Comcover Awards for Excellence 2012
Case studies of award winning agencies
Foreword
I am pleased to present to you Comcover’s second case study booklet. It showcases the risk management
practices of the award winners from Comcover’s Awards for Excellence program in 2011.
The Comcover Awards for Excellence recognise and reward those agencies that demonstrate innovation and
leadership in the field of risk management.
Each of these award winning agencies has put forward examples of excellence that highlight how it approached
the challenges of implementing effective risk frameworks, programs and systems.
Nominations in the 2011 Awards program reflected the importance of ensuring an agency’s approach to
managing risk is aligned with its strategic objectives.
A number of winning agencies in the Enterprise-Wide Risk Management Category identified the need to review
and update their frameworks to reflect changes to their operating environment. As a result there is a greater
focus on accountability and responsibility for managing risk; a clear understanding of the importance of
integrating risk with other governance processes; and recognition of the benefit in aligning the agency’s risk
framework with its outcomes.
Award winners in this year’s Risk Initiative Category are diverse. Each has demonstrated that by having the
appropriate systems and processes in place to manage risk, it is possible to develop a culture where the
consideration of risk provides opportunity for agency improvement.
A key objective of the Awards program is to facilitate the sharing of information. I encourage agencies to read
the case studies and make contact with award winners to gain further insight into how they have influenced
better management of risk within their agency.
Comcover will draw on the experience of each of the award winners to help demonstrate examples of better
practice for our education program, and in the future development of better practice tools and templates.
Robert Higgins
Manager
Comcover
ENTERPRISE-WIDE RISK MANAGEMENT CATEGORY
Highly Commended - Department of Agriculture, Fisheries and Forestry
Highly Commended - Australian Taxation Office
Honourable Mention - Department of Immigration and Citizenship
Honourable Mention - Department of Human Services
Department of Agriculture, Fisheries and Forestry
Highly Commended
Overview
In 2009, the Secretary of the Department of Agriculture, Fisheries and Forestry (DAFF) made revitalising the agency’s
risk management framework a priority. At the heart of this was a comprehensive review of how the agency approached
and managed risks.
The agency acknowledged its previous risk management framework, while sound, was process-oriented and
complex. A new risk management framework was needed that would build a more agile, effective, adaptive
and resilient organisation. Three guiding principles were identified:
• Risk management should be part of everyday decision-making and not seen as a ‘bolt-on’ process.
• DAFF should adopt a positive risk culture, moving from risk aversion to working with known and
calculated risks.
• Staff should be empowered to actively manage risks as part of everyday decision-making.
DAFF’s new risk management framework is underpinned by regular communication from the Secretary and the
Executive, which sends a strong message about the importance of risk management, and ensures attention and
resources are dedicated to the task.
The Risk Management Framework—creating the foundation to effectively manage risk
DAFF’s new governance framework has integrated the management of risk into all key business functions,
processes, systems, programs and projects. This means the Secretary, in consultation with the Executive
Management Team (EMT), can determine, communicate and review DAFF’s risk appetite in response to what is
a dynamic operating environment.
The Risk Policy, set out in the Chief Executive Instructions, identifies risk management as an essential part of
the agency’s strategic approach. The policy makes sure the Department is well placed to understand and better
manage its risks and fulfill its accountability requirements.
Integrating risk management
By integrating risk management vertically and horizontally into its governance, planning and performance
management processes, DAFF made sure risk management became a mandated part of business planning at
the agency.
It did this by bringing the three separate elements of business planning, business risks and business reporting
onto one platform. This new system, called ‘e-plan’, allowed corporate information to be automatically populated into
planning, risk and performance plans, and removed any possibility for human error.
It also allowed risk levels to be automatically calculated, with users able to select sources of risk from drop-down
boxes. This allowed risk profiles to be calculated in minutes rather than days, and areas of risk growth to
be easily identified and treated.
While the new system supports and integrates risk more effectively into day-to-day business, DAFF has not
changed its existing integration model, which still allows risk information to flow through the Department
smoothly and be readily accessible by all senior executives.
DAFF regularly reviews, evaluates and updates its revamped risk management framework documents and
processes. Thanks to the successful implementation of ‘e-plan’, the review of risks has now become automated
and far easier to manage. Risk information is always in real time and relevant to day-to-day business.
Championing risk initiatives
DAFF has worked to create a positive risk culture that emphasises the benefits of risk management in achieving
the organisation’s objectives. It has embedded risk in the agency’s framework. Importantly, the Secretary and
the Executive drive this culture in the Department by championing risk initiatives and processes.
Implementing strategies, plans and processes
Crucial to DAFF’s successful implementation of a new and agency-wide risk management program is the top-down
commitment from the Secretary and Executive to providing the necessary financial, technical and human
resources needed to manage risk effectively and efficiently.
Responsibility for coordinating risk management across the Department lies with DAFF’s Business Assurance
& Risk Branch. It funds the dedicated Risk Management Team (RMT), which has three full-time officers. The
RMT coordinates and provides risk management advice and support across the agency.
The Department has also formed a risk branch to drive the biosecurity reform process and has various
specialist areas.
The RMT developed an organisation-wide strategy to implement, monitor, review and continuously improve
the Enterprise-wide Risk Management Framework. In implementing this strategy the RMT:
• Reviews and updates risk management methodologies and tools.
• Implements and monitors DAFF’s risk management program, including specialist risk activities.
• Analyses risk information and prepares a range of risk reports.
• Communicates risk information.
• Provides risk management learning and development opportunities.
Communication and training
As part of its efforts to effectively communicate risk information, DAFF consults widely with both internal and
external stakeholders to make sure risk sensitivity and emerging issues and opportunities are included in risk
analysis. External stakeholders include agriculture, food and fibre industries, other Australian and state
government agencies, consumer and community interest groups, and those involved across the biosecurity
spectrum.
The agency established a divisional risk network to champion risk management, and to provide points of
contact for all risk issues. It also provides feedback to the RMT on risk initiatives and risk mentoring.
DAFF carries out risk management training to make sure staff members have the knowledge and skills they
need to effectively manage risk in business operations, and offers a tiered risk management training program
for all staff.
As well as ‘Risk 101’ and risk scenario training, the Department also provides training on its risk tools.
Once developed and released from the development platform, training was provided on the new system ‘e-plan’,
which was designed to be intuitive and simple to use. One of its primary objectives was to reduce red tape and
streamline the whole planning, risk and reporting functions. Feedback indicates all of these objectives have
been met.
Business continuity
DAFF has successfully developed an agency-wide risk management framework that supports its business
objectives.
The agency’s risk profiling and reporting framework is a key input into business planning and performance
management activities. Strategic and key business risks are regularly reviewed, with risk assessment a normal
part of the annual business planning and reporting cycle.
As part of its business continuity program, DAFF undertakes a risk based Business Impact Analysis to identify
critical functions, dependencies, workarounds and the maximum acceptable outage times. All divisional
executive managers and key divisional staff were involved in this process, and the outcomes were endorsed by the
Secretary and EMT in November 2009.
The Department regularly tests its business continuity framework by working through scenarios. These
culminate in an annual live exercise that is held late in the year. Exercise scenarios are based on potential risk
events, and an exercise planning team that includes representatives from affected divisions is formed to plan,
organise and evaluate the exercise. All live exercises are also evaluated externally, with lessons learned used in
the annual review and update of the business continuity framework.
Results
DAFF’s revitalised risk management framework and program have ensured risk management has become a part
of everyday decision making processes. Risk management is integrated into the planning and reporting process
of the department, and links the agency’s management of risk within the overarching governance structures.
Championed by the Secretary, there is a top-down commitment to risk management that is complemented by
training and communication activities for all staff. This has helped to foster a positive approach to risk, with the
increasing realisation the Department should not be risk averse but have a better understanding of its risks, so
it can take known and calculated risks.
The introduction of ‘e-plan’ has dramatically reduced the amount of administration and errors the legacy
systems had built in. All business planning, risk and reporting functions are now in ‘real time’, which means
information is up-to-date and 100% accurate. This gives further reassurance to the Executive.
The Department has also seen improvements in how staff view risk training. Since the Department started
running ‘Risk 101’ training just over a year ago, more than 750 officers (from SES Band 2 to APS 2) have taken
part. The training is now being rolled out nationwide to front line officers, who have had risk training added as
part of their workplace agreement.
Australian Taxation Office
Highly Commended
Overview
The Australian Taxation Office (ATO) has over 20 000 staff across 25 business lines. It manages millions of
transactions every year from registrations and lodgments through to payments, refunds and debts.
Given the scale of its operations, the agency already had a well-embedded and mature risk management
capability and culture in its compliance areas, which had been recognised internationally. The challenge for the
ATO was to introduce an enterprise-wide risk management framework that continued to develop its
management of compliance risks, while extending it to cover all enterprise risks in an increasingly complex
organisation.
