Enterprise management
Direction and guidance on the frameworks, procedures and standards designed to ensure compliance with department objectives in relation to enterprise risk management, legislative compliance, business continuity, enterprise data governance, evaluation, and fraud and corruption control.
All staff, contractors and consultants engaged by the department.
Version | Date | Description of changes | Approved by
V04.0.0 | 26/07/2024 | Under the 2023 Policy and procedure review program, this policy is consolidated with the Evaluation, Enterprise Data, Business Continuity Management, Legislative Compliance and the Fraud and corruption control policies. Policy name changed from Enterprise risk management, converted into new template and improved readability. | Chief Risk Officer
Document history
2022 Oct 17 - updated the policy statement and the Enterprise Risk Management Framework to more closely align to ISO31000:2018 Risk Management Guidelines.
2021 May 07 - updated policy in line with international standard ISO31000:2018 and NSW Treasury TPP-20-08 Internal Audit and Risk Management Policy for the General Government Sector. Updated to clarify the risk hierarchy and reporting cadence.
Removed implementation document: Enterprise Risk Management Procedures, which was replaced by: Enterprise Risk Management Framework.
2019 Aug - made typographical changes and updated contact details to policy statement.
2019 Jun - updated reference to the new Strategy and Delivery division and deputy secretary as well as to the revised risk standard ISO31000 (no significant changes).
2017 Jun update:
- improved clarification of roles and responsibilities and included requirement to use the risk matrix to ensure consistency in risk ratings across the department
- simplified and shortened procedures, and simplified risk matrix.
Previous title: Enterprise Risk Management in the Department of Education and Communities.
Superseded documents
Enterprise Risk Management Procedures - 7/5/21
Risk Management Policy, 91/090 (S.062), 24/4/91
- Policy statement
- Effective risk management arrangements support the department to achieve its objectives by identifying and managing risks to increase the likelihood and impact of positive events (opportunities) and mitigate the likelihood and impact of negative events (risks).
- The following principles outlined in the enterprise risk management framework must be incorporated into day-to-day processes to enable the department to manage the effects of uncertainty on its objectives:
- Risk management must be integrated in all the department’s activities.
- The department must take a structured and comprehensive approach to risk management to achieve consistent and comparable results.
- The risk management framework and process must be customised to the department’s needs and its internal and external context.
- The risk management framework and process must be inclusive of relevant stakeholders’ knowledge, views and perceptions in managing risks.
- The risk management process must be dynamic and allow changes to be considered and actioned in an appropriate and timely manner.
- The inputs to risk management are based on historic and current information, as well as on future expectations, and therefore on the best available information. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders to support timely decisions.
- Human and cultural factors significantly influence risk management across the department and must be considered at all stages of the risk management process.
- Risk management must continually be improved through learning and experience.
- The department is responsible for applying and implementing key legislation. The responsible officer of the relevant business unit has primary responsibility for legislative compliance.
- The department must build organisational resilience and enhance continuity of critical business services at an acceptable level by being able to anticipate, prepare for, respond to, recover from and adapt to disruptions.
- Data and information the department collects or acquires must be stored and effectively managed.
- Department programs, projects, strategies, policies and initiatives must be evaluated for their effectiveness in improving education outcomes for students and supporting the effective, efficient, appropriate and transparent use of public resources.
- The department must apply risk management principles and develop, implement and maintain an effective fraud and corruption control system, incorporating prevention, early detection and effective responses to fraud and corruption events in ways that achieve optimal outcomes for the department.
- Context
- The following procedures support this policy:
- Enterprise data standards
- Enterprise risk management framework
- Evaluation
- Fraud and corruption control procedures and framework
- Legislative compliance
- Resilience and business continuity management
- The relevant legislation, standards and guidelines include:
- NSW Treasury Policy Paper TPP20-08 Internal Audit and Risk Management Policy for the General Government Sector
- International Standard, ISO 31000:2018 Risk Management – Guidelines
- International Standard, ISO 22301 Business Continuity Management Systems
- NSW Treasury Policy and Guidelines: Evaluation
- NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy
- Australian Standard AS 8001:2021 Fraud and corruption control
- Public Service Commission’s Code of Ethics and Conduct for NSW Government Sector Employees
- Independent Commission Against Corruption Act 1998
- Public Interest Disclosures Act 2022
- NSW Climate Change Act 2023
- Government Sector Finance Act 2018 (has a regulation stating agencies must prepare climate-related disclosures that include risk management)
- Policy contact
- Enterprise risk management: Chief Risk Officer
- Legislative compliance: Manager, Privacy & Compliance, Legal Services
- Resilience and business continuity management: Director, Controls Monitoring Advisory
- Enterprise data: Manager Data Governance
- Centre for Education Statistics and Evaluation: Director, Evaluation and Effectiveness, Centre for Education Statistics and Evaluation
- Fraud and corruption control: Director, Controls Monitoring Advisory
- Monitoring the policy
- The relevant responsible officers and policy owners as outlined in section 3 monitor the implementation of the relevant policy, regularly review its contents to ensure relevance and accuracy, and update it as needed.