8 Risk oversight and management

The key elements of the department’s risk oversight and management system are summarised in Figure 4 and explained in detail below.

Figure 4 - Risk oversight and management

Audit Committee

The department’s Audit Committee has been established under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to provide independent assurance to the Clerk and Deputy Clerk as to the department’s financial and performance reporting responsibilities, risk oversight and management, and system of internal control. The Audit Committee consists of two Members of the Executive and three independent Members. The Committee is required to meet at least four times per year and it is supported by a secretariat of departmental officers.

Risk Management Policy and Framework, Risk Management Plan

The department has adopted a Risk Management Policy and Framework to ensure that systematic and effective consideration is given to risks and potential opportunities as an integral part of well-informed departmental management, planning and decision-making. The Risk Management Policy and Framework meets legislative and other regulatory requirements that apply to the department under the PGPA Act and through the Commonwealth Risk Management Policy. It defines the department’s risk appetite and level of risk tolerance, and allocates responsibility for aspects of risk planning and mitigation to staff at various levels.

The Risk Management Policy and Framework is complemented by the department’s Risk Management Plan, which comprises a detailed analysis of the likelihood and consequences of the department’s key strategic risks, and the treatments to be applied in each case. The Risk Management Policy and Framework and Risk Management Plan are available to all staff via the department’s intranet.

Fraud Control Plan and Fraud Risk Assessment

The department’s Fraud Control Plan outlines strategies and processes for preventing and detecting fraud and for investigating and reporting instances of fraud should they occur. Responsibility for implementing and monitoring aspects of the plan is allocated among senior staff of the department including the Clerk, SES officers and the Chief Financial Officer. The accompanying Fraud Risk Assessment identifies and assesses key fraud risks and treatments. Fraud risk and responsibilities under the Fraud Control Plan are drawn to the attention of staff through regular training and refresher courses.

Strategic Internal Audit Plan

A Strategic Internal Audit Plan has been developed by the department’s internal auditor under the auspices of the Audit Committee. It lists performance, compliance and information technology audits to be conducted during the period 2015-18. The aim of the Strategic Internal Audit Plan is to support existing assurance frameworks while assisting with identifying and addressing department-wide risks and control issues. The Strategic Internal Audit Plan was developed by the internal auditor on the basis of existing risk documentation and interviews with senior staff of the department, and will be subject to annual reviews to ensure it continues to be aligned with areas of highest priority. The outcomes of these audits, and any recommendations arising, will be reported to the Audit Committee for its consideration.

Comcover Risk Management Benchmarking Survey

With the introduction of the PGPA Act, completion of the Comcover annual Risk Management Benchmarking Survey is mandatory. The Benchmarking Programme is based on a six-level maturity model, as illustrated below:

Figure 5 - Increasing level of risk maturity

The results from this survey in 2015 indicate that the Department has reached a risk maturity level of Developed. The average maturity level of all survey participants in 2015 is Integrated. The Department has set a target of reaching the Systematic level of risk maturity within the next 12 months. The elements that the Department will focus on during the next 12 months are:

  1. Maintaining risk management capability

  2. Developing a positive risk culture

  3. Understanding and managing shared risk