Commonwealth Risk Management Framework

The Department of Home Affairs administers the Protective Security Policy Framework (PSPF). The PSPF prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing sound and responsible protective security practices, and identifying and mitigating security risks and vulnerabilities. 

The PSPF provides direction and guidance for: 

• The Accountable Authorities of Australian Government entities, per the Public Governance, Performance and Accountability Act 2013 (PGPA Act). 
• Entity Chief Security Officers, Chief Information Security Officers, security practitioners and other named security officials. 
• Service providers that provide services to Australian Government entities, or are required to implement the PSPF according to relevant deeds or agreements. 
• Those responsible for communicating security information to Australian Public Service (APS) employees, third-party service providers delivering services to Australian Government entities, and visitors to government facilities. 
• Those working within, and for, the Australian Government, including APS employees, third-party service providers and contracted staff. 

More information on the PSPF can be found at Protective Security Policy Framework.

The Department of Agriculture, Fisheries and Forestry (DAFF) administers the Biosecurity Act 2015 and subordinate legislation to manage biosecurity risks entering Australian territory and support a sustainable and prosperous Australia through biosecurity, agricultural production and trade. 

The Biosecurity Act 2015 is designed to strengthen our national biosecurity system to provide a risk-based approach and an appropriate level of protection for Australia’s people, our environment and economy, consistent with international biosecurity obligations. 

These policies are relevant for portfolio industries and stakeholders seeking to: 

• import or facilitate the import of goods/commodities/animals or plants (including seeds and soil) to Australia
• travel or facilitate travel to and from Australia (including military movements)
• engage in portfolio related enterprises, including exporting goods/commodities from Australia
• form biosecurity management plans.

The Biosecurity Act 2015 describes the shared responsibilities of parties within the system. These include the responsibilities of DAFF, the Director of Biosecurity and Director of Human Biosecurity and their delegates, the Department of Health and Aged Care, the State and Territory Governments, Biosecurity Industry Participants, and members of the general public.

DAFF administers policies that support the Australia in achieving biosecurity outcomes including:

• the National Biosecurity Strategy - a strategic roadmap for Australia’s biosecurity system over the next 10 years, and 
• the DAFF Biosecurity 2030 Roadmap - DAFF’s priorities to support the goals of National Biosecurity Strategy.

For more information about Australia’s biosecurity legislation and policy arrangements, please visit Biosecurity and Trade.

Please note that parts of the Biosecurity Act 2015 pertaining to human health are administered by the Department of Health and Aged Care. For more information, please visit the Department of Health and Aged Care and the Australian Centre for Disease Control.

The Commonwealth Fraud Prevention Centre in the Attorney-General’s Department administers the Commonwealth Fraud and Corruption Control Framework. The Framework is designed to support Australian Government entities to effectively manage the risks of fraud and corruption. 

The Framework has 3 parts:

1. Fraud and Corruption Rule (section 10 of the Public Governance, Performance and Accountability Rule 2014) provides the legislative basis for the Commonwealth’s fraud and corruption control arrangements and is binding for all PGPA Act entities. It sets out the minimum standards for accountable authorities in relation to managing the risk and incidents of fraud and corruption.
2. Fraud and Corruption Policy sets out the procedural requirements for accountable authorities to establish and maintain an appropriate system of fraud and corruption control for their entity. The policy is binding for all non-corporate Commonwealth entities. Corporate Commonwealth entities and Commonwealth companies are encouraged to adopt the policy as better practice.
3. Resource Management Guide 201 Preventing, detecting and dealing with fraud and corruption provides further practical guidance on fraud and corruption control arrangements for all Commonwealth entities.

The Centre has a range of practical guidance and tools, specialist training and one-on-one support to help entities meet the framework obligations and enhance their counter fraud arrangements. To learn more, visit the Commonwealth Fraud Prevention Centre or contact us at info@counterfraud.gov.au.

The Department of Home Affairs administers the Security of Critical Infrastructure Act 2018 (SOCI Act) and is responsible for working with owners and operators of critical infrastructure to manage all-hazards risk affecting the function and security of the critical infrastructure ecosystem, including those arising from cyber, personnel, supply chain, and physical and natural hazards. These policies are relevant to entities that operate assets considered to be critical infrastructure assets under the SOCI Act. 

For detailed information about critical infrastructure risk management, mandatory cyber reporting, the Register of Critical Infrastructure Assets and other SOCI Act obligations, visit the Cyber and Infrastructure Security Centre. 

If you think you may operate a critical infrastructure asset, review the Asset Class Definition Guidance for definitions and relevant obligations of each critical infrastructure asset class.

The Department of Finance is responsible for managing the Commonwealth Risk Management Policy (CRMP) which supports section 16 of the PGPA Act. The CRMP sets out the principles and mandatory requirements for managing risk in undertaking the activities of government. Adherence to the CMRP is mandatory for all non-corporate Commonwealth entities and advised as good practice for corporate Commonwealth entities. 

The Department of Finance provides a range of online resources and specialised training to support agencies in developing their enterprise risk framework: 

• Resource Management Guide 211 Implementing the Commonwealth Risk Management Policy outlines the fundamentals of risk management and provides direction on how to follow the CRMP. 
• The Risk Management Toolkit contains examples and case studies to help agencies create a robust risk framework, develop strong risk culture, and clearly articulate the roles and responsibilities of staff in relation to risk management.
• There are also a number of risk management Communities of Practice to uplift risk and insurance capability across the APS. 
• The Commonwealth Risk Committee which is a sub-committee of the Chief Operating Officer’s Committee (COO Committee), which provides advice to the COO Committee on significant shared, common and emerging risks. 

For more information about enterprise risk management, contact comcover@comcover.com.au.