We recognise the continuous and deep connection to Country, of Aboriginal and Torres Strait Islander peoples as the first peoples of this nation. In this way we respectfully acknowledge the Traditional Custodians of this land, sea, the waters and sky. We pay tribute to the Elders past and present as we also respect the collective ancestry that has brought us all here today.
AUTHOR: MARK HARRISON
In a recent Insights publication, the Australian Government Auditor-General has recently reported that since 1 July 2021, only 31% of audit findings relating to risk management were positive.
This forced us at Sententia Consulting to think about whether risk management in the Australian Government really is that bad.
We have concluded that the answer is yes… and no.
The fact is that the Australian Government (and government generally) is responsible for some of the most complex and risky ventures and activities in the country. Defence of the nation, operating healthcare systems that must cater for every citizen, delivering environmental outcomes in the face of massive environmental headwinds, all are ventures that can just as easily be unsuccessful as be successful … as well as being just plain difficult. Yet there are plenty of (often unheralded) successes by Government in all of its responsibilities.
It’s easy to look at some of the more challenging episodes in the Australian Public Service and attribute those to poor risk management – Robodebt, the “pink batts” scheme, any number of Defence materiel design and construction projects, and the 2013 lost ballot papers in the Federal Election, amongst others. Further, most agencies and public servants have experienced their own challenged procurements, failed programs, poor grant decisions, and policy implementations which in hindsight could have gone better.
While there is almost inevitably some truth to the comment that all of these are a result of poor risk management, that is simplistic and only part of the circumstances. (Note here, we are not seeking to misinterpret the Auditor-General’s comments, which were not that simplistic.)
Risk management represents just one part of good governance, or good project management, or good procurement management, or good program management, or good contract management, or frankly any model or framework for effective execution of aspects of public administration. Each of these have frameworks with multiple components that all need to work together to create good outcomes. Typically, those frameworks involve having good people doing the right jobs, good planning, effective process design, strong stakeholder engagement, tight legislative compliance, and clear accountability mechanisms.
While risk management definitely is important in contributing to all of these components of effective management, it is not the only discipline that needs to be in place and operating to support good outcomes. Put another way, good risk management does not guarantee a good outcome, but poor risk management does expose agencies to poor outcomes, and reduces defensibility when those poor outcomes occur.
In my 20-something years of working with the Australian Government, I have seen plenty of examples of really good risk management, and I have seen just as many examples of poor (or non-existent) risk management.
That 20 years of experience has taught us that the key ingredients to good risk management are:
- Deep experience and relevant expertise in what you are doing. Too often the Australian Government embarks on projects or processes without the right skills and experience to truly understand how to execute it effectively. Further, without that experience and expertise, it is impossible to really know what the risks are that need to be managed and how best to manage them.
- Strong situational awareness and good information. Risks emerge through projects and processes from a range of sources and vectors. If managers do not have effective monitoring of their operating environment and good data on the metrics that matter, they will likely not see risks emerging or unfavourable operating circumstances approaching. These are sure conditions for unmanaged risks to have a negative impact on your project or function.
- Discipline in following through on risk mitigations and controls. In our view, this is the key to effective risk management, and the most common gap. Risks typically require active management – the taking of steps or the creating of conditions that reduce risk. While managers may think about this while planning, it is not uncommon for the execution of those controls or mitigations to waver over time or as pressure increases. Risks that are not effectively controlled almost inevitably result in poor outcomes.
- Honesty in assessing risk and interpreting what it means. We have seen countless examples of agencies assessing risk at a level that is “perceived” as acceptable, or that reduces the effort required to develop risk management plans. While this may reduce effort at the early stages of a project or process, it increases the likelihood that risks become issues – and that’s where the effort really begins.
- A team that is on the same page about how risk should be considered and managed, including what risks should be taken and what risks should not. In the public service, we operate in teams and the secret to effective teamwork is having a team aligned behind a purpose who are well-informed, well-coordinated, well-directed and well-aligned. This should equally apply to the approach and attitude to risk, as any other aspect of teamwork.
Note here that I have not mentioned risk registers once. I have not referenced the Commonwealth Risk Management Framework once.
Each of these are important tools – tools that support good process and each of the ingredients I have referred to above. For all projects I lead or contribute to, I ensure I do follow the Framework, and I do maintain a focussed risk register.
But, where agencies miss the point with risk management is that they focus all of their energy in connection with risk management on the register and having a register that is “complete”, and a process for risk management that follows all of the steps in the manual or the policy or the Framework. And insufficient energy on some of the ingredients outlined above – and therefore on actually preventing or responding to risk.
To close this article I am reminded of two quotes that are influential in my approach to risk management:
- The first is a quote from an enormously successful leader of a “top 10” Australian company, who said to me “we have been successful in our field, not because of risk registers and risk management reports, but because we have good people who know what we are trying to achieve and make good decisions to support that achievement”. What resonates for me from this quote is the importance of having the people with the right skills, experience, authority and information to support the management of risks and opportunities in any project, organisation, function or business.
