Government Entities, 2011, Section 3.4.1.

[8] Commonwealth Fraud Control Guidelines, Attorney General’s Department, Canberra 2011, para 6.2.

[9] AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines defines a risk management framework as ‘a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.’

[10] In exercising these responsibilities in particular, it is important that the committee’s responsibilities be determined at the commencement of the program or activity, in consultation with those with line management responsibility for the program or activity.