News, September 7, 2010
RMIP: A risk-ready government department

Ross Wilkinson charts a Victorian Government agency's journey to better risk management

A new requirement has been imposed on all reporting agencies of the Victorian State Government in relation to the application of their risk management regimes. Each agency head must attest via their annual report to their responsible minister that their risk management processes are satisfactory.

Guidance and direction were provided as to what must be attested to, and when and where the attestation would be made, but not how agencies were to achieve it.

This is the story of why this occurred and of the journey of one mythical agency, the Department of Getting Going Every Day (DOGGED), to attestation.



VAGO investigations

In 2003, the Victorian Auditor General's Office (VAGO) investigated the state of risk management practices across all agencies in the Victorian Government. The report found that while there was some observance of risk management practices in agencies, it was neither systemic nor consistent, and AS/NZS 4360 was not explicitly identified as the model to be applied.

In 2006 VAGO conducted a follow-up investigation to identify progress from the position identified in the 2003 report. The second investigation found that improvements had been made but that further work was needed across agencies to bring practices up to a consistent and reliable level. It also recommended that a "whole of government" risk management framework be developed to drive risk management across all government agencies.



The framework

The Victorian Government Risk Management Framework (VGRMF) was adopted and published in July 2007. Among other things, it created a requirement for agency heads to attest annually: boards and departmental Secretaries of entities to which the framework applies are required to provide an attestation in their annual reports, as part of the report of operations, that the agency understands, manages and controls its key risk exposures consistent with the Australian/New Zealand Risk Management Standard (or a designated equivalent), and that a responsible body or audit committee verifies that view.

These requirements are documented in Standing Direction 4.5.5 of the Minister for Finance.

For all agencies, the requirement was simplified to demonstrating the following elements:

• Risk management processes in place consistent with AS/NZS 4360 or designated equivalent;

• An internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposure; and

• The risk profile of the agency has been critically reviewed within the last 12 months.

The "designated equivalent" is a reference to the proposed introduction of ISO 31000, since to date the Minister for Finance has not designated any other standard as an equivalent to AS/NZS 4360.



Standing directions

Because the VGRMF is a guideline document, it needs to be mandated in some way to make implementation a requirement. This was achieved by the responsible Minister through Standing Direction 4.5.5 (SD 4.5.5), which provides as follows:

Public Sector Agencies to which the VGRMF applies are required to implement and maintain risk management governance, systems and reporting requirements as contained within the VGRMF. Relevant Public Sector Agencies must:

(a) conduct an annual review of their obligations under this Direction;

(b) identify and rectify any failure or deficiency in complying with this Direction; and

(c) provide an attestation that their risk identification and management plan is consistent with Australian/New Zealand Standard 4360:2004 or equivalent.



Attestation: the DOGGED case study

The Victorian Managed Insurance Authority (VMIA), in its role as principal risk management adviser to the government, led a series of workshops on the attestation requirement and on processes to meet it. The actual process to achieve attestation was not detailed beyond the information in the Framework and SD 4.5.5.

The process required two paths before the agency head could attest:

• Management assurance to the agency head

• Independent verification of that assurance

Importantly, the workshops recognised that varying levels of compliance with AS/NZS 4360 and the VGRMF existed across agencies, and that any agency's attestation process would need to have regard for that agency's level of maturity.

DOGGED engaged Protiviti, a commercial risk management consultancy, to advise on, develop and guide a process to achieve attestation. It quickly became apparent that the process in year one was going to be time-critical, so a decision was made to amend the process preferred by Protiviti to respond to the year-one constraints.