- The second is a slightly modified famous quote as follows: “culture eats strategy [and process] for breakfast”. This classic quote from Peter Drucker (and I apologise for my adlibbed addition) reflects something that I believe is the difference in good risk management – everyone on the team understands the desired outcomes and what can impede them, is empowered to work together to achieve them, and they naturally respond to risk accordingly. This does not suggest that either risk strategy or risk management processes are unimportant to good risk management. But rather, that a powerful, informed and empowering culture around risk is more influential to effective risk management.
AUTHOR: JO CARROLL & NATHAN EDDY
Implementing wholesale process redesign in a compressed timeframe is a daunting task. Add political interest and an Auditor-General’s report to respond to and the pressure is really on. This is what we faced when presented with the redesign significant business process for a NSW Government Agency.
The NSW Auditor-General handed down a report in May that identified significant deficiencies in the management of a process that required remediation and made a number of recommendations to address the process deficiencies, address identified risk and provide greater control of the agency’s powers. The Secretary of the Agency committed to implement a new, organisation-wide, process by December – less than eight months from the release of the report.
We commenced this project on 1 July, giving us and our client only six months to deliver a wholesale redesign of a complex and critical business process. We were engaged to work side by side with the department to implement this significant project, working closely with teams across NSW.
We faced resistance and challenges to implementing such a complex program of work from the start. Some key challenges included:
- Wide and varied stakeholders, often with differing views, experience, and level of buy-in.
- Considerable change fatigue from 18 months of machinery of government (MOG) changes that implemented new ways of working and amalgamated legacy departments.
- Business as usual did not stop or slow while this project was being completed.
Our strategic approach was successful and ultimately allowed us to turn around a program of work that would normally take more than 12 months in a 6-month timeframe.
Our facilitative approach worked well to engage large groups of stakeholders through workshops to understand their current processes and challenges, map and step through critical process steps, and identify opportunities to improve and better practices within the agency. It allowed us to leverage their experience and expertise to design a future process that met their needs, supporting compliance with the legislated requirements and addressing the required outcomes for the project. This approach was used throughout the project starting with defining the high-level process design, down to developing individual operational steps within the process to ensure that those impacted by the change could be informed and contribute to the project, improving project outcomes and stakeholder buy-in.
Defining the End-State Early
There were many documents to be produced as part of the project and it was not feasible for Senior Management to be across them all in detail. To address this, workshops were held with Senior Management to establish design principles and articulate the desired future state before starting to redesign the process. Twenty design principles and 14 future-state statements were endorsed by Senior Management and the Steering Committee and communicated widely to stakeholders. They were used to frame discussions and were introduced at the start of each design workshop to guide the participants towards the desired end state endorsed by Senior Management. These statements were also used at the end of the project to measure success of the program of work.
Leveraging Project Governance to Maintain Momentum
As the pace of delivery of key documents picked up, we increased the frequency of working group meetings to engage directly with the management team, resolve issues efficiently, and make time critical decisions. We also utilised these meetings as needed for workshops or detailed walk throughs of the process documentation. For example, we used one meeting to step through in detail two different proposed process flows to resolve conflicting views between stakeholder groups and come to a resolution.
Like all high intensity and complex projects, the lessons learned provide valuable insights to inform our future strategies and planning. We paused at critical milestones throughout the project to reflect on what has worked well to date and what could be improved or done differently moving forward. Below we share some of our key lessons from this project.
Dividing the Workload Doesn’t Always Produce Efficiencies
In an effort to reduce the workload on individual stakeholders, we divided up the documents for review. In hindsight, a lot of time was spent providing context and explaining concepts contained in other documents. Making the draft documents centrally accessible to all stakeholders providing input to the project would have allowed them to delve deeper into the subject areas they were interested in and reduce the amount of time required during briefing sessions at the end of the project conducted as part of the change program.
Engaging stakeholders directly also resulted in siloed discussions and conflicting points of view that required further work to resolve. While it may be challenging to schedule discussions across stakeholder groups, the benefits are worth the effort. Having all stakeholders present for the same discussions leads to shared understanding and the ability to discuss differing points of view to resolution, rather than when consultation occurs in insolation.
Integration of Project and Change Management to Embed Change
Change Management is critical to the success of projects of this nature, particularly when redesigning complex processes with considerable history within experienced teams. Due to resource availability, the client’s Change Management resources were not brought into the project until we were well into development of the new process. Embedding a Change Management team from the commencement of the project and engaging them throughout the re-engineering process would have given them greater visibility of the technical and solution requirements and provided firsthand understanding of the impact of the change and the level of acceptance (and resistance) of the new process. It would have also greatly assisted in the development of key change artefacts and reduced the need to spend time with already stretched stakeholders at the pointy end of delivery to develop and deliver the Change Management program.
