The environment in which PM&C operates is complex and dynamic, and PM&C actively engages with risk in a responsive manner. It is not possible or desirable to eliminate some of the risks inherent in our activities. Acceptance of some risk is often necessary to foster innovation and efficiencies within business practices. PM&C has a medium appetite and tolerance for its risks, with the exception of the risk to the health and safety of our people, which remains low.
The Executive Board determines our risk appetite and tolerance, and oversees enterprise risks that may affect our ability to achieve our purpose. The Audit and Risk Committee provides advice to the Secretary and senior executives on the appropriateness of PM&C’s system of risk oversight and strategies to manage key risks.
The Chief Risk Officer is responsible for embedding risk management as part of the culture of PM&C and ensures that fit for purpose risk policies, frameworks and tools are in place to support all staff to effectively identify and manage risk.
PM&C’s risk management framework is aligned to the Commonwealth Risk Management Policy. During 2022–23, PM&C will review and update the policy and framework, and tools, to ensure they are fit for purpose and continue to enhance the integration of risk management into existing processes.
The environment in which PM&C operates is complex and dynamic and PM&C actively engages with risk in a responsive manner.
Enterprise Risk | Management of the risk |
---|---|
Enterprise Risk 1 We do not provide an environment that cultivates a positive culture or behaviours to support the safety and wellbeing of our people. |
Over the past 2 years, PM&C has invested heavily in the wellbeing of our staff, with initiatives that cover physical health, environmental hazards, mental health, and personal development. Encouraging APS Census results indicate our efforts have been effective, and we have ongoing plans to maintain positive wellbeing results. This includes implementing the many-faceted APS Mental Health Capability Framework, the Parliamentary Workplace Support Service, and wellbeing-focussed communications campaigns. |
Enterprise Risk 2 We do not have the capability or capacity to deliver and meet emerging priorities. |
PM&C is progressing with major projects to improve capacity by building capability in our people. These projects will address workforce management and planning, organisational psychology and management capability, and additional resourcing as a mitigation. |
Enterprise Risk 3 We are not influential and fail to lead, collaborate and anticipate policy direction. |
PM&C effectively utilises mechanisms such as the Secretary’s Board, the Secretaries Committee on National Security, the Secretaries Strategic Security Committee, and the First Secretaries Group. We also maintain a highly visible and proactive presence with APS agencies, such as boosting collaboration in the APS through the Priorities Delivery Unit. PM&C has detailed plans, business processes, and clearance protocols to ensure we maintain productive relationships with Ministers’ offices and stakeholders in APS agencies. We routinely monitor our compliance and quality, and use our annual stakeholder survey to find any areas for improvement. |
Enterprise Risk 4 We are not able to maintain the confidence and trust of the Prime Minister, the Government or the public. |
|
Enterprise Risk 5 We do not have effective, efficient, and fit-for-purpose IT systems and services. |
PM&C has ongoing investments in capital and people, including hardware redundancy and testing for failover and recovery systems, and cross-skilling programs. The Forward Capital Plan ensures planned upgrades and hardware replenishment are measured and appropriate for our current and anticipated needs. |
Enterprise Risk 6 We fail to protect our information and IT systems. |
Security and reliability are core considerations of PM&C’s IT Architecture Board. PM&C maintains an industry standard defensive in-depth stance and conducts regular pressure and penetration testing. PM&C continues to improve security measures with enhancements to authentication and access protocols for secure networks and document systems. |