We have designed a risk management methodology that is easy to use and contemporary. It supports planning activities by aligning risk to organisational objectives. It encourages a positive culture by bringing risk to the forefront of discussion, harnessing opportunities, reducing governance and duplicated effort. The method is easy to apply and moves risk to part of day to day practices applied by non-specialist staff.

The framework is a unique, non-traditional risk methodology to manage risks, plan activities and identify opportunities. This increases engagement with risk and risk management increasing the robustness of our processes.

It is innovative as it has created efficiency gains for the organisation by saving time, reducing duplication and paperwork. Unnecessary and onerous processes have been replaced with streamlined methods that reduce workloads and create a clear accountability and assurance of risk processes across the organisation.

The status of the Enterprise Risk Management Framework and supporting risk methodology has elements in implementation, evaluation and diffusing lessons.

The framework was released twelve months ago. Some elements we are still forming and implementing. In the main, we are evaluating and diffusing lessons.

The risk methodology has been applied across the business lines resulting in the population of the ERR in accordance with international guidelines and standards. This provides the risk picture for the enterprise and business levels across the organisation.

To promote a positive risk culture and promote risk awareness we deployed a Risk Roadshow to engage people face to face with risk management more broadly and to increase capability and a common risk language with using the framework and methodology. This process provided great support to the ease of use of the methodology, broad applicability, and general support for the new process.

The development of the ERMF and risk methodology was completed by the Corporate Risk and Assurance branch from the recommendations of external reviews by Deloitte and Protiviti.

The ERR was created using Protecht software. It was developed internally with technical assistance from Protecht as required.

During the risk road show external speakers from: PWC, Protecht, Comcover and Deloitte shared their experience and risk management insights.

This benefits all ATO staff, with particular benefit for Senior Executives who have better oversight of enterprise level risks. The ERR provides better support to risk owners/managers/contacts to manage their risks and have their efforts linked to the Corporate Plan.

The organisation benefits as risk practices are in accordance with Public Governance, Performance & Accountability Act, International Standards ISO 13100, and other regulations that require adequate oversight/accountability.

The ERMF and risk methodology have identified and assessed risks which have been uploaded onto the ERR in accordance with ANAO standards. It has successfully created a level of accountability for risks and aligned risks to risk owners and organisational objectives. It has successfully provided internal assurance through an Enterprise Risk Management Committee and independent assurance through an Audit and Risk Committee.

All levels of the ATO have been very receptive of the new ERMF, and particularly the new risk methodology. Feedback from the recent Risk Roadshow where staff were engaged face to face about risk management, the framework and methodology, was very positive. Staff provided feedback that 94 percent increased their knowledge of risk and the risk methodology and believed they would be able to apply the information they acquired to their projects and business as usual work.

There have been two key challenges

• multiple frameworks
• fear of job loss through reduced paperwork

A number of risk management frameworks and different registers exist across the ATO. Moving to an overarching enterprise wide model has been a challenge where business areas are used to doing things a certain way, and where business decisions have been built into their risk framework. However, it has led to positive discussions on what needs to be considered within a risk framework, and how risk can be used in business for the selection of compliance and audit work. It has refreshed the organisation and created an awareness of unnecessary layers of complexity within different approaches to risk.
The new framework reduces the amount of paperwork to capture the key components of risk by specifying the information required and limiting the amount of detail. This has come with a significant cultural shift to release the need to have in-depth research, calculations and documenting evidence.

The success of the enterprise risk management framework has required backing from senior leaders and senior executives to provide guidance to staff to support the on boarding required to make it work.

The appointment of a Chief Risk Officer sent a key message from the Commissioner that risk is important and it provided the leadership required for execution of the framework.

The CRA branch provides support directly to users. Having the correct tools, particularly people to guide people through the change has been essential.

The push from supporting staff has driven the implementation of the framework to occur and meet timeframes. Support staff were required to update guidance material, communicate messages, update systems, and foster a positive risk culture with stakeholders and across the organisation.

Not at this stage.

There have been many lessons learned along the way, many of which have led to adjustments and improvement in processes in how things are done and communicated. Innovation creates change. Change is not a single event and we are still working on bringing the framework and all it supports to maturity.

Improvement to processes has involved providing additional information where key stakeholders wanted more detail. Adjusting templates and the way work was presented to make it easier to read or more visually appealing. Using technology such as Microsoft Office Communicator to screen share presentations in workshops where participants weren’t co-located meant we could be more interactive and participants were more engaged.

Communicating messages to stakeholders who have different levels of understanding, different agendas, and different end goals has meant being flexible and adaptable when engaging with staff. Working with different schedules and levels of availability has meant engaging with fewer people, or contacting separately rather than a workshop scenario.

During the risk roadshow presentations were shortened and made more interactive based on feedback. More time was spent on quality and standards, for example making sure things went right on the day, including technology, catering and presenters.

Generally as the framework matures and knowledge increases we are able to make tweaks and adjustments along the way to make improvements to all aspects of the work and the outcome we are trying to achieve.