A Few Words About Us

Australian GovLink is published bi-annually with a purpose to promote and review major initiatives in local, state and commonwealth government departments and to encourage the principles of progress through partnerships between the private sector and government.


Risk Management Regulated

Risk management principles have been recognised as best practice and good corporate governance by public and private sector entities in Australia at least since the issue of the first Australian Standard AS/NZS 4360 in 1995.

This standard has since been superseded by the International Standard ISO 31000, which largely adopted the earlier Australian Standard principles, and the practical implications for organisational governance and operational strategies have now been enshrined in a range of other regulatory instruments.

In a recent development, the requirement for the establishment and use of risk management programs in the Federal public sector has been explicitly spelled out in legislation. This change can reasonably be expected to have “knock-on” effects in other non-government organisations, as discussed later in this article.

On 1 July 2014, the operative provisions of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) commenced. This new legislative instrument changed the compliance requirements for all Commonwealth entities, including Commonwealth Government departments, agencies and government-owned corporations.

Entities falling under the authority of the PGPA Act are now required to ensure that a range of risk management strategies are in place.

Broadly, key requirements include:

  • Development and maintenance of an appropriate system of risk oversight and management, and systems of internal control
  • Risk management frameworks that incorporate an analysis of key risks and mitigation strategies
  • Audit committee charters that contain the requirement to have regard for the systems of risk oversight and management, and systems of internal control.

As an adjunct to the PGPA Act, the Department of Finance released the Commonwealth Risk Management Policy to support the requirements of section 16 of the PGPA Act.

Non-corporate Commonwealth entities are required to comply with this Policy. While corporate Commonwealth entities are not required to comply, they are expected to review and align their risk management frameworks and systems with the Policy as a matter of good practice.

It is not uncommon for regulatory requirements imposed on the Australian public sector to be followed by parallel requirements in the private sector. Therefore, it would not be surprising to find in future years that the risk management strategies now required by law to be documented and implemented in Commonwealth entities become applicable to defined private sector entities.

Even if this legislative evolution does not eventuate, it is worth noting that the requirements imposed on Commonwealth entities will necessarily have flow-on effects for other entities across the nation. As a minimum, they will be regarded as “best practice”.

As Commonwealth entities seek to demonstrate their compliance with the legislated requirements, other public and private sector entities working with the Commonwealth public sector can increasingly be expected to provide evidence that their parts of the supply chain of goods and services feeding into the Commonwealth public sector also comply with these requirements.

Is your organisation ready to comply with this level of regulation, should it be requested by a Commonwealth entity you deal with, or should the regulatory requirements be applied more widely in future?

For many organisations, the time and resources needed to identify, develop and implement the management system and operational changes required by a regulatory shift of this nature may be hard to commit in the context of competing demands. External assistance can “make it happen”, regardless of organisational constraints.

Preparation should include:

  • Development and implementation of an enterprise risk management program, if there is not one already in place
  • Development of an appropriate Audit and Risk Committee charter, and establishing and managing the Audit and Risk Committee
  • Undertaking a gap analysis of existing risk management systems against the requirements
  • Undertaking a compliance review of any work already done to update the risk management systems to the requirements
  • Amending risk management systems and related documentation to incorporate the requirements
  • Developing and/or delivering training for key personnel to ensure they are informed of, and familiar with, their responsibilities under the new or revised enterprise risk management program.

QRMC can provide assistance with all of these tasks. Please contact QRMC for more information.


Last modified on Friday, 10 October 2014 14:20


About Us

BGP Publishing
PO Box 159,
Newport Beach,
NSW 2106

Ph. 1800 720 585