Department of Finance

Chief Risk Officer’s Guide

Risk and Control Operating Model

Implementing the commonwealth risk management policy

The Commonwealth Risk Management Policy

Section 16 of the Public Governance and Accountability Act 2013 (PGPA Act) provides that
accountable authorities of all Commonwealth entities must establish and maintain appropriate
systems of risk oversight, management and internal control for the entity.
 Non-corporate Commonwealth entities must comply with the Commonwealth Risk Management
Policy.
 Corporate Commonwealth entities are not required to comply but should align with this policy
as a matter of good practice.

Establishing a risk management policy

Entity requirements to Role of the risk function
meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act 2013
Rec 13 “Accountable authorities,
particularly of large Commonwealth
entities, or entities with complex risks,
should consider appointing a Chief Risk
Officer to support the accountable
authority to implement a strong risk
culture and behaviour across all levels
of the organisation”
MUST establish and The CRO is responsible for maintaining
maintain an entity specific the risk management policy that links
risk management policy the entity’s risk management
that: framework to its strategic
 defines its approach to objective(s). The risk management
the risk management and policy and supporting risk management
how it supports strategic framework should:
plans and objectives  inform, empower and guide the entity
 defines the entity’s risk and its officials on how to identify
appetite and risk and manage risks in their daily
tolerance activities and decision making
 outlines key  protect the soundness of the entity
accountabilities and and its resilience to risk events
responsibilities for
 clearly identify the accountabilities
managing and and processes for assessing,
implementing the risk monitoring, reporting and managing
management framework the strategic, emerging and material
 is endorsed by the risks facing the entity
entity’s accountable  support forward looking and
authority. insightful risk management across
the entity Top Down and Bottom Up.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
Business areas are
responsible for:
 proposing an entity’s risk
appetite, aligned to
Corporate and Business
Plans, for approval and
ensuring that this is aligned
to the entity’s risk appetite as
cascaded to it
 the Executive Team review
and approve Business
Plans and associated risk
appetite proposed by
Businesses and Functions.
Independent and
objective oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each
entity must have an Audit
Committee. Functions
must include the
appropriateness of the
entity’s system of risk
oversight, management
and internal controls
(PGPA Rule S17(1)).
Review and advise the
accountable authority on
the entity’s compliance
with the Commonwealth
Risk Management Policy.

1
 Department of Finance
Chief Risk Officer’s Guide

Establishing a risk management framework

Entity requirements to Role of the risk function Role of the business / Independent and
meet policy Chief Risk Officer / Head of Risk function objective oversight
Independent review of PGPA Act 2013 Executive Team (Head of Audit Committee
Rec 13 “Accountable authorities, Division / Business Unit / /Internal
particularly of large Commonwealth Function) Audit/ANAO/Regulators
entities, or entities with complex risks, The first line of responsibility S45 PGPA Act. Each
should consider appointing a Chief for owning and managing risk entity must have an Audit
Risk Officer to support the accountable is the day-to-day decisions of Committee. Functions
authority to implement a strong risk officials in all roles and at all must include the
culture and behaviour across all levels levels. appropriateness of the
of the organisation” entity’s system of risk
oversight, management
and internal controls
(PGPA Rule S17(1)).
MUST establish a risk Working collaboratively with the Where mandated the Review and advise the
management framework business to design a risk business is responsible for accountable authority on
which includes: management framework ensures that implementing and the appropriateness of
the risk management activities of the embedding the entity’s risk the entity’s:
 the risk management entity are:
policy andthe entity’s framework in its area,  risk management
 proportionate to the level of risks including:
approach to managing policy
risk faced by the entity  the efficiency and  risk appetite
 aligned to the other activities effectiveness of risk
 risk reporting (internal  internal controls for
andexternal) undertaken by the entity controls, processes and risk identification and
 structured, comprehensive and procedures
 the desired risk risk management
embedded across the entity  the identification,
management culture  articulation of roles
and how it is being  dynamic and responsive to management and and responsibilities
encouraged emerging and changing risks or reporting of strategic, for risk management
entity strategy and activities. material and emerging
 the approach to  internal controls
embedding risk (ISO 3100-2018) risks to its business
framework and
management into Risk Management Framework should  working collaboratively processes for
business processes address the following risk management with the Risk Function. assessing
 how it contributes to activities:  compliance with compliance with
managing any shared 1. Strategic Thinking policies, processes, policies, processes,
or cross jurisdictional 2. Risk Identification legal and regulatory legal and regulatory
risks 3. Risk Management requirements. requirements.
 measuring risk 4. Risk Appetite
management 5. Controls, Data, Systems
performance and the 6. Monitoring & Reporting
oversight 7. Governance
 the review and 8. Role Profiles
development of risk 9. Customer Outcomes
management
framework and risk
profile.
The risk management
framework must be
endorsed by the entity’s
accountable authority.

