Management of Risk and Insurance
The objectives of the audit were to evaluate the administrative systems and frameworks in Commonwealth organisations used in the management of risk and insurance. Specifically, the audit evaluated the adequacy and effectiveness of: the development and application of risk management and insurance frameworks and plans within organisations; organisations' records for the determination of risk treatments, including insurance cover; and procedures, and their application, for actively managing risk exposures and insurance experience.
Summary
Risk Management
Risk management is the term applied to a logical and systematic method of establishing the risk context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. Risk management is considered to be an integral part of good management practice and a key element of good corporate governance.
How are risk and insurance linked?
Insurance is one of the risk treatment strategies available to organisations. Organisations should consider a variety of treatment strategies including the most cost effective combination of:
- deciding to avoid or eliminate exposure to the risk;
- developing treatments to reduce and control the impacts of any losses that could result from exposure to the risk; and
- transferring the potential loss associated with the risk to a third party.
Insurable risk is any risk that can be covered by an insurance policy. This may include:
- damage to property and persons;
- professional and public liability;
- security threats to personnel; and
- threats to business safety, such as cash arrangements, vandalism, theft, and illegal entry.
Commonwealth government requirements for risk and insurance
Risk management in the Commonwealth public sector is not new. The introduction of the Australian and New Zealand Standard 4360:1995 on Risk Management in 1995 (updated in 1999); the establishment of Comcover in the Commonwealth public sector; and an organisation-wide approach to the management of risk are significant events in the introduction of modern risk management practices in the Commonwealth public sector. The establishment of Comcover has also emphasised the need to link risk management and insurance practices at an organisation-wide level.
Most Commonwealth organisations have been required to take out insurance for insurable risks of a general insurance nature since late 1998 and insure workers' compensation matters since 1988, through Comcover and Comcare respectively. Comcover's active promotion of organisation-wide risk management since 1999 has given organisations the opportunity to raise the maturity of risk management to a level at which they can seek to refine existing plans and procedures to better link risk treatments (such as insurance) to the organisations' risk exposures and priorities.
Improved links between risk management and insurance are driven by increasing insurance costs and reductions in available cover, particularly for public liability risks. Organisations also seek to improve risk management and their corporate governance frameworks and practices, to enhance overall results.
Audit objectives and scope
The objectives of the audit were to evaluate the administrative systems and frameworks in Commonwealth organisations used in the management of risk and insurance. Specifically, the audit evaluated the adequacy and effectiveness of:
- the development and application of risk management and insurance frameworks and plans within organisations;
- organisations' records for the determination of risk treatments, including insurance cover; and
- procedures, and their application, for actively managing risk exposures and insurance experience.
This audit was also undertaken by the ANAO to provide recommendations for improvement (where necessary), and identify and disseminate better practice observations. Accordingly, recommendations and opportunities for improvement arising from better practice observations are identified in this Report. In keeping with the arrangements made for this type of audit, findings are presented generically and are not attributed to individual agencies.
The audit focused on examining the application of risk management and insurance practices in five small to medium-sized Commonwealth organisations. The organisations selected were clients of Comcover, with:
- two organisations being governed by the CAC Act; and
- three organisations covered by the FMA Act.
Survey of 50 Commonwealth organisations
In addition, a survey was undertaken of risk management and insurance practices in 50 organisations to provide an overview of the systems and frameworks that Commonwealth organisations use (refer to Appendix 3 for the survey methodology and background information). The 50 organisations surveyed are referred to as the Commonwealth group throughout this Report. Information from the survey is used throughout this Report to provide more widely applicable comment on the issues arising from the audit of five organisations. As a result, the ANAO considers that this Report identifies areas of opportunity for all Commonwealth organisations in their own risk management and insurance frameworks, based on the lessons learnt from the organisations that have been audited.
Audit conclusion
The initiatives, such as the establishment of Comcover and other developments in risk management practices, as well as changes in the insurance market, have resulted in organisations introducing organisation-wide risk management practices and general insurance activities since 1998. Despite the stimulus that this created to apply sound management practices, the maturity of risk management and insurance practices across the five organisations audited (and of the 50 organisations surveyed) generally needed to be improved.
Overall, based on the five organisations audited, the ANAO concluded that general insurance frameworks and practices had the greatest potential to be improved, notwithstanding the training, education and consulting support provided by Comcover. Organisations audited had at least applied basic OHS and workers' compensation frameworks and, in some cases, had good frameworks and practices in place. The quality of risk management frameworks and practices tended to be better than that of general insurance practices but was often not as sound, or as well supported, as OHS and workers' compensation frameworks.
Despite the divergence of activities undertaken by the organisations audited and surveyed, consistent principles and objectives were established, by all organisations, for the management of risk and insurance. However, the level of maturity of the practices of these organisations varied significantly. A major factor that contributed to a lack of maturity in risk management practices was the dominance of management 'silos', which limited the ability to take an organisation-wide perspective.
The ANAO observed some significant improvements in the consideration of factors that could vary the cost of general insurance between the 2001–2002 and 2002–2003 annual renewal exercises in the organisations audited. While Comcover provides guidance to its client organisations regarding risk profile, level of insurance and deductible, the ANAO found that the cost of insurance and level of deductibles was generally not being considered by organisations in relation to their risk profile, or their incidents and claims experience.
The audit also concluded that, based on the organisations audited and in most cases the organisations surveyed, improvements are required in relation to:
- better understanding and articulation of the links between risk and insurance;
- better utilising risk management in business planning;
- consistently applying the risk and insurance frameworks in a timely manner;
- improving record-keeping and reporting of risk management and insurance activities;
- reviewing risk and insurance practices and performance on a regular basis;
- better resourcing of risk management and general insurance activities; and, most importantly,
- an improved level of promotion and participation in applying the risk management framework by senior management.
Recent audits and studies conducted by State Audit Offices and CPA Australia identify similar findings and opportunities for public sector organisations in Australia.
Recommendations
The ANAO made eight recommendations aimed at improving the risk management and insurance activities of organisations by ensuring organisations: develop frameworks and improve existing frameworks; increase the level of senior management involvement; track costs and develop budgets; review resourcing levels; provide periodic awareness training to all staff; improve the application of the frameworks; and improve reporting, monitoring and review.
Organisation responses
Each organisation audited received a management letter outlining findings, conclusions and recommendations specific to their organisation. The organisations agreed with the conclusions and recommendations and have advised the ANAO of action being taken to address the recommendations. The organisations audited have also generally agreed with the findings, conclusions and recommendations presented in this Report, while noting that some recommendations would involve resource issues that they would need to address.