Have you been tasked with providing an analysis of how assurance activities within your organisation are mitigating against risk?
Ahead of ERM for Government 2014, Jacinthe Galpin, Director Risk and Audit at the Victorian Department of Justice gave us a sneak peak of developments across risk management….
Jacinthe is an innovative governance executive with over 15 years’ experience across public and private sector corporations, including the Australian Taxation Office, British Petroleum, Telstra Corporation and the Department of Justice.
Jacinthe believes that governance functions can – when well executed – not only provide robust assurance and comfort but can also deliver innovative best appropriate practice.
The Department of Justice Victoria has developed an assurance governance mapping tool. Can you give us some background on what this is and why it was developed?
An assurance governance map is an one-page analysis of how assurance activities in organisations are mitigating against risks. Assurance governance mapping allows an organisation to assess both the presence, and effectiveness of, governance, risk and control processes. It also highlights opportunities for realistic reduction of assurance activity (if existing activity is sufficient) or where assurance activity must be increased (if existing activity is insufficient).
While assurance governance mapping may not tell you anything new, it distils information from a variety of inputs into a single point, allowing organisations to see their risk and control environment on one page as an executive summary of an organisation’s risk environment.
The Department of Justice is a complex and diverse organisation. Assurance governance mapping will help us understand our risk environment – our exposures, threats and opportunities – and make informed and intelligent decisions about that environment. It will help our decision making and strengthen the intelligence and data we use to make those decisions.
With increased regulatory and compliance requirements, how important is it for public sector organisations to understand and manage their risks?
Public sector organisations must have frameworks in place to identify, analyse, evaluate and treat risk. The community expects nothing less.
A good risk management framework increases organisational awareness of exposures, threats and opportunities, and gives its owner the tools with which to manage those risks to acceptable levels.
Can you give us some insight into the findings of your mapping tool? And how has this made you reassess your approach to difference kinds of risk within the department?
The Department of Justice’s tool is still in development so I can’t speak about the findings yet. However, we expect to be surprised by the end result as assurance governance mapping is usually an exercise where everyone ends up learning a little more about their business. History shows that organisations tend to saturate known risks with control structures whilst the severe and protracted problems are a little tougher to deal with and, as a result, control activity tends to be more limited or targeted. My own personal experience has shown me that in many organisations where severe and protracted problems were critically exposed, it was only via the assurance governance map that the exposure was identified and subsequently treated.
For the Department of Justice, the implementation of assurance governance mapping will enable us to best direct our efforts in terms of control and treatment strategies. We will be able to better target areas of exposures and ensure that our lines of defence remain robust and strong.
Developing a proactive risk culture is a major challenge across the public sector. What strategies can risk leaders deploy to develop a proactive risk culture and build capability in the risk function?
Building and maintaining a culture in which the awareness and discussion of risk is paramount is critical to the successful development and implementation of a risk framework. A good culture is developed with and for its business, is agile and responsive and seeks to embed risk in the day to day operations of a business, rather than a cumbersome additional compliance exercise. A bad culture is one where the executive has decided what the culture is going to be and it is henceforth dictated to staff.
Good risk management leaders should conduct risk surveys, talk to their business and find out what people really want rather than what you think they need. Working closely with your business to institute change by degree may result in slower cultural transformation, but your results will be more sustained and embedded.
Join Jacinthe and key stakeholders from State, Local and Federal Government during ERM for Government 2014.