14. Risk Management and Internal Accountability
14.1 Introduction
This Chapter deals with risk management and internal accountability policy and procedures. It covers the department's risk management plan, discusses the operation of the Audit and Risk Committee and outlines the responsibility of departmental officials to act ethically and to report suspected fraud and misconduct.
The FMA Act requires agency Chief Executives to manage the affairs of the Agency in a way that promotes proper use of the Commonwealth’s resources for which the Chief Executive is responsible. Proper use means the efficient, effective and ethical use of the Commonwealth's resources. To facilitate this the Secretary has implemented a risk management strategy, has made the Chief Finance Officer and Finance Managers responsible for implementing procedures and controls over the use of resources, and has established an Audit and Risk Committee and an Ethics Committee to manage internal accountability.
Risk Management Strategy
The department encounters and manages a variety of risks on a day-to-day basis that have an impact on the department's ability to achieve the Government's objectives for the portfolio. Risks can include client dissatisfaction, unfavourable publicity, physical safety and security, mismanagement, equipment failure, legal action, fraud, etc. Every decision involves managing risk in terms of judging the costs and benefits of particular courses of action.
The department’s risk management strategy seeks to improve overall performance by leading to the more efficient, effective and ethical use of the Commonwealth’s resources through a systematic evaluation of the risks associated with adopting various courses of action or policy proposals. A systematic approach to risk management is consistent with higher standards of public sector accountability and assists in dealing with the uncertainties of a changing operating environment.
The department's risk management policy is outlined in Administrative Circular P0599. It requires employees to consider the risks inherent in their work, in formulating policy and in decision making and, where warranted, to undertake formal risk assessments.
Some risks may be managed through securing insurance coverage. Insurance is covered in FMM Chapter 16.
Internal accountability
Internal accountability incorporates:
- The implementation and maintenance of internal controls by the Chief Finance Officer and Finance Managers over the use of departmental resources. Examples of internal controls are the separation of duties (see Chapter 2) and the regular checking of collections and advances (see Chapter 5)
- The review of financial and resource management by the Audit Committee
- The review of performance through the conduct of internal compliance and performance audits that contain recommendations and identify best practice
- The provision of high level guidance by the Ethics Committee for the promotion of ethical conduct in the department
- Measures to ensure DFAT officials are aware of and undertake to observe the APS Code of Conduct, the department's own Code of Conduct for Overseas Service or the LES Code of Conduct established in each post, and other instructions on conduct-related matters, including in the form of Administrative Circulars
- Mechanisms for the early detection, reporting and investigation of allegations of fraud and misconduct; and
- The department's Fraud Control Plan which identifies high risk areas and recommends strategies to minimise and manage risks
14.2 Risk Management and Business Continuity
Instructions
- DFAT officials involved in formulating policy advice or in taking decisions on the management of large scale and complex projects should consider the risks inherent in those decisions in accordance with the department's risk management policy.
- Officials involved in the development, implementation and ongoing application of key processes related to financial and/or resource management should assess and manage the risks inherent in those processes in accordance with the department's risk management policy and ensure the risks affecting critical business processes are addressed.
- Risk assessments and business continuity plans are to be documented in a form suitable for internal and external audit scrutiny. Posts and divisions are required to prepare business continuity plans which identify key business processes and outline strategies to continue the delivery of these services in the event they are interrupted by an event that triggers the activation of a business continuity plan.
- Advice on risk management and business continuity plans can be obtained from the Evaluation and Audit Section.
Procedures
Responsibility
- Officials involved in formulating policy or managing large-scale or complex projects
- Officials involved in the management of areas that deliver business services
Frequency/Conditions
- As required in accordance with Administrative Circulars P0599 and P1023.
- As required or at least annually.
Action
- Give due consideration to the risks involved in decision making, policy formulation and in implementing and maintaining key processes related to financial/resource management, including formal risk assessments as appropriate, in accordance with the department's risk management policy.
