Skip to content
An official website of the OECD. Find out more
Created by the Public Governance Directorate

This website was created by the OECD Observatory of Public Sector Innovation (OPSI), part of the OECD Public Governance Directorate (GOV).

How to validate authenticity

Validation that this is an official OECD website can be found on the Innovative Government page of the corporate OECD website.

Design and implementation of a simple risk management methodology to support the Enterprise Risk Management Framework for the Australian Taxation Office

Risk processes in the Australian Taxation Office (ATO) were inefficient, onerous and under scrutiny from a number of reviews.

A revised Enterprise Risk Management Framework was released and supported by a simple risk methodology. The framework and methodology supports the ATO to achieve its strategic objectives, harness opportunities and better manage risk.

The innovative approach moved risk to be part of the conversation and supports planning. The methodology ensures we harness opportunity, and supports governance.

Innovation Summary

Innovation Overview

Risk processes within the Australian Taxation Office were inefficient, causing risk management to be an afterthought, duplicating effort, and causing poor engagement between the work we were doing and risk management.

A revised Enterprise Risk Management Framework was released in late 2017, along with the appointment of a Chief Risk Officer and Enterprise Risk Management Committee, a new Enterprise Risk Register, and supported by a simple easy to use risk management methodology.

The supporting risk methodology is innovative in how it supports risk management across the ATO. By using four simple questions, it supports a movement to a positive risk culture, is practical and easy to use enticing more people to be naturally involved in risk management (non-specialists), reduces the burden of pages of paperwork and duplication of effort, fits easily and constructively into planning activities, and supports the ATO to harness opportunity.

The risk methodology asks four key questions to focus risk discussions:
1. What are our objectives?
2. What must go right? (what are your strategies to achieve the objective?)
3. What may go wrong? (what are the uncertainties or risks within the strategies?)
4. Are the strategies working and risks being managed effectively? (assurance)

Discussions are held with specialists and key stakeholders and led by risk experts directing the discussion. This ultimately makes risk part of the conversation, making risk easy to apply and understand makes risk part of day to day operation in the organisation. Making everyone a risk practitioner and accountable for risk.

The methodology creates a reduction in governance burden and duplication of effort as it is based around conversations, short succinct artefacts, and prepared strategy documents are used in the discussion to drive conversation and direct the risk. The strategy aligns the goals and objectives of the organisation to what may go wrong, or the risks and ensures accountability and adequate oversight by ATO executive.

At the operational level, risk management is supported by risk documentation that meets Public Sector requirements and guidelines. While oversight at the enterprise level reduces layers of risk and duplication across the organisation. A new Enterprise Risk Registered (ERR) was developed by the branch using a Protecht system. The ERR is an easy to use risk repository that can track and record the risk and risk documentation. It ensures risk assurance is met by automating alerts to the accountable risk owners when it is time to review their risk. It can be used for reporting purposes. System training and awareness sessions have been run to relevant or interested staff across the organisation.

The introduction of the framework and particularly the risk methodology has reengaged the organisation with risk. As an easily consumable product, staff at all levels are engaging with risk management practices, and through the processes understanding how their work contributes to the Corporate Plan.

There has been shift towards a positive risk culture. Looking at risk as an opportunity and encouraging ongoing risk discussions. A communication strategy supports risk awareness and a community of risk managers. Specific, targeted communication has included:
• Creation of two communities of practice (one for all levels and one for Senior Executives) joining risk specialists across the organisation through regular meetings to communicate risk messages and raise emerging risks
• A risk awareness month with risk roadshows at six locations across the country. These were half day sessions with external guest speakers, an executive risk discussion panel and interactive internal presentations
• Internal ATO wide news articles, Internal social media (yammer) announcements and yammer groups
• New corporate risk branding and signage, providing risk a new fresh look that is easily identifiable.

Innovation Description

What Makes Your Project Innovative?

We have designed a risk management methodology that is easy to use and contemporary. It supports planning activities by aligning risk to organisational objectives. It encourages a positive culture by bringing risk to the forefront of discussion, harnessing opportunities, reducing governance and duplicated effort. The method is easy to apply and moves risk to part of day to day practices applied by non-specialist staff.

The framework is a unique, non-traditional risk methodology to manage risks, plan activities and identify opportunities. This increases engagement with risk and risk management increasing the robustness of our processes.

It is innovative as it has created efficiency gains for the organisation by saving time, reducing duplication and paperwork. Unnecessary and onerous processes have been replaced with streamlined methods that reduce workloads and create a clear accountability and assurance of risk processes across the organisation.

What is the current status of your innovation?

The status of the Enterprise Risk Management Framework and supporting risk methodology has elements in implementation, evaluation and diffusing lessons.

The framework was released twelve months ago. Some elements we are still forming and implementing. In the main, we are evaluating and diffusing lessons.

