Part 4: Risk report
What we set out to achieve in 2003-04
Our key objectives for 2003-04 in relation to risk management were to:
1. Implement our (governance and) risk management framework (see page 5 of our Annual Plan 2003-04).
2. Improve our own measurement and reporting of risk.
Our risk management framework
We have developed a comprehensive risk management framework for the Office in consultation with key staff. It was introduced in 2003-04 and integrated within our strategic and business planning processes.
Our risk management framework can be represented as follows:
We define risk management as:
“The culture, processes and structures that are directed towards the continuous management of both opportunities and adverse effects impacting on our business.”
The key features of our risk management framework are:
- Our risk management framework is aligned to our business outcomes and the strategies designed to achieve these outcomes.
- The culture within the Office accepts that risk management is a critical part of our business. Management’s acceptance of ownership and accountability to effectively manage agreed risks and take an appropriate degree of mitigating action is an essential part of this culture.
- We apply a defined methodology that enables us to identify and assess risks and make decisions about appropriate ways to mitigate the risks identified.
- We have clear statements of our risk management policy, principles and practice.
- Our risk management process includes the mechanisms we use for: identifying and assessing risks; developing specific mitigating strategies, plans or actions; and recording, monitoring and reviewing.
The governance arrangements associated with our risk management framework have been outlined in the Governance Report on pages 39-57.
Measuring our risks
In implementing our risk management framework in 2003-04, we identified our key strategic risks. These were published in our Annual Plan 2004-05 and are as follows:
- not maintaining our credibility and reputation;
- not meeting our stakeholders’ expectations;
- not maintaining and building our capability;
- failure to successfully implement our five-year Strategic Plan;
- not maintaining our independence; and
- serious audit failure.
In addition, we outlined the key measures we will use to assess the extent of implementation, and the quality, of our risk mitigation strategies. We will report on these for the first time in next year’s Annual Report.
As we had not implemented our risk management framework at the time of publishing our Annual Plan 2003-04, we did not specifically identify our key risks or how we would measure them. We did, however, outline what we saw as the “challenges and risks” to the Office that we expected in our operating environment. These were largely consistent with what subsequently emerged through our robust risk management process.
We also included some general statements about “what we need to do”. These were not specifically risk mitigation actions. In this Annual Report, we summarise our key responses to these general statements. Many of these responses were incorporated in the development of the Strategic and/ or Business Plans, or were part of our ongoing “business as usual” (which is separately reported in our Statement of Objectives and Service Performance on pages 123-140).
Challenges and risks | "What we need to do" | Our key responses |
---|---|---|
Credibility of the accounting and auditing profession | Maintain the quality of our key products and services | Reported on in our Statement of Objectives and Service Performance (pages 123-140) |
Ensure that the way we select and brief auditors, and monitor quality and timeliness of audit work and opinions, maintains the highest professional standards | We implemented our new audit resourcing
model
We continued to monitor the quality and timeliness of audit work |
|
Target our written products accurately to appropriate audiences and write them clearly and authoritatively | We continued our policy of external peer review of selected performance audit reports | |
Increases in Parliamentary and public expectations about public sector performance and accountability | Ensure that we have sufficient resources to respond to increases in demand | Addressed through our five-year Strategic Plan and associated three-year Business Plan |
Expectation gap and limitations on our effectiveness | Continue to focus on strengthening our working relationship with Parliament | Ongoing programme of Auditor-General
meetings with Select Committee chairpersons
Active consultation with Parliament over our Draft Annual Plan 2004-05 |
Discuss with Parliament any options for possible changes to the current system for dealing with our reports | We continued to consider ways in which we could enhance the impact of our reports | |
Promote awareness of our reports among relevant sector representatives and central agencies | The Auditor-General meets 2 or 3 times a
year with central agencies
Key senior staff across the Office continue to meet regularly with relevant sector representatives |
|
Ongoing changes in, and increasing complexity of, Central and Local Government operations | Assess the effects of these changes and reforms, and contribute to addressing their financial management and accountability implications | Addressed through our five-year Strategic Plan and associated three-year Business Plan |
Increasing litigiousness in the public sector | Ensure our methods for choosing what work we undertake (especially inquiries) are sound and transparent | A further review of our major inquiries process commenced and will be completed in 2004-05 |
Identify where additional capability is required (including training) | Addressed through our five-year Strategic Plan and associated three-year Business Plan | |
Ensure that our own processes are fair, transparent and consistent with the requirements of natural justice | A review of our inquiries methodology is proposed for 2004-05 | |
Manage the additional time and costs (such as legal costs) involved in “getting it right” | Addressed through the Office’s business planning process | |
Advances in information systems and information and communication technology | Keep up to date with these developments in the public sector, and also in the audit and assurance tools available to deal with them | Addressed through the Office’s business planning process |
Ongoing changes in performance reporting | Ensure that we have adequate capability, informed processes, and appropriate products | Addressed through our five-year Strategic Plan and associated three-year Business Plan |
Difficulties in obtaining required capabilities | Constant assessment, recruitment of people, and acquisition of information – to maintain our capability and respond to the increasing breadth of knowledge we are dealing with | Addressed through our five-year Strategic Plan and associated three-year Business Plan |
Keep skills levels up and institutional memory strong | ||
Formulate strategies to obtain external capability when required | ||
Need to maintain a viable in-house audit capability |
Summary
1. Did we implement our risk management framework?
We believe that we have substantially implemented our risk management framework in 2003-04.
- We undertook a robust process of identifying and assessing our key strategic, professional and business risks. This involved a large number of senior staff across the Office.
- We developed key mitigation actions for 2004-05.
- We fully integrated our agreed risk mitigation actions into our business plans.
- We established the ongoing monitoring and reporting framework to ensure achievement of our risk mitigation actions.
- We set up the processes for recording and re-assessing risk status and actions.
An area we would like to develop further is:
- Embedding our culture of risk management into all our management activities.
2. Did we improve in our own measurement and reporting of risk?
We believe that we have improved our measurement of risk. We have yet to implement our proposed improvements in the reporting of risk.
- We developed our first risk measures and published them as part of our Annual Plan 2004-05.
- We will develop the mechanisms to report on these measures during the 2004-05 year.