PM&C operates in a dynamic and fast-paced environment. There is inherent risk in everything we do and it is not possible, or necessarily desirable, to eliminate all risks. We strive to achieve the right balance between engaging with risk to promote efficiency and innovation within our business practices, while delivering on government priorities, being accountable and upholding integrity.
Risk oversight and management
The Executive Board determines PM&C’s risk appetite and tolerance to provide guidance to staff on the level of acceptable risk for the nature of our business. The executive encourages PM&C employees and teams to appropriately balance positive risk engagement, which promotes innovation and efficiency, with risk control and mitigation to uphold trust in public service institutions.
PM&C leaders and governance committees play an important role in overseeing key risks, matters of strategic and operational importance, and the achievement of objectives.
During 2024–25, we will continue to mature and promote effective risk management practice by ensuring our risk management policy and framework and supporting tools are fit-for-purpose and support effective decision-making.
We will continue to ensure that we manage our 6 enterprise risks (Table 1) in accordance with relevant policies and guidance, and that we remain aware of emerging risks, including climate risk and shared risk. Through education and consultation, PM&C strives to understand how these risks intersect with the work we are responsible for, and identify how these risks can be managed and reported on to meet legislated requirements.
Enterprise risk | Management of the risk |
---|---|
Enterprise risk 1: We are not influential and fail to lead, collaborate and anticipate policy direction. Enterprise risk 2: We are not able to effectively support government operations. | PM&C effectively uses mechanisms such as the Secretaries Board and Chief Operating Officers Committee. We also maintain a highly visible and proactive presence with APS agencies. PM&C has detailed plans, business processes and clearance protocols to ensure we maintain productive relationships with ministers' offices and stakeholders in APS agencies. We routinely monitor our compliance and quality, and use our annual stakeholder surveys to identify any areas for improvement. |
Enterprise risk 3: We do not provide an environment that cultivates a positive culture or behaviours to support the safety and wellbeing of our people or continued high level of integrity, accountability and compliance. | PM&C continues to invest in the wellbeing of our staff, with initiatives that cover physical health, diversity, environmental hazards, mental health and personal development. Encouraging APS Employee Census results indicate our efforts have been effective, and we have ongoing plans to maintain positive wellbeing results. PM&C is committed to promoting integrity across the department. We provide multiple reporting channels that allow for the referral of wellbeing, compliance and integrity matters to dedicated areas for support and necessary action. |
Enterprise risk 4: We do not have the capability or capacity to deliver and meet emerging priorities. | PM&C is progressing with major projects to improve capacity by building capability in our people. These projects will address workforce management and planning, organisational psychology and management capability. |
Enterprise risk 5: We do not have effective, efficient and fit-for-purpose IT systems and services. | PM&C has ongoing investments in capital and people, including hardware redundancy and testing for failover and recovery systems, and cross-skilling programs. The forward capital plan ensures planned upgrades and hardware replenishment are measured and appropriate for our current and anticipated needs. |
Enterprise risk 6: We fail to protect our information, personnel and physical environment and assets. | Security and reliability are core considerations for the department and PM&C maintains a defensive, in-depth stance that meets industry standards on IT security, and conducts regular pressure and penetration testing. PM&C continues to improve security measures with enhancements to authentication and access protocols for secure networks and document systems. PM&C ensures that its processes and systems are fit-for-purpose and remain in step with relevant security requirements. |