The objective of the Risk Framework and associated programs of risk management activities is to support effective risk management across all ANAO operations.

1. ANAO Risk Management Policy 2025–27

The purpose of the Australian National Audit Office (ANAO)1 is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.

Understanding, adapting, and responding to changes in our operating environment is critical to delivering on the ANAO’s purpose. To respond to these changes within our environment, and enable considered decision-making, we must identify, assess, and manage current and emerging risks. Effective risk management is fundamental to achieving our purpose and improving our performance — and is the responsibility of all ANAO employees.

Risk management plays an important role in shaping the ANAO’s strategic direction — it informs evidence-based decision-making and is embedded into our business-as-usual practices. The ANAO also recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented — to guide risk allocation appropriately. To support risk management across the organisation, the ANAO has formalised its approach to managing risk in the ANAO Risk Management Framework (RMF).

The RMF complies with the Commonwealth Risk Management Policy (CRMP)2 and adopts elements of International Standard 31000 – Risk Management (ISO 31000:2018). ISO 31000 defines risk as ‘the effect of uncertainty on objectives’. In the context of the ANAO, this is the possibility of an event or activity having an adverse impact to such an extent that it prevents the ANAO from achieving its purpose and outcomes.

The RMF specifies why we undertake risk management and explains how ANAO employees are expected to do so. The RMF integrates risk management practices into governance practices; informal and formal decision making; business-as-usual and audit activities; and within the ANAO’s strategic business planning, policy advice, and project management.

Overall, the ANAO has a low risk appetite in its business-critical activities. The RMF is reviewed biennially, while our Enterprise Risk Register (ERR) acts as a ‘live’ document which is regularly updated to reflect our risks and operating environment. The RMF and the ERR are regularly reported on to the Executive Board of Management (EBOM), ANAO subcommittees, and the Audit Committee. The ANAO’s ongoing approach to monitoring risk enables the Executive to implement mitigation plans and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.

The RMF facilitates proactive engagement with enterprise and operational risks and supports a positive ANAO risk culture which is reinforced by the ANAO’s values of excellence, integrity and respect.

Dr Caralee McLiesh PSM

Auditor-General

2. Overview of ANAO Risk Management Documents

2.1 ANAO Risk Management Framework

The purpose of the ANAO RMF is to set out how risk management is embedded across the ANAO for all business operations and decision-making. The RMF also outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. The RMF assists the Auditor-General to meet the requirements set out in section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the CRMP.

2.2 ANAO Risk Management Policy

The ANAO Risk Management Policy (the Policy) defines our organisational approach to risk management and links the RMF to our purpose, strategic planning framework and objectives. The Policy also defines the ANAO’s risk appetite and risk tolerance and recognises the fundamental link between the nature of auditing and risk management — where auditing is about applying risk thinking to what is being presented to guide resource allocation appropriately.

The policy is endorsed by the Auditor-General.

2.3 ANAO Enterprise Risk Register

The RMF is supported by the Enterprise Risk Register (ERR). The ERR identifies, outlines, and assesses relevant strategic and operational risks of the ANAO. The ERR is a ‘live document’ and is updated regularly to reflect the current risk mitigation and control framework. The Corporate Management Group (CMG) maintains the ERR on behalf of EBOM. The latest endorsed version of the ERR is published on the ANAO website.

2.4 ANAO Risk Analysis Tools

The ERR is supported by the ANAO’s Risk Analysis Tools. The tools outline a Risk Evaluation Matrix which uses two additional assessment tools (consequence rating scale and likelihood analysis scale) to assist in the classification of the assigned risk rating of each risk within the ERR. The risk evaluation matrix applies a rating based on the analysis of likelihood and consequence. The ANAO Risk Analysis Tools are published on Audit Central.

3. The ANAO Risk Management Framework

The ANAO RMF — incorporating the Policy and the ERR — enables the ANAO to identify, respond to, and manage risk.

The RMF describes how risk management is embedded across the ANAO for all business operations and decision-making — across all levels of staff. It outlines the relevant components and arrangements that enable the ANAO to design, implement, monitor, review and continually improve risk management across the organisation. In accordance with the CRMP, the RMF includes:

  • a summary of the ANAO’s approach to risk management;
  • details on the application of the RMF (including the ANAO’s risk appetite and tolerance);
  • details on how the ANAO manages shared risks;
  • details on the ANAO’s strong and positive risk culture;
  • details on the management of the RMF; and
  • a summary of the key risk management roles and responsibilities.

3.1 Consultation

The RMF, the Policy, and the ERR have been developed in consultation with:

  • EBOM members and other ANAO Senior Executive Staff;
  • ANAO governance committees (see Figure 1); and
  • key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor.

The consultation methodologies applied within the RMF align with the requirements of ISO 31000.

