PGPA Act review final report - a better APS?
In mid-September 2018, the final report of the Independent review into the operation of the Public Governance, Performance and Accountability Act 2013 and Rule (the review) was publicly released.
To recap, the review (by David Thodey AO and Elizabeth Alexander AM) was to examine whether the operation of the PGPA Act and Rule is achieving the objects of the Act, to identify legislative or other changes that could enhance public sector performance and accountability and to examine how the Act and Rule has been implemented.
Review consultation draft report
Earlier, in June, the reviewers issued a consultation draft report (draft report) and sought feedback and submissions on the draft report. The findings included that:
the Commonwealth Risk Management Policy has improved government risk management practices, but the pace of reform is patchy across entities and too slow
more work is needed to embed effective risk management into policy development and program management
officials at all levels need to be incentivised to better engage with risk
the APS overall remains too risk averse
stronger governance was the key to improve risk management and public service outcomes overall, and
important governance elements included improving the functioning and independence of entity audit and risk committees and the transparency and accountability of public reporting.
My comments on the draft report (and my submission to the review) can be found on this blog.
In short, I considered that too much of the focus was on process oriented solutions (directive processes, committees and Chief Risk Officers (CROs)) and that improving risk management maturity requires increased emphasis on accountability and capacity building within organisations to ensure that risk/governance is everyone’s job.
Final review report
In response to the draft report, the review received a further 58 submissions (in addition to the 69 received prior to June). And what does the review conclude?
The review (and recommendations) still substantially reflects the draft report, however there are some nuanced differences which positively broaden the responsibility for good governance to those reporting to entity committees, and also recommends a greater oversight role for the Parliamentary Joint Committee of Public Accounts and Audit (JCPAA). In relation to the Commonwealth Risk Management Policy, the review (again) left a more detailed consideration for another day.
Risk management
The review maintained its emphasis on public sector leaders ‘stepping up’ to drive and shape risk culture. No arguments from me about this, but my mantra remains that it must be supported by appropriate communication, a workable and useable framework, adequate resourcing and incentives, decision making and accountability.
However, the review now acknowledges this to some extent by making further references to the Learning from failure report by Professor Peter Shergold AC[1], and noting that ‘..a fully developed risk culture needs to be supported by employees with the right skills and capacity to engage with risk’.
Further, at pages 22-23, the review also refers to Professor Shergold’s views in relation to CROs, namely that:
To be successful, Chief Risk Officers should be sufficiently senior and have a good understanding of the operations of their entity and the government’s objectives in relation to the entity’s purposes.
Chief Risk Officers should have the authority to effectively challenge decisions that may affect the entity’s risk profile, and lead discussions across the entity on what risks can be accepted and managed and when management engagement is required. They should be tasked with developing a control framework for the implementation of major projects, and overseeing the development, monitoring and maintenance of risk management plans, within their entity. We acknowledge that Professor Shergold expressed similar views…
…As noted by Professor Shergold, where accountable authorities appoint a Chief Risk Officer, it is essential that the individual responsibilities of officials for risk management are reinforced. A Chief Risk Officer should not take on responsibility for managing risk across the entity, or be a convenient person to blame for any negative risk event or organisational failure. (my emphasis)
Risk and audit committees
Not surprisingly, the review recommendations in relation to risk and audit committees were the subject of many entities’ submissions. On risk committees, some entities echoed my concerns about the need for clarity of roles of the risk committee and other stakeholders. The review noted this, stating that:
Where an accountable authority establishes a separate risk committee, there needs to be clarity about the respective roles of the audit committee, the risk committee and the Chief Risk Officer (if one is appointed), with clear lines of communication established between them. Any such arrangements should also not diminish the responsibility of the accountable authority, senior management and other officials to manage and engage with risk as an integral part of their responsibilities.
Entities were much more concerned about, and did not agree with, the draft review’s recommendation for an entirely ‘independent’ audit committee – with all members not being an official or employee of the entity. Many entities considered that a balanced mix of independents and employees/officers was more appropriate.
The review maintained the need for full independence:
While the governance arrangements for audit committees for corporate Commonwealth entities are different to those for non-corporate Commonwealth entities, we believe that all accountable authorities should take advantage of the role that their audit committee can play in each of the areas covered by their remit. An effective audit committee will bring important insights to the business of the entity. It will help the entity manage its risk profile as well as reviewing the appropriateness of the entity’s financial and performance reporting. We believe these positive impacts are best realised where audit committee members are independent of the business and have relevant broad experience and expertise. The potential benefits to be harvested should far outweigh any additional costs involved (my emphasis)
I am not sure how such ‘potential benefits’ will accrue just from independence per se – if the committee is already well run, has an independent chair and majority, and has clarity of its role and authority, where is the ‘value add’? How can or will such ‘value’ be measured?
Annual reports
Recommendation 32 now proposes that:
The Senate should increase its scrutiny of performance information reported by Commonwealth entities in Senate Estimates hearings. Accountable authorities should provide a statement to these hearings, that summarises entities’ performance over the reporting period, outlines areas where performance has met expectations, areas where performance expectations have not been achieved and future actions to improve performance reporting.
This could be a useful addition to entity accountability, subject to surviving the ‘wordsmithing’ of senior management, the accountable authority, ministerial advisers and the minister.
Department of Finance support to entities
Recommendation 39 removed an earlier suggestion that Finance continue its communities of practice and one-on-one interactions with entities about the PGPA Act framework. Finance is still required to enhance and review guidance material and ‘boost’ the department’s internet and web based presence. The review also added a new vague recommendation 40:
The Department of Finance should leverage its corporate knowledge in continuing to support the ongoing implementation of the PGPA Act framework.
There are also three new recommendations (50-52) dealing with the finance law, future capital enhancements and aligning reporting requirements.
Conclusion - a better accountability mousetrap?
Governance, whether for a public, private or NFP organisation, can and should be subject to regular review and improvement. The review has provided an important opportunity to consider the operation and implementation of the PGPA Act, which fundamentally overhauled APS governance in 2014.
The review recommendations are appropriately aimed at further strengthening APS accountability, with an increased emphasis on adopting some private sector governance practices. The flavour of the review report will also be relevant to the current APS review, also involving Mr Thodey.
I remain concerned that the emphasis on process and its perceived potential benefits (relative to increased efforts in other areas) is somewhat overstated. Further, that while the different public vs. private sector challenges and risks are acknowledged, looking to the private sector for governance solutions may not necessarily be ‘the answer’.
My reservations about this are somewhat supported by the daily examples of appalling governance practices highlighted by Counsel assisting the Royal Commission into Financial Services, and from evidence reluctantly extracted from highly paid senior managers of well resourced financial service providers subject to stringent APRA and ASIC compliance requirements. I therefore struggle with the review’s comments at p.19 that:
The corporate sector has strong commercial incentives to have robust risk management and engagement practices. The consequences for getting it wrong can be significant, from commercial consequences such as loss of market share, to financial penalties for noncompliance with regulation. Proper engagement with risk is critical in both the private and public sectors, and in both the cost can be substantial where risks are not well managed. The private sector is more advanced in balancing downside risk (the likelihood and consequences of things going wrong) with upside risk (potential for, and gains from, things going well) and the public sector can learn from the private sector in this area. (my emphasis)
For now, the PGPA Act status quo remains while the review report is next considered by Government and the Parliament.
Stay tuned…
[1] See Professor Peter Shergold AC, Learning from Failure: Why large government policy initiatives have gone so badly wrong in the past and how the chances of success in the future can be improved, 2015
lick here to edit.