How the Dept of Justice developed an assurance governance mapping tool…

Have you been tasked with providing an analysis of how assurance activities within your organisation are mitigating against risk?

Ahead of ERM for Government 2014, Jacinthe Galpin, Director Risk and Audit at the Victorian Department of Justice, gave us a sneak peek of developments across risk management.

Jacinthe is an innovative governance executive with over 15 years’ experience across public and private sector corporations, including the Australian Taxation Office, British Petroleum, Telstra Corporation and the Department of Justice.

Jacinthe believes that governance functions can – when well executed – not only provide robust assurance and comfort but can also deliver innovative best appropriate practice.

The Department of Justice Victoria has developed an assurance governance mapping tool. Can you give us some background on what this is and why it was developed?

An assurance governance map is a one-page analysis of how assurance activities in organisations are mitigating against risks. Assurance governance mapping allows an organisation to assess both the presence and the effectiveness of governance, risk and control processes. It also highlights opportunities for realistic reduction of assurance activity (if existing activity is sufficient) or where assurance activity must be increased (if existing activity is insufficient).

While assurance governance mapping may not tell you anything new, it distils information from a variety of inputs into a single point, allowing organisations to see their risk and control environment on one page as an executive summary of an organisation’s risk environment.

The Department of Justice is a complex and diverse organisation. Assurance governance mapping will help us understand our risk environment – our exposures, threats and opportunities – and make informed and intelligent decisions about that environment. It will help our decision making and strengthen the intelligence and data we use to make those decisions.

With increased regulatory and compliance requirements, how important is it for public sector organisations to understand and manage their risks?

Public sector organisations must have frameworks in place to identify, analyse, evaluate and treat risk. The community expects nothing less.

A good risk management framework increases organisational awareness of exposures, threats and opportunities, and gives its owner the tools with which to manage those risks to acceptable levels.

Can you give us some insight into the findings of your mapping tool? And how has this made you reassess your approach to different kinds of risk within the department?

The Department of Justice’s tool is still in development so I can’t speak about the findings yet. However, we expect to be surprised by the end result as assurance governance mapping is usually an exercise where everyone ends up learning a little more about their business. History shows that organisations tend to saturate known risks with control structures whilst the severe and protracted problems are a little tougher to deal with and, as a result, control activity tends to be more limited or targeted. My own personal experience has shown me that in many organisations where severe and protracted problems were critically exposed, it was only via the assurance governance map that the exposure was identified and subsequently treated.

For the Department of Justice, the implementation of assurance governance mapping will enable us to best direct our efforts in terms of control and treatment strategies. We will be able to better target areas of exposures and ensure that our lines of defence remain robust and strong.

Developing a proactive risk culture is a major challenge across the public sector. What strategies can risk leaders deploy to develop a proactive risk culture and build capability in the risk function?

Building and maintaining a culture in which the awareness and discussion of risk is paramount is critical to the successful development and implementation of a risk framework. A good culture is developed with and for its business, is agile and responsive and seeks to embed risk in the day to day operations of a business, rather than a cumbersome additional compliance exercise. A bad culture is one where the executive has decided what the culture is going to be and it is henceforth dictated to staff.

Good risk management leaders should conduct risk surveys, talk to their business and find out what people really want rather than what you think they need. Working closely with your business to institute change by degree may result in slower cultural transformation, but your results will be more sustained and embedded.

Join Jacinthe and key stakeholders from State, Local and Federal Government during ERM for Government 2014.

Government Organisations tasked with risky business…

Times are changing for government organisations, and for many it’s going to come as quite a shock. When it comes to risk, we haven’t seen anything that’s actually required government agencies to set up a framework that really aligns to processes. The framework aims to fully manage risk and proactively put tools in place to mitigate any potential outcomes.

By the 1st of July, under new guidelines, it’s time for organisations to progress beyond compliance.

Rod Farrar, Director of Paladin Risk Management Services, has been working with organisations for years, helping them to develop and implement risk management frameworks for their business. He explained how in many organisations, if risk management is done at all, it is in a token manner and is mainly seen as a compliance exercise – it does not add value to the organisation in any way. Even with the introduction of the PGPA, there is a danger that Government Agencies will do just enough to be compliant, but it’s time to start looking at the wider strategic and operational picture. If embraced fully, in the long term, there’s huge potential to achieve the national objective of doing ‘more with less’.

It’s time for change

What needs to happen between now and July 1st? According to Rod, organisations need to embrace the true benefits of ERM to achieve their full potential: “Many Government organisations are in a situation where they spend more time crisis managing than they do on risk management. If they start to see risk management as more than a compliance activity, one which is fully integrated into their other organisational programs, then huge efficiencies are to be gained.

“There are some key areas that need to change, and it has to start with a culture shift driven from within. To manage risk effectively, we need to be working in a no blame culture, where we learn from our mistakes.”

“When you have a culture that embraces open discussion around mistakes, people are more encouraged to prevent it happening again and therefore adapt new processes. There’s absolutely no capability of a risk framework succeeding if there is a blame culture.”

For many organisations, this would require a big shift in culture, with support needed from top to bottom.

“Everyone is accountable for driving a positive culture, management need to lead through open communication, but all tiers need to embrace change in order to switch from re-active to pro-active. There needs to be a transition from ‘doing risk management’ to ‘managing risk.’

“I look around the public service now and government agencies have to come up with efficiency dividends. This is usually done by reducing staff numbers. If we managed risk properly, however, efficiency dividends may not be needed.”

Where the benefits can be seen

It seems clear there are some real benefits to be had for the entire business when risk management is seen as more than just a compliance exercise. Rod described the knock-on effect that has seen many organisations dramatically improve operations:

“Organisations are currently spending too much time managing a crisis. It’s been shown that managing crises costs more than proactively managing risk.

“What risk management will do – if it’s integrated properly with strategic and business planning, compliance, performance management and internal audit – is reduce the amount of work an organisation is required to do and will significantly reduce expenditure.

“Risk management has also been shown to improve objectives, planning and relationships with stakeholders.

“Simply relying on risk champions within your organisation to be the focus of the risk management effort will not work – the organisation as a whole needs to embrace the program within a well-structured risk management framework.”

Join the Masterclass

During Enterprise Risk Management 2014, we’ll be holding a brand new one day masterclass: Governance, Risk and Compliance.