Corporate Plan 2023–2024

The Department of the Prime Minister and Cabinet’s Corporate Plan for 2023–2024

Risk management

Our approach to risk management

PM&C operates in a dynamic and fast-paced environment. There is inherent risk in everything we do and it is not possible, or necessarily desirable, to eliminate all risks. We strive to achieve the right balance between engaging with risk to promote efficiency and innovation within our business practices, while delivering on Government priorities.

PM&C is committed to engaging with risk in a way that enables us to be accountable, to act with integrity, and uphold the reputation of the department.

Risk oversight and management

The Executive Board determines our risk appetite and tolerance, and oversees enterprise risks that may affect our ability to achieve our purpose. By clearly identifying our risk appetite and tolerance, we are able to positively and consistently engage with risk.

The Executive Board has identified and oversees 6 enterprise risks (Table 1), which are managed in line with the PM&C Risk Management Policy and Framework.

As a critical part of our risk oversight and management, the Audit and Risk Committee provides independent advice to the Secretary and senior executives on the appropriateness of PM&C’s system of risk oversight and strategies to manage key risks.

We will continue to promote effective risk management by ensuring fit-for-purpose risk policies, frameworks and tools are in place to support all staff to effectively identify and manage risk.

Our risk culture involves being curious, thoughtful and deliberate when it comes to seizing opportunities and managing threats. All staff – including managers, secondees and contractors – play a crucial role in applying sound risk management principles and practices in their daily activities. Each person’s efforts enhance and strengthen our desired risk culture. PM&C supports our people in risk management by providing fit-for-purpose policy, tools, guidance and ongoing training.

PM&C also recognises that it must actively manage emerging categories of risk. Through education and consultation, PM&C strives to understand how these risks intersect with the work we are responsible for, and identify how these risks can be managed and reported on to meet legislated requirements.

During 2023–24, we will further mature our risk management policy and framework (and associated tools) to ensure they are fit-for-purpose, and continue to enhance and embed the integration of risk management into existing processes.

Table 1: Enterprise risks
Enterprise risk | Management of the risk
Enterprise risk 1  
We are not influential and fail to lead, collaborate, and anticipate policy direction.
PM&C effectively uses mechanisms such as the Secretaries Board, the Secretaries Committee on National Security, the Secretaries Strategic Security Committee, and the First Secretaries Group. We also maintain a highly visible and proactive presence with APS agencies. PM&C has detailed plans, business processes and clearance protocols to ensure we maintain productive relationships with ministers’ offices and stakeholders in APS agencies. We routinely monitor our compliance and quality, and use our annual stakeholder surveys to find any areas for improvement.
Enterprise risk 2   
We are not able to maintain the confidence and trust of the Prime Minister, the Government or the public.
Enterprise risk 3   
We do not provide an environment that cultivates a positive culture or behaviours to support the safety and wellbeing of our people.
PM&C continues to invest in the wellbeing of our staff, with initiatives that cover physical health, environmental hazards, mental health and personal development. Encouraging APS Employee Census results indicate our efforts have been effective, and we have ongoing plans to maintain positive wellbeing results. This includes implementing the many-faceted APS Mental Health Capability Framework, the Parliamentary Workplace Support Service, and wellbeing-focused communications campaigns.
Enterprise risk 4   
We do not have the capability or capacity to deliver and meet emerging priorities.
PM&C is progressing with major projects to improve capacity by building capability in our people. These projects will address workforce management and planning, organisational psychology and management capability, and additional resourcing as a mitigation.
Enterprise risk 5   
We do not have effective, efficient and fit-for-purpose IT systems and services.
PM&C has ongoing investments in capital and people, including hardware redundancy and testing for failover and recovery systems, and cross-skilling programs. The forward capital plan ensures planned upgrades and hardware replenishment are measured and appropriate for our current and anticipated needs.
Enterprise risk 6   
We fail to protect our information and IT systems.
Security and reliability are core considerations and PM&C maintains a defensive, in-depth stance that meets industry standards on IT security, and conducts regular pressure and penetration testing. PM&C continues to improve security measures with enhancements to authentication and access protocols for secure networks and document systems.