2
 Department of Finance
Chief Risk Officer’s Guide

Defining responsibility for managing risk

Entity requirements to Role of the risk function Role of the business / Independent and
meet policy Chief Risk Officer / Head of Risk function objective oversight
Independent review of PGPA Act 2013 Executive Team (Head of Audit Committee
Rec 13 “Accountable authorities, Division / Business Unit / /Internal
particularly of large Commonwealth Function) Audit/ANAO/Regulators
entities, or entities with complex risks, The first line of responsibility S45 PGPA Act. Each
should consider appointing a Chief for owning and managing risk entity must have an Audit
Risk Officer to support the accountable is the day-to-day decisions of Committee. Functions
authority to implement a strong risk officials in all roles and at all must include the
culture and behaviour across all levels levels. appropriateness of the
of the organisation” entity’s system of risk
oversight, management
and internal controls
(PGPA Rule S17(1)).
An entity’s accountable The CRO provides oversight of the The Head of the Review and advise the
officer MUST (within the effectiveness of the Three Lines of Business/Function must accountable authority on
risk management policy) Defence Model in the entity that ensure that roles and the appropriateness of
define the responsibility ensures that roles and responsibilities for risk: the entity’s articulation
for managing risk by: responsibilities for risk  are meaningfully of roles and
 defining who is management, risk activities and risk understood and responsibilities for risk
responsible for Governance are clearly understood cascaded to all staff and management.
determining risk across the entity and that they align included in their role
appetite and tolerance with, and are complimentary to, profiles and performance
for risk delegations and authorisations. objectives
 allocating Risk Accountabilities (Individual &  are assessed as part of
responsibility for Collective) individuals’ performance
implementing the risk 1. Regulatory / Legal review processes.
management 2. Internal (3LOD)
framework 3. Governance
 defining roles and 4. Role Profiles
responsibilities in 5. Performance and Remuneration.
managing individual
risks.

3

Embedding systematic risk management into business processes
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
MUST ensure that the Provides objective oversight
systematic and challenge of the:
management of risk is
 entity’s systems and
embedded in key
controls in respect of risk
business processes.
management, noting risks
are owned by the business
 effectiveness of risk
management across the
entity by the business
including compliance with risk
appetite, risk policies, controls,
processes and procedures
 risks inherent in any
proposed business strategy
and plans are consistent
with the entity’s risk appetite
and tolerance.
Where appropriate, provide
guidance to the business on
consideration of risk in
business decisions.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
Within their area of
accountability:
 effective implementation of
risk controls and processes
 own and manage risks within
risk appetite, and evidence
consideration of risk in
decision making
 remediate weaknesses in
risk controls or processes
 escalate breaches of risk
appetite or risk concerns
 collaborate with, and
seeks guidance from, risk
SMEs to inform
consideration of risk in
decision making.
Department of Finance
Chief Risk Officer’s Guide
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
 Provide independent
assurance over the
adequacy, effectiveness and
compliance with risk
policies, internal controls
and processes within the
business, and the
adherence to them by
officials of the entity.
 Conducting thematic and
post incident reviews at
the Entity / Business
/Functional level as required.
4

Developing a positive risk culture
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
An entity’s risk The CRO is responsible for
management supporting the accountable
framework MUST officer in the development of a
support the positive risk culture across the
development of a entity. This should include the
positive risk culture. assessment of and actions
taken to embed positive risk
behaviours:
 Listening, Sharing and
collaboration
 Adherence to policies,
processes and procedures
 Risk is evidenced in decision
making
 Continuous improvement
 Individual accountability and
Learning from mistakes
 Open and constructive giving
and receiving of challenge.
The risk culture should promotes
a proactive approach that
considers both threat and
opportunity.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
 Role model and set a strong
Tone From the Top.
 Support the development
of a positive risk culture
consistent with the entity’s
target risk culture,
evidenced by reinforcing
desired risk behaviours
and appropriate actions
taken for detrimental
culture risk behaviours.
 Promote a proactive
approach to risk
management that
considers both threat and
opportunity.
Department of Finance
Chief Risk Officer’s Guide
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
Review and advise the
accountable authority on the
appropriateness of the
entity’s risk culture.
5

