Risk Management Framework 2022–24
Any queries about risk management in the ANAO should be directed to the Senior Executive Director, Corporate Management Group through our contact page.
The objective of the Risk Framework and associated programs of risk management activities is to support effective risk management across all ANAO operations.
I. ANAO Risk Management Policy 2022–24
The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.
Understanding, adapting and responding to changes in our operating environment is critical to delivering on the ANAO’s purpose. To respond to these changes within our environment, and enable considered decision-making, we must identify, assess and manage emerging risks. Effective risk management is fundamental to achieving our purpose and improving our performance — and is a responsibility of all ANAO employees.
Risk management plays an important role in shaping the ANAO’s strategic direction, contributes to evidence-based decision-making and is embedded into business-as-usual practices. The ANAO also recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented, to guide risk allocation appropriately. To support risk management across the organisation, the ANAO has established a Risk Management Framework.
The ANAO’s Risk Management Framework is based on adherence to the International Standard on Risk Management, ISO 31000:2018. This standard defines risk as ‘the effect of uncertainty on objectives’. In the context of the ANAO, this is the possibility of an event or activity having an adverse impact to such an extent that it prevents the ANAO from achieving its purpose and outcomes.
The framework is also consistent with the Commonwealth Risk Management Policy. The Commonwealth Risk Management Policy supports the requirements of section 16 of the Public Governance, Performance and Accountability Act 2013 which requires accountable authorities of entities to establish and maintain systems and appropriate internal controls for the oversight and management of risk.
The ANAO’s approach to managing risk (the Risk Management Framework) identifies why we undertake risk management and how ANAO employees are expected to do so. The framework integrates risk management practices into governance practices; informal and formal decision making; business-as-usual and audit activities; and within the ANAO’s strategic business planning, policy advice and project management.
Overall, the ANAO has a low risk appetite in its business-critical activities. The ANAO Risk Management Framework is reviewed biennially, while our Enterprise Risk Register acts as a ‘live’ document that is continually updated to reflect our risks and operating environment. The framework and register are regularly reported on within ANAO subcommittees, and to the Executive Board of Management (EBOM) and Audit Committee. The ANAO’s ongoing approach to monitoring risk enables the Executive to implement mitigation plans and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.
The Risk Management Framework allows the ANAO to proactively engage with enterprise and operational risk. Proactive and open engagement with risk assists to foster a positive risk culture. A positive risk culture — which encourages experimentation, risk, trial and error — is supported by our workplace behaviours and the ANAO’s values of excellence, integrity and respect.
Grant Hehir
Auditor-General
II. Overview of ANAO Risk Management Documents
ANAO Risk Management Policy
The ANAO Risk Management Policy (the policy) is a key element required within the Commonwealth Risk Management Policy and is important to ensuring a shared understanding of risk across the ANAO.
The policy defines our organisational approach to risk management and links the ANAO’s Risk Management Framework to our purpose, strategic planning framework and objectives. In addition, the policy defines the ANAO’s risk appetite and risk tolerance; and contains an outline of the key accountabilities and responsibilities for managing and implementing the ANAO’s Risk Management Framework. The policy is endorsed by the Auditor-General.
The policy also recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented, to guide risk allocation appropriately.
ANAO Risk Management Framework
The purpose of the ANAO Risk Management Framework (the framework) is to set out how risk management is embedded across the ANAO for all business operations and decision-making. The framework outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. The framework has been developed to assist the Auditor-General to meet the requirements set out in section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Commonwealth Risk Management Policy (issued by the Department of Finance).
The Commonwealth Risk Management Policy supports the requirements of section 16 of the PGPA Act, which requires accountable authorities of entities to establish and maintain an appropriate system of risk oversight and an appropriate system of internal control for the entity. Under the Commonwealth Risk Management Policy, non-corporate Commonwealth entities must comply with several elements, which reflect the fundamentals of effective risk management. The framework has been designed to reflect these requirements and in addition, to meet the standards set out in the International Standard on Risk Management — ISO 31000:2018 (ISO 31000).