The ATO’s enterprise-wide risk management approach was designed to:
• Strengthen the integration of risk management activity across all areas of the ATO.
• Understand the range of risks as a ‘system’.
• Manage risks and take advantage of opportunities that arose from that understanding.
The Risk Management Framework—creating the foundation to effectively manage risk
Risk categories
To make sure all risks were considered, the ATO developed a schema of enterprise risk categories that
organised risk information into 22 categories. One of the key features of the framework is that it is
enterprise-wide, and operates independently of organisational structures.
Sub-categories carry risk descriptions that clarify what the impact would be if a business outcome were not
achieved. An Enterprise Risk Owner (typically SES Band 2) is appointed for each risk category. All risks
identified at enterprise, operational and tactical levels map to the most relevant risk category and are subject to
the risk management process. This makes sure mitigation strategies and controls remain effective.
[Figure: ATO Enterprise Risk Wheel - Level 0 and 1 risk categories]
Rating risk
The ATO recognises that risk management occurs at all levels of decision-making. Through the use of risk matrices that
vary in complexity, risks can be defined, rated and managed at the enterprise, operational and tactical levels, with
varying levels of effort. This ensures a more cost effective use of resources, by spending less time on simple risks and
more on complex and important risk decisions.
Tailored consequence criteria
Complementing the ATO’s risk rating matrices are tailored consequence criteria for each of the 22 risk categories. These
consequence criteria allow accurate articulation of risk tolerances and therefore accurate rating of the ATO’s risks.
The ATO’s Enterprise Risk Management approach provides:
• A framework to categorise, manage and report all risks in a consistent and systematic way irrespective of
organisational structures.
• Minimal overlap of risks by organising risks into ‘pools’ under the risk categories.
• Cost effective use of resources, focusing resources on the higher priority risks and less on risks within tolerance.
• A mechanism for escalating knowledge gained from intelligence activities to risk owners for quick action.
• A system view of risks, including how risks may drive and impact each other.
• A vehicle to integrate specialist risks such as tax technical decision-making, OH&S, business continuity and
security.
• A map of risk events from drivers through to business impact.
• A visual reminder that each category of identified risk requires consideration.
Accountability and responsibility
The ATO’s enterprise-wide risk management system hinges on everyone in the organisation—from senior leaders to
individual employees—being accountable and responsible for risk.
Second Commissioners are Portfolio Risk Leaders and:
• Oversee and resolve issues across a portfolio of enterprise risks.
• Emphasise the importance of, and embed risk management into, governance activities, planning, resource allocation,
and reporting.
• Instigate independent risk assessments.
Accountability for specific enterprise risks rests with the Enterprise Risk Owners. These people are typically Deputy
Commissioners (Senior Executive Service Band 2). By making risk categories independent of organisational structures,
the ATO has enabled a more flexible approach to managing risks and provided an end-to-end view of them. This
encourages greater communication between risk owners and risk managers across the agency and has led to a more
considered, consistent and integrated approach to risk management.
Risk managers are appointed to specific risk areas. They are responsible for implementing risk treatments, identifying
and assessing risks and the effectiveness of controls, and providing advice to enterprise risk owners on the status of
operational risks within their categories.
All employees play a role in managing risks, and some have specific risk responsibilities.
Overarching these specific day-to-day responsibilities is the Chief Knowledge Officer, who is formally accountable as the
capability leader for risk management practice within the ATO. This Officer receives advice on the agency’s risk
management capability from the Risk and Intelligence Forum, which is made up of SES (Band 1) officers. And finally, the
ATO’s Audit Committee oversees internal governance and assurance policy to monitor and evaluate internal controls,
including risk management.
Integrating risk management into business
Consideration of enterprise risks is incorporated into the ATO’s annual planning, budgeting and review processes,
ensuring considerations of priority and resource allocation are made for the management of the risks. The enterprise risk
categories ensure that this process is deliberate in encompassing the range of corporate risks.
The ATO has developed a one-stop shop approach to storing and managing risk information.
Built on Microsoft SharePoint, the new Enterprise Risk Register is an active real-time resource for all providers and users
of risk information. It is a collaborative platform that allows multiple perspectives and integration with risk assessments
and related records.
The Register is structured around ATO risk categories and features:
• Central and accessible recording of all enterprise and operational risks—mapped to the risk category.
• Identification of major risk interdependencies, similarities in risks but different approaches to treatments, and potential
duplication of risks and some potential risk gaps.
• Search function, reporting function, announcements and alerts.
• Storage of supporting reports.
Resourcing
A small corporate risk team manages and guides the implementation of enterprise risk management. This includes
developing risk policy, procedures and support tools, developing and implementing the risk register, collaborating with
learning and development professionals in risk training product development, delivering risk training and providing
ongoing advice and guidance on risk matters.
At an operational level risk committees review risk assessments, including new and emerging ones, relevant to their role
and specific areas of responsibility.
At an enterprise-wide level, enterprise risk owners identify the most significant risks (including emerging ones) and these
are considered in corporate forums. Discussion of these risks builds a wider understanding across the senior leadership
group of the risk landscape and systemic shifts or trends.
The ATO Risk and Intelligence Forum brings together leaders with a risk management focus from across the
organisation to consider aspects of risk management capability, including levels of resourcing, training needs, any
capability gaps as well as recruitment opportunities. This forum has been instrumental in improving information sharing
and consistency in how risk management is applied across the organisation.
Communication and training
The development of specific job profiles, a tailored learning and development curriculum and learning pathway for risk
roles, provides the basis for recognising and developing the competence of specialist risk capabilities.
In addition, the ATO identifies both in its policy and through individual employee roles, that managing risk is everyone’s
responsibility.
Risk training courses recognise the various levels of risk capability required. New ATO employees receive a specific risk
module as part of their induction. In addition, a further basic e-learning package is available for all staff.
More specialised training—from basic to advanced—is available using a variety of learning methods and is delivered by
risk experts.
Risk information is communicated agency wide via an intranet, the staff bulletin, and in a monthly newsletter for risk
specialists. Monthly meetings are also held for all Enterprise Risk Owner contacts to discuss practical issues and any
lessons learned.
Meanwhile SMS messaging is used to keep managers apprised of critical incidents with impacted staff updated through
email. Employees working on longer-term mitigation strategies are informed through business reporting.
Department of Immigration and Citizenship
Honourable Mention
Overview
In October 2009 the Secretary of the Department of Immigration and Citizenship (DIAC), Andrew Metcalfe, announced
he had set a challenge: to make the Department the best immigration and citizenship agency in the world. He wanted to
make sure the agency could compete in global markets and attract the best migrants and skilled workers Australia
needs.
As a result, the Department commissioned a complete review of its organisational structure and operations.
The enterprise-wide risk management framework that was developed from this challenge has had a huge impact on how
the agency conducts its business. Key outcomes include:
• Major structural changes that have improved accountability.
• Rollout of the Global Manager has increased focus on performance in the client service network, and delivered
improvements in service delivery.
• Work placement changes and improvements to service channels.
• Greater focus on operational and strategic risks.
• Improved quality and performance of internal business services.
• Plans are being developed to simplify visas.
The Risk Management Framework—creating the foundation to effectively manage risk
DIAC’s transformation process has been translated into an enterprise-wide risk management system that serves a
complex organisation. This system is based on three principles:
• Strategic and Tactical Risk Map.
• Risk Triangle (operationally focused).
• Risk Appetite.
Senior executive officers were involved in the review of the risk management processes, procedures and documentation,
and endorsed the embedding of risk management into the agency’s daily activities. This ensured the creation of sound
strategic planning, decision-making and accountability, and also identified the agency’s risk appetite.
Identifying executive staff as risk champions and giving them risk responsibilities was fundamental to ensuring a sound
enterprise-wide risk management framework.
Risk, Fraud and Integrity Division
A Risk, Fraud and Integrity Division (RFID) was established just over a year ago as a result of the transformation. RFID
has over 245 staff providing specialised risk and fraud services across the Department’s business functions.
The division consists of a diverse range of integrity and risk-related areas that had previously been dispersed throughout
the Department. It brought all these related areas together in a bid to centralise, enhance and streamline risk and
integrity-related functions.
RFID gives the Department intelligence and analytical capabilities to address and to respond to existing risk, including
risks that have, traditionally, not been visible. It is continuing to deploy new approaches, techniques and tools that build
on past experience, recognise the current environment, anticipate the future and prepare DIAC to manage emerging
risks.
In other initiatives, a recent collaboration involving Detention Services, RFID and PricewaterhouseCoopers developed
an overarching risk assessment for managing the Detention Services Contract nationally, and a suite of site-specific
assessments and quality assurance programs at each Immigration Detention Centre and facility.