Wholesale process redesign will always be complex and challenging, with each project needing a tailored response to ensure success. However, with these lessons in mind, you may be able to quickly deliver your priorities and successfully embed lasting change.
Sententia Consulting are proud to announce a new partnership with IPAA ACT. IPAA is the peak professional body focused on the promotion of excellence and professionalism in public administration, and as a values driven consulting firm specialising in supporting and uplifting the public sector, we see this partnership as a natural fit.
We share a commitment to strong public administration and a belief in the importance and power of the public sector to drive positive change. We are excited by the opportunity to demonstrate our support and commitment to public sector excellence, and to work together to progress the objectives of IPAA ACT’s strategic plan.
AUTHOR: KIRSTY MARTIN
The Commonwealth Procurement Rules (CPRs) set expectations and requirements for public sector procurement and are designed primarily to ensure value for money. They are made up of requirements that ‘must’ be followed, as well as requirements that ‘should’ be followed. The CPRs are designed with a level of flexibility (such as the ‘should’ elements and exemptions) to ensure they are not prohibitively prescriptive and can be tailored to individual agency circumstances and needs. However, many public servants appear to be taking advantage of this flexibility and conducting procurements in a manner that is technically compliant with the ‘musts’, but not in line with the broader intent of the CPRs.
Why does this matter?
Increasingly, community expectations are higher than the bar set by the mandatory requirements of the CPRs as public trust in government is challenged (along with the associated benefit of the doubt). And can we blame them? The list of criticisms relating to the proper use of public funds continues to grow with the PWC tax advice scandal, dubious lobbying from Synergy 360, “questionable land deals”, “carpark rorts”, “sports rorts”, as well as pork barrelling, over reliance on consultants and contractors, and some fairly scathing Australian National Audit Office (ANAO) and Joint Committee of Public Accounts and Audit (JCPAA) reports. And no, the public doesn’t care about the difference between public service decisions and ministerial decisions, state or commonwealth decisions, or the difference between procurements and grants etc. They just care about the efficient, effective, economical and ethical use of public money, and what they’re hearing is that this is not being taken seriously in the public sector. If public servants continue to aim for bare minimum compliance and give themselves benefit of the doubt that is not reciprocated in the broader community, further scandals and reputational damage will continue to occur.
Understanding the problem
If all elements of the CPRs (including the ‘shoulds’) were followed in all government procurements, we would be living in an accountability and transparency utopia – but this utopia would not be characterised by efficiency and optimised value for money. For lower risk procurements or in certain exceptional circumstances, value for money could be diminished by blanket (albeit well-intentioned) red tape, hence the flexibility and exemptions built in to the CPRs. Alternatively, if all mandatory elements of the CPRs as well as all reasonable ‘shoulds’ given the specific circumstances were followed, we would probably be closer to a procurement utopia that is both accountable and transparent as well as efficient and economical. However, this is not how the CPRs are always applied in practice.
In practice, the primary concern in many cases is achieving the ‘musts’. The ‘shoulds’ barely get a second glance. This is probably most stark when it comes to sole-supplier approaches, particularly when using panels (where a number of suppliers have a standing offer with the government for the delivery of specific categories of services for which they have been ‘pre-vetted’ and contracted). Under the CPRs, procurements from an existing standing offer (panel) are not subject to Division 2, meaning they aren’t required to approach multiple suppliers (among other things). However, a not insignificant number of procuring officials seem to have stopped reading at that point and missed the part (just 3 lines below) where the CPRs explicitly state that where possible, multiple potential suppliers should still be approached when using a panel arrangement to maximise competition. This is because panels are designed to improve efficiency when there are an overwhelming number of choices, and it is difficult to start from scratch – NOT to remove the need for competitive tenders. A comparison of rates on a panel doesn’t actually tell you much from a value-for-money perspective when you don’t know how different organisations would scope or conduct the work. A supplier with higher rates may be able to complete the task much more efficiently but you won’t know that if you don’t get competing quotes for the specific piece of work you are seeking.
Additionally, due to a quirk in the CPRs, these sole-supplier approaches are classified as ‘open tenders’ when reporting on AusTender if the panel used was originally set up using an open tender. This is objectively ridiculous and needs to be changed (as per the recommendations of the recent JCPAA “Commitment Issues” Commonwealth procurement inquiry report), but in the meantime public servants shouldn’t reduce transparency by using this quirk to their advantage when it is not in line with the intent of the CPRs.
Similarly, procurements under the threshold (generally <$80,000) are not required to seek multiple quotes. But again, the intent here isn’t that all procurements under $80k are just sole-sourced. Competition should still be a core driver of value-for-money where relevant. Unless there is a good reason for sole-sourcing (remembering ‘convenience’ alone is not a good reason), it is always best practice to seek multiple quotes to confirm value-for-money. As individuals in our private lives, we aren’t required to seek multiple quotes for anything, yet of course we usually still do because we are spending our own money and we want to ensure we are getting a good deal. This is the mindset that the public service should have around the spending of public funds, but it isn’t filtering down to all procurement decisions.