ANAO Enterprise Risk Register
The framework is supported by the Enterprise Risk Register (ERR). The ERR identifies, outlines and assesses relevant strategic and operational risks of the ANAO. The ERR is a ‘live document’ — reflective of the current risk mitigation and control framework. The ERR is maintained by the Corporate Management Group (CMG) on behalf of EBOM. The latest, endorsed version of the ERR can be found on the ANAO website.
ANAO Risk Analysis Tools
The ERR is supported by the ANAO’s Risk Analysis Tools. The tools outline a Risk Evaluation Matrix, which uses two additional assessment tools (a consequence rating scale and a likelihood analysis scale) to assist in classifying the risk rating assigned to each risk within the ERR. The risk evaluation matrix applies a rating based on the analysis of likelihood and consequence.
1. ANAO Risk Management Framework
The ANAO Risk Management Framework (the framework) — including the ANAO Risk Management Policy and the ANAO Enterprise Risk Register — enables the ANAO to identify, respond to, and manage risk.
The framework sets out how risk management is embedded across the ANAO for all business operations and decision-making — across all levels of staff. It outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. In accordance with the Commonwealth Risk Management Policy, the framework includes:
- a summary of the ANAO’s approach to risk management;
- details on the application of the framework (including the ANAO’s risk appetite and tolerance);
- details on how the ANAO manages shared risks;
- details on the ANAO’s strong and positive risk culture;
- details on the management of the framework; and
- a summary of the key roles and responsibilities in managing risk.
1.1 Legislation and Resources
The framework has been designed in accordance with:
- the international risk management standard — principles and guidelines (ISO 31000:2018);
- the Public Governance, Performance and Accountability Act 2013; and
- the Commonwealth Risk Management Policy.
1.2 Consultation
The ANAO Risk Management Policy, Risk Management Framework and Enterprise Risk Register have been developed in consultation with: EBOM members and other ANAO Senior Executive Staff; ANAO governance committees (see Figure 1); the ANAO Audit Committee; and key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor. The consultation methodologies applied within this framework align with the requirements set out in ISO 31000.
The ANAO Risk Management Framework is endorsed by the Auditor-General.
1.3 Contact Officer
Any queries about ANAO risk management should be directed to the Senior Executive Director, Corporate Management Group (CMG).
2. ANAO Approach to Risk Management
2.1 Purpose, environment and context
The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.
Risk management within the ANAO is one of our core strengths, supported by multi-level and independent review across all major audits, procurements, and projects. Risk is integrated into our governance structure through our subcommittees. The chair of each subcommittee ensures that risks are sufficiently managed, analysed, captured, reported, and efficiently escalated (as required) to the Auditor-General.
EBOM continually monitors the environment in which the ANAO operates, adjusting the ANAO’s appetite and tolerance as necessary. The ANAO’s ongoing approach to monitoring risk enables EBOM to implement mitigation plans. Risk mitigation plans strengthen existing controls and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.
The Audit Committee, supported by the ANAO’s internal audit function, receives all internal audit reports and directs senior leaders to provide information (as necessary) to ensure and satisfy itself that risk is being actively managed. The committee provides advice, assurance and reports directly to the Auditor-General.
The Auditor-General takes the advice of EBOM and the Audit Committee and establishes the ANAO’s appetite and tolerance for risk and oversees the implementation of the framework. Operational risk management occurs in line with the defined roles and responsibilities outlined in this framework, while the Enterprise Risk Register assigns owners and tolerances for identified enterprise-level risks. All ANAO staff have a general responsibility to practise active risk management — a responsibility that staff are prepared for through ongoing training.