This work is significant because it helps DIAC manage its critical strategic risk as it relates to the management of
irregular maritime arrivals.
[Figure: DIAC Risk Management Plan Hierarchy, showing strategic, tactical and operational risk levels within the DIAC Risk Management Framework]
Implementing strategies, plans and processes
DIAC has automated its risk assessment tools and linked them to strategic and tactical risks, which generate ‘heat maps’
for both strategic and program specific purposes. These maps are easily read and understood, and allow executive staff
to quickly identify emerging and ongoing risk issues as well as identifying gaps in the risk matrix. This signifies a much
improved analysis of data generated from completed risk assessments.
In addition, a Risk Management Helpdesk was created and operates from the RFID. It provides both formal and
ad hoc risk advice to the agency.
DIAC’s framework gives its stakeholders, staff, contractors and ministers assurance that risks, including business
continuity and monitoring arrivals, are being managed.
The agency is working to integrate risk management processes into its daily activities.
Communication and training
To support and help staff understand their risk management responsibilities and departmental processes, a Risk
Management Helpdesk was set up within the RFID. It accesses specialist risk expertise and provides advice to all areas
within the department. The Helpdesk plays three roles:
• Identifies risks within programs and projects.
• Tailors risk and fraud training to individual areas.
• Provides general ad hoc information about risk management.
To further communicate and provide training to staff, risk management and fraud training is formally incorporated into the
following training courses: induction, executive level, overseas preparation and compliance officer. As part of the
induction process, new staff must complete the risk management and fraud awareness e-learning courses. These are
now mandatory for all staff entering the Department, regardless of level.
In addition, all staff must now complete the fraud awareness e-learning course every two years.
DIAC risk specialists have developed a number of governance-themed online learning courses, such as Values and
Conduct, Business Continuity and Quality Assurance, for departmental staff. These link to the risk management
e-learning course as a pre-requisite, ensuring risk definition, methodology, accountability and measures are being
consistently used throughout the department.
To support and complement risk management training, a reference suite of documents has been developed to guide
staff. These reference and training materials provide advice to staff on understanding DIAC’s risk management
processes, completing the risk assessment template, and understanding their responsibilities for actively managing the
risks that fall within their area of responsibility.
To make sure profiling and reporting of risk is effective, the Department has created a Central Risk Register. This is
developed each year and is a record of all the risks identified across agency risk management plans.
Risk reporting
One of the first tools instigated by the RFID, over 12 months ago, was integrity scans of major departmental programs.
These have had a great impact on identifying risks, proposed risk owners and risk treatment owners, and have been well
received by important stakeholders across the Department.
A summary report of integrity scans is provided to the Departmental Executive Committee on a monthly basis. This
monitors the Department’s progress in addressing concerns raised. Critical to the success of the process is obtaining
agreement between the risk owner and the risk treatment owner on a course of action to mitigate any identified risk.
Risk analysis and reporting is embedded in the governance structure of the Departmental Audit Committee (DAC), by
requiring all DAC reports to include comments on key risks and mitigation strategies. A rolling agenda of items focussing
on strategic, tactical and operational risk issues is also discussed and reviewed by the DAC.
Business continuity
The Department has a robust business continuity program, which is overseen by the Departmental Audit Committee and
Departmental Executive Committee.
Each of the Department’s 66 overseas posts has a business continuity plan (linked to the Department of Foreign Affairs
and Trade plan at each Post). In addition there are 68 business continuity plans for onshore facilities and discrete work
areas within the National Office structure; these include plans for each immigration detention facility, DIAC staff located
at airports and state and territory offices.
The Department’s business continuity program is an integral aspect of sound risk management. The identification of
critical business functions is via a risk-based business impact analysis. This analysis considers the possible duration of
business interruptions and what impacts they might have on each business area and the business objectives of the
Department as a whole.
Understanding the need for business continuity plans within the Department is growing, particularly after the recent
experiences in the Queensland floods, the North Queensland and Northern Territory cyclones, and damage to detention
facilities due to rioting. In addition, a number of offshore posts have utilised their plans in response to civil unrest,
bombings and/or other major security situations.
The agency’s business continuity contingency philosophy led to it setting up an Incident Response Unit. This coordinates
DIAC’s efforts in whole-of-government response situations such as those that recently occurred in Christchurch, Cairo,
Sendai and Libya.
Department of Human Services
Honourable Mention
Overview
When major agencies are amalgamated, a key issue is how to reconcile various risk management frameworks and
create one new, overarching one. Questions that have to be answered include what are the benefits of the current risk
frameworks, what is the breadth of work the new department will undertake and how might risk translate into such an
organisation?
These were the issues the Department of Human Services (DHS) had to tackle when on 1 July 2011, the merger of
Medicare Australia, Centrelink, DHS and the Commonwealth Rehabilitation Service Australia was completed. (The
integration of the portfolio agencies started in October 2004, and more recently, the melding of the agencies into one
department was managed through a service delivery reform agenda.)
The consolidation of risk management was a vital issue in the amalgamation, as it impacted on all areas of the new
agency. Throughout the process, it was important the agency not only defined its new risk culture and appetite, but
also incorporated the best of each agency’s individual risk management frameworks into the new enterprise-wide one.
The Risk Management Framework—creating the foundation to effectively manage risk
The DHS amalgamation affected 38 000 people. Previously each agency had a chief executive officer and its own risk
management framework that managed enterprise-wide risks differently.
The first 12 months saw a melding process with the Executive looking forward and shaping enterprise risks.
Creating a new enterprise risk model
An enterprise risk model was developed to understand the new Department’s risk profile and review the risks of
individual agencies. This model included a set of high-level risk categories that described key facets of the business.
Within each of these, a set of sub-categories was developed that refined the given risks. This risk categorisation model
allowed the Department to easily capture information about its risk distribution against important business categories.
The Department uses an internally developed standard risk template to identify, capture and plan for how risks will be
managed. This makes sure all business units apply a consistent level of discipline to their risk assessments. It also
streamlines the collation of risks at an organisational level and allows for measurement and comparison of similar risks.
This approach makes sure risk accountability is embedded into everyday program delivery. In addition, individuals have
been identified as responsible for strategic risks. The elements of managing risk in the new department are evolving with
the basic elements working together. Chief Executive’s Instructions issued on 1 July 2011 refer to the management of
risk.
While it is an ongoing process, a risk appetite has been created for the new department with identified boundaries and
residual risks. As the Department continues to take on additional responsibilities, so this process will continue to evolve.
Implementing strategies, plans and processes
The Department is still in the early stages of developing communication and education strategies. To make sure staff are
equipped to identify and manage the risks associated with the new department, the Department asks all workshop
attendees to have carried out a risk assessment before attending courses. This is designed to increase their learning
during the course.
The Secretary is actively involved in strategic planning, is looking for best practice and is actively engaged in managing
risk. The agency has identified the need for a consistent risk management process across the new department and
draws on best practice to ensure acceptance across the different business areas.
New risk management team
Central to the Department’s risk management strategy is a dedicated risk management team. This team is responsible
for maintaining the quality of the risk framework and policy and supports business units and individuals.
The team visits business units throughout the year to discuss, educate and deliver presentations on current risk issues.
Project managers receive training in effective risk management and new starters are introduced to the Department’s risk
processes and resources as part of their induction.
A set of resources is available to all employees and includes:
• Comprehensive intranet site, containing all risk documentation.
• Templates providing standard base requirements for risk plans and assessment.
• Support covering all aspects of the risk assessment and management process.
• Access to advice and/or help on planning and running risk workshops.
Specialist risk teams
Specialist risk activity attracts dedicated resources in the Department. For example, the ICT group maintains its own
specialist risk team. The Department’s ICT arm accounts for considerable budget expenditure and outcomes and
manages a diverse technology framework unparalleled in federal government.
Each of the specialist risk teams works in concert with the Department’s risk management team. This provides
assurance that risk activity remains consistent and in accordance with departmental policy objectives.
Business units responsible for managing risk
All business units in the Department are required to take responsibility for managing risks. This is designed to achieve
two things: ensuring business experts assess the risks most relevant to the delivery of services; and reducing the
risk associated with concentrating expertise in any single location.
This model also allows business units to make tactical decisions in a controlled manner within an enterprise framework
based on their expertise and the support of the Department’s risk appetite and culture.
Overall, in a relatively short time, DHS has built the basic building blocks in its risk management framework, and just
needs time to establish the framework across the whole Department.
Business continuity
Supporting the Department’s risk management capability is the development of a comprehensive business continuity
approach.