3.2 Risk Management Contact Officer

Any queries about the ANAO’s risk management arrangements should be directed to the Senior Director, Governance in the first instance at governance@anao.gov.au.

4. ANAO Approach to Risk Management

4.1 Purpose, environment, and context

Risk management within the ANAO is one of our core strengths, supported by multi-level and internal review across all major audits, procurements, and projects. Risk management is integrated into our governance structure, including through our subcommittees. The chair of each subcommittee ensures that risks relevant to the subcommittee’s responsibilities are sufficiently managed, analysed, captured, reported, and efficiently escalated (as required) to the Auditor-General.

EBOM continually monitors the environment in which the ANAO operates, adjusting the ANAO’s risk appetite and risk tolerance as necessary. EBOM also reviews and updates enterprise risk ratings as required to reflect changes to the likelihood and consequence ratings of each risk. The ANAO’s ongoing approach to monitoring risk enables EBOM to implement risk mitigation plans. Risk mitigation plans strengthen existing controls and introduce additional controls to bring enterprise risks rated above our tolerance levels back to an acceptable level.

The Audit Committee, supported by the ANAO’s internal audit function, receives all internal audit reports and directs senior leaders to provide information (as necessary) to ensure and satisfy itself that risk is being actively managed. The Audit Committee provides independent advice and reports directly to the Auditor-General.

The Auditor-General takes the advice of EBOM and the Audit Committee, establishes the ANAO’s risk appetite and risk tolerance, and oversees implementation of the RMF. Operational risk management occurs in line with the defined roles and responsibilities outlined in the RMF, while the ERR contains owners and tolerances for each identified enterprise-level risk. All ANAO staff have a general responsibility to practise active risk management. Staff are supported by mandatory risk management training which is completed on commencement with the ANAO and annually thereafter.

The importance of risk management to good governance is underpinned by the accountability provisions applying to the ANAO under the PGPA Act. Key aspects of the ANAO’s governance and risk management environment are:

  • section 16 of the PGPA Act, which requires the ANAO to establish and maintain appropriate governance systems and internal controls for the oversight and management of risk;
  • the Commonwealth Risk Management Policy (2023);
  • the ANAO Protective Security Policy Framework;
  • the ANAO’s Corporate Plan and Annual Performance Statements (sections 35 and 39 of the PGPA Act);
  • the Auditor-General Instructions and delegations (sections 20A and 110 of the PGPA Act);
  • organisation-wide (enterprise/strategic) plans, including the:
    • ANAO Audit Manual;
    • Business Continuity Plan;
    • Workforce Plan;
    • Work Health and Safety (WHS) Plan;
    • Fraud and Corruption Framework;
    • Group Business Plans; and
  • individual performance agreements.

4.2 Risk management and the strategic planning framework

The ANAO considers that effective management of risk is integral to achieving its purpose. Risk management is embedded within the ANAO’s strategic planning framework.

Figure 1: ANAO’s strategic planning framework


All elements of the ANAO’s strategic planning framework include a consideration of the ANAO’s risk appetite and risk tolerance. Understanding the ANAO’s risk appetite and risk tolerance is critical to setting the risk management tone within the ANAO’s enabling frameworks, comprising policies, procedures and other guidance materials. The ANAO uses a clear and consistent tone to support staff to understand the relationship between the strategic planning framework and their individual roles and responsibilities in managing risk through effective decision-making.

4.3 ANAO governance structure and other risk-related documents

The Auditor-General takes advice from EBOM on the RMF, the ERR, and in determining the ANAO’s risk appetite and risk tolerance. The RMF identifies specific responsibilities for key positions (primarily senior executive staff) across the ANAO, while the ERR assigns risk control owners for each enterprise risk. In addition, all ANAO staff have a general responsibility to practise active risk management and support a positive risk culture.

The Professional Services Group and the audit service groups have primary responsibility for managing audit risk, in accordance with the ANAO Audit Manual. Each individual audit work plan assesses audit and operational risks and mitigation strategies, and risk is reassessed throughout the audit. Responsibility for managing audit and operational risk is assigned to the responsible engagement executive.

ANAO governance committees

The ANAO’s governance structure and practices support the Auditor-General in the effective oversight of the organisation in delivering its purpose.

In practice, EBOM ensures organisational accountability and transparency through oversight of its subcommittees. All subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis (as outlined within subcommittee terms of reference). ANAO subcommittees are required to be aware of and consider enterprise level risks through the ANAO’s ERR, in accordance with the RMF. Committees report to EBOM through summary reports and meeting minutes.

Audit Committee

The Audit Committee provides independent advice to the Auditor-General, including reviewing the appropriateness of the ANAO’s financial and performance reporting, systems of risk oversight and management, and systems of internal control.