It appears in many cases that every procurement decision is treated as a completely separate decision, without consideration of how decisions are made across all procurements. By that I mean some people seem inclined to make exceptions for themselves because it’s just one procurement. In the scheme of things it’s not that high value and it will be easier this way, so it doesn’t really matter – except that when every decision is made with this mindset it does add up to a very high value and it does really matter. The CPRs build in exemptions and have ‘shoulds’ instead of ‘musts’ to ensure flexibility in exceptional circumstances, but when every circumstance is treated as exceptional it gets a bit ridiculous and integrity is lost.
This blog should not be interpreted as public service bashing, in fact it is quite the opposite. The Australian Public Service is an impressive institution with thousands of intelligent and passionate people working together to deliver incredibly important work for our country and communities. However, there is always room for improvement and procurement in particular does not seem to be getting the attention to detail it deserves at the moment. In many agencies procurement is decentralized to staff without specific procurement training, knowledge, or experience, who are also often under-resourced and under extreme pressure to deliver their priorities. It’s not hard to see how this approach may not be conducive to those public servants being able to take an ambitious approach to best practice procurement and really embrace and embody their roles as stewards of public funds every time they need to acquire goods and services.
For administrative changes that would support improvement in this space, implementation of the recommendations of the JCPAA’s “Commitment Issues” report would go a long way. Further improvements would also come from development of more detailed guidance for procuring officers including agency-specific procedures, tools, and templates to support the interpretation and application of the CPRs, as well as greater consideration of procurement needs early in program/activity planning to reduce the time pressures that so often become the enemy of proper process.
But as always, culture is king, and these changes alone will not be enough. Flexibility must remain in the CPRs, and where there is flexibility there is subjectivity. Where decisions are subjective, a culture that values, supports, and prioritises better practice will be required to enable improvement in procurement decision making in line with APS values and broader community expectations.
AUTHOR: BRIONI BALE & KELLI PIERCE
In this 5-part short video series our subject matter expert Brioni Bale draws on her vast experience to share useful insights and tips for better responding to disruption events.
Click the link below to watch.
Disruption Response Series YouTube
AUTHOR: JO CARROLL
Taking Control of Risk Management in 2023.
Focus on risk management has increased significantly over recent years as organisations have been forced to face back-to-back or even parallel crises. However, even with this increasing focus, many organisations are still finding themselves in predicaments that could have been avoided through effective risk management.
In this blog we will work through some recent high profile risk events, looking at them through three key risk themes and drawing out the practical lessons we can learn.
Accountability and Ownership
The collapse of Silicon Valley Bank (SVB) in March 2023 presents an excellent case study in the importance of not just assigning accountability and ownership but operationalising these concepts to hold leaders to account. This was the third largest banking failure in US history and the largest since the GFC in 2009. After months of regulators raising concerns, SVB failed after a bank run was caused when customers were spooked by their announcement on 8 March that it would hold an emergency sale of some treasury stock to raise $2.25b.
SVB was the 16th largest bank in the US, focussed on serving companies in the technology and start up industry. Prior to its collapse the Federal Reserve had identified that SVB was using modelling of interest rate risk that was ‘not at all aligned with reality’. Their risk modelling didn’t anticipate the combination of interest rate rises and liquidity risk shocks. This was flagged with bank management but not addressed.
In the year leading up to its collapse the bank had gone 8 months without a head of risk (Chief Risk Officer or CRO) and there was a lack of risk expertise at board level, with only one of the seven board members on the risk committee having a risk management background. Regulators were raising concerns for months, but the bank did not act.
While our regulatory environment in Australia is different to the US, the broader ramifications in the Banking Sector are still to be seen. Could we be headed for a similar fate?
What does this mean for Risk Management?
- A Chief Risk Officer with influence can hold other executives to account. However, too often the role is undervalued and classified at too low a level to exert the necessary level of influence.
- Boards need members with deep and proven Risk Management experience.
- Risk Management should be built into Job Descriptions and performance measurement and reward systems.
- Create and use risk tolerance, models and settings that inform data driven decision making.
- Assign responsibility to address concerns to regulators (this should go without saying).
Legal but not ethical
Rio Tinto’s May 2020 desecration of Juukan Gorge to make way for an expansion of its iron ore mine in the Western Pilbara highlights the importance of looking beyond legality to ensure decision making is ethical.
This site contained ancient rock shelters showing human occupancy dating back 46,000 years, making it the only inland site in Australia showing human occupation through the last Ice Age. Rio Tinto knew the archaeological value of the site before its destruction but was set to make $135m for the site and so the decision was made to go ahead. At the time this was legal but not ethical (aboriginal heritage laws have since been introduced in Western Australia) and caused great distress to the traditional owners, the Puutu Kunti Kurrama and Pinikura people.