The Department is often asked to respond, on behalf of government, to significant domestic and international
emergencies. Often it is responding to natural disasters and providing on-the-ground resources for government, while
simultaneously managing the recovery of its own infrastructure and resources. It had to do this, for example, during
Cyclone Yasi and the Queensland and New South Wales floods of January 2011.
To maintain ‘business as usual’ while also dedicating resources to an emergency, the Department relies on a strong
business continuity model that can be started quickly.
To make sure it is able to function effectively during service disruptions, the Department regularly tests its response
capability. This testing includes mock disasters, technical recovery exercises, off-site rehearsals and desktop
assessments.
The introduction of sample desktop reviews for business, risk and business continuity plans was premised on improving
the quality of the planning and providing consistency for the framework.
Results
There are two particularly noteworthy results from DHS’s new approach to risk management.
In early 2010, a decision was taken to integrate risk, business continuity and business planning for all portfolio agencies,
in anticipation of the new department coming into existence in 2011. This presented an opportunity to refocus the
Department’s attention on these business functions.
The second result stems from the Department’s response to a series of significant emergencies in early 2011, which
demonstrated the resilience built into the new risk and business continuity frameworks.
The coincidence of multiple major disasters in 2011 provided a new challenge to the agency’s risk and business
continuity planning.
The response to these emergencies was refined following the disasters and informed the new framework before it was
implemented department-wide.
Focus going forward
The focus for DHS over the next 12 months is the evolution of its strategic direction, engaging the Executive to consider
strategic risks, developing strategic reporting processes and focusing on emerging risks. Effort will also continue in the
adoption of best practice where appropriate, simplifying processes and embedding a culture of risk in a maturing
department.
The Department is measuring its approach to managing risk across the agency by reviewing its strategic processes and
monitoring its outcomes.
RISK INITIATIVE CATEGORY
Winner - Australian Taxation Office
Highly Commended - Department of Agriculture, Fisheries and Forestry (Asian Gypsy Moth)
Highly Commended - Australian Maritime Safety Authority
Highly Commended - Bureau of Meteorology
Honourable Mention - Department of Agriculture, Fisheries and Forestry (Aquatic
Animal Health)
Honourable Mention - Australian Customs and Border Protection Service
Australian Taxation Office
Winner
Overview
The Australian Taxation Office (ATO) has the important responsibility on behalf of the community for the care of
Australia’s tax and superannuation systems and the Australian Business Register. These systems fund the public goods
and services that give effect to economic and social policies and Australia’s superannuation system helps secure
retirement income for Australians.
The ATO’s vision is that “Australians value their tax and superannuation systems as community assets, where
willing and proper participation are recognised as good citizenship.”
Most Australians demonstrate high levels of willing participation and in 2010-2011, the ATO collected almost $273bn on
behalf of the community, the vast majority of it without any direct intervention by the ATO. However, this does not tell the
whole story. The ATO also needs to know its various compliance activities are having a positive impact on the
compliance behaviour of those who don’t willingly participate in the system while maintaining the support of those that do,
by demonstrating it is effective in maintaining a level playing field for the whole community.
The ATO has developed and implemented its own methodology that embeds evaluation as ‘business as usual’ for tax
risk managers. The Compliance Effectiveness Methodology facilitates the evaluation of compliance strategies to
determine whether they have changed behaviour in a sustainable way, and it provides a framework for continuous
improvement as they learn what works and what doesn’t.
The Organisation for Economic and Cultural Development (OECD) has adopted the methodology on the basis
it is innovative and pioneering and addresses a critical gap in practical guidance for member revenue bodies.
Compliance effectiveness methodology
Traditionally, the ATO had concentrated on measuring the efficiency of its programs but had not had a clear picture of its
effectiveness, that is, the extent to which its intended outcomes were, or were not, being achieved. In 2006 the ATO
Executive recognised the need for a consistent and robust process or methodology that would support the systemic
evaluation of ATO effectiveness, leading to improved decision making, choice of treatment strategies and resource
allocation.
Developing the methodology involved a thorough stocktake of the performance indicators used at the ATO, an extensive
review of literature on effectiveness and a collaborative, consultative and co-designed approach to creating a conceptual
framework.
Using the key insights developed through these processes, the ATO converted the conceptual framework into a series of
practical steps to be applied by compliance risk managers to support:
• Development of strategies that are aligned with the ATO’s strategic direction.
• Definition of intended outcomes and success goals.
• Development of indicators which form the basis for evaluating whether the intended outcomes had
been achieved.
The Compliance Effectiveness Methodology has four distinct phases, each of which has a specific focus.
Phase 1 is about understanding and articulating the compliance risk and ensuring the risk focus is aligned with the ATO’s
strategic goals.
Phase 2 is about clearly articulating the outcomes to be achieved by treating the risk; specifying the success goals or
what change it wants to see occur; and developing the treatment strategy that will meet those goals and achieve the
intended outcome.
Phase 3 is about identifying the indicators that will reveal if the intended outcomes have been achieved.
Phase 4 is about measuring and interpreting those indicators, evaluating whether the intended outcomes have been
achieved, assessing what has been learned and reviewing and revising future approaches.
FIGURE 1: ATO compliance effectiveness methodology
Operationalising the methodology
The ATO knew from its implementation risk assessment that its biggest hurdle in successfully implementing the
methodology would be creating the necessary cultural shift away from measuring efficiency to measuring effectiveness. It
knew cultural change would take time and would need to be actively supported to be successful.
The project team responsible for implementing compliance effectiveness designed a comprehensive change
management process, which included creating a number of key stakeholder forums and groups. These allowed the
project team to consult, collaborate and co-design with the Compliance Sub-plan business lines and relevant corporate
areas.
Training was provided for ATO risk owners, risk managers and facilitators. A helpdesk service was also established to
provide ongoing guidance and support. Support products were developed to help people understand the methodology
and its application, including reference materials, a guide for facilitators and a practical workbook.
Guidelines for data analysis and evaluation were also drafted along with templates to help align the intent, strategies and
indicators, the validation of indicators and the measurement of effectiveness. Compliance effectiveness requirements
were also integrated into existing ATO business processes, including project management, risk management, planning,
governance and reporting.
FIGURE 2: How compliance effectiveness is embedded within the ATO’s risk management
framework.
A reference group was created that included senior staff from across the agency. This has an ongoing steering role and
disseminates information and champions the value of measuring compliance effectiveness.
The ATO’s Compliance Executive, led by the Second Commissioner, Compliance and comprising the Compliance
Sub-plan Deputy Commissioners, is the primary governance body and assurance point for ATO Compliance Effectiveness.
When the new compliance effectiveness framework was integrated into the relevant business lines and products in
mid-2009, the risk managers, who had proved invaluable in supporting the development and integration of the compliance
effectiveness methodology, became champions for effectiveness and were formed into a ‘community of practice’.
A Compliance Effectiveness Centre of Expertise (CoE) was also created to provide expert guidance and support for the
new methodology. The CoE provides direct support and advice to risk managers.
The CoE developed products to build skills and also identified a core group of risk managers who received specific
training as facilitators. This capability was again formed into a ‘community of practice’ to help build the agency’s overall
effectiveness capability and encourage knowledge sharing.
The agency’s process testing, the development of good communication strategies and its stakeholder engagement
demonstrated a mature and comprehensive change management approach.
Benefits
2011 marked the third year since the Compliance Effectiveness Methodology was transitioned to ‘business as usual’.
While the ATO still has a lot to do to fully embed effectiveness in the day-to-day thinking and activities of its people, it is
already clear that it is better able to:
• Define compliance behaviour and consider the drivers of that behaviour.
• Describe desired outcomes from the outset.
• Consult, collaborate and co-design strategies with relevant stakeholders.
• Design indicators that will allow it to assess the effectiveness of its strategies.
• Evaluate and refine its strategies in light of the required outcomes.
Further, evaluation results are increasingly being used to shape the agency’s strategic responses, demonstrating the
effectiveness of the methodology as a continuous improvement tool.
Longer-term benefits also expected include:
• Increased differentiation so that compliance treatment strategies are better tailored to the circumstances
of the risk and those involved in it.
• Increased productivity as the ATO’s activities are more closely aligned to the achievement of its
strategic objectives.
Department of Agriculture, Fisheries and Forestry
Highly commended
Overview
Asian gypsy moths (Lymantria spp.) originate from temperate Eurasia and are recognised internationally as among the
world’s worst invasive species. They cause major damage by eating the leaves of as many as 1600 types of plant,
including forestry and horticultural crops as well as garden plants.
The cost of this damage is very high, with estimates for individual forestry or tree crop plantations exceeding $400 million
per cropping cycle. As a quarantine pest, the moths have spread from their endemic origin to a number of other countries
via trade pathways, notably to the United States and New Zealand.