The importance of risk management to good governance is underpinned by the accountability provisions applying to the ANAO under the PGPA Act. Key aspects of the ANAO’s governance and risk management environment are:
- section 16 of the PGPA Act, which requires the ANAO to establish and maintain appropriate governance systems and internal controls for the oversight and management of risk within the ANAO;
- the Commonwealth Risk Management Policy (2014) and RMG 211 — Implementing the Commonwealth Risk Management Policy;
- Protective Security Policy Framework;
- the ANAO’s Corporate Plan and Annual Performance Statements (sections 35 and 39 of the PGPA Act);
- the Auditor-General Instructions and Procedural Guidance (section 110 of the PGPA Act);
- organisation-wide (enterprise/strategic) plans (e.g., ANAO Audit Manual, Business Continuity Plan, Workforce Plan, WHS Plan, COVID-Safe Plan, Fraud Control Plan, Group Plans and Project Plans); and
- individual performance agreements.
2.2 Risk management and the strategic planning framework
The ANAO considers that effective management of risk is integral to achieving its purpose. Risk management is embedded within the ANAO’s strategic planning framework.
All elements of the ANAO’s strategic planning framework include a consideration of the ANAO’s appetite and tolerance for risk. Understanding the ANAO’s appetite and tolerance for risk is critical to setting the risk management tone within ANAO enabling frameworks (i.e., policies, procedures and guidance materials). The ANAO uses a clear and consistent tone to support staff to understand the relationship between the strategic planning framework and their individual roles and responsibilities in managing risk through effective decision making.
2.3 ANAO governance structure and other risk-related documents
The Auditor-General takes advice from EBOM when establishing the Risk Management Framework and the ERR, and when determining the ANAO’s appetite and tolerance for risk. The framework identifies specific responsibilities for key positions (primarily senior executive staff) across the ANAO, while the ERR assigns control owners for each enterprise risk. In addition, all ANAO staff have a general responsibility to practise active risk management and support a positive risk culture.
The Professional Services and Relationships Group and the audit service groups have primary responsibility for managing audit risk. Each individual audit work plan assesses operational risks and mitigation strategies, and risk is assessed at all audit review points. Responsibility for managing operational audit risk is assigned to the responsible engagement executive.
ANAO governance committees
The ANAO’s governance structure and practices support the Auditor-General in the effective oversight of the organisation in delivering its purpose.
In practice, EBOM ensures organisational accountability and transparency through oversight of its subcommittees. All subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis (as outlined within subcommittee terms of reference). ANAO subcommittees are required to be aware of and consider enterprise level risks through the ANAO’s ERR, in accordance with the Risk Management Framework. Committees report to EBOM through summary reports and meeting minutes.
All ANAO business-as-usual procedural guidance materials and policies are endorsed by EBOM. Procedural guidance materials assist staff to proactively identify and assess risk in all activities, supporting informed decision-making.
Audit Committee
The Audit Committee provides independent assurance and advice to the Auditor-General, including reviewing the appropriateness of the ANAO’s financial and performance reporting, systems of risk oversight and management, and systems of internal control.
Corporate plan and annual report
The corporate plan is the ANAO’s primary planning document and sets out how we will achieve our purpose over a four-year period. The corporate plan is complemented by the annual audit work program, which reflects the ANAO’s audit strategy and deliverables for the coming financial year.
The corporate plan articulates the purpose of the ANAO and the environment within which the ANAO expects to operate. It outlines our intended capability investments, including the plans and strategies we will implement to achieve our purpose. The plan also details the planned activities and performance of the ANAO, including the measures we use to assess our performance. It also provides an overview of the ANAO’s risk oversight and management systems.
The corporate plan is regularly considered as a part of the risk analysis process. Consulting the corporate plan allows the setting of realistic delivery timelines for strategies and key deliverables against the broader view of our operating environment. The ANAO reports on its performance through its annual report.