Following considerable public backlash, 3 top executives and 2 board members chose to stand aside, including CEO and Chairman. Rio Tinto has now imposed a moratorium on all work within 10sq kms of Juukan Gorge and is making reparations to the traditional owners including full reconstruction of the caves. Damages are expected to be much more than the $135m they expected to make from the mine.
What does this mean for risk management?
- Ethical and cultural decisions ͏need independent advice. Risk management practices need to keep pace as failure to meet community and social expectations presents an increasingly high reputational and financial risk.
- ͏Diversity in decision making needs to be actively sought to ensure broad and varied perspectives are considered at the decision-making table.
- Strong Environmental, Social and Governance practices need to be implemented to align organisations with social expectations to create and sustain long-term value.
This case study is particularly relevant for public servants. On 17 June 2022, Former Deputy Premier of NSW Mr John Barilaro was announced as the Senior Trade and Investment Commissioner to the Americas. A Parliamentary Inquiry Interim Report found that this decision had “all the trademarks of ‘jobs for the boys’”, finding a preferred candidate had been selected and offered the position only to have that process set aside for a change of government policy. Quoting the Inquiry:
‘The process of appointment was flawed and not at arm’s length, there was a lack of transparency and integrity in the public sector recruitment process’… ‘there was a pattern of Ministerial interference and lack of transparency conducted by the Government’
This was not only embarrassing to the Government but the Minister and CEO both lost their jobs as a result.
What does this mean for risk management:
- Good probity processes need to be defined and tailored to the decision being made and linked to the risk of the decision.
- We need to say ‘No’ when the risk is too great. There must be the ability to give frank and fearless advice.
- Set the tone from the top and lead by example.
- ͏Decision-making processes should be transparent. Individual decision makers should always ask themselves whether they would be comfortable defending their decision publicly (for example in a Parliamentary Inquiry!).
Each of these cases provide important lessons for all organisations. To avoid becoming another cautionary tale, take these lessons on board and prioritise risk management!
The March 2023 Senate Inquiry into management and assurance of integrity by consulting services offered the perfect pedestal to reignite a long-wielded stigma that consultants are self-interested, greedy, and unethical. So, in a climate where our profession is viewed unfavourably by many in the community, we would like to share our perspectives on what ‘integrity’ means to a consultant.
While the feeling may not always be mutual, consultants who work with the Australian Government, consider themselves a proud extension of the public service.
Consultancies inherently do not have perfectly aligned interests to the Commonwealth. Consultancy firms are running a business, creating a market profile and managing a reputation, to ensure their staff are remunerated and provided opportunities to develop their skills and experiences. These are different to the Commonwealth, an entity whose purpose is to deliver critical programs and services to support, serve and protect Australia, its citizens and its interests.
Despite these different perspectives, the alignment of interests are typically clear. Consultants want to do good work that meets the client’s needs in order to ensure payment for services, as well as creating a positive market profile and contributing value. Further, consultants are motivated by doing good work for their clients. In some cases (such as for Sententia Consulting), the support for the Government and our community is a driving part of a firm’s vision.
These are areas of alignment between Commonwealth agencies and its consultants, that can help to ensure that the intersections of interest exceed the deviations of interest.
It should be noted that the mere existence of deviations of interest does not mean that consultants do not have the best interests of the public sector and community in mind when delivering on behalf of the Australian Government.
Looking at integrity mechanisms, consultants play by traditional rules. The most significant measure that supports prevention of unethical conduct or breach of contracts, are the professional obligations imposed on consultants by their professions. Leading consultants are members of professional bodies, which supports excellence and professionalism in their chosen area of expertise. Whether that be accountants, lawyers, engineers, information technology, project and procurement professionals, assurance providers, medical consultants, trainers and teachers or other areas of recognised expertise, there is a professional body which requires consultants to act with integrity and consistent with applicable laws. For consultants, that professional membership represents a form of “license to operate” and a way to maintain their market leadership.
The necessity for consultants to consistently display integrity through delivery cannot be overstated, to manage and promote a trustworthy market profile and reputation for their firm that supports ongoing viability of their businesses. Agencies do not select consultancies that have a reputation lacking credibility, ethics, or compliance. In this regard, it is noteworthy that there are hundreds of consultancies underway across the Australian Government at any one time, and the vast majority of them take place ethically with value-driven outcomes. These tend not to be the engagements you hear about.
The use of consultants is an important part of managing risks to public sector integrity. While the Australian Public Service at large is filled with highly talented, capable, and dedicated staff, they do not (and cannot) have all of the skills, depth of expertise and breadth of perspective that is necessary to always do everything in the scope of an agency to the highest possible standard.
Consultants bring specific deep expertise and experience as well as a breadth of perspective that comes from working across organisations and sectors, that helps to ensure that public sector outcomes are delivered with quality, efficiency and integrity.