Because the moths are simply attracted to lights and illuminated objects at night, pathway management has been a real
challenge. Maritime vessels and sea cargo have been regularly contaminated as they are well lit during night loading
operations.
To tackle the problem, Department of Agriculture, Fisheries and Forestry (DAFF) scientific staff conducted a study that
used satellite imagery to identify the ports most at risk from the moths. This was possible through the innovative use of
geospatial intelligence techniques to identify ports in close proximity to suitable densely vegetated areas where the
moths live.
This technique predicts the seaports in Asia where visiting vessels and cargo are most likely to be contaminated with the
moths’ egg masses. This study, combined with surveillance records, identified and confirmed the risk posed at individual
Asian seaports.
This risk initiative has allowed DAFF to become predictive rather than reactive in its ongoing risk management of the
moths and has the potential for Australia to become a world leader in the surveillance of them.
The success of this initiative is based on intra-departmental cooperation between DAFF’s scientific and operational
business units. Implementation of this risk management initiative has been strongly supported by the Department’s
executive as an example of what the agency is calling ‘risk-return’, that is, gaining the best outcome in both quarantine
protection and cost-effective resource allocation.
The Risk Management Framework—creating the foundation to effectively manage risk
To verify a risk-based intervention could be properly developed, managed and implemented, DAFF used standard
project management techniques.
To develop the initiative, staff carried out detailed consultations with scientific and operational business areas and
developed clear objectives, identified and evaluated risks, and prepared streamlined inspection procedures, data
collection and reporting requirements.
All Asian seaports in the geographic range of these moths were surveyed by satellite analysis using a combination of
public domain industry intelligence, and satellite imagery from Google Earth of juxtaposed suitable vegetation and port
infrastructure. This methodology allowed the Department to consider both existing and future risk pathways.
Mapping the Asian gypsy moth
DAFF identified that in Asia, the Asian gypsy moth typically attacks the trees that make up the dominant forest types (for
example, oak and larch forests). The size and extent of these forests could be precisely and accurately identified from
space due to the light spectrum the trees reflected. By mapping this reflectance data around each seaport, the
Department was able to identify which Asian seaports had the potential to be a risk source of moths.
Studies in Japan showed the moths do not tend to migrate out of forests and penetrate areas of human habitat by more
than 1500 metres. A buffered distance of 2000 metres was therefore used as the cut-off for the flight range of the moths.
Any seaport within 2000 metres of suitable forest types was considered a risk source of contamination.
Risk estimate report
A risk estimate report was compiled based on these findings, which when combined with an international standard
surveillance methodology for the moths, allowed Australian quarantine inspectors to target only those vessels identified
as the highest risk.
The analysis was also used to identify the highest risk areas on vessels where egg masses were most likely to occur.
The surveillance design also collected information on where eggs were located on vessels in order to calibrate and
improve surveillance.
Using geospatial technology was an innovative approach to a potential risk that allowed resources to be better managed
and allocated.
This risk-initiative provides significant efficiency benefits to DAFF through streamlining inspection procedures to reduce
the threat of moths in Australia. It also reduces demand on DAFF resources as well as inspection fees to the maritime
industry.
Implementing strategies, plans and processes
Based on the recommendations of the geospatial intelligence report, a pilot intervention program was implemented by
the DAFF Seaports Program from 1 July–30 September 2011, at the four busiest Australian seaports that receive the
greatest number of risk vessels.
These ports were Gladstone and Brisbane in Queensland, Newcastle in New South Wales and Port Hedland in
Western Australia.
The intervention employed a targeted risk-based approach to vessel inspection based on an ‘Asian Seaports Identified
for Surveillance List’, and inspection procedures for the moths that included:
• Vessel inspections based on examining high-risk areas of the vessel where the moths were most likely to be found.
• Egg masses found by quarantine inspectors were identified using remote microscope diagnostics by quarantine
entomologists, to identify whether the egg masses were of a quarantine risk species.
• If the species was classified as a quarantine risk, inspectors then thoroughly went through the vessel to eliminate egg
masses present.
• Quarantine inspectors recorded the time required to complete inspections for the moths for further analysis.
The pilot achieved two key objectives:
• Confirmation the predicted risk of moths entering Australia was correctly identified as being from risk ports.
• The streamlined, targeted inspection methodology was effective in intercepting the moth on international vessels.
This information will now be used to develop the full implementation policy for Asian gypsy moth inspections.
The creation of the ‘Asian Seaports Identified for Surveillance List’ will allow DAFF to become predictive rather than
reactive in the risk management of the moth.
Short-term benefits
The use of geospatial intelligence as a risk-management tool for Asian gypsy moths has already provided DAFF with a
range of short- to medium-term benefits:
1. Resourcing:
• Use of geospatial intelligence to shape border inspections has allowed DAFF to efficiently and effectively manage
its resources.
• Quantitative risk assessment through geospatial intelligence unambiguously directs quarantine inspectors towards
only those vessels that are most likely to be contaminated by the moth.
• A highly specific inspection methodology allows quarantine inspectors to target the highest risk places on
potentially contaminated vessels.
2. Identification of previously unknown risk ports:
• This risk initiative successfully identified four Asian seaports capable of exporting Asian gypsy moths to Australia
via contaminated vessels. Previously, these ports had not been recognised as risk ports by any country.
• This initiative resulted in the first quarantine interception anywhere in the world of Asian gypsy moths from the
Korean Peninsula.
3. Diplomatic approach:
• The use of an intelligence-based approach has allowed Australia to manage the risk posed by the moth entirely
on-shore. No additional demands have been placed on quarantine operations internationally, for example by
needing to send quarantine inspectors offshore to undertake pre-departure inspections of vessels. The risk of
vessel contamination posed by Asian gypsy moths is a sensitive issue throughout Asia, and visits by quarantine
agencies have not always been welcomed.
Long-term results
DAFF will use the results from this risk-based intervention to shape a revised national Asian gypsy moth policy over the
next 12 months.
Forecasting is another major long-term benefit arising from this risk initiative not only for this moth, but other invasive
species.
The data collected will also be used to predict when individual Asian seaports will be most vulnerable to contamination by
the moth. Because the metamorphosis of all Asian gypsy moths is strongly dictated by temperature, remotely accessed
climate data for Asian risk ports could potentially be used to predict when the moth would be most likely to affect
individual ports.
• It is expected these predictions could be narrowed to within a 1-2 week period. These forecasts could then allow
DAFF to help industry and other quarantine agencies to manage the moth in an integrated and effective risk-based
approach, further reducing inspection costs.
Australian Maritime Safety Authority
Highly commended
Overview
The Australian Maritime Safety Authority (AMSA) is a Commonwealth Statutory Authority. It is responsible for setting and
regulating standards for the operation of commercial shipping, an extensive network of marine aids to navigation around
the Australian coast, aviation and maritime search and rescue and a national plan to protect the marine environment.
When it comes to navigation safety, AMSA’s prime focus is on providing national aids for our navigation network. One of
its strategic objectives in this area is to adopt technological advances to improve safety. This is critical to the shipping
industry, which is an important stakeholder in AMSA. While the Authority is in part funded by the Australian Government,
over 50% of its funding comes from levies paid by the shipping industry.
In August 2006, AMSA’s top-ranked risk centred on pilotage in the Torres Strait. (The third highest risk was the potential
for a serious incident in sensitive waters—mainly referring to Torres Strait and the Great Barrier Reef.)
Navigating the Torres Strait is demanding. Passage involves transiting confined waters that have limiting depths, while
the tidal flows are complex, highly variable and fast.
On top of this is a tropical climate with its alternating wet and dry seasons. Seasonal rainsqualls frequently affect
visibility, and the region experiences moderate to strong trade winds, tropical thunderstorms and occasional cyclones.
To overcome these risks, AMSA decided to introduce an Under Keel Clearance Management System (UKCM System).
AMSA realised that implementing its risk initiative was not without its own attendant risks. These included take up by
users, unrealistic expectations on transit times by vessel owners, the draught of vessels, along with the more general risk
of failure.
The Risk Management Framework—creating the foundation to effectively manage risk
Under Keel Clearance refers to the vertical distance between the keel of a vessel and the sea floor; a distance that has
to be maintained to ensure safe navigation and avoid grounding.
The risk initiative involved implementing web interface systems where information would be provided to a vessel’s pilot,
allowing them to plan a transit of Torres Strait and monitor it in real time.
The information provided by the UKCM System is based on the known characteristics of the vessel type, predicted
motion of the vessel, the topography of the seabed, predicted and known tidal movements and predicted and known
wind and wave motion.
For AMSA, the UKCM System covered three primary aspects:
1. Voyage planning. This could take place up to 12 months before travelling through the Strait. It provides information
that allows a vessel to arrive at a specific point in the Strait at a time when the predicted height of the tide and tidal
stream allows a safe transit.
