LIGHTHOUSE PRINCIPLE: RISK MANAGEMENT
(based on ASX Principle 7)
Recognising and managing risk
Our risk management and strategic planning are integrated. The Auditor-General assumes ultimate responsibility for our Risk Management Framework. The Office Executive sets the organisation’s Risk Appetite Statement (RAS) and ensures strategic risks are identified, assessed and treated in accordance with the agreed RAS.
The Office Executive regularly reviews the enterprise risk register which is supported by detailed analysis of each strategic risk, taking into account the underlying business risks. The Audit and Risk Committee provides independent advice to the Auditor-General on the risk and internal control frameworks.
Our Risk Management Framework
Our Risk Management Framework is developed in line with NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03), the Risk Management Toolkit (TPP 12-03), the Australian/New Zealand Risk Management Standard (AS/ NZS ISO 31000:2009), and the Accounting Professional and Ethical Standards Board’s professional risk management standard (APES 325 Risk Management for Firms).
During 2016–17, we
- reassessed our strategic risks in line with our revised strategic plan and expanded mandate
- better integrated risk management with our strategic and business planning processes, including incorporating risk identification in the annual strategic planning process
- rolled out an operational risk register template to ensure consistency in approach within the business, and that feeds into our strategic risk register.
Our insurance cover is provided by the Treasury Managed Fund in respect of:
- workers’ compensation according to NSW statute
- property (full replacement, new for old, consequential loss, and business continuity costs or losses of revenue)
- liability, including but not limited to public liability, professional indemnity and directors and officers liability
- motor vehicles
- miscellaneous losses including those due to staff dishonesty, personal accident, and protection for local and overseas travel.
Exposures not included are:
- illegal activities
- wear and tear and inherent vice
- pollution (not being sudden and accidental pollution).
In 2016–17, our six key strategic risks remained unchanged and were:
- failure to anticipate, manage and live up to stakeholder expectations and to fulfil our mandate
- failure to achieve efficiencies and demonstrate value for money
- our audit opinions and reports do not meet our quality standards
- internal governance failure
- failure to effectively manage our workforce
- inability to adapt to and influence changes in audit mandate.
Risk management and internal control attestation
To provide additional assurance that the Audit Office’s Risk Management Framework and related controls are operating properly, two attestations are completed each year.
The first is an annual attestation by the Auditor-General on the quality of the Audit Office’s risk management and internal audit processes. This is based on our compliance with the core requirements of NSW Treasury Policy 15-03 Internal Audit and Risk Management Policy (see our Internal Audit and Risk Management Attestation statement in appendix nine). The second is a Management Internal Control Sign-Off which is completed annually in line with the Audit Office’s financial statements and covers the financial year. Managers sign off on the implementation of internal controls as they relate to their business area and staff compliance with our policies (see independent assurance and corporate reporting).
The year ahead
In 2017–18, we will:
- establish clear processes to elevate new significant and emerging business risks to strategic risks on a timely basis
- reassess our Risk Appetite Statement including reviewing our audit risk appetite
- clarify what our risk appetite looks like on a day to day basis by developing risk tolerances
- look at ways to improve staff engagement with risk and embed a mature risk culture
- review our risk management policies
- finalise our enterprise risk management framework.