2.3 Risk analysis and planning for integrity

Risk is the effect of uncertainty – from internal and external sources – on an authority’s ability to reach its objectives.

Risk management is the coordinated set of activities to control risks, and create and protect value.

Risk analysis and planning are part of good risk management. Analysing risk involves considering uncertainties, sources of risk, likelihood and consequences of risk, and effectiveness of existing controls.

Integrity risks are those that could facilitate integrity breaches. Some risks are common, like conflicts of interest, while others are specific to an authority because of its functions and activities. Identified risks make up an authority’s risk profile.

A good understanding of integrity risks, and planning to address them, inform the development of an integrity framework. Whether integrity risks are considered separate from or part of a broader risk management program is a decision for the authority head. Responsibilities for managing identified risks (assigning risk owners) and implementing controls are also decisions for the senior leadership team.

Why are risk analysis and planning for integrity important?

The public expects authorities to be aware of and respond to risks to protect resources and the community. To be effective, managing integrity risks must be planned. Managing risk is iterative and important for authorities to achieve their objectives, set good strategy and make informed decisions.

For some authorities, risk management is required through legislation or instruments such as Treasurer’s Instruction 825: Risk management and security.

Ideas for good and better practice for risk analysis and planning for integrity

Good practice

  • Align risk management with the Australian Standard 31000-2018: Risk Management Guidelines and Australian Standard 8001-2021: Fraud and Corruption Control.
  • Understand the operating environment and processes, and other risks by:
    • mapping accountabilities
    • examining high-risk positions, functions and activities, for example financial management, information and communications technology, human resources management, asset and facilities management, information management and discretionary decision making
    • looking at assets that may be of value or interest to individuals or organisations motivated to exploit them such as equipment and commercially sensitive information
    • assessing vulnerabilities, weaknesses and gaps in current approaches and controls that could be exploited.
  • Do a new assessment in response to potential new risks and factors that change risks, for example structural changes, evolving business practices, where work is performed and new technologies.
  • Use data and information to help identify risks. This can include disciplinary cases, and the reports of the Public Sector Commission, Corruption and Crime Commission, and Office of the Auditor General.
  • Use internal and, where appropriate, external expertise to identify current and potential risks and possible controls.
  • Describe risks and controls, and identify risk owners in a risk register so they are managed, monitored and updated.
  • Provide a process for officers to report weaknesses in controls.
  • Think critically about managing identified integrity risks including:
    • risks to be managed first (those with the highest risk rating)
    • available and feasible options to treat the risks
    • required resources.
  • Review risks at least once a year to make sure risk management is responsive.

Better practice

  • Examine cultural factors that could undermine implementation.
  • Examine potential motivators and pressures that could lead to an individual engaging in integrity breaches and how these can be addressed.
  • Appoint champions to promote risk awareness and encourage a collective approach to risk management.
  • Have information about risks, including fraud and corruption, in integrity education programs.
  • Include risk management in job descriptions for managers in positions of trust.
  • Use surveys to gauge officers’ understanding of risk and how vulnerabilities, gaps and weaknesses can be reported.

Completing the integrity framework template

In this section of the framework, describe the approach to managing integrity risks, including whether it is separate from or part of the authority’s broader risk management process.

Include enough detail about risks, treatments and mitigation to give assurance that the approach is thorough.