2. Transit planning. This allows the pilot to select the best transit time and plan in detail.
3. Transit monitoring. The pilot uses real time information provided from shore-based systems to an on-board device to
monitor the ship’s transit and make timely and informed decisions during that transit.
In November 2006, AMSA engaged an expert shipping consultancy to carry out an initial risk review. This identified a
number of risks in implementing a UKCM System in the Torres Strait.
The primary one was the quality of input data. This included existing charts and the quality needed for other data relating
to tides and individual vessels. But with appropriate treatments, these risks were acceptable.
The Torres Strait is an environmentally sensitive area and a shipping accident would stop a large portion of trade to and
from Australian ports, and potentially pollute the marine environment. AMSA’s risk initiative would make transiting the
Torres Strait safer and more efficient, especially as trade through the area is expected to increase substantially.
Implementing strategies, plans and processes
AMSA chose to stagger the implementation of its risk initiative. This was done to manage risks, including those
surrounding the expectations of users.
Initially, AMSA only worked with pilots and pilot providers. It established a centre of pilot excellence, and training in the
new system was developed and introduced.
The Authority also made sure that when it came to coordinating with internal and external parties, responsibilities were
well defined both within and outside AMSA.
Entity | Role/Responsibility
Shipping company/agent | Provide the required vessel particulars, including hydrostatic details and ETA at the UKCM area, to the pilotage provider.
Master | Provide the required final stability particulars prior to the pilot boarding/transiting the area.
Coastal pilots/pilotage providers | Utilise the UKCM System. Manage tidal windows and transit plans.
AMSA | Oversee the use of the UKCM System by coastal pilots and pilotage providers. Provide validated sensor data for use by the UKCM System. Provide pilotage provider/pilot access to the UKCM System.
UKCM provider | Ensure contracted service is provided to AMSA, including delivery to the specified performance and availability criteria.
REEFVTS | Provide UKCM-related information, as part of the ongoing delivery of an Information Service.
Finally, when AMSA was confident identified risks were being effectively managed, it rolled the system out to ship
operators directly.
Consultation with these stakeholders was an important part of the risk initiative. AMSA’s communication strategy was
designed to give stakeholders assurance the system would be effective, and manage their expectations.
Ultimately, the UKCM System had good take up by users and the final stage of implementation took place on
16 December 2011.
An integrated program that meets the needs of stakeholders
AMSA developed an integrated program that combined:
• A technological solution (the UKCM System).
• A regulatory framework (Marine Order 54).
• Authoritative/quality assured inputs from various sources.
• Accurate information from the ship operator/master/pilot.
• Training and engagement of users at all levels.
AMSA will regulate the use of the UKCM System (by coastal pilots and pilot providers) through Marine Order Part 54. A
framework was established to verify the accuracy of sensor data and periodically re-calibrate the sensors, independent
of the contractor.
AMSA is working closely with the Australian Hydrographic Service to make sure high accuracy surveys of the Torres
Strait needed by the UKCM System are available.
The AMSA risk manager was involved in the initial risk assessment and in subsequent risk assessments of activities.
External specialist resources were brought in as required to provide technical expertise.
Overall, the UKCM System project was initiated and driven by non-risk management staff, who were willing to call in
risk management specialists when needed. This demonstrates the management of risk is embedded in AMSA’s
processes and procedures.
AMSA worked hard to meet the needs of each stakeholder through the risk management approach the agency
developed and implemented.
Short-term benefits
The short-term benefits of this project include:
 A marked reduction in the time pilots need to calculate transit times.
 Pilots are using Transit Planning to gain an assessment of the efficiency and safety of intended transit windows, and
compliance with AMSA’s rules.
 Pilots are using Transit Monitoring for real-time assessments of their transit. The system also captures all relevant
information for AMSA to review for future improvements and model adjustments.
 Pilots, pilot providers and pilot launch masters are using the Met-Ocean service for real-time, predicted and short-term
forecasts of environmental information. Launch masters are also using the information to assess the risks of transfer
activities (ship to launch or launch to ship) in exposed waters.
 The UKCM System is able to exchange key system and vessel-related information with third party systems.
Benefits identified by AMSA of its staged implementation approach include:
 Strong industry acceptance.
 A robust system that integrates well with existing systems.
 Service providers taking up the system.
 For pilots using the system, transit information in the form of charts highlighting the current voyage is currently
available to ships’ masters on deck. This adds credibility to its operation.
AMSA has also realised the short-term benefits of its new system translate as long-term benefits for Australian mining,
general freight movement and the environment.
While the system is relatively new, it has demonstrated potential and ongoing improvements for vessels transiting the
Torres Strait in a way that reduces inherent risks.
Long-term results
The long-term benefits identified by AMSA include the implementation of a system that gives pilots the ability
to improve their decision-making and transit planning while ensuring a safe transit through the Torres Strait.
Additional long-term benefits include:
 Validating the existing under keel safety margin for deep draught vessels and helping evaluate the appropriateness of
the draught limit regime.
 Improved safety due to increased knowledge of conditions, in particular, better knowledge of shallow areas that
present dangers to shipping, which AMSA identified as a major risk.
 Improved efficiency thanks to a better knowledge of deep-water areas, which will allow greater flexibility
in transit planning and management, and lead to more efficient transits.
 Potential for greater transit windows and the associated economic benefits, including more efficient use
of shipping.
 Ability to modify a vessel’s transit while in progress due to unforeseen events (for example short period tidal variations,
reduction in available speed, presence of other vessels), which improves safety and efficiency.
Overall, AMSA’s risk initiative has great potential and has demonstrated effective use of risk management techniques,
processes and procedures.
Bureau of Meteorology
Highly commended
Overview
The Bureau of Meteorology’s weather forecasts and warnings services are some of the most widely used government
products.
The agency’s core tasks include meeting the national need for climatic records, water information, weather and
oceanographic services, a scientific understanding of Australian weather and climate, and providing a high quality
service to the Australian community.
Severe weather events, including tropical cyclones, severe thunderstorms and flash flooding, pose a significant risk to
the safety of the Australian community. One of the Bureau’s primary roles is to mitigate this risk by providing a
comprehensive forecast and warning service, which has now been extended to include graphical products.
The Bureau is able to provide an end-to-end information and warning system where state-of-the-art weather
observations, forecast and warning technologies are used, and information is tailored for the Australian community.
The rapid growth of the internet and the Bureau’s services has resulted in the agency’s website being one of the most
heavily accessed and used sites in Australia. The Bureau’s Warnings and Weather Forecasts Program offers a wide
range of analysis and prediction products. These include forecasts, warnings and information services for the general
public, national and international shipping and aviation, the Department of Defence and others.
Services are provided through Regional Forecasting Centres in capital cities and through the National Meteorological
and Oceanographic Operations Centre in Melbourne. All of these centres maintain a 24-hour weather watch every day of
the year, and issue forecasts and warnings together with tsunami watches and warnings.
The Risk Management Framework—creating the foundation to effectively manage risk
While looking for ways it could respond to the community need for improvements in weather services, the Bureau noted
its “traditional” or existing products were based on text for point locations. This required a significant amount of manual
input by a forecaster to prepare. In short, this process was labour intensive and limited the Bureau’s ability to respond to
rapidly evolving technologies being used by the community.
To manage the increasing demand for forecasts and weather warnings that were accurate and geospatially detailed, the
Bureau created the Next Generation Forecast and Warning System (NexGenFWS) project.
The Bureau identified the Graphical Forecast Editor (GFE) as a potential forecasting tool. It was originally developed in
the United States by the National Oceanic and Atmospheric Administration and used in all forecast offices of the US
National Weather Service. In 2008 the Bureau piloted the GFE in its forecast and warning service in Victoria. As a result
of the success of this implementation, federal government funding was obtained to nationally roll out this world’s best-practice system over a five-year period.
The NexGenFWS links activities across many of the Bureau’s programs. The Bureau acknowledges that managing risk
is essential for project work, and helping staff to understand, accept and manage risks as a part of everyday decision-making was a priority for the project.
Risk assessments were an essential part of the NexGenFWS implementation process. The project integrated and
embedded risk management into the governance, project management, planning, reporting, procurement and
performance management processes. A project risk management plan that focused on risk profiling and graphical
reporting was developed and aligned with the enterprise-wide risk management framework.
Adopting a project focused risk framework allowed:
 Bureau staff to understand, accept and manage risks as part of everyday decision making.
 Successful delivery of service improvements and service continuity outcomes that were within the constraints laid out
in the project management plan.