So, what is the answer to the original question? Consultants are typically highly aware of and attuned to the potential for conflicts of interest or integrity breaches. While there have been some notable exceptions, most consultancies engaged by the Australian Government deliver effectively, with integrity and consistent with the contractual and professional obligations. Integrity in the consulting industry is still a thriving principle, and, speaking for Sententia Consulting, remains at the forefront of all engagements.
Regardless of which side of the fence you sit on in your support for the use of consultants, it’s undeniable that consultants serve an important role in supporting the Australian Government in delivering outcomes for our country.
AUTHORS: MARK HARRISON, LILI MILLAWITHANACHCHI, HIRUNDA KANAHARAARACHCHI, & KIRSTY MARTIN
In many organisations Internal Audit functions are not respected, and the value of Internal Auditors is not understood or appreciated. Internal Audit can be an incredible asset to any organisation and an effective strategy acts as powerful tool to identify and demonstrate the value we bring. A strategy helps to:
- Foster continuous improvement of the function
- Support strategic alignment between the audit function and the broader organisation
- Enable adaptation to changing risk profiles
- Improve Internal Audit’s reputation and relationships to gain influence across organisations
To support a future-ready Internal Audit function, an effective strategy should cover the following key elements:
Integrate with risk
Supporting effective risk management is a fundamental component of the role of Internal Audit. As such, risk management needs to sit as the core to an Internal Audit Strategy. To be effective in drawing on intel on risk, Internal Audit needs to partner with the Risk Management function to form a mutually beneficial relationship. Both Internal Audit and Risk Management perform unique roles that allow for a broad view across the organisation.
While it can sometimes feel like Internal Audit and Risk functions are competing to be the trusted advisor in an organisation, sharing insights between these functions can add value in tailoring and targeting the activities they each perform.
Namely for Internal Audit, it provides rich intel on where to focus the Internal Audit Strategy. Tactically, sharing of information between the roles can support Internal Audit to identify where it needs to pivot activities to better target changing risk profiles.
Traditional Internal Audit structures and processes slow its ability to adapt to emerging risks.
Becoming more agile means that Internal Auditors have their eyes open to changing risk profiles and pivot quickly to deliver more valuable and timely insights.
This can mean stepping away from a stable annual Internal Audit Program with fixed scopes determined at the start of the year. An agile delivery approach takes the pressure off Internal Audit functions to ‘crystal ball gaze’ to design relevant audit programs 12-18 months in advance. But this also means that linear performance measures of Internal Audit functions like timely delivery against a pre-determined audit program lose relevance. Success of the Internal Audit function needs to be measured with a focus on business outcomes and the alignment of the Internal Audit activity that contributed to it.
Moving to a more agile approach requires change management in setting the expectations of the Audit Committee, organisational leadership, and other stakeholders. Without understanding the true value of agile auditing, these stakeholders will default to traditional approaches. An Internal Audit Strategy that prioritises agile approaches can serve as a mechanism to aide change management by drawing attention to it and supporting conversations on what this will mean for each stakeholder group.
Capitalise on data
Data captured within organisations provides a rich source of information for Internal Auditors. This remains an area of untapped potential for many Internal Audit functions. Data literacy is a core capability of all Internal Auditors – specialist knowledge and expertise can help Internal Auditors to gain a seat at the table for discussions on new system functionality to influence decision making to ensure structured, reliable data is collected. Regardless of the maturity of the organisation and its Internal Audit function, there is value for an Internal Audit Strategy to prioritise the use of data and development of data capability within the function.
Data-heavy internal audits can also allow for innovative presentation – moving away from traditional reporting to dashboards of “real-time” data, allowing readers to interact with data visualisations to drill down into areas of interest.
This allows for more engaging and dynamic reporting, which increases the likelihood of it being read, understood, and actioned. In an increasingly fast-paced and resource constrained environment, an Internal Audit Strategy that fails to prioritise succinct, targeted reporting limits the value it can deliver.
Internal Audit functions need to expand on their skillsets to remain relevant and deliver innovative audits that add value. The Internal Audit profession needs creative auditors who are IT-savvy, flexible and agile, influential and with strong business acumen and communication and networking skills. This can mean taking risks on candidates who have these skills but lack technical audit skills and experience.
Target skills need to be prioritised and built into professional development plans and rewards and recognition mechanisms and supported by investment in training and recruitment.
This starts with demonstrating the value of Internal Audit within organisations to make a case for the investment. Building your future-proof Internal Audit team will not happen overnight but including capability uplift in your Internal Audit Strategy draws attention to the need and supports prioritisation of investment.
As with any change, we need to bring our stakeholders along on the journey. An effective Internal Audit Strategy provides a shared vision of the future and supports ongoing communication to enable progress towards a bolder and more valuable Internal Audit Function.
Author: Lili Millawithanachchi
As we get closer to 30 June, many Internal Audit functions have been casting their minds to developing their annual internal audit programs. Careful selection of audit topics can help to uncover areas of emerging risks for agencies and add the most value.