ANAO Audit Manual and policies
Risk management within ANAO audits is governed by the ANAO Auditing Standards. The associated guidance material for these standards is adopted into audit work through specific policies. For performance audits, financial statement audits and performance statement audits, the ANAO Audit Manual contains risk guidance applicable to audit and assurance work.
For the ANAO, independence is an element central to the quality of each audit. Independence is both institutional and individual. It reflects the position of the Auditor-General (and the ANAO) as set out in the Auditor-General Act 1997. It requires the avoidance of circumstances that could compromise any member of the audit team’s ability to act with integrity and exercise objectivity and professional scepticism. The ANAO Auditing Standards and the ANAO Independence Policy require staff and contractors engaged in audits to comply with the relevant provisions of the Accounting Professional & Ethics Standard Board, APES 110 Code of Ethics for Professional Accountants relating to independence.
The ANAO’s commitment to high ethical and professional standards underpins the quality of its work. Any threat to independence must be evaluated and safeguards applied to reduce the threat to an acceptable level.
2.4 Embedding risk management
The ANAO’s management of risk is embedded into existing business processes (including business-as-usual practices) by using consistent language, approaches, and documentation. The application and embedding of risk management across the ANAO is supported by the following documents:
- ANAO Audit Manual and Auditing Standards, including the Independence Policy;
- ANAO Quality Framework and plan;
- ANAO Parliamentary Engagement Strategy;
- ANAO Procurement Policy;
- ANAO Work Health and Safety Policies;
- ANAO Protective Security Policy Framework;
- ANAO Integrity Framework;
- ANAO Business Continuity Management Planning Guidelines; and
- ANAO Pandemic Action Plan.
3. Application of the Framework
3.1 Applying the framework
Risks need to be managed in the context of achieving organisational objectives and should include consideration of positive aspects of risk management (opportunities) as well as negative aspects (threats).
The framework is the primary source of guidance for staff in managing operational risk. The framework has been designed to support staff to:
- understand how the ANAO identifies, responds to, and manages risk;
- understand the connection between the Risk Management Policy and Framework, Enterprise Risk Register and Risk Analysis Tools; and
- understand, accept, and manage risk as part of their everyday decision-making processes.
3.1.1 Defining the ANAO’s risk appetite and tolerance (including Risk Appetite Statement)
Risk appetite is the amount of risk an entity is willing to accept or retain to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude towards risk taking. The ANAO’s risk appetite is captured within the ANAO’s Risk Management Policy and the ANAO’s Risk Appetite Statement. Both elements capture what the ANAO’s Executive consider to be acceptable risk-taking.
The ANAO has a low risk appetite.
Risk tolerance is the level (or levels) of risk taking acceptable to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and is typically aligned to categories of risk such as strategy, financial, people or reputation.
While risk appetite usually involves qualitative statements, risk tolerance operationalises the statements by using quantitative measures where possible, to better enable monitoring and review. Risk appetite sets the tone for risk taking in general, whilst tolerance informs:
- expectations for mitigating, accepting and pursuing specific types of risk;
- boundaries and thresholds of acceptable risk taking; and
- actions to be taken or consequence for acting beyond approved tolerances.
The ANAO’s risk tolerance is captured within our Enterprise Risk Register, against our strategic and operational risks.
3.1.2 Variations in risk rating and risk tolerance within the Enterprise Risk Register
EBOM recognises that, in some instances, within the Enterprise Risk Register there may be overall risk evaluations that result in the risk rating being higher than the established risk tolerance.
Where the risk rating is higher than the risk tolerance within the Enterprise Risk Register, EBOM must consider this variation and, if it is accepted, have both the acceptance and the risk treatment documented within the EBOM minutes.
ANAO Risk Appetite Statement
The purpose of the Australian National Audit Office is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance. The Parliament and public sector have high expectations of us. Effectively engaging with and managing risk is central to achieving our purpose, and key to meeting parliamentary and community expectations.