Corporate Plan and Annual Report

The Corporate Plan is the ANAO’s primary planning document and sets out how we will achieve our purpose over a four-year period. The Corporate Plan is complemented by the annual audit work program, which reflects the ANAO’s audit strategy and deliverables for the coming financial year.

The Corporate Plan articulates the purpose of the ANAO and the environment within which the ANAO operates. It outlines our intended capability investments, including the plans and strategies we will implement to achieve our purpose. The plan also details the planned activities and performance of the ANAO, including the measures we use to assess our performance. It also provides an overview of the ANAO’s risk oversight and management systems.

The Corporate Plan is regularly considered as a part of the risk analysis process. Consulting the Corporate Plan allows the setting of realistic delivery timelines for strategies and key deliverables against the broader view of our operating environment. The ANAO reports on its performance annually via its Annual Report.

ANAO Audit Manual and policies

Risk management within ANAO audits is governed by the ANAO Auditing Standards. The requirements under these standards are adopted into audit work through policies contained in the ANAO Audit Manual.

For the ANAO, independence is central to the quality of each audit. Independence is both institutional and individual. It reflects the position of the Auditor-General (and the ANAO) as set out in the Auditor-General Act 1997. It requires the avoidance of circumstances that could compromise any member of the audit team’s actual and perceived ability to act with integrity and exercise objectivity and professional scepticism. The ANAO Auditing Standards and the ANAO Independence Policy require staff and contractors engaged in audits to comply with the relevant provisions of the Accounting Professional & Ethics Standard Board APES 110 Code of Ethics for Professional Accountants relating to independence.

The ANAO’s commitment to high ethical and professional standards underpins the quality of its work. Any threat to independence must be evaluated and safeguards applied to reduce the threat to an acceptable level.

ANAO Fraud and Corruption Strategy and Fraud and Corruption Framework

The Auditor-General has statutory responsibilities under the PGPA Act and section 10 of the Public Governance, Performance and Accountability Rule 2014 (the Fraud and Corruption Rule) to establish and maintain an appropriate system of fraud and corruption control for the ANAO.

The ANAO Fraud and Corruption Strategy and Fraud and Corruption Framework define the ANAO’s principles of effective fraud and corruption control, key roles and responsibilities, and how the ANAO expects to mitigate and manage fraud and corruption risks. The Strategy and Framework describe the ANAO’s approach to preventing, detecting, and responding to fraud and corruption, and how we evaluate our control measures and response. The ANAO has a zero-tolerance for fraud and corruption.

The ANAO’s fraud and corruption control arrangements are a critical component of the ANAO RMF.

4.4 Embedding risk management

The ANAO’s management of risk is embedded into existing business processes (including business-as-usual practices) by using consistent language, approaches, and documentation. The application and embedding of risk management across the ANAO is supported by the following documents:

  • ANAO Audit Manual and Auditing Standards, including the Independence Policy;
  • ANAO Quality Framework and plan;
  • ANAO Parliamentary Engagement Strategy;
  • ANAO Procurement Policy;
  • ANAO Work Health and Safety Policies;
  • ANAO Protective Security Policy Framework;
  • ANAO Integrity Framework;
  • ANAO Business Continuity Management Planning Guidelines; and
  • ANAO Fraud and Corruption Framework.

5. Application of the Risk Management Framework

5.1 Applying the RMF

Risks need to be managed in the context of achieving organisational objectives and should include consideration of positive aspects of risk management (opportunities) as well as negative aspects (threats).

The RMF is the primary source of guidance for staff in managing operational risk. The RMF has been designed to support staff to:

  • understand how the ANAO identifies, responds to, and manages risk;
  • understand the connection between the Policy and Framework, ERR and Risk Analysis Tools; and
  • understand, accept, and manage risk as part of their everyday decision-making processes.

Defining the ANAO’s risk appetite and tolerance (including Risk Appetite Statement)

Risk appetite is the amount of risk an entity is willing to accept or retain to achieve its objectives. It is a statement or series of statements that describes the entity’s attitude towards risk taking. The ANAO’s risk appetite is captured within the Policy and the ANAO’s Risk Appetite Statement. Both elements capture what the ANAO’s Executive consider to be acceptable risk-taking.

The ANAO has a low risk appetite in relation to matters that directly impact the reputation of the office and our ability to support the Parliament effectively. These matters include quality, non-compliance and maintaining independence.

The ANAO has a medium risk appetite towards matters that have the potential to improve our efficiency and effectiveness without compromising integrity, quality and the delivery of the ANAO’s purpose.

Risk tolerance is the level (or levels) of risk taking acceptable to achieve a specific objective or manage a category of risk. Risk tolerance represents the practical application of risk appetite and is typically aligned to categories of risk such as strategy, financial, people or reputation.