The risk methodology has been applied across the business lines resulting in the population of the ERR in accordance with international guidelines and standards. This provides the risk picture for the enterprise and business levels across the organisation.

To promote a positive risk culture and promote risk awareness we deployed a Risk Roadshow to engage people face to face with risk management more broadly and to increase capability and a common risk language with using the framework and methodology. This process provided great support to the ease of use of the methodology, broad applicability, and general support for the new process.

Innovation Development

Collaborations & Partnerships

The development of the ERMF and risk methodology was completed by the Corporate Risk and Assurance branch from the recommendations of external reviews by Deloitte and Protiviti.

The ERR was created using Protecht software. It was developed internally with technical assistance from Protecht as required.

During the risk road show external speakers from: PWC, Protecht, Comcover and Deloitte shared their experience and risk management insights.

Users, Stakeholders & Beneficiaries

This benefits all ATO staff, with particular benefit for Senior Executives who have better oversight of enterprise level risks. The ERR provides better support to risk owners/managers/contacts to manage their risks and have their efforts linked to the Corporate Plan.

The organisation benefits as risk practices are in accordance with Public Governance, Performance & Accountability Act, International Standards ISO 13100, and other regulations that require adequate oversight/accountability.

Innovation Reflections

Results, Outcomes & Impacts

The ERMF and risk methodology have identified and assessed risks which have been uploaded onto the ERR in accordance with ANAO standards. It has successfully created a level of accountability for risks and aligned risks to risk owners and organisational objectives. It has successfully provided internal assurance through an Enterprise Risk Management Committee and independent assurance through an Audit and Risk Committee.

All levels of the ATO have been very receptive of the new ERMF, and particularly the new risk methodology. Feedback from the recent Risk Roadshow where staff were engaged face to face about risk management, the framework and methodology, was very positive. Staff provided feedback that 94 percent increased their knowledge of risk and the risk methodology and believed they would be able to apply the information they acquired to their projects and business as usual work.

Challenges and Failures

There have been two key challenges

  • multiple frameworks
  • fear of job loss through reduced paperwork

A number of risk management frameworks and different registers exist across the ATO. Moving to an overarching enterprise wide model has been a challenge where business areas are used to doing things a certain way, and where business decisions have been built into their risk framework. However, it has led to positive discussions on what needs to be considered within a risk framework, and how risk can be used in business for the selection of compliance and audit work. It has refreshed the organisation and created an awareness of unnecessary layers of complexity within different approaches to risk.
The new framework reduces the amount of paperwork to capture the key components of risk by specifying the information required and limiting the amount of detail. This has come with a significant cultural shift to release the need to have in-depth research, calculations and documenting evidence.

Conditions for Success

The success of the enterprise risk management framework has required backing from senior leaders and senior executives to provide guidance to staff to support the on boarding required to make it work.

The appointment of a Chief Risk Officer sent a key message from the Commissioner that risk is important and it provided the leadership required for execution of the framework.

The CRA branch provides support directly to users. Having the correct tools, particularly people to guide people through the change has been essential.

The push from supporting staff has driven the implementation of the framework to occur and meet timeframes. Support staff were required to update guidance material, communicate messages, update systems, and foster a positive risk culture with stakeholders and across the organisation.

Replication

Not at this stage.

Lessons Learned

There have been many lessons learned along the way, many of which have led to adjustments and improvement in processes in how things are done and communicated. Innovation creates change. Change is not a single event and we are still working on bringing the framework and all it supports to maturity.

Improvement to processes has involved providing additional information where key stakeholders wanted more detail. Adjusting templates and the way work was presented to make it easier to read or more visually appealing. Using technology such as Microsoft Office Communicator to screen share presentations in workshops where participants weren’t co-located meant we could be more interactive and participants were more engaged.

Communicating messages to stakeholders who have different levels of understanding, different agendas, and different end goals has meant being flexible and adaptable when engaging with staff. Working with different schedules and levels of availability has meant engaging with fewer people, or contacting separately rather than a workshop scenario.

During the risk roadshow presentations were shortened and made more interactive based on feedback. More time was spent on quality and standards, for example making sure things went right on the day, including technology, catering and presenters.

Generally as the framework matures and knowledge increases we are able to make tweaks and adjustments along the way to make improvements to all aspects of the work and the outcome we are trying to achieve.

Year: 2017
Level of Government: National/Federal government

Status:

  • Implementation - making the innovation happen
  • Evaluation - understanding whether the innovative initiative has delivered what was needed
  • Diffusing Lessons - using what was learnt to inform other projects and understanding how the innovation can be applied in other ways

Innovation provided by:

Date Published:

28 January 2017

Join our community:

It only takes a few minutes to complete the form and share your project.