Enterprise Risk Management in DHHSErin BakerDirector Human Resources and Workplace Safety

Risk in DHHS: My roles and responsibilities

• Leader: Risk Project Steering Group• Member of Departmental Executive: oversight of

DHHS enterprise risk management framework and strategic level risk register; ownership of some strategic risks

• Manager: oversight of business unit risk register• Mentor: through Risk Network – building a culture

of risk management

In DHHS we manage risk to:

• Increase likelihood of achieving objectives

• Improve quality of services

• Protect staff, assets, property and reputation

• Improve performance consistent with values

• Support better decision making

• Apply our resources more effectively

Where did it all start?

• Frank discussions about how much risk the organisation wished to pursue

• Having the difficult conversations• Senior executives stepping outside of their own

portfolio and thinking strategically across the organisation.

DHHS – a journey to risk maturity

1. What is an enterprise risk management system?2. Why did we choose it?3. How did we do it?4. What are the learnings?

Enterprise risk management (ERM)

ERM supports the achievement of an organisation’s objectives by addressing the full spectrum of its

risks and managing the combined impact of those risks as an interrelated risk profile.

Principles of ERM

• The same framework applies across, up and down the organisation

• The framework is tailored to the organisation, owned by its leaders and integrated into planning, policy and systems

• We know the risks that could impact on achieving our objectives

• Senior management and governance committees have ‘line of sight’ to those risks

DHHS ERM Governance Structure

Audit and Risk Committee

Departmental Executive

Groups

Business Units

Performance, Finance and Risk

Committee

Secretary

Why ERM for DHHS?

• A ‘mixed business’ with a broad mandate• National health reforms • Framework no longer matched the organisation• Changes to the external environment• Improve our performance

How did we do it?

• Established a project- clear objectives, tight timeframe, plan, governance, sponsor, dedicated project manager, access to resources

• Gained high level support by engaging leaders to:– develop and endorse the risk framework– assess strategic risks– achieve a common language – know our risks

Project Objectives

1. Know our risk profile2. Validate and communicate our risk profile3. Establish a risk governance system 4. Develop a risk management culture5. Integrate risk management with systems

Objective 1: Knowing our risks

• DHHS needed an up-to-date risk profile• Criteria linked to strategic objectives• Risk assessment by executive• Produced an initial risk profile – top risks

Objective 2: Communicate and Consult

• Risk assessment workshops for senior management

• Produced a strategic risk profile and group profiles

• Value of communicating and consulting:– Shared understanding– Shared language– Enhanced decision making

Objective 3: Governance System

• Policy, Handbook, Tools• Reporting and escalation• Risk Activity Management Plan• Risk Network• Risk Appetite Statement

Objective 4: Build a Culture of Risk Management

• Senior management buy-in• Communicate the value of ERM• Managers are key stakeholders• Risk Network – support, mentor, consult

Objective 5: Integrate Risk Management

• Align with business planning cycle• Integrate policies and processes

What does it look like?

• Risk assessment criteria tailored to our organisation and linked to our strategic objectives

• Reporting system linked to our ‘risk tolerance’

• Escalation of ‘high’ and ‘extreme’ risks for treatment and oversight

What are the outcomes?

• Less surprises

• Better planning

• Better communication

• Better decisions

What are the learnings?

• IT systems always take longer than you think• Know your requirements before you start• Its OK to start with something simple

What are the next steps?

• Rolling out framework to business units, with support of Risk Network

• Setting the risk appetite• Rolling out risk treatment plans• Automated risk register• First year of full cycle – business planning,

budget, performance management• It’s a journey!

Questions?