The Bureau developed process tools and reports that were used to identify, evaluate and communicate the range of risks
associated with the project and that had to be managed by project staff and the sponsor. Since the development of this
project the Bureau has introduced the focused risk methodology into its enterprise-wide risk management framework.
Risk initiative links to governance framework
This risk initiative clearly linked to the Bureau’s governance framework. The project demonstrated the Bureau’s key focus
was client service as well as legislative requirements. The Bureau has a large stakeholder base, which in some
instances wasn’t communicating effectively. The risk initiative was designed to meet all stakeholder requirements for
information.
The Bureau successfully embedded risk management into the governance, project management, planning, reporting,
procurement and performance management processes of the NexGenFWS project delivery.
Implementing strategies, plans and processes
The Bureau’s framework for the NexGenFWS was designed to address the following risks:
 Complexity of the changes with respect to technology, training and products.
 Impact on staff and users.
 Large geographic coverage of the system and the regional base requirements of forecasting.
 Extensive risk profile associated with changing thousands of the Bureau’s public weather and warning products.
Given deployment risks, constraints and the project’s resourcing demands, a Rolling Wave Project Planning strategy was
adopted. This allowed incremental improvements needed in software, infrastructure, training and science; collaboration
to develop a common feature environment for forecasters; and minimised a range of internal and external risk factors.
This project’s five-year rollout allowed the Bureau to effectively oversee the risk process regarding:
 Decisions about the range of rollout options, including timings for each region.
 When and what components to build first.
 Manage the project schedule.
 Manage dependencies, status tracking, estimate activities and resources needed to fulfil the project’s objectives.
Communicating change
The Bureau fully understood the many elements and risk profiles of such a complex project. It developed and
implemented a wide range of tools to communicate and support the delivery of the project rollout. These included:
 Management and executive briefings.
 Bureau meteorology training courses.
 Forecaster and science forums.
 Media briefings.
 Information stall at conferences as well as boating or agricultural events.
 Minutes/briefs (internal).
 Industry base information and notices (posted on the Bureau website and registered user pages).
 Staff newsletters (posted on intranet), mailing lists and internal wikis.
 Frequently Asked Questions (internal & external).
 Papers/presentations at industry forums.
 Print media.
 Television and radio broadcasts, face-to-face meetings and surveys.
The Bureau’s communication activities were comprehensive and targeted a wide range of users, stakeholders and
consumers. This minimised the risk of a poor reception of the project from forecasters, and increased the opportunities
for identifying and resolving any emerging issues.
Short-term benefits
The Bureau acknowledged that its risk initiative faced a number of inherent risks; however, by fully integrating structured
risk identification, assessment and a mitigation framework, the project has successfully met deliverables.
Some of the immediate benefits identified include:
 Modernised weather forecast production with more accurate forecasts and warnings to allow the Australian community
to mitigate weather-related risks.
 Can issue more visual and graphic forecasts.
 Improved accuracy, detail, consistency and presentation of forecast and warning information, including high impact
events, such as heavy rain or bushfires.
 Extended the forecast outlook period so more days are covered going forward.
 Geographic equity of services for city, rural and Indigenous communities, with more frequent and detailed services for
everyone, not just those living in major cities.
 Platform can be extended and supported to satisfy the increasing demand for services at a local level.
The Bureau’s risk initiative has delivered benefits to the agency as well as the Australian public, industry and other
government agencies (for example AMSA).
Long-term results
Long-term benefits for the Bureau thanks to its implementation of NexGenFWS include:
 The Bureau’s disaster mitigation services can provide spatially oriented services to major clients.
 Accurate weather information will be available to all Australians, including small isolated communities and Australian
Indigenous communities.
 The Bureau is better placed to meet its on-going commitments under the Meteorology Act 1955.
 The system supports international disaster mitigation activities.
 The platform can be extended to allow quick development and delivery of new products.
 Tailored GFE system being made available to other countries.
 Broader community has confidence in the quality of the Bureau’s warning products and services.
 The system supports the rapid adoption of developments in meteorological science and technology.
 Confidence within the Bureau that the system is providing effective forecasts and warnings, and is able to meet changing
community needs and delivery expectations.
Department of Agriculture, Fisheries and Forestry
Honourable Mention
Overview
Today’s biosecurity organisations face significant challenges globally. Chief among these are environmental change,
changes in human movement, trade and economic development, and the evolution and emergence of pests and
diseases.
To gather and analyse information on new hazards expected to affect aquatic animal health, the Department of
Agriculture, Fisheries and Forestry (DAFF) developed an online intelligence system dedicated to tracking and forecasting
outbreaks of aquatic animal diseases.
AquaticHealth.net is the first of its kind in the world and scans the internet on a regular basis for open-source content
(news and journal articles and ‘tweets’ from Twitter) related to aquatic animal health. The system allows anyone to
submit content, automatically detects location information that can be plotted on a Google Map, and tags the
information with useful key terms.
All users can browse content and generate reports and maps (by search terms, filtered date ranges, tags, locations) and
receive resource description framework site summary feeds as well as e-mail updates.
The Risk Management Framework—creating the foundation to effectively manage risk
AquaticHealth.net is one of DAFF’s strategic priorities to manage Australia’s biosecurity by effectively identifying and
targeting the management of risk to aquatic animals.
In creating AquaticHealth.net, the agency undertook a systematic, agency-wide approach to underpin the gathering,
analysis, reporting and application of biosecurity intelligence on emerging aquatic diseases. It also monitored changes in
a range of dynamic processes such as environmental, social and technological change, which affect pests and diseases
associated with aquatic animals.
Along with gathering information, the agency also developed systems to store and retrieve it. When analysed, the
information gathered led to useful intelligence that informed strategic planning, resource allocation and policy
development within the agency.
The three strategies identified in DAFF’s business plan to meet its objective were:
1. Develop intelligence, risk analysis and risk management capability.
2. Move toward an effective integration of pre-border, border and post border activities based on assessing and
managing risk.
3. Lead and support staff to make sure they have the skills, knowledge and tools to match business priorities.
An early warning system for emerging threats
This initiative fills an identified gap in the risk analysis research sponsored by DAFF. It provides an early warning system
for emerging threats and is integral to developing effective biosecurity strategies.
AquaticHealth.net allows authenticated users to tag, edit and classify all reports, as well as add and refine the search
terms the system uses to find content. The system also includes a wiki in which authenticated users can edit and update
entries on diseases and other topics related to aquatic animal health. Each wiki page includes a forecasting section,
where users can make and debate forecasts of disease outbreaks.
Utilising social networking
The result is an online intelligence system for aquatic animal health that is social at almost every level and provides
relevant information to decision-makers in a practical, efficient and timely manner.
This web-based approach utilises social networking to find gaps in biosecurity information and allows DAFF to achieve
its business objectives. DAFF manages the risks associated with this type of social network by only allowing
authenticated users to take part.
The work is funded through competitive research grants awarded and administered by the Australian Centre of
Excellence in Risk Analysis (ACERA). ACERA’s core function is to develop the practice of risk analysis by creating and
testing methods, protocols, analytical tools and procedures to benefit both government and the broader Australian
community. ACERA’s funding is managed by DAFF.
Implementing strategies, plans and processes
AquaticHealth.net was implemented and adopted through case studies, participation of DAFF staff, and through
dissemination of tools and techniques on both the DAFF intranet and internet (including linking with social media), and
through successful outcomes from the tools developed to date.
DAFF adopted a ‘crowd-sourcing method’, which is an open call to an undefined group, usually made up of people
appropriate for a specific task, to analyse or solve a problem via AquaticHealth.net. Users could be anonymous or
authenticated and all users can view the system’s reports, add reports, and add commentary. Authenticated users have
additional privileges, including the ability to edit report content and to classify and tag reports.
In designing AquaticHealth.net, DAFF combined the cheapness and efficiency of automation with the accuracy and
potential for value-adding by individuals. The system was made as open as possible, by providing the potential for users
to rank, comment on and add value to reports, modify search capacities, tag and classify content, add new information
the automated scan misses, as well as location information.
AquaticHealth.net is unique and is now highly regarded both nationally and internationally for the detection of developing
biosecurity risks on a global scale.
Tracking information
Between 50 and 100 articles are gathered daily by the current list of search terms and listed in the daily scan. Of these,
only about five to ten articles are published and tagged by users as useful, and of the published reports, the system will
tag about ten articles each week as ‘disease news’.
The global aquatic animal health intelligence community is growing stronger and adding value to this web-based
intelligence system every day. To promote it, DAFF has delivered presentations and media material at major global
aquatic animal health conferences. Google has also played its part thanks to the way its search engine prioritises listing
of relevant websites. This has resulted in the site appearing in the top five results when you search for information
relating to any aquatic animal disease.
User statistics show the site is gaining momentum daily. This means DAFF is continually upgrading capacity to handle
the volume of traffic.
