The ANAO’s report No. 24 2020-21, The Australian Taxation Office’s Management of Risks Related to the Rapid Implementation of COVID-19 Economic Response Measures, provides public sector job applicants with valuable information about risk management. When pitching for APS Executive Level and above roles, referencing risk management will help demonstrate you meet Work Level Standards. This referencing also applies to similar level roles in state, territory and local government, and tertiary education institutions.
The report gives insights into how risks are formally managed during a crisis, when changes are made to major programs that affect millions of Australians.
As the report points out, “Risks may arise from workforce redeployment, IT system development and data integrity, stakeholder engagement and coordination, adapting service delivery, potential internal and external fraud, and non-compliance with regulatory requirements.” Whether you are referring to pandemic-related experience or not, consider what risks you analysed, assessed, and monitored.
What is risk?
The Taxation Ombudsman explains that “Risk can be defined as the effect of uncertainty on objectives” and is considered a key governance and management tool for both the private and public sectors.
Uncertainty is an element of complexity. When explaining the context of an example, applicants need to convey what made a situation complex. Uncertainty may be one part of that complexity, which in turn raises risk management.
Background to the ANAO report
Reason for the report: “The COVID-19 pandemic and the pace and scale of the Australian Government’s response impacts on the risk environment faced by the Australian public sector. This audit is one of five performance audits conducted under phase one of the ANAO’s multi-year strategy that will focus on the effective, efficient, economical and ethical delivery of the Australian Government’s response to the COVID-19 pandemic.”
Main finding: “The ATO has been effective in managing risks related to the rapid implementation of COVID-19 economic response measures.”
APS Risk Management
For some roles, knowledge of risk management-related law, policies and procedures is essential. For others, some knowledge and understanding that influence daily work practices are needed.
The ANAO report provides a summary of this knowledge. It states that:
“Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the accountable authority must establish and maintain:
- an appropriate system of risk oversight and management for the entity; and
- an appropriate system of internal control for the entity; including by implementing measures directed at ensuring officials of the entity comply with the finance law.”
“This legislative requirement is supported by the Commonwealth Risk Management Policy, which sets out nine elements that non-corporate Commonwealth entities must comply with in order to establish an appropriate system of risk oversight and management.
- Establishing a risk management policy
- Establishing a risk management framework
- Defining responsibility for managing risk
- Embedding systematic risk management into business processes
- Developing a positive risk culture
- Communicating and consulting about risk
- Understanding and managing shared risk
- Maintaining risk management capability
- Reviewing and continuously improving the management of risk.”
“The stated goal of the Commonwealth Risk Management Policy is to embed risk management as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making.”
There is a wealth of information available on risk management policies, risk assessment tools, and risk management concepts, principles and processes. As an applicant, look for this information as it relates to the relevant organisation and jurisdiction.
The ANAO report sets out details of the ATO’s Enterprise Risk Management Framework (ERMF), which is built on four pillars – governance, informing decisions, culture, and data-driven insights. The framework includes a four-step methodology to support the identification and management of risks. It is supported by guidance documents and tools, including a Risk Tolerance Guide and various templates.
To provide nuanced responses, applicants need to understand different levels of risk and how they are assessed. This terminology can then inform, and be incorporated into, responses. Terminology may differ, but the ATO material provides a useful example.
The ATO’s ERMF distinguishes between three levels of risk — strategic, enterprise, and business.
- A strategic risk is one that “may impact the achievement of our purpose and/or 2024 aspirations. They are informed by our external environment, determined by the ATO Executive and included in the ATO’s corporate plan.”
- An enterprise risk is one that “has a material impact on the achievement of an ATO strategic objective…Enterprise risks are linked to one or more strategic objectives in the corporate plan.”
- Business risks are “All other risks associated with the day-to-day operations of the ATO. This may be at the group, business line, team or project level.”
A Victorian Government Risk Management Framework explains, in its hierarchy of risks, that
“Risks can involve short and long term impacts and may have event based, recurrent, creeping (becomes more serious over time) or emerging features.”
The hierarchy of risks ranges from Agency-specific risks up to risks of State significance. The explanations of this hierarchy point to the scope of risk impact and level of responsibility.
- “Agency specific risks are risks that can be managed entirely within a single agency’s operations and can generally be well understood and effectively managed with straight forward risk management processes.
- Inter-agency risks are risks shared by two or more agencies that require coordinated management by more than one agency and may include systemic risks. The responsibility for managing an inter-agency risk is shared by all the relevant agencies and will benefit from a coordinated response where one agency takes a lead role.
- Systemic risks are risks that have implications for all parts of government operations, requiring a high level of management and coordination between agencies. As with inter agency and state significant risks agencies are responsible for contributing to the identification and management of systemic risks, as appropriate.
- State significant risks are risks where the potential consequences or impacts of the risk on the community, the Government and the private sector are so large as to be of state significance. A state significant risk can be the extension of an existing agency risk which, beyond a certain threshold, becomes severe enough to have state wide implications or it could be the aggregation of many agency specific risks.”
Part of assessing risks is to apply a rating of a risk’s consequences – Low, Medium or High – based on available data or information, and of the likelihood of a given risk occurring, ranging from Rare to Almost certain.
There is a range of risk management concepts that may be relevant to an applicant’s work, including: risk appetite, risk profile, risk culture, risk maturity. Read risk management frameworks and policy documents for explanations of these terms.
Demonstrating risk management
Part of demonstrating leadership, accountability and strategic thinking is to consider risk, to identify, manage and evaluate risk in decision making and delivery of outcomes. The scope of these actions will depend on a person’s area of responsibility and the type of work carried out. While risk management may not be overtly mentioned in duties lists, applicants should be considering what risks relate to their work and what actions they take, even unconsciously, to reduce risk consequences.
Even if business risks and risk management do not seem relevant to your role, there may well be health and safety risks to consider. As WorkSafeSA points out, “Risk is the possibility that harm (death, injury or illness) might occur when people are exposed to a hazard.” Hazard management is a continuous process and is “essentially a problem-solving process aimed at defining problems (identifying hazards), gathering information about them (assessing the risks) and solving them (controlling the risks).”
Considering hazard or risk management as problem-solving is a useful way to demystify risk management, which can otherwise seem complicated and something only senior people do. Thinking of examples in terms of defining the problem, gathering information about it, and solving it helps with identifying relevant experience and then using the STAR or CAR structure to explain it.
Managing risk goes beyond identifying and assessing, as the ANAO report makes clear. Monitoring and reviewing risks are critical, particularly during a crisis. The focus needs to be not only on current risks, but on emerging and longer-term risks. The ANAO report discusses the ATO’s consideration of the future: recovery, transitioning post-pandemic, the impact of COVID-19 on the ATO’s operations, and the long-term impacts on ATO and Government’s objectives.
This material points to the need for applicants to consider the ongoing risk management issues relevant to any role they are applying for during 2021. Your ability to identify, analyse and problem-solve risks may give you a competitive edge in the job-hunting stakes.