- Document formal risk assessments clearly and comprehensively with reference to the Risk Management Toolkit.
14.3 Audit and Risk Committee
The functions of the Audit and Risk Committee include:
- Helping the department to comply with obligations under the FMA Act and Regulations and the Finance Minister’s Orders
- Providing a forum for communication between the Chief Executive, the senior managers of the Agency and the internal and external auditors of the department
FMA Regulation 22C requires the terms of reference, functions and responsibilities of the Audit Committee to be set out in an Audit Committee Charter approved by the Secretary.
Instructions
- DFAT officials must comply with requests of the Audit and Risk Committee.
Procedures
Responsibility
- DFAT officials
Frequency/Conditions
- As required
Action
- Comply with requests of the Audit and Risk Committee.
14.4 Fraud and Misconduct
In accordance with FMA Act section 45 the Secretary must implement a Fraud Control Plan. The First Assistant Secretary, Corporate Management Division is responsible for preparing the plan.
Instruction
Code of Conduct
- DFAT officials must act in accordance with the APS values and the APS Code of Conduct enshrined in the Public Service Act 1999 and, where applicable, the department's Code of Conduct for Overseas Service or LES Code of Conduct established at each post.
- DFAT officials have a duty towards the prevention and detection of fraud and misconduct.
Fraud Control Plan
- In accordance with the Fraud Control Plan, officials are responsible for implementing and managing fraud prevention strategies within their area of operation. Fraud prevention is an integral component of prudent financial management.
- The FAS CMD is responsible for preparing a report on fraud control and providing the report to the Minister every 2 years.
- Under the Fraud Control Plan risk assessments of departmental functions are conducted periodically to ensure that fraud prevention capabilities and controls are maintained. These include adequate administrative processes, an appropriate level of training for staff and regular updating of control and reporting systems.
Ethics Committee
- The Ethics Committee is responsible for the development of policy on conduct and ethics issues and the oversight of the handling of allegations of fraud and misconduct.
- The Conduct and Ethics Unit is responsible for management of the ethics outreach program and investigations into allegations of fraud and misconduct. The Unit also provides advice to managers on fraud control planning and ethics policy issues.
Dealing with fraud
- There is an agreement between the department and the Australian Federal Police (AFP) which specifies the circumstances under which fraud matters must be referred to the AFP.
- When dealing with fraud, employees should report it quickly and only inform those who need to know (see Action section below). The confidentiality of a person making an allegation about fraud and the privacy of persons under investigation is to be protected to the maximum extent possible, as explained in the department's guidance on whistleblowing.
- Officials against whom allegations of fraud or misconduct are made are presumed to be innocent unless proven otherwise.
- Investigations into allegations of fraud or misconduct should be conducted in accordance with Commonwealth fraud control policy and departmental investigation guidelines.
Procedures
Responsibility
- All officials to act ethically
- All officials to help prevent, detect and report suspected fraud or misconduct
- Conduct and Ethics Unit to investigate allegations of fraud or misconduct
Frequency
- At all times comply with APS values and Codes of Conduct and the department's own Code of Conduct for Overseas Service or LES Code of Conduct.
- Immediately report suspected or detected fraud or misconduct
- Investigations as required
Action
- All officials are to act in accordance with APS values, the APS Code of Conduct and, where applicable, the Code of Conduct for Overseas Service or LES Code od Conduct.
- Officials who become aware of, or suspect, fraud or misconduct should observe developments carefully and record all details, including any action they themselves have undertaken. Original documentation must not be marked, written on or tampered with in any way.
- Officials have an obligation to report the matter to their supervisor. If an employee feels unable to raise the matter with a supervisor, or believes that his or her concerns have not been properly addressed, he or she should refer the matter to the Conduct and Ethics Unit (CEU) directly.
- The CEU is responsible for coordinating investigations into allegations of fraud and misconduct. Employees reporting alleged fraud or misconduct or assisting investigations should observe instructions issued by the CEU, Commonwealth fraud control policy and departmental investigation guidelines.