12. Risk Management

In accordance with the Fraud Guidance contained in the CFCF, the department must:

  • undertake a fraud risk assessment at least every two years
  • develop its fraud risk assessments and FCCP using a methodology consistent with the relevant recognised standards
  • reassess fraud risks with any change in organisation structure, or any major new or changed policies
  • review and refine its fraud risk strategies on an on-going basis in light of its experience with continuing or emerging fraud vulnerabilities
  • consider the outcomes of the fraud risk assessment in the development of the annual audit work programme, and
  • ensure that employees engaged in agency fraud risk assessments acquire or possess a Certificate IV in Government (Fraud Control) or equivalent qualifications at a minimum.

12.1 Fraud Risk Assessment Process

The department conducts a fraud risk assessment programme that incorporates all divisions.

Fraud Risk Assessments are conducted ‘face-to-face’ with each division. This enables the division to raise any concerns directly with the fraud control team to ensure clarity and accuracy in compiling the assessment.

To maximise the effectiveness of the fraud risk assessment process, the assessments will:

  • be comprehensive, covering as far as possible, all potential fraud risks in all divisions at all locations
  • comply with relevant Commonwealth Standards
  • separately consider inherent risk and internal control
  • identify potential treatments to mitigate any unacceptable risks, and
  • achieve an overall ranking of identified fraud risks and provide fraud minimisation strategies, where required.

The department’s divisions and Senior Management are responsible for ensuring that the strategies and/or action plans developed during the course of a fraud risk assessment process are continually reviewed, actioned and updated where necessary.

12.2 Risk Management Framework

The department’s Risk Management Framework consists of a set of components that support and sustain risk management throughout the organisation. It includes the relevant Departmental Policy 1.1, the Risk Management Guidelines and supporting material such as the Risk Reference Card, Risk Identification and Planning Tool and other tools to manage risks below the divisional level.

The department manages its risks at three levels:

Strategic Risks

Strategic risks relate to the ‘big picture’. They are linked to the goals and objectives of the organisation and are primarily future orientated. At the Strategic Level, the department reviews and establishes its Strategic Priorities, which are articulated in the Strategic Plan. These priorities, as well as other external and internal inputs, are used to develop the Strategic risks in a way that is cognisant of ‘top down’ and ‘bottom up’ dimensions. Strategic risks are the responsibility of the Secretary and involve the management of high level risks and opportunities that impact on the department’s ability to achieve its strategic objectives.

Divisional Risks

Divisional Risks relate to risks that impact on a division’s capacity to achieve its divisional strategy and deliverables. A subset of divisional risks that are recognised by divisions as having the greatest potential to impact on the divisions is considered significant and should be escalated appropriately for oversight.

Operational Risks

Operational level risks are those risks that can affect the implementation of policies, programmes, projects, and other activities within the department. The department has established protocols for risk management across these specific activities. Specialist frameworks act as relevant guides for conducting risk assessments based on work of this nature. The department’s risk hierarchy and their inter-relationships are depicted below.