Commonwealth Risk Management Framework

The Commonwealth Risk Management Framework is an initiative that provides a holistic view and overarching structure for the management of risk across the Commonwealth. It facilitates comprehensive, connected and collaborative risk management across the Commonwealth by providing a single point of connection for all officials, helping to bolster risk management maturity within Commonwealth entities.

The legislative obligation around risk management is prescribed in section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which requires that ‘accountable authorities of all Commonwealth entities must establish and maintain appropriate systems of risk oversight, management and internal control for the entity’.

Beyond the legislative obligation, effective risk management is essential to improve decision making, maximise opportunities and better manage uncertainty.

The Commonwealth Risk Management Policy was formally launched on 2 July 2014. The policy supports the requirements of section 16 of the PGPA Act which requires accountable authorities of entities to establish and maintain systems and appropriate internal controls for the oversight and management of risk. 

The Commonwealth Risk Management Framework operates as a mechanism to bring together different entities with policy responsibility for a specific area of risk. This Framework provides a direct point of access to the homepages of these entities. Below you can select a policy/area of risk to view risk management information and resources.

The Department of Home Affairs administers the Protective Security Policy Framework (PSPF). The PSPF prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing sound and responsible protective security practices, and identifying and mitigating security risks and vulnerabilities. 

The PSPF provides direction and guidance for: 

  • The Accountable Authorities of Australian Government entities, per the Public Governance, Performance and Accountability Act 2013 (PGPA Act). 
  • Entity Chief Security Officers, Chief Information Security Officers, security practitioners and other named security officials. 
  • Service providers that provide services to Australian Government entities, or are required to implement the PSPF according to relevant deeds or agreements. 
  • Those responsible for communicating security information to Australian Public Service (APS) employees, third-party service providers delivering services to Australian Government entities, and visitors to government facilities. 
  • Those working within, and for, the Australian Government, including APS employees, third-party service providers and contracted staff. 

More information on the PSPF can be found at Protective Security Policy Framework.

The Department of Agriculture, Fisheries and Forestry (DAFF) administers the Biosecurity Act 2015 and subordinate legislation to manage biosecurity risks entering Australian territory and support a sustainable and prosperous Australia through biosecurity, agricultural production and trade. 

The Biosecurity Act 2015 is designed to strengthen our national biosecurity system to provide a risk-based approach and an appropriate level of protection for Australia’s people, our environment and economy, consistent with international biosecurity obligations. 

These policies are relevant for portfolio industries and stakeholders seeking to: 

  • import or facilitate the import of goods/commodities/animals or plants (including seeds and soil) to Australia
  • travel or facilitate travel to and from Australia (including military movements)
  • engage in portfolio related enterprises, including exporting goods/commodities from Australia
  • form biosecurity management plans.

The Biosecurity Act 2015 describes the shared responsibilities of parties within the system. These include the responsibilities of DAFF, the Director of Biosecurity and Director of Human Biosecurity and their delegates, the Department of Health and Aged Care, the State and Territory Governments, Biosecurity Industry Participants, and members of the general public.

DAFF administers policies that support Australia in achieving biosecurity outcomes, including:

For more information about Australia’s biosecurity legislation and policy arrangements, please visit Biosecurity and Trade.

Please note that parts of the Biosecurity Act 2015 pertaining to human health are administered by the Department of Health and Aged Care. For more information, please visit the Department of Health and Aged Care and the Australian Centre for Disease Control.

The Department of Climate Change, Energy, the Environment and Water is responsible for the implementation of the Climate Risk and Opportunity Management Program. Climate change is a challenge for the whole of our economy, our society, and our environment and affects all Commonwealth entities and companies to some degree. To enhance climate risk management capabilities across the Commonwealth public sector, the Australian Government has 3 core objectives:

  1. Position Australia as an international leader in public sector climate risk management. 
  2. Drive better Australian Government decision-making through the consideration of climate risks and opportunities.
  3. Ensure the Australian Government is transparently disclosing its climate risks and opportunities, commensurate with climate risk disclosure requirements for Australia’s large businesses and financial institutions. 

The Climate Risk and Opportunity Management Program has been developed to integrate consideration of climate risk into policies, decision-making processes, enterprise risk management and key corporate documents across the public sector. It provides guides, learning and development modules, a digital tool, communities of practice and a support service. The Department of Climate Change, Energy, the Environment and Water can be contacted at climaterisk@dcceew.gov.au.

The Government is also developing climate risk disclosure requirements for Commonwealth entities and Commonwealth companies through its Commonwealth Climate Disclosure initiative. The Department of Finance is responsible for this initiative and can be contacted at ClimateAction@finance.gov.au.

The Commonwealth Fraud Prevention Centre in the Attorney-General’s Department administers the Commonwealth Fraud and Corruption Control Framework. The Framework is designed to support Australian Government entities to effectively manage the risks of fraud and corruption. 

