A sneak peek at the 2023 model of the Commonwealth Risk Management Policy

The first Commonwealth risk management policy to apply to Commonwealth entities (the Commonwealth Risk Management Policy or CRMP) initially rolled off the legislative assembly line on 1 July 2014, as part of the PGPA Act reforms.  

As manager of the Comcover Commonwealth risk dealership at the time, it was great to see CRMPv.1 (the RiskVW) launched at last in the governance market. As far as first models go, the aim was to provide an initial risk management vehicle for all non-corporate Commonwealth entities to drive around in. She was principles-based and largely reflected the relevant international risk standard at the time, so that risk practitioners would initially be familiar with the key concepts, yet she also allowed for considerable customisation to suit each entity’s needs.


The nine parts of the RiskVW were as follows:

1. Establishing a risk management policy

2. Establishing a risk management framework

3. Defining responsibility for managing risk

4. Embedding systemic risk management into key business processes

5. Supporting the development of a positive risk culture

6. Effectively communicating and consulting about risk

7. Understanding and managing shared risks

8. Maintaining risk management capability

9. Reviewing and continuously improving the management of risk

Initial take-up of the RiskVW was slow, as entities grappled with the new specs and how to get the best out of them. Some entities just put them out in the parking lot with all the other PGPA governance models and admired them from afar. However, by 2016, most entities had taken the RiskVW for a few drives, with some really scaling up their risk management support teams.

However, every first model is prone to weaknesses, and the RiskVW was no exception. While the chassis was relatively sound, difficulties arose in a few key areas.

Firstly, many entity owners thought that all they had to do to achieve their annual risk management compliance certificate was to have the RiskVW (policy and framework) sit visibly on the PGPA parking lot, keep it relatively clean and report on it when necessary. Few, if any, resources were put towards regular maintenance or test drives. Problems then started to arise when entities needed to start it up and it just wouldn’t go.

Secondly, not many people took the RiskVW for a drive. This was for a number of reasons. While everyone was told they should drive it, no-one was really sure who was supposed to at any particular time, where they should drive it to and/or who they should take with them. Further, many didn’t want to, as they had better/other things to do, and even more didn’t know how to: risk driver training was often non-existent or not encouraged, and no-one could find the entity instruction book on the intranet or even understand how to apply it when they found it.

Thirdly, if the RiskVW was used, it was often driven separately from the other vehicles in the governance fleet (strategic planning, business planning, project planning etc), or as an afterthought.  

The culmination of the above three faults led to performance failures relating to positive risk culture, communications about risk, managing shared risks and maintaining risk management capability.

Some of these faults were noted in a 2018 Review of the PGPA assembly line, and a recommendation was made to review and plan for the delivery of the second generation RiskVW.

During 2021-22, Comcover led a design team of entities and other external stakeholders to rebuild the RiskVW, focusing on five key areas: Culture, leadership and behaviour; Shared risk; Engagement with risk; Effectiveness of risk controls; and Communication and the appropriate escalation of risk.

The consultation process has now led to the soft release by the Department of Finance of RiskVWv.2 with the full release scheduled for 1 January 2023.

So what is under the hood? The nine elements are set out below.

Element one: Risk management must be embedded into the decision making activities of an entity.

Element two: Entities must formalise their approach to the management of risk in a risk management framework.

Element three: An entity’s risk management framework must support a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.

Element four: An entity’s risk management framework must clearly define the risk management responsibilities of officials.

Element five: The effectiveness of controls must be periodically reviewed.

Element six: Entities must collaborate to manage shared risks.

Element seven: Entities must implement arrangements for identifying, managing and escalating emerging risks.

Element eight: Entities must maintain an appropriate level of risk management capability.

Element nine: An entity’s risk management approach must be regularly reviewed.

The key driver (pardon the pun...) of this RiskVWv.2 is improving the maturity of existing risk management systems. New features focused on this outcome include an emphasis on incorporating risk management into decision making activities, stronger links to individual accountability, and much more emphasis on collaboration with others, particularly in relation to risks shared by entities.

Additionally, much more after-sales service is required, with regular maintenance checks required on risk controls, on the overall condition of the entity’s risk vehicle and on driver capability. Lastly, entities are also required to ensure that the windscreen is clear enough to assess emerging risks.

So that’s the next generation RiskVW.  I’ll be looking forward to taking a few test drives in 2023...

 
