Enterprise risk management policy
Audience
Department-wide
Purpose
This policy supports the Department of Education's (the department) obligations to have an effective system for risk management to support the department to achieve its strategic and service delivery objectives.
Policy statement
The department is committed to balancing risk with opportunity to deliver high quality outcomes for children, students, our workforce and Queensland communities. Everyone in the department is responsible for risk management, including identifying and reporting risks as part of day-to-day activities. Risk management is integrated into all decision-making processes to support continuous improvement and deliver outcomes that meet the department’s objectives. The department’s approach to risk management supports how it plans, manages and delivers its services.
Principles
Each principle is followed by what it means for the department.

Creates value
- The department’s decision-making creates and protects value, in pursuit of its strategic objectives.

Transparent and inclusive
- The department has a strong risk culture where all are responsible for risk management.
- The department engages, collaborates and communicates with diverse stakeholders to inform and understand the department’s risks.
- Human rights are considered to ensure actions and decisions are compatible with human rights.

Integrated
- Risk management is integrated into the department’s governance, systems, processes and practices, including planning and decision-making.

Structured, systematic and timely
- The department applies a structured risk process which is communicated to all staff.
- Risks are identified, assessed and monitored through a regular reporting cycle.

Continuous improvement
- The department proactively reviews and reports risks to create a positive risk culture that is capable, innovative and accountable.
Requirements
The department is required under section 61(b) of the Financial Accountability Act 2009 (Qld) to establish and maintain a system for risk management. The department's approach and system for managing risk includes this policy, the Enterprise risk management procedure, processes, and supporting information, and is represented through the Enterprise risk management framework.
The department's approach and system of managing risk is based on the Australian Standard AS ISO 31000:2018 Risk management – guidelines.
Risk is integrated in all decision-making activities, and embedded within planning, performance and service delivery considerations. The department's risk management process is detailed in the Enterprise risk management procedure, and its approach is guided by the following elements:
1. Risk environment
- The department seeks to understand the risks external to and within its operating environment in order to deliver its strategic priorities. Sources of potential risks may arise from strategy development and implementation, service delivery, and natural disasters or events beyond the department's control.
- The operating environment includes risks that have a significant impact on the department’s strategic objectives (strategic objective risks) and tactical risks.
2. Risk appetite
- The department will accept a certain level of risk to achieve its objectives and priorities. The department's risk appetite helps guide opportunities to create value and meet objectives and ensures we always consider our areas of lowest risk appetite (enterprise risks) when making decisions.
3. Performance
- Risk management is integrated with planning processes to support continuous improvement and meet performance outcomes.
4. Assurance
- The department’s systems and processes are designed to integrate risk management as part of decision-making processes to achieve outcomes aligned to objectives. This includes effective assurance of risks which is provided across three assurance lines:
- first line: day-to-day compliance and monitoring
- second line: corporate oversight and review
- third line: independent assurance.
- Assurance of the department’s enterprise risks is demonstrated through the integrated assurance maps (DoE employees only).
5. Governance
- The department takes a risk-based approach when organising and prioritising its people and resources to achieve its strategic objectives, with risk management an integral element of good governance.
- The department’s strategic governance committees have the relevant information to oversee and manage risks that have a significant impact on our strategic objectives.
- Portfolio, program and project boards implement the required level of governance to manage risks throughout the project lifecycle.
- Risks are reported and escalated in line with local governance and accountability arrangements in schools, regions and divisions.
Definitions
Each term is followed by its definition.

Enterprise risks
Risks to the department’s areas of lowest appetite, which are:
- child and student protection and safety
- workplace health and safety
- security of confidential and personal information (information security)
- our integrity (fraud and corruption).
Enterprise risks are risks within the strategic objective risk group.

Enterprise risk management framework
The department's approach and system of managing risk, including policies, procedures, processes and supporting information, as represented in the Enterprise risk management framework document.

Risk
The chance of something happening that will impact the department’s ability to achieve its objectives. Risk is measured in terms of consequences and likelihood.

Risk appetite
The level of risk or opportunity the department is willing to accept in achieving its objectives.

Risk management
Coordinated activities to direct and control the department’s risks.

Strategic risks
Risks to the achievement of the department’s strategic objectives, as determined by the executive leadership team.
Strategic risks are risks within the strategic objective risk group.

Tactical risks
Operational, business unit and portfolio/program/project risks.
Superseded versions
Previous seven years shown. Minor version updates not included.
2.0 Enterprise risk management