In this blog we outline audit topics that could resonate for your organisation’s audit program in unexpected areas. We have paired each of these topics with innovative approaches to delivery that can help to bring new insights and offer different ways of engaging with stakeholders.
1. Business Resilience
Business resilience remains a key area of risk for many organisations as they continue to examine aspects of operations affected by the pandemic, the economic slowdown, and change in government.
In particular, supply chain management risks brought to light during the pandemic, constrained labour markets, and hybrid working models are posing ongoing resilience challenges for organisations of all sizes.
Agile auditing techniques can provide valuable insight and assurance over key areas that impact resilience. For example, a high-level audit of talent retention may be conducted to identify whether there are any significant gaps in the approach taken by the organisation. At the mid-point of the audit, the internal audit team may determine the need for a more in-depth review of one or more gaps identified. This way, audit effort is targeted to the areas of most significant exposure, which may not be known when planning the audit program.
2. Data Governance, Security, and User Access
Data governance, and more specifically, data security, has hit centre-stage for many organisations following several high-profile hacks in the past year. This has caused closer examination of things like data retention and user access, as well the security culture of organisations.
Behavioural audits of security risk management culture can provide insights into how effectively controls are operating in practice. An audit can be designed to identify attitudes to security management, particularly in positions of influence such those in managerial or leadership roles. This can go beyond a “tick-and-flick” of whether an organisation is complying with requirements to providing insights on sticking points in improving security culture.
3. Performance Reporting
Agencies need to be prepared for the increasing level of scrutiny over performance information that will come with the Australian National Audit Office’s (ANAO’s) expansion of their annual performance statement audit program.
A series of snapshot audits through pivotal points in the performance reporting lifecycle can identify weak points and seek to address them early in 2023-24. Innovative reporting such as rapid snapshots and dashboards can be used to monitor and report on performance throughout the lifecycle. This would be useful for organisations seeking to ready themselves for an upcoming ANAO audit.
4. Indigenous Action Plans
Indigenous action plans are becoming an increasing area of focus for organisations as Australians consider the Indigenous Voice to Parliament.
If progress against the Indigenous action plan is a known weakness, a facilitative audit may be undertaken in which organisations are supported in addressing known gaps with guidance and advice to management, rather than simply leaving a number of recommendations. A facilitative audit involving Indigenous leaders or experts in the field can be a way of supporting organisations in identifying ways to improve Indigenous action plans.
5. Coordinated Assurance
A more coordinated approach to assurance activity improves efficiency in a cost-constrained environment. Assurance mapping, assurance strategies, and whole-of-organisation assurance frameworks can be leveraged by management and leaders to prioritise assurance activity in areas of greatest need, reduce duplication of effort, and improve decision making.
Internal Audit plays a pivotal role in assurance provision and is well placed to lead a more coordinated enterprise approach to assurance due to their technical expertise and visibility across the organisation. This may mean setting aside resourcing for coordinating assurance and sharing expertise to support other areas in implementing improved assurance approaches.
This can, for example, lead to supporting a second-line assurance function to develop self-assessments for evaluation of the effectiveness of a management framework.
Author: Gihan Mallawaarachchi
“…But this isn’t going to land me in jail, right?”
This was the response I received from a SES officer when I informed them of material probity risks in a significant procurement process for which they were the delegate. Probity is about as exciting as it is understood and therefore not typically front of mind for most public officials when considering key procurement, granting or spending decisions. However, a change in community expectations, a renewed emphasis on integrity by the Government and a series of reputation-damaging missteps by public officials mean that the importance of good probity management is on the rise.
What is probity?
Probity is not a well-known concept and can be difficult for people to understand (so much so that I was once introduced by a client as working for the firm ‘probity’).
So let’s start at the beginning; probity is the evidence of ethical behaviour and means that decisions are made with integrity, honesty and fairness. In a public sector context, good probity management supports transparency, contestability and accountability in decision making, helping entities achieve value for money and withstand external scrutiny or challenge of their decisions.
Probity is more than just the avoidance of corrupt or dishonest conduct, but rather is concerned with making decisions with the right intentions and in good faith, in line with ethical principles and common values. In short, does it ‘pass the pub-test’; where the actions or decisions need to meet community expectations of honesty and fairness, over and above simply being legal or following an established process. In this way, effective probity management helps to support confidence and trust in public sector decision making and mitigates against the reputational damage that can be caused by actual or perceived misconduct.
Why the importance of probity is on the rise
Probity is a necessary component of good governance and is expected to be demonstrated in any significant decision making process. Working consistent with generally accepted probity principles aligns with the Australian Public Service (APS) Values and is underpinned by certain legislation. Notwithstanding the general importance of probity in the public sector, there have been several developments over the past year that have further emphasised the need for effective probity management and have also highlighted the potential damage that can be caused when individuals or entities fail to uphold ethical principles and community values.
There have been a number of recent and high profile scandals or allegations that have highlighted the significant reputational damage caused to individuals and entities from poor probity management.