While risk appetite usually involves qualitative statements, risk tolerance operationalises the statements by using quantitative measures where possible, to better enable monitoring and review. Risk appetite sets the tone for risk taking in general, whilst risk tolerance informs:

  • expectations for mitigating, accepting and pursuing specific types of risk;
  • boundaries and thresholds of acceptable risk taking; and
  • actions to be taken, or consequences, for acting beyond approved tolerances.

The ANAO’s risk tolerance is captured within our ERR, against our strategic and operational risks.

Variations in risk rating and risk tolerance within the Enterprise Risk Register

EBOM recognises that, in some instances, within the ERR there may be overall risk evaluations that result in the risk rating being higher than the established risk tolerance.

Where the risk rating is higher than the risk tolerance within the ERR — the EBOM must consider this variation and, if accepted, both the agreement and risk treatment must be documented within the EBOM minutes.


ANAO Risk Appetite Statement

The purpose of the ANAO is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament and thereby contribute to improved public sector performance.

The Parliament and public sector have high expectations of us. Effectively engaging with and managing risk is central to achieving our purpose, and key to meeting parliamentary and community expectations.

Our risk appetite is the level and type of risk we are willing to accept to achieve our objectives. It describes our attitude towards risk taking and helps us to understand what constitutes acceptable risk taking in our day-to-day work and in achieving our strategic priorities.

At the ANAO, we have determined that our appetite for risk is low for matters relating to the reputation of the office and our ability to support the Parliament effectively and medium for matters that have the potential to improve our efficiency and effectiveness. We recognise that in some circumstances it is not possible or desirable to eliminate all risk and through accepting some degree of risk we can seize opportunities, promote efficiencies and support innovation.

5.2 Understanding the Enterprise Risk Register and Risk Analysis Tools

The RMF is supported by the ERR, which contains the relevant strategic and operational risks of the ANAO. The ERR displays the risk; category of risk (i.e., strategic, operational, legislative, etc.); causes; controls; control owner; likelihood rating; consequence rating; risk rating; risk tolerance; risk acceptance — and, where necessary, risk mitigation plan and risk mitigation plan owner. The ERR is supported by the ANAO Risk Analysis Tools. The tools provide:

  • a five-by-five assessment risk evaluation matrix (aligned to the ANAO’s operating environment);
  • a consequence rating scale (qualitative tool), likelihood analysis (quantitative tool) and control effectiveness analysis; and
  • a guide to determine the appropriate action required (including reporting requirements) based on risk evaluation matrix.

The ERR assigns control owners who are responsible for reporting to EBOM, the Chief Risk Officer and the Auditor-General on a schedule determined by, and in accordance with, the severity of the risk rating.

5.3 Identifying and treating risk

Risk identification

The aim of risk identification is to develop a comprehensive list of events that may occur and, if they do, are likely to have an impact on the objectives of the ANAO. Risk identification includes an initial risk assessment, followed by an initial risk analysis.

Risk assessments identify risks by using a combination of established methods, which may include (but are not exclusive to) environmental scanning, consultation, and root cause analysis. The RMF requires that risk assessments be undertaken in all key activities including when:

  • planning and conducting audits, including reporting to the Parliament;
  • assessing specific work health and safety implications or concerns;
  • conducting high value procurement activities3;
  • undertaking major or significant projects;
  • undertaking business continuity and disaster recovery planning; and
  • assessing protective security requirements.

The main objective of risk analysis is to separate the minor acceptable risks from the major ones, and to provide data to assist in the assessment, evaluation, and treatment of the risk. Controls are embedded within current business processes and are identified as part of the risk evaluation process. Controls should evidence their ability to effectively modify the risk.

Following a risk analysis, the risk rating determines the risk owners and required reporting obligations (Table 1). The risk owner is then responsible for deciding if a formal assessment is required and if so, which methods and information will be relied on. The risk owner is also responsible for ensuring the assessment is documented, control owners identified, and any mitigating risk treatments applied.

Risk treatment

Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment has been implemented it becomes a control. Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits.

Where risk treatment options impact stakeholders, those stakeholders will be involved in the decision-making process. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented. Common risk treatment options include but are not limited to avoid; remove the source; change probabilities; modify the consequences; increase to pursue an opportunity; retain via informed decision; and share the exposure. Additional risk treatment options for audits, including audit-specific risk controls and risk monitoring may also be used to treat audit risks.

While all staff contribute to the way risks are managed, senior staff in key positions are expected to have a clear view of the risk treatment (where applied) and its effectiveness in operation.