At the ANAO, we have determined that our appetite for risk is low. We recognise that in some circumstances it is not possible or desirable to eliminate all risk and through accepting some degree of risk we can seize opportunities, promote efficiencies and support innovation.
Our risk appetite is the level and type of risk we are willing to accept to achieve our objectives. It describes our attitude towards risk taking and helps us to understand what constitutes acceptable risk taking in our day-to-day work and in achieving our strategic priorities.
Grant Hehir
3.2 Understanding the Enterprise Risk Register and Risk Analysis Tools
The framework is supported by the Enterprise Risk Register (ERR). The ERR outlines relevant strategic and operational risks of the ANAO. For each risk, the ERR displays the risk; the category of risk (e.g., strategic, operational, legislative); causes; controls; control owner; likelihood rating; consequence rating; risk rating; risk tolerance; risk acceptance; and, where necessary, the risk mitigation plan and risk mitigation plan owner. The ERR is supported by the ANAO Risk Analysis Tools. The tools provide:
- a five-by-five assessment risk evaluation matrix (aligned to the ANAO’s operating environment);
- a consequence rating scale (qualitative tool), likelihood analysis (quantitative tool) and control effectiveness analysis; and
- a guide to determine the appropriate action required (including reporting requirements) based on the risk evaluation matrix.
The ERR assigns control owners who are responsible for reporting to EBOM, the Chief Risk Officer and the Auditor-General on a schedule determined by the severity of the risk rating.
3.3 Identifying and treating risk
Risk identification
The aim of risk identification is to develop a comprehensive list of events that may occur and, if they do, are likely to have an impact on the objectives of the ANAO. Risk identification includes an initial risk assessment, followed by an initial risk analysis.
Risk assessments identify risks by using a combination of established methods, which may include (but are not exclusive to) environmental scanning, consultation, and root cause analysis. The framework requires that risk assessments be undertaken in all key activities including when:
- planning and conducting audits including reporting to the Parliament;
- assessing specific work health and safety implications or concerns;
- conducting significant procurement activities;
- undertaking major or significant projects;
- undertaking business continuity and disaster recovery planning; and
- assessing protective security requirements.
The main objective of risk analysis is to separate the minor, acceptable risks from the major ones, and to provide data to assist in the assessment, evaluation and treatment of the risk. Controls embedded within current business processes are identified as part of the risk evaluation process. Controls should demonstrate their ability to effectively modify the risk.
Following a risk analysis, the risk rating determines the risk owners and required reporting obligations (Table 1). The risk owner is then responsible for deciding if a formal assessment is required and if so, which methods and information will be relied on. The risk owner is also responsible for ensuring the assessment is documented, control owners identified, and any mitigating risk treatments applied.
Risk treatment
Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented it becomes a control. Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits.
Where risk treatment options impact stakeholders, those stakeholders will be involved in the decision-making process. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. The most commonly used treatment options in risk management include: avoid the risk; remove the source; change the probabilities; modify the consequences; increase the risk to pursue an opportunity; retain the risk via an informed decision; and share the exposure.
While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the risk treatment (where applied) and its effectiveness in operation.
Table 1: Risk rating, action required and risk owner

| Risk rating | Action required | Risk owner |
|---|---|---|
| Extreme | Unacceptable level of risk and activity should stop immediately while a mitigation plan is developed. Requires immediate escalation to EBOM. A mitigation plan owner is assigned with weekly reporting to the risk owner on control effectiveness and mitigation plan/s. | Auditor-General |
| High | Acceptable level of risk, providing controls are in place to reduce risk to as low as reasonably possible. Allocated to a control owner with monthly reporting to EBOM on control assurance or mitigation plan/s. This reporting is also supplied to the Audit Committee for noting. | Deputy Auditor-General |
| Medium | Risk managed by an established, tailored control regime and reported quarterly to EBOM. | Group Executive Directors or Senior Executive Directors (SADA and CMG) |
| Low | Risk managed by routine controls and reviewed annually or after significant change. | All staff and contractors |
4. Shared Risks
The ANAO does not engage in activities that involve shared inter-entity or cross-jurisdictional risks. An exception to this is the ANAO’s capacity building activities to the Audit Board of the Republic of Indonesia (BPK) and the Auditor General’s Office of Papua New Guinea (AGO). These activities are managed through a partnership agreement with the Department of Foreign Affairs and Trade (DFAT). Risks related to these activities are shared with DFAT and managed through regular meetings; joint committees; advice and updates on any potential security risks to the ANAO’s deployed staff; and DFAT’s engagement of in-country security service providers.