Some notable examples include:
- the shortcomings in fairness and impartiality witnessed in recent senior public sector appointments within the Commonwealth and NSW Governments;
- concerns over the integrity of decision making raised in the acquisition of land for the future Western Sydney Airport;
- failures in due process and transparency noted in multiple community grant programs (think the commuter car park scheme and the ‘sports rorts’ affair);
- the management of the ‘Robodebt’ scheme; and
- the criticisms of honesty and transparency in the former Prime Minister’s appointment to multiple ministries.
Such examples have shown that decisions do not necessarily need to cross the threshold of illegality or misconduct, but need only fail to meet community expectations of transparency, honesty and integrity, to cause individuals to lose positions or organisations to suffer irreparable damage.
Community perceptions of trust in government
These scandals also serve to demonstrate how failures in probity management can severely undermine public confidence in public sector decision making and erode trust in government. As stewards of public resources, the integrity of decision making by public officials has a significant influence on the community’s perception of trust in government. It should then serve as a red flag to officials that there is considerable evidence to suggest that community confidence in all levels of government is on the decline.
For example, the seventh annual Ethics Index published by the Governance Institute of Australia showed that public confidence in the public service and government has eroded year on year. In 2022, the Ethics Index scored public service and government at 38, which was down eight points from the 2021 (46) and 18 points from the 2020 (56) ethics scores. This was against the backdrop of a continual decline in Australia’s overall ethics score, which was recorded in the Ethics Index as 42 in 2022, down from 45 in 2021 and 52 in 2020.
While such data may be in contrast to how many public officials consider the integrity of public sector decision making, it is important for officials to recognise that current community sentiment suggests that further attention on probity is needed to restore public confidence in the decisions of the public service and government.
Government’s Pro-Integrity Agenda
Public officials should also recognise the priority being placed by the current Government on strengthening integrity across the APS. In a series of statements last year, the Minister for the Public Service made clear that the Government wants an APS that is ‘pro-integrity’ and that operates consistent with the standards of the community it serves.
This was followed by the appointment of a new Secretary for Public Sector Reform to design and deliver recommendations to strengthen the public sector; the establishment of an APS Integrity Taskforce to identify gaps and opportunities to deliver system wide integrity improvements; and the promotion of a pro-integrity culture across all levels of the APS, where integrity is championed as a core competency of a professional public service.
The pro-integrity agenda suggests that the Government considers there is room to strengthen the probity of public sector decision making and better uphold community expectations of integrity, accountability and transparency.
National Anti-Corruption Commission
In December 2022, the National Anti-Corruption Commission Act 2022 was passed into law, paving the way for the establishment of a powerful and independent National Anti-Corruption Commission (NACC) later this year. The NACC has extensive powers to investigate and report on corrupt conduct that is serious or systemic. As such, the NACC is expected to shine a strong light on the probity of public sector decision making.
The definition of corrupt conduct under the Act is far-reaching and includes:
- any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly:
- the honest or impartial exercise of any public official’s powers as a public official; or
- the honest or impartial performance of any public official’s functions or duties as a public official;
- any conduct of a public official that constitutes or involves a breach of public trust;
- any conduct of a public official that constitutes, involves or is engaged in for the purpose of abuse of the person’s office as a public official;
- any conduct of a public official, or former public official, that constitutes or involves the misuse of information or documents acquired in the person’s capacity as a public official.
This means that corrupt conduct does not need to amount to a criminal offence to be investigated by the NACC, but rather only needs to be considered to be serious or systemic. This suggests that severe and deliberate failures in probity may have the potential to fall within the scope of the NACC.
So what does this mean?
Recent high profile scandals and the declining levels of trust in government indicate that the conduct of public officials and institutions are not consistently meeting public expectations for integrity, transparency and accountability. At the same time, there is a heightened focus of Government on establishing a ‘pro-integrity’ APS, as well as a powerful new federal body on the horizon to investigate potential serious and systemic corrupt conduct. These factors suggest that there is an increasing importance being placed on effective probity management in the public sector, and in ensuring that decisions are made with the right intentions and in good faith – rather than simply being lawful or compliant.
Government entities and officials can no longer afford to take a passive approach to probity management by relying on people to ‘do the right thing’ and operate consistent with the APS values or legislative requirements. But rather, there should be a proactive and robust consideration of probity in any significant decision making process, which seeks to identify and mitigate probity risk throughout all stages of the process. In this way, probity should be at the forefront of the minds of public officials in managing the quality and defensibility of public sector decision making.
Gihan Mallawaarachchi is a Partner at Sententia Consulting and specialises in the provision of probity advice and assurance in the public sector. Sententia Consulting’s team of probity professionals are passionate about helping our clients to better understand and manage the probity risks related to their work.
 If you are interested in learning more about the Ethics Index, please visit: https://www.governanceinstitute.com.au/advocacy/ethics-index/