Table 1: Risk rating, actions, and risk owners

Risk rating: Extreme
Action required: Unacceptable level of risk; the activity should stop immediately while a mitigation plan is developed. Requires immediate escalation to EBOM. A mitigation plan owner is assigned, with weekly reporting to the risk owner on control effectiveness and mitigation plan/s.
Risk owner: Auditor-General

Risk rating: High
Action required: Acceptable level of risk, providing controls are in place to reduce the risk to as low as possible. Allocated to a control owner, with monthly reporting to EBOM on control assurance or mitigation plan/s. Reports are also provided to the Audit Committee for noting.
Risk owner: Deputy Auditor-General

Risk rating: Medium
Action required: Risk managed by an established, tailored control regime and reported quarterly to EBOM.
Risk owner: Group Executive Directors

Risk rating: Low
Action required: Risk managed by routine controls and reviewed annually or after significant change.
Risk owner: All staff and contractors

6. Shared Risks

In the ANAO RMF, shared risks refer to those risks that extend beyond a single entity, requiring collaborative effort of shared oversight and management.

The ANAO delivers capacity-building activities to the Audit Board of the Republic of Indonesia (BPK) and the Auditor General’s Office of Papua New Guinea (AGO) in partnership with the Department of Foreign Affairs and Trade (DFAT). Risks related to these activities are shared with DFAT and managed through regular meetings; joint committees; advice and updates on any potential security risks to the ANAO’s deployed staff; and DFAT’s engagement of in-country security service providers.

The data requirements for audits mean that the ANAO needs to work with agencies on shared risks related to the protection, management and access to their data for which ANAO becomes the custodian.

For example, the ANAO utilises the ICT infrastructure — which is located within the ANAO’s offices — of certain entities to facilitate the secure storage and transmission of security-classified information and data. This approach gives these entities confidence that their information is being handled appropriately and minimises the risk to the ANAO that classified information is improperly stored or transmitted.

Additionally, situations may arise where other entities detect threats or concerns that also relate to the ANAO. If there is an instance when a security vulnerability has been detected in a system common to another agency and the ANAO, collaboration may occur to find suitable risk treatments where our business impacts align.

Shared risks are agreed and documented, and reviewed regularly to ensure risk treatments remain fit-for-purpose.

The Auditor-General and the ANAO engage with other jurisdictions’ Auditors-General on risks in the public sector environment which may impact on the successful delivery of audit mandates. The ANAO identifies factors with potential to change its operating environment, preparing anticipatory responses where changes will affect the way the ANAO operates. These changes include those impacting accounting and audit standards. Being an active member of associations such as the Australasian Council of Auditors-General (ACAG) and the International Organisation of Supreme Audit Institutions (INTOSAI) helps manage this risk in a shared manner, whilst providing many ancillary benefits for cross-jurisdictional learning and collaboration.

7. Risk Culture

7.1 Overview

Risk culture refers to the shared attitudes, values and behaviours that characterise how an entity considers risk in its day-to-day activities. The ANAO aims to foster a positive risk culture characterised by an open and active approach to managing risk. It considers both ‘threat’ and ‘opportunity’ and enables all ANAO staff to appropriately identify, assess, communicate, and manage risk.

Senior management and staff with specific risk management roles and responsibilities under the ANAO RMF are responsible for supporting a positive risk culture through initiatives and processes. All senior staff should actively provide feedback through normal reporting channels on external interactions with key stakeholders regarding areas of potential risk. It is important that all staff (including contractors) understand, accept, and manage risk as part of their everyday decision-making processes.

Figure 2 outlines the initiatives undertaken by the ANAO to foster a strong and positive risk culture and the associated responsibilities of all staff in supporting this culture.

Figure 2: Attributes of a strong and positive risk culture


Commonality of purpose, values and ethics

The extent to which an employee’s individual interests, values and ethics are aligned with the organisation’s risk strategy, appetite, tolerance and approach.

ANAO actions:

  • Demonstrate strong risk leadership and commitment
  • Establish the ANAO Risk Management Framework

Staff responsibilities:

  • Understand the ANAO Risk Management Framework
  • Be alert to new risks / open to reassessing current risks

Universal adoption and application

Whether risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organisation.

ANAO actions:

  • Establish policies that are integrated into operations
  • Outline staff responsibilities and accountability

Staff responsibilities:

  • Understand existing ANAO policies and operations
  • Understand individual roles and responsibilities

A learning organisation

How and if the collective ability of the organisation to manage risk more effectively is continuously improving.

ANAO actions:

  • Provide ongoing training
  • Continuously review, monitor and improve risk management approaches

Staff responsibilities:

  • Attend training
  • Maintain a culture of risk awareness and support the monitoring of risks

Timely, transparent and honest communications

People are comfortable talking openly and honestly about risk, evaluating risks, and using common risk vocabulary that promotes shared understanding.