As the site scans into the future, it should detect and save nearly every piece of information on aquatic animal disease
that hits the electronic environment. And as the user community grows, AquaticHealth.net will become an essential and
powerful information resource for all aquatic animal health specialists, industry participants and biosecurity experts
around the world.
The benefits of implementation
Although AquaticHealth.net is a new initiative it has been able to:
 Capture emerging disease information.
 Analyse disease trends.
 Map diseases.
 Organise data and perform basic forecasting.
 Contribute to strategic planning.
 Provide biosecurity alerts, build biosecurity risk profiles.
 Support decision-making relating to imports and exports.
Reports are generated by the system and cover a six-month period. They are entered into the ‘Emerging Diseases’ wiki
and the information produced is provided to Australian government committees responsible for aquatic animal health and
identifying emerging diseases; specifically for emerging issues outside Australia.
The report allows the committees to keep abreast of potential emerging disease threats, inform biosecurity planning and
recommend preventive action on significant issues if needed.
For example, an interrogation of AquaticHealth.net provided evidence of the unregulated movement of used aquaculture
equipment that would adversely affect the viability of Australia’s oyster farmers. Within weeks of the threat becoming
known, the Australian Government introduced preventive measures to ensure all used equipment exported to Australia
was decontaminated on arrival.
One of the critical functions of AquaticHealth.net is the ability to develop and continuously improve the search terms
responsible for gathering relevant information. To further support its search capabilities a translation function for non-English speaking countries is to be developed. However, this function depends on collaboration with language experts
and on non-English speaking users of the system increasing.
The collection of disease-related information is building a bank that will allow analysts to identify and interpret emerging
risks. As more information enters, is archived, searched and sorted, the power of the website as a critical intelligence
resource will become apparent.
The initiative has been successfully integrated into DAFF’s risk management processes and the agency has started
building similar websites for intelligence communities involved in plant health, avian influenza and biosecurity forecasting
for future health planning.
Australian Customs and Border Protection Service
Honourable Mention
Overview
The Australian Customs and Border Protection Service (Customs and Border Protection) manages a range of risks to the
Australian border, while also facilitating legitimate trade and travel.
Over the next eight years, international passenger movements are projected to increase to around 40 million, while
incoming container and air cargo consignments will double to almost 27 million annually.
Combined with these trends, Customs and Border Protection faces an equally challenging fiscal environment. Like most
public sector agencies around the world, the agency must re-prioritise existing resources, rather than receive additional
funding from government.
To meet priorities and achieve its outcomes, Customs and Border Protection adopted an intelligence-led
risk-based approach to intervention and assurance.
The Risk Management Framework—creating the foundation to effectively manage risk
Customs and Border Protection is meeting the challenge of managing its future operating environment and a tightening
resource base by developing a strategic plan that incorporates a rigorous risk management model. This approach is
embodied in the agency’s new Multi-Year Planning and Budgetary Framework and its Risk Management Framework,
which together are referred to as ‘the Frameworks’. Taken together, these documents represent the agency’s blueprint
for a risk-based approach to strategic planning.
The Frameworks moved Customs and Border Protection away from a traditional annual planning system to an
intelligence-led, risk-based, multi-year approach. They are being implemented progressively, with a view to firmly
embedding each component into every area of the organisation.
At the core of the Frameworks is the idea that Customs and Border Protection’s basic mission is to manage ‘Border
Risk’. This refers to the likelihood that people or goods will enter or leave the country without authorisation or without
meeting the necessary entry and exit conditions.
Border Risk encompasses many different commodities and outcomes, ranging from illicit drugs and firearms, to the
illegal movement of people and money.
A notion closely related to Border Risk introduced by the Frameworks is that of ‘Enabling Risk’. Enabling Risk covers the
aspects of the business that support and enable Customs and Border Protection’s core operational responses to Border
Risk. In their simplest form, the Frameworks aim to link resourcing to risk.
The risk-based system is allowing Customs and Border Protection to better understand what a change in the risk
environment will mean for its business strategy, and how a change in the strategy will affect the agency’s control of the
risk environment. In this regard Customs and Border Protection will only allocate resources within the agency if they can
be justified and linked to a change in the risk environment or its risk appetite.
A key challenge for Customs and Border Protection in developing its risk model was connecting conventional enterprise
risk management concerns, with the new risk-based approach to strategic planning, where decisions are made based on
whether its core operations are achieving strategic objectives.
The Frameworks guide risk management actions that support the agency’s strategic objectives by linking allocation of
resources with the potential for certain events to occur.
Customs and Border Protection is using risk management to support innovation and is looking at how it can use a new
risk-based approach to develop its strategic planning, as well as risk manage its conventional enterprise concerns.
Implementing strategies, plans and processes
Due to the scale and breadth of the Frameworks, Customs and Border Protection is undertaking a phased, iterative
approach to implementing the risk-based model, with a view to building a sustainable and mature capability over time.
To support the implementation, a large amount of planning and development has already been undertaken and includes:
 Governance reforms:
 Reviewing all aspects of the agency’s strategic planning processes.
 Creating ‘Risk Leads’ at the senior executive level, which are a single point of accountability for analytical
management of each risk.
 Creating a Risk Management Board.
 Developing a performance measurement system around the risk-based model that reduces uncertainty around the
risk environment.
 Emphasis on taking stock of Customs and Border Protection’s position re Border and Enabling Risks at
mid- and end-of-year reviews.
 Development of the following documents and processes:
 Strategic Threat Assessment document.
 An agency-wide Risk Plan that forms the cornerstone of the agency’s approach.
 Strategic Planning Guidance material.
 Annual Plan. This outlines the core risk-driven priorities and investment decisions for the coming year.
 Supporting Activities that include Risk Performance e-Reporting, regular reporting to the executive on performance,
conducting a full end-of-year assessment on how risks have been managed.
 Education campaigns that focus on validating risk assessments, testing new or different ways to deal with a Border
Risk, ways to better focus efforts, filling knowledge gaps and testing perceived risks or vulnerabilities.
 Practical exercises designed to test Customs and Border Protection’s capabilities and see if its assumptions on
resulting threats are right.
 Game changer workshops to develop innovative methods of intervention at the border.
This phased approach is fully supported by the Executive and has allowed the agency to develop a sophisticated
performance measurement system around the risk-based model, which will help it mature its approach to risk.
Short-term benefits
In the first cycle of implementing its risk-based model, Customs and Border Protection gained unprecedented visibility of
its risk environment.
For the first time, it was able to carry out assessments of each Border and Enabling Risk across the entire agency at the
same time. More importantly, it fed these assessments directly into its strategic planning and resource allocation
processes.
Before introducing the new model, capital investment proposals were not linked to assessments of risk. With the new
risk-based model, vulnerabilities that are critical, urgent or otherwise significant are prioritised for funding (through the
Strategic Planning Guidance).
Ultimately, these priorities are listed in the agency’s Annual Plan, which in turn connects directly to branch and divisional
plans where relevant line areas identify actions to address the gaps.
Customs and Border Protection has seen the following results:
 Scarce resources are being allocated to areas of highest risk first, based on explicit evaluations of both Border and
Enabling Risk.
 Single points of accountability spread across the organisation are responsible for assessing the alignment of its
capabilities with the risk environment.
 Customs and Border Protection can now respond quickly and confidently to new and emerging threats because the
risk assessment process is linked directly to the budget process.
 All levels of the organisation are taking greater ownership for responding to risk gaps as accountability is embedded in
its core planning documents.
 Customs and Border Protection is reducing uncertainty by increasing its knowledge of the operating environment,
measuring performance and validating the results.
Long-term results
This initiative is allowing Customs and Border Protection to more quickly and confidently re-prioritise funding to manage
emerging threats and risks. It is also making sure the agency can readily adapt to changing government priorities,
capabilities, planning and budgetary requirements.
When fully mature, the risk-based approach will allow Customs and Border Protection to continuously:
 Reassess the threats to the border and its business needs.
 Evaluate the adequacy and effectiveness of its control strategies and enabling functions.
 Develop initiatives to respond to identified gaps in controls and business functions.
 Link these initiatives to the budget so that resources are allocated annually to areas of highest priority.
The risk-based approach is also making it easier for Customs and Border Protection to contribute to the following
government policies:
 National security through strong border security.
 Increased trading to allow more jobs to be created and increasing Australia’s prosperity.
 Enhancing Australia’s economic prosperity through tourism.
 Fiscal responsibility.
When its risk-based approach is fully operational, Customs and Border Protection will be able to continuously reassess,
evaluate and improve the threats to the border, control border strategies, identify and treat gaps in its controls and
business functions, as well as link the strategies to the budget so resources are allocated annually to areas of highest
priority.