Enterprise Risk Management
Direction and guidance on the department’s enterprise risk management requirements.
Changes since previous version
2019 Jun – updated reference to the new Strategy and Delivery division and deputy secretary as well as to the revised risk standard ISO31000 (no significant changes).
2017 Jun update:
- improved clarification of roles and responsibilities and included requirement to use the risk matrix to ensure consistency in risk ratings across the department
- simplified and shortened procedures, and simplified risk matrix.
Previous title: Enterprise Risk Management in the Department of Education and Communities.
Enterprise Risk Management Procedures - 7/5/21
Risk Management Policy, 91/090 (S.062), 24/4/91
- Policy statement
- The department is committed to proactively managing risk, ensuring sufficient resources are available to foster innovation and efficiencies in our operations and build the best education system in Australia, from early childhood to vocational and tertiary learning.
- Enterprise risk management is an integral part of sound management practice, and an essential element of good corporate governance. It must be integrated into business planning, decision-making and reporting functions across the department.
- This policy must be read in conjunction with other policies and procedures that exist for a number of specific risk-related functions and activities including, but not limited to, business continuity, child protection, fraud and corruption control, insurance, project management, and work health and safety.
- Audience and applicability
- All staff, contractors and consultants.
- The international standard for risk management, ISO31000:2018, defines risk as the effect of uncertainty on objectives. Risk is an event that may impact the department’s objectives.
- This policy is part of the enterprise risk management framework, which also includes other guiding documents such as practice standards, to support the effective management of risk within the department and ensure compliance with NSW Treasury TPP-20-08 Internal Audit and Risk Management Policy for the General Government Sector.
- In accordance with TPP-20-08, the department has established and maintained a risk management framework that is appropriate for the department and is consistent with ISO31000:2018.
- The Chief Risk Office, in consultation with the Risk Leadership Group and the Audit and Risk Committee, oversees this policy and framework.
- Responsibilities and delegations
Risk management is the responsibility of all staff, with some staff having specific responsibilities and accountabilities.
- is ultimately responsible and accountable for department risk management
- is accountable for establishing and maintaining an appropriate enterprise risk management framework that is consistent with ISO31000:2018
- attests to NSW Treasury the department’s compliance with TPP-20-08.
Line 1: Functions that own and manage risks
- All staff must:
- understand the department’s Enterprise risk management framework, including this policy, to support risk-informed decision-making within their operations
- identify, manage, monitor and escalate (if appropriate) risks and issues within their work areas in accordance with this policy and the department’s risk management framework
- consider risk as part of any strategic, operational and project-based activities to inform decisions and prioritise actions
- use the likelihood, consequence, velocity and control effectiveness tables in the risk management framework to evaluate risks, so there is a consistent basis for escalating and de-escalating risks across the department. Where required, areas can provide more detailed information by enhancing the tables.
- Line management (supervisors, managers, principals and directors):
- have detailed knowledge of risks within their areas of responsibility
- are accountable for the effectiveness and efficiency of the controls that manage those risks
- identify new or emerging risks to ensure timely action.
- Senior management (Secretary, Executive, Deputy Secretaries and Executive Directors):
- identify and manage existing, new, or emerging risks within their areas of responsibility and influence
- ensure risk controls are managed effectively and efficiently and implement actions or treatments where there are identified gaps
- oversee the effective implementation of the risk management framework within their business area to support risk-informed decision-making
- allocate adequate resources to enable line management and staff to manage their risks, as well as to prioritise the implementation of the risk management framework in the department.
- Line 2 support functions:
- develop and support the implementation of functional policies and procedures
- help management develop processes and controls to manage risks and issues
- provide training and advice on risk management processes
- monitor the effectiveness of controls, prompt remediation of gaps and accuracy and completeness of reporting
- implement and manage line 2 controls.
- Chief Risk Office:
- develops, maintains and implements the department's enterprise risk management framework
- oversees activities associated with embedding the risk management framework in the department, including operationalising the department’s risk appetite statement
- provides expertise, support, monitoring and challenge on risk-related matters
- provides insight to the Executive and leadership teams through specialist risk advisory and consultancy services
- builds risk management capability and consistency across the department by providing training and development programs.
- Risk Leadership Group:
- supports the Chief Risk Office by driving and improving the implementation of the department’s risk management framework in their divisions and the department
- supports the implementation of enterprise risk management process through risk identification, management, monitoring and escalation within their division and the department.
- Chief Audit Executive:
- provides strategic leadership and manages the department's internal audit function.
- Internal Audit:
- provides independent, timely and useful information to management and the Audit and Risk Committee on the effectiveness of the risk management framework, including the design and operational effectiveness of controls
- provides independent and objective advisory services to help management improve the department’s business performance (the Internal Audit Charter provides detailed roles and responsibilities).
- Audit and Risk Committee:
- monitors, reviews and provides guidance about the department’s governance processes, risk management and internal control frameworks and external accountability obligations (the Audit and Risk Committee Charter provides detailed roles and responsibilities).
Line 2: Functions that support and oversee risk management
Line 3: Functions that provide independent assurance
- Monitoring and review
- The Chief Risk Office monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
Chief Risk Office