ANAO actions:

  • Provide consistent and clear messaging on risk
  • Invite feedback on risk management and approaches

Staff responsibilities:

  • Keep up to date with important risk messaging
  • Escalate risks and provide feedback on risk approaches

7.2 Maintaining a culture of risk awareness

All staff and contractors should be familiar with the ANAO’s approach to risk management — including the risks identified in the ERR. All staff and contractors should continuously scan their environment for new risks and reassess existing risks relative to their environment. In the first instance, staff should raise any suggestions relating to new or identified risks with their executive director and/or CMG — who will liaise with the appropriate risk owner as necessary.

7.3 Mandatory and refresher training

All staff are required to complete mandatory risk management training. A focus of this training is to improve awareness and identification of the differences between the risk to achieving the ANAO’s corporate plan objectives and the risks impacting the agencies being audited. An eLearning module on risk management is available to all staff and must be completed annually. This module can be accessed at any time as an introduction or refresher of the RMF.

CMG can provide face-to-face training for staff undertaking risk management duties or performing a risk assessment (formal or informal). Additional training on audit specific risks will be mandatory for auditors upon commencement in the role and every year thereafter on a refresher basis.

8. Managing the Framework

8.1 Reporting processes

Reporting is a critical part of the RMF. Reporting provides EBOM with awareness of how the ANAO is progressing against risk management objectives and supports managers to make informed decisions. Reporting on enterprise risks primarily occurs through EBOM subcommittees. All EBOM subcommittees provide oversight to specific areas of strategic operations and are responsible for identifying and managing risk on an ongoing basis. ANAO subcommittees manage enterprise level risks through the ANAO’s ERR and in accordance with the RMF. Subcommittees report to EBOM through summary reports and meeting minutes. This reporting is supported by regular reviews of the ERR.

Risks rated as ‘High’ or above and strategic category risks are monitored by EBOM and the Audit Committee. The risk owners have responsibility for monitoring reports and directing resources to risk mitigation strategies and integrating these into existing processes. CMG coordinates high-level reporting on the ERR and the progress of risk mitigation strategies.

The management of audit risk is governed by audit standards and the Audit Manual. Compliance with the ANAO audit standards and the Audit Manual is reviewed as part of regular quality assurance processes that are considered at the Quality Committee and through to the EBOM. The ANAO Quality Report is published annually on the ANAO website — the report’s purpose is to demonstrate the ANAO assessment of the implementation and operating effectiveness of the elements of the ANAO Quality Assurance Framework and plan.

Internal Audit undertakes a rolling program of audits and provides insights into risk management within the audit reports prepared for the Audit Committee.

8.2 Monitoring processes

The ANAO takes an integrated approach to the monitoring of risks across the organisation, building the monitoring of risks into existing business processes and ANAO enabling frameworks (i.e., policies, procedures, and guidance materials). Risks are continually monitored by EBOM, the Audit Committee, governance subcommittees and ANAO staff in alignment with the ANAO governance structure and with the key roles and responsibilities outlined within the RMF.

8.3 Review and evaluation processes

To ensure that the RMF is maintained in accordance with the CRMP, it requires ongoing monitoring and review.

Reviews of the RMF ensure that:

  • the Policy and the ERR are reflective of the ANAO’s internal and external environment;
  • the risk management practices are effective;
  • reports provide the information necessary for decision making and continuous improvement; and
  • risk management continues to effectively contribute to achieving the ANAO’s purpose.

A full review of the RMF (including risk appetite and risk tolerance) is conducted every two years — and includes a review of the Policy, the RMF and the ANAO Risk Analysis Tools. The ERR (including strategic and operational risks) is reviewed annually. There is a mid-year review by EBOM of the effectiveness of controls implementation.

Review processes related to risk are coordinated by CMG, in consultation with Senior Executive Staff — including the EBOM; Chief Risk Officer; ANAO governance committees; Audit Committee; and key representatives from stakeholder groups representing quality control, professional development, human resources, and the agency security advisor.

Evaluating the RMF

The ANAO is committed to continuous improvement. Evaluating the RMF (and related documents such as the Policy, Risk Analysis Tools and the ERR) is a key component of the review process.

Evaluations focus on whether the documents are:

  • compliant with the mandatory requirements in the PGPA Act and CRMP;
  • achieving their intended purpose;
  • being implemented as planned; and
  • changing the culture and behaviours as expected.

Evaluations are supported by data gathered through the APSC Employee Census, reporting to EBOM, governance subcommittees, and through the reviewing of internal audit outcomes.

Assessing risk management performance

The measurement of risk management performance involves two key activities — measuring compliance and measuring maturity.

