Redesigning Frameworks to Integrate a Resilient Corporate Governance and Risk Culture
Prioritising Communication and Education to Build a Positive Risk Culture
Director Corporate Governance and Risk
National Archives of Australia
At the recent Public Sector Governance, Risk and Compliance event, we heard from Shaun Rohrlach, Director, Strategic Projects, National Archives of Australia as he dived into how to prioritise communication and education to build a positive risk culture. In this article he explores:
- Reducing complexity and addressing shortcomings by building new risk frameworks and renewing existing ones
- Shifting to a more proactive and concurrent risk and audit approach to identify issues early
- Embedding a risk assurance mindset and a positive culture toward audit and risk
Getting the organisational structure right
For all organisations, and public sector agencies in particular, having good organisational frameworks and governance structures is critical. Yet many organisations, because of their size or complexity and the environment around them, often have outdated structures. Amending those processes is rarely a priority, and even if it is, they generally don’t know where to start. Shaun Rohrlach, the Director of Strategic Projects at the National Archives of Australia (NAA), and formerly the Director of Corporate Governance and Risk, says that for them, it was fear and disappointment that drove them to change. Previously, “we submitted our reports at the end of a project and then waited for the auditor to tell us all the things we did wrong. In many ways we were fearful of the responses.”
As a result, about two and a half years ago at a gathering of all the senior executives and directors – “about 30 staff from across the organisation” – a discussion began around “thinking differently about how we approach governance and risk within the organisation.” This is particularly important because the NAA is the “federal agency that collects records of Australian government decisions and actions as evidence to preserve the nation’s memory, identity and history,” and therefore needs to be well governed. The idea internally was to “get people to understand the benefits of effective governance, rather than it being just about filling out paperwork.” The NAA therefore approached the Australian Institute of Company Directors to assist them in their transformation process.
Identifying and articulating risks
Though the process began some time ago, it was in the last year that it really accelerated, partly as a result of the pandemic. In that time the NAA has re-worked “our purpose, our vision, our mission and the values that drive us.” Previously there were “some 30 strategic risks that were just unwieldy and difficult to track.” Now these have been consolidated into “six high-level, core strategic risks” which are about data, security, trust, innovation, the workplace and communication. They are also linked back to “our four clear strategy streams,” which are about being enabled, secure, connected and innovative. All of this has led to the creation of a new governance structure.
The risks are now “clearly mapped” and are in line with the agency’s “objectives and performance monitoring arrangements.” This helps to enable “clearer accountability and better decision making processes,” as well as better “program and project management.” The point is that all the processes and resources are now “consistent and speak a common language.” In line with these changes, “we’ve tweaked our governance arrangements around our committee structure, which has provided a clarity of decision making,” and “we’ve clearly defined the role of our assurance committees, otherwise known as audit risk and project assurance or operational committees.” All of those sub-committees now report to the board and the director general, giving greater consistency and transparency, and much of this is done through “the new document management control framework,” which is clear, strategic and streamlined. It only went live recently, but until it was approved and adopted, “all the documents had different processes and underlying risks. Now it’s all streamlined and consistent.”
To make things even more clear and consistent, the governance team created “an introduction to risk on-a-page” and also “a program and project management lifecycle map on-a-page,” split into four clear pathways: “initiate, plan, execute and monitor, and close.” Each project also has “a complexity rating and a risk assessment.” To go along with that is “a new risk management framework and policy with a whole range of new integrated risk templates and an easy-to-follow risk management guide,” with “clearly articulated monitoring and assurance controls.” The templates and other documents are intuitive and easy to use, with “simplified processes and easy interplay between different elements.” Like everything, this is about being more consistent and strategic, and about “providing better oversight for improved decision making.” Risk management is now therefore “integrated into all of our business planning