The Auditor-General and the ANAO engage with other jurisdictions’ Auditors-General on risks in the public sector environment which may impact on the successful delivery of audit mandates. The ANAO identifies factors with potential to change its operating environment, preparing anticipatory responses where changes will affect the way the ANAO operates. These changes include those impacting accounting and audit standards. Being an active member of associations such as the Australasian Council of Auditors-General (ACAG) and the International Organisation of Supreme Audit Institutions (INTOSAI) helps manage this risk in a shared manner, whilst providing many ancillary benefits for cross-jurisdictional learning and collaboration.
5. Risk Culture
Risk culture refers to the shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities. The ANAO aims to foster a positive risk culture. A positive risk culture promotes an open and active approach to managing risk — it considers both ‘threat’ and ‘opportunity’ and enables all staff across the entity to appropriately identify, assess, communicate and manage risk.
Senior management and other identified individuals are responsible for supporting a positive risk culture through initiatives and processes. All senior staff should actively provide feedback through normal reporting channels on external interactions with key stakeholders regarding areas of potential risk. It is important that all staff (including contractors) understand, accept, and manage risk as part of their everyday decision-making processes.
Initiatives
Figure 1 outlines the initiatives undertaken by the ANAO to foster a strong and positive risk culture and the associated responsibilities of all staff in supporting this culture.
5.1 Maintaining a culture of risk awareness
All staff and contractors should be familiar with the ANAO’s approach to risk management — including the risks identified in the ERR. All staff and contractors should continuously scan their environment for new risks and reassess existing risks relative to their environment. In the first instance, staff should raise any suggestions relating to new or identified risks with their executive director and/or CMG — who will liaise with the appropriate risk owner as necessary.
5.2 Mandatory and refresher training
All staff are required to complete mandatory risk management training. A focus of this training is to improve awareness and identification of the differences between the risk to achieving the ANAO’s corporate plan objectives and the risks impacting the agencies being audited. An eLearning module on risk management is available to all staff and must be completed annually. This module can be accessed at any time as an introduction or refresher of the ANAO Risk Management Framework.
CMG can provide face-to-face training for staff undertaking risk management duties or performing a risk assessment (formal or informal). Additional training on audit specific risks will be mandatory for auditors upon commencement in the role and every year thereafter on a refresher basis.
6. Managing the Framework
6.1 Reporting processes
Reporting is a critical part of the framework. Reporting provides EBOM with awareness of how the ANAO is progressing against risk management objectives and supports managers to make informed decisions. Reporting on enterprise risks primarily occurs through EBOM subcommittees. All EBOM subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis. ANAO subcommittees manage enterprise level risks through the ANAO’s ERR and in accordance with the framework. Subcommittees report to EBOM through summary reports and meeting minutes. This reporting is supported by regular reviews of the ERR.
Risks rated as ‘High’ or above and strategic category risks are monitored by EBOM and the Audit Committee. The risk owners have responsibility for monitoring reports and directing resources to risk mitigation strategies and integrating these into existing processes. CMG coordinates high-level reporting on the ERR and the progress of risk mitigation strategies.