Communicating and consulting about risk
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
MUST implement  Oversight and report the
arrangements to entity’s aggregate risk
communicate and profile relative to current
consult about risk in a and future business strategy
timely and effective and activities and agreed
manner to both internal risk appetite:
and external  reporting should consider all
stakeholders. material risks
 report on emerging risks to
the entity and plans to
mitigate them
 alert the accountable
authority to and provide
challenge on, any business
strategy, plans or actions that
may cause the entity exceed it
risk appetite and tolerance
 oversight and validation of the
entity’s external risk
reporting obligations.
Understanding and managing shared risk
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
MUST implement  The CRO provides guidance to
arrangements to the business on how to
understand and collaborate with other
contribute to the Commonwealth Entities to
management of shared identify areas of shared risks
risks. and to contribute to the
aggregate assessment of those
risks and, importantly, their
effective management, not only
for the entity, but on occasion the
Commonwealth.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
 Oversight of and report the
business risk profile
relative to current and
future business strategy
and activities and agreed
risk appetite.
 Report emerging risks and
plans to mitigate them.
 Alert the Risk Function
and the accountable
officer with regard to
current or planned
activities that may cause
the business to exceed it
risk appetite and
tolerance.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
 Openly collaborates and
shares information on
current and emerging risk
issues with others.
Department of Finance
Chief Risk Officer’s Guide
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
Outcomes of oversight
activities should:
 inform the accountable
authority whether the entity’s
system of internal controls is
appropriate to the entity
 provide advice to the
accountable authority on
major concerns identified
and recommended
actions, including
identification and
dissemination on good
practice.
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
Where appropriate share
outcomes of oversight with
other Commonwealth entities
to identify areas of shared
risks and to contribute to the
aggregate assessment of
those risks.
6

Maintaining risk management capability
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
MUST maintain an  Identify and support the
appropriate level of development of the capabilities
capability to both needed to ensure that risks are
implement the entity’s managed effectively across the
risk management entity, including that the data
framework and used to assess its risks is fit-
manage its risks. for-purpose in terms of quality,
quantity and breadth.
 Identify and support learning
and training needs needed to
effectively manage risk and
develop a positive risk culture
across the entity.
Reviewing and continuously improving the management of risk
Entity requirements Role of the risk function
to meet policy Chief Risk Officer / Head of Risk
Independent review of PGPA Act
2013 Rec 13 “Accountable
authorities, particularly of large
Commonwealth entities, or
entities with complex risks,
should consider appointing a
Chief Risk Officer to support the
accountable authority to
implement a strong risk culture
and behaviour across all levels of
the organisation”
MUST review its risks, Ensure the continuing
its risk management efficiency and effectiveness of
framework and the the risk management Function
application of its risk and Risk Management
management practices Framework and that it remains
on a regular basis, and fit-for-purpose in supporting and
implement enabling the entity to conduct
improvements arising its activities in a safe manner.
out of such reviews.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
 The business is primarily
responsible for ensuring
staff have the capabilities
to manage risk in their daily
activities aligned to their
roles and responsibilities
 Where appropriate the
business collaborates with
the Risk Function for
support in building their
risk capabilities.
Role of the business /
function
Executive Team (Head of
Division / Business Unit /
Function)
The first line of responsibility
for owning and managing risk
is the day-to-day decisions of
officials in all roles and at all
levels.
Undertakes regular activities to
assess the effectiveness of
risk management within the
business and is responsible
for remediating identified
weaknesses.
Department of Finance
Chief Risk Officer’s Guide
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
Identify and support the
development of the
capabilities needed to
conduct its oversight
activities.
Independent and objective
oversight
Audit Committee /Internal
Audit/ANAO/Regulators
S45 PGPA Act. Each entity
must have an Audit
Committee. Functions must
include the appropriateness of
the entity’s system of risk
oversight, management and
internal controls (PGPA Rule
S17(1)).
Ensure the continuing
efficiency and effectiveness
of its oversight processes,
including the coverage of the
oversight activities of the
entity’s key risks and activities.