The Framework has 3 parts:

  1. Fraud and Corruption Rule (section 10 of the Public Governance, Performance and Accountability Rule 2014) provides the legislative basis for the Commonwealth’s fraud and corruption control arrangements and is binding for all PGPA Act entities. It sets out the minimum standards for accountable authorities in relation to managing the risk and incidents of fraud and corruption.
  2. Fraud and Corruption Policy sets out the procedural requirements for accountable authorities to establish and maintain an appropriate system of fraud and corruption control for their entity. The policy is binding for all non-corporate Commonwealth entities. Corporate Commonwealth entities and Commonwealth companies are encouraged to adopt the policy as better practice.
  3. Resource Management Guide 201 Preventing, detecting and dealing with fraud and corruption provides further practical guidance on fraud and corruption control arrangements for all Commonwealth entities.

The Centre has a range of practical guidance and tools, specialist training and one-on-one support to help entities meet the framework obligations and enhance their counter fraud arrangements. To learn more, visit the Commonwealth Fraud Prevention Centre or contact us at info@counterfraud.gov.au.

The Australian Government Crisis Management Framework (AGCMF) is the Australian Government’s capstone policy framing Australia’s national crisis management arrangements. It outlines the Australian Government’s all-hazards approach to preparing for, responding to, and recovering from crises. It details the roles and responsibilities of Australian Government agencies, ministers and senior officials, and outlines the tools and mechanisms available for managing crises. It is managed by the Department of the Prime Minister and Cabinet.

A revised version of the AGCMF was published in 2024 and will be reviewed annually.

The AGCMF is supported by:

The Department of the Prime Minister and Cabinet provides further information about the AGCMF.

The Department of Home Affairs administers the Security of Critical Infrastructure Act 2018 (SOCI Act) and is responsible for working with owners and operators of critical infrastructure to manage all-hazards risk affecting the function and security of the critical infrastructure ecosystem, including those arising from cyber, personnel, supply chain, and physical and natural hazards. These policies are relevant to entities that operate assets considered to be critical infrastructure assets under the SOCI Act. 

For detailed information about critical infrastructure risk management, mandatory cyber reporting, the Register of Critical Infrastructure Assets and other SOCI Act obligations, visit the Cyber and Infrastructure Security Centre.

If you think you may operate a critical infrastructure asset, review the Asset Class Definition Guidance for definitions and relevant obligations of each critical infrastructure asset class.

The Department of Finance is responsible for managing the Commonwealth Risk Management Policy (CRMP), which supports section 16 of the PGPA Act. The CRMP sets out the principles and mandatory requirements for managing risk in undertaking the activities of government. Adherence to the CRMP is mandatory for all non-corporate Commonwealth entities and advised as good practice for corporate Commonwealth entities.

The Department of Finance provides a range of online resources and specialised training to support agencies in developing their enterprise risk framework: 

For more information about enterprise risk management, contact comcover@comcover.com.au.

The Legal Services Directions 2017 (the Directions) are a set of binding rules issued by the Attorney-General about the performance of Commonwealth legal work. The Directions set out requirements for sound practice in the provision of legal services to the Australian Government. They offer tools to manage legal, financial, and reputational risks to the Australian Government's interests. The Directions cover matters such as:

  • informing the Attorney-General about significant issues
  • seeking Attorney-General approval to settle a significant issue
  • handling of claims and the conduct of litigation, including the Model Litigant Obligations
  • rules about the engagement of counsel, including the rates to be paid
  • the type of work that is tied to government legal services providers
  • consulting on and sharing of legal advice across government, and
  • compliance with the Directions.

The Office of Legal Services Coordination (OLSC) within the Attorney-General’s Department administers the Directions. It has prepared Legal Services Directions and guidance notes to help agencies to comply with their obligations under the Directions.

The OLSC conducts training workshops on a quarterly basis to help Australian Government agencies understand their obligations under the Directions, and how to comply with them. For further information on the training, or for any specific matters regarding the Directions, OLSC can be contacted at olsc@ag.gov.au or on (02) 6141 3642.

The OLSC also supports the operation of the Legal Risk Committee, which is a forum for senior government lawyers to discuss managing Commonwealth legal risk in a coordinated way. The committee meets 4 times a year and is a consultative and information-sharing body, rather than a decision-making body. The committee’s members are a representative group of senior government lawyers from every department of state and a selection of agencies. For more information contact the Australian Government Legal Service (AGLS) team within OLSC at agls@ag.gov.au.

The Regulatory Reform team in the Department of Finance administers the Regulatory Policy, Practice & Performance Framework (the RPPP) to provide regulatory agencies with principles-based advice and guidance to modernise regulation and regulatory systems, and to protect against regulatory failures. 

The RPPP provides regulators and regulatory policy agencies with 6 principles to drive fit-for-purpose regulation and mitigate regulatory risks. The RPPP is applicable to all government agencies that develop or manage regulation. 

For further information and to view the Framework, visit Regulatory Reform.

Comcare administers the Commonwealth Work Health and Safety Act 2011 and Work Health and Safety Regulations 2011 and is the national regulator for work health and safety.

Comcare publishes a variety of resources to assist Commonwealth entities with the implementation of the Work Health and Safety Act and Regulations:

  • Regulatory guides to help organisations and agencies understand the requirements of work health and safety laws.
  • Codes of Practice, practical guides on specific workplace hazards.

Best Practice Risk Management