The management of audit risk is governed by audit standards in the Audit Manual. Compliance with the ANAO audit standards and the Audit Manual is reviewed as part of regular quality assurance processes that are considered at the Quality Committee and through to the EBOM. The ANAO Quality Report is published annually on the ANAO website — the report’s purpose is to demonstrate the ANAO assessment of the implementation and operating effectiveness of the elements of the ANAO Quality Assurance Framework and plan.
Internal Audit undertakes a rolling program of audits and provides insights into risk management within the audit reports prepared for the Audit Committee.
6.2 Monitoring processes
The ANAO takes an integrated approach to the monitoring of risks across the organisation, building the monitoring of risks into existing business processes and ANAO enabling frameworks (i.e., policies, procedures and guidance materials). Risks are continually monitored by EBOM, the Audit Committee, governance subcommittees and ANAO staff — in alignment with the ANAO governance structure and with the key roles and responsibilities outlined within the framework.
6.3 Review and evaluation processes
To ensure that this framework is maintained in accordance with the Commonwealth Risk Management Framework, it requires ongoing monitoring and review.
Reviews of the framework ensure that:
- the policy and register are reflective of the ANAO’s internal and external environment;
- the risk management practices are effective;
- reports provide the information necessary for decision making and continuous improvement; and
- risk management continues to effectively contribute to achieving the ANAO’s purpose.
A full review of the framework (including risk appetite and tolerance) is conducted every two years — and includes a review of the ANAO Risk Management Policy, ANAO Risk Management Framework and the ANAO Risk Analysis Tools. The Enterprise Risk Register (including strategic and operational risks) is reviewed annually. There is a mid-year review by EBOM of the effectiveness of controls implementation.
Review processes related to risk are coordinated by CMG, in consultation with Senior Executive Staff — including the Executive Board of Management (EBOM); Chief Risk Officer; ANAO governance committees; Audit Committee; and key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor.
6.3.1 Evaluating the ANAO Risk Management Framework
The ANAO is committed to continuous improvement. Evaluating the Risk Management Framework (and related documents such as the Risk Management Policy, Risk Analysis Tools and Enterprise Risk Register) is a key component of the review process.
Evaluations focus on whether the documents are:
- achieving their intended purpose;
- being implemented as planned; and
- changing the culture and behaviours as expected.
Evaluations are supported by data gathered through the APSC Employee Census, reporting to EBOM and governance subcommittees, and the review of internal audit outcomes.
6.3.2 Assessing risk management performance
The measurement of risk management performance involves two key activities — measuring compliance and measuring maturity.
- Measuring Compliance: This provides assurance that staff are complying with the Risk Management Policy directives (assisted by internal audits into compliance). A report on the percentage of staff who have completed mandatory training is generated by CMG at the end of each month and is provided to the SED CMG, all GED/SEDs and the Learning & Development Working Group. The completion of all mandatory training by staff is also a requirement of the ANAO Performance and Career Development Policy and Procedures. Staff are required to confirm they have completed all mandatory training when recording the outcomes of their end of cycle discussions with their manager. Staff who have not completed all mandatory training are not able to complete the annual performance cycle.
- Measuring Maturity: This measures the maturity of the Risk Management Framework against the Comcover Benchmarking Survey and the APSC Employee Census results.
6.3.3 Insurance
When conducting the annual review of the ERR, the ANAO also reviews organisational insurance arrangements with Comcover. This is an integral part of the review process and includes consideration of any insurance claims made during the preceding period.
7. Roles and responsibilities
Key roles and responsibilities for the management of risk are shown in the table below.
| Position | Roles and Responsibilities |
| --- | --- |
| Auditor-General | |
| Deputy Auditor-General (Chief Risk Officer) | |
| Senior Executive Director Corporate Management Group (SED CMG) | |
| Group Executive Directors (GEDs) and Senior Executive Directors (SEDs) | |
| Executive Directors (EDs) (Signing officers) | |
| Audit Managers | |
| Professional Services and Relationships Group | |
| Chief Finance Officer | |
| Senior Director, Corporate Strategy and Change | |
| Risk owners | |
| All staff (including contractors and outsourced service providers) | |
| Audit Committee | |
| Internal Audit | |
8. Key Terms
The following terminology applies throughout the Risk Management Framework and reflects both the ISO 31000:2018 Standards and ANAO vocabulary.