This process was:

• Executives nominated responsible divisional business representatives

• A workshop was conducted covering: a simplified AS/NZS 4360; the history and guiding principles of attestation; the evidence-sheet requirements; a discussion and examples of the application of 4360; and an outline of the way forward and the support available

• Follow-up meetings with business representatives (to reinforce substance over form)

• Business representatives engaged division heads

• Risk management review/assessment and business confirmation with executive sign-off

• Additional interviews with key personnel to further support the satisfactory nature of internal corporate controls

• Risk management recommendation

• Independent verification



Roles and responsibilities

DOGGED identified the principal roles across the department that were to be fulfilled during the attestation process. These were:

Risk management staff were to be the conduit for any process matters and information; coach the nominated business representatives; oversee the process; and validate divisional evidence and assurance recommendations.

The divisional executive was to have ownership of processes and risks; provide evidence of knowledge and application of 4360; and provide assurance of the effectiveness of risk management.

Audit and assurance was to provide verification of the management assurance.

The Secretary was to make attestation in the annual report.



Practical management of the process

The process was designed to test and demonstrate knowledge and application of risk management techniques in business activities across the whole of DOGGED. This was done with an evidence sheet on which each division identified documents showing use of 4360 elements, where each document could be accessed (physically or electronically) and the purpose of the document.

The evidence sheet also allowed the elements of 4360 to be checked against each piece of evidence as a form of self-assessment, where the nominated business representatives felt confident to undertake this.

As part of the validation of evidence, an assurance-based assessment model was used by risk management to assess compliance with the elements of 4360.

Two documents from each evidence list were selected to be produced and discussed during the validation phase of the process. The business representatives had to demonstrate how 4360 was visible in each document. Every division had to produce its annual business plan and one other key document for assessment, which provided some consistency during the validation phase.

Each line item in the assessment control document was then rated by risk management as complying, partially complying or not complying with 4360. Partial compliance meant the item substantially complied but some element was missing, so the item could not be rated as fully compliant.

The overall results for each division were tabulated by risk management and conveyed to the respective division heads for discussion and confirmation. Once agreement was achieved from all division heads, risk management prepared the summary report and assurance briefing, making the attestation recommendation to the agency head.



Independent verification

DOGGED's Audit and Assurance Branch engaged its contract internal auditors to conduct a separate investigation of the attestation process run by risk management and of the application of risk management in departmental operations and activities. The contract auditors assessed the process undertaken and the evidence compiled to support the recommendation for attestation.

The audit of the risk management control framework and its business application gave the contract auditors a benchmark against which they could assess the soundness of the attestation recommendation put to the agency head.

The reports indicated that sufficient information and evidence had been gathered in the management assurance process for it to be reasonable to conclude that the agency head could make the attestation in the annual report.

However, the audit of risk management activities found that there was more that could be done to bring DOGGED to a higher level of risk management performance and that an improvement program should be developed and implemented – including the integration of the VGRMF into the DOGGED RM Framework.

The contract auditors and the risk management executive team attended a meeting of the agency's audit committee. Based on the audit reports, the management assurance report, and the explanations and questions at the meeting, the audit committee resolved to verify the management assurance to the agency head that he could make the attestation. There was some negotiation over the exact wording as part of this verification.



Lessons learned

DOGGED intends to hold a "lessons learned" workshop with the various participants to discuss the development of the Year Two Onwards Attestation Program.

Further comment will be sought from Executive Management and Audit and Assurance on program improvement before the permanent Attestation Program is developed and implemented. Clearly, starting earlier will be essential: the extra time will allow a more comprehensive program, with the likely outcome being a stronger focus on divisional self-assessment.

At the same time that this is occurring, DOGGED will be developing a work improvement program to further develop and enhance risk practices across the agency. This will serve to improve the delivery capability of programs and activities and provide greater assurance confidence for future attestations.

The year-one program was viewed as a learning opportunity for both the attestation requirement and the agency’s risk management program.

Co-operation at all levels across the organisation was excellent, and nominated business representatives were able to recognise shortcomings in procedures and to downgrade their assessments during the evidence validation phase.



Ross Wilkinson is currently the acting Risk Manager for the Department of Transport, Victorian Government. Any views and opinions expressed in this article are his alone and do not reflect those of the Department of Transport.



14 August 2008

Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.