  • Measuring Compliance: This provides assurance that staff are complying with the Risk Management Policy directives (assisted by internal audits into compliance). A report on the percentage of staff who have completed mandatory training is generated by CMG at the end of each month and is provided to all GEDs and the Learning & Development Working Group. The completion of all mandatory training by staff is also a requirement of the ANAO Performance and Career Development Policy and Procedures. Staff are required to confirm they have completed all mandatory training when recording the outcomes of their end of cycle discussions with their manager. Staff who have not completed all mandatory training are not able to complete the annual performance cycle; and
  • Measuring Maturity: This measures the maturity of the RMF against the Comcover Benchmarking Survey and the APSC Employee Census results.

Insurance

When conducting the annual review of the ERR, the ANAO also reviews organisational insurance arrangements with Comcover. This is an integral part of the review process and includes consideration of any insurance claims made during the preceding period.

9. Roles and Responsibilities

Key risk management roles and responsibilities are shown in the table below.

Position

Roles and responsibilities

Auditor-General

  • Overall responsibility for establishing and maintaining the ANAO’s RMF.
  • Approves the RMF.
  • Defines risk appetite and tolerance every two years or as required.
  • The risk owner for ‘extreme’ risks and associated mitigation plans.
  • Considers risks as part of corporate planning processes.
  • Receives reporting on the control environment for enterprise risks and risk mitigation plans.
  • Demonstrates and promotes a risk management culture.

Deputy Auditor-General

(Chief Risk Officer)

  • The risk owner for ‘high’ risks and associated mitigation plans.
  • Provides reporting on the control environment for enterprise risks and risk mitigation plans.
  • Regularly monitors risks as part of a standing agenda item for governance committees.
  • Supports the Auditor-General and the Audit Committee in their risk management roles and responsibilities.
  • Leads the design, implementation and embedding of risk policies and frameworks within the ANAO.
  • Demonstrates and promotes a positive risk management culture through communication and consultation.
  • Oversees the continuous improvement of risk management capability and awareness across the ANAO.

Chief Operating Officer Corporate Management Group

(COO CMG)

  • Supports the Executive (including Auditor-General, Deputy Auditor-General and EBOM) in their risk management roles and responsibilities.
  • Facilitates the monitoring of control effectiveness.
  • Maintains the ERR on behalf of EBOM.
  • Maintains a risk reporting framework to enable regular reporting of key risks, and the management of those risks, to senior management.
  • Ensures risk management is incorporated into internal staff training programs.
  • Monitors the completion of mandatory training for all staff.
  • Ensures that the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence.

Group Executive Directors

  • The risk owner for ‘medium’ risks and associated mitigation plans.
  • Supports the review of the ANAO Risk Management documents including: ANAO Risk Policy, RMF, ERR and Risk Analysis Tools.
  • Maintains key responsibilities in the ‘controls’ which are detailed within the ERR.
  • Supports the implementation and embedding of risk policies and frameworks within the ANAO through leadership.
  • Promotes a positive risk management culture throughout the ANAO.
  • Oversees the continuous improvement of risk management capability and awareness across the ANAO.

Executive Directors

(EDs)

(Signing officers)

  • Ensures that appropriate risk management practice is an integral part of audit program activity and certifies that requirements of the RMF have been met in the conduct of the audit.
  • Ensures implementation of controls within their branch and/or areas of responsibility.

Audit Managers

  • Promotes a positive risk management culture within the service group/branch.

Professional Services Group

  • Provides quality assurance services that ensure audits comply with risk requirements of the Audit Manual.
  • Assesses emerging risks identified across quality assurance reviews in line with the risk management framework.

Chief Finance Officer

  • Supports COO CMG to ensure that the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence.
  • Reviews the Fraud Control Framework for compliance with PGPA Act requirements.

Senior Director, Governance

  • Day-to-day management of risk on behalf of COO CMG.
  • Develops and maintains the key documents associated with risk including the Policy, RMF, ERR and Risk Analysis tools.
  • Conducts a review of the RMF every two years and an annual (or as-needs-basis) review of the ERR.
  • Coordinates reporting for governance committees on identified risks.
  • Provides targeted support (including training options) to areas with high-risk exposure.

Risk owners

  • The risk owner is the person assigned the responsibility for the day-to-day management of a risk, including completing a formal risk assessment on identified risks.
  • Risk owners are responsible for the overall coordination of the management of the risk, including:
    • Providing assurance that controls are effective.
    • Ensuring that mitigation plans are progressing into controls.
    • Monitoring the environment to identify any indicators that the risk might eventuate.
    • Reporting as required under the RMF.

All staff

(including contractors and outsourced service providers)

  • The risk owner for ‘low’ risks and associated mitigation plans.
  • Understands and adheres to all procedural and policy guidance relevant to the role they are performing.
  • Reports incidents to managers as they become aware of them.
  • Understands the risks being managed in their area of operation either through direct identification and assessment, or by gaining an understanding of the relevance of activities to risk management from their manager.
  • Required to undertake and complete all mandatory training as determined by the ANAO.