| Term | Definition |
| --- | --- |
| BAU | Business as usual operations, in reference to all ongoing operational activities. |
| Consequences | Outcome of an event affecting objectives (ISO 31000:2018). |
| Control | Measure that maintains and/or modifies risk (ISO 31000:2018). |
| Event | Occurrence or change of a particular set of circumstances (ISO 31000:2018). |
| Enterprise Risk | Overarching risks, derived from considerations associated with the ANAO’s purpose, delivery expectations and resource requirements. |
| Risk Assessment | The process of risk identification, risk analysis and risk evaluation. |
| Issue/Incident | An event that has occurred and has taken the ANAO outside its tolerances/risk appetite. |
| Likelihood | Chance of something happening (ISO 31000:2018). |
| Mitigation | Measures or actions that effect a change in the impact or the likelihood of a risk event. |
| Operational Risk | A risk that may eventuate within the ANAO’s operations and control. |
| Risk | The effect of uncertainty on objectives (ISO 31000:2018). |
| Risk Acceptance | An informed decision to accept the consequences and the likelihood of a particular risk. |
| Risk Analysis | A process to comprehend the nature of risk and to determine the level of risk (AS/NZS ISO 31000:2009). |
| Risk Avoidance | An informed decision to withdraw from, or to not become involved in, a risk situation. |
| Risk Identification | Process of finding, recognising and describing risks (AS/NZS ISO 31000:2009). |
| Risk Management | Coordinated activities to direct and control an organisation with regard to risk (ISO 31000:2018). |
| Risk Owner | Person or entity with the accountability and authority to manage a risk (AS/NZS ISO 31000:2009). |
| Risk Register | A repository for recording each risk and its attributes, evaluation and treatments. |
| Risk Source | Element which alone or in combination has the intrinsic potential to give rise to risk (AS/NZS ISO 31000:2009). |
| Risk Treatment | Process to modify risk (AS/NZS ISO 31000:2009). |
| Shared Risk | A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk (Commonwealth Risk Management Policy). |
| Stakeholder | Person or organisation that can affect, be affected by, or perceive themselves to be affected by, a decision or activity (ISO 31000:2018). |
| Strategic Risk | A risk that may eventuate outside of the ANAO’s control with consequences for the ANAO achieving its purpose and objectives. |
Appendices
Appendix 1 Enterprise Risk Register
| Risk | Category | Risk rating | Risk tolerance | Risk accepted Y/N | Risk Mitigation Plan |
| --- | --- | --- | --- | --- | --- |
| 1. The ANAO’s capacity for independent reporting is reduced. | Strategic/Legislative | Low | Low | Yes | |
| 2. Parliament questioning the ANAO’s ability to execute its mandate. | Strategic/Stakeholder relationship | Medium | Medium | Yes | |
| 3. The ANAO is unable to deliver expected targets (in accordance with Parliament’s expectation and established performance measures). | Strategic/Stakeholders | High | Medium | Yes | |
| 4. The ANAO issues an incorrect audit opinion or an audit opinion not supported by sufficient evidence. | Operational/Compliance/Quality | High | Low | Yes | |
| 5. Entities not fully cooperating with the ANAO. | Operational/Compliance | Low | Low | Yes | |
| 6. ANAO unable to meet resourcing requirements. | Operational/Business Continuity | High | Medium | Yes | |
| 7. ANAO staff behave inconsistently with ANAO values and behaviours. | Operational/Compliance | Low | Low | Yes | |
| 8. ANAO failing to protect sensitive information resulting in access by unauthorised parties and/or loss of data. | Operational/Security | Low | Low | Yes | |