Audit Committee

  • Reviews whether there is a current and comprehensive risk management system in place including associated procedures for effective identification and management of strategic and operational risks.
  • Determines whether a sound and effective approach has been followed in establishing business continuity planning arrangements, including whether business continuity and disaster recovery plans have been periodically updated and tested.

Quality Committee

  • Assesses emerging risks identified across audits in line with the RMF.

Internal Audit

  • Performs in-depth reviews on key controls mitigating enterprise level risks reporting to the Audit Committee and EBOM.
  • Includes a risk management focus in all audits where risks are being managed, and assesses the management of those risks against the RMF.
  • Provides a means through which EBOM can monitor the application of the RMF across major projects and procurements.

10. Key Terms

The following terminology applies throughout the RMF and reflects both the ISO 31000:2018 Standards and ANAO vocabulary.

Term

Definition

BAU

Business as usual operations in reference to all ongoing operational activities.

  • This term does not provide an assessment of the activities but refers to the ongoing regular or automated application of processes, guidance, and instruction.

Consequences

Outcome of an event affecting objectives (ISO 31000:2018).

  • A consequence can be certain or uncertain and can have positive or negative, direct, or indirect effects on objectives.
  • Consequences can be expressed qualitatively or quantitatively.
  • Any consequence can escalate or decline in impact severity over time.

Control

Measure that maintains and/or modifies risk (ISO 31000:2018).

  • Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions that maintain and/or modify risk.
  • Controls may not always exert the intended, or assumed, modifying effect.

Event

Occurrence or change of a particular set of circumstances (ISO 31000:2018).

  • An event can have one or more occurrences and can have several causes and several consequences.
  • An event can also be something that is expected and which does not happen, or something that is not expected which does happen.
  • An event can be a risk source.

Enterprise Risk

Overarching risks, derived from considerations associated with the ANAO’s purpose, delivery expectations and resource requirements.

Risk Assessment

The process of risk: identification, analysis, and evaluation.

  • Can be formal or informal. Informal assessments are typically undertaken by subject matter experts and decision makers when considering the governance which a decision may require.
  • Involves an assessment of risk events to determine required response.

Issue/Incident

An event that has occurred and has taken the ANAO outside its risk tolerances or risk appetite.

Likelihood

Chance of something happening (ISO 31000:2018).

  • Likelihood refers to the chance of something happening. It can be defined or measured objectively or subjectively, qualitatively, or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

Mitigation

Measures or actions that effect a change on the impact or the likelihood of a risk event.

  • Risk treatments are typically referred to as mitigations and the terms are used interchangeably: a risk treatment plan and a risk mitigation plan both aim to effect a change on the impact or likelihood.
  • When a treatment or mitigation has been deployed as planned it becomes a control.

Operational Risk

A risk that may eventuate within the ANAO’s operations and control.

Risk

The effect of uncertainty on objectives (ISO 31000:2018).

  • An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats.
  • Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

Risk Acceptance

An informed decision to accept the consequences and the likelihood of a particular risk.

Risk Analysis

A process to comprehend the nature of risk and to determine the level of risk (AS/NZS ISO 31000:2009).

Risk Avoidance

An informed decision to withdraw from, or to not become involved in, a risk situation.

Risk Identification

Process of finding, recognising, and describing risks (AS/NZS ISO 31000:2009).

Risk Management

Coordinated activities to direct and control organisational risk (ISO 31000:2018).

Risk Owner

Person or entity with the accountability and authority to manage a risk (AS/NZS ISO 31000:2009).

Risk Register

A Risk Register provides a repository for recording each risk and its attributes, evaluation, and treatments.

Risk Source

Element which alone or in combination has the intrinsic potential to give rise to risk (AS/NZS ISO 31000:2009).

Risk Treatment

Process to modify risk (AS/NZS ISO 31000:2009).

  • See Mitigation.

Shared Risk

A risk with no single owner, where more than one entity is exposed to or can significantly influence the risk. (Commonwealth Risk Management Policy)

Stakeholder

Person or organisation that can affect, be affected by, or perceive themselves to be affected by, a decision or activity (ISO 31000:2018).

Strategic Risk

A risk that may eventuate outside of the ANAO’s control with consequences for the ANAO achieving its purpose and objectives.


Footnotes

1 The ANAO Corporate Plan outlines how the ANAO intends to deliver against its purpose.

2 The Commonwealth Risk Management Policy supports the Public Governance, Performance and Accountability Act 2013 (Cth) s.16, which requires accountable authorities of Commonwealth entities to establish and maintain appropriate systems of risk oversight, management and internal control for the entity.

3 Any procurement where the value is, or is likely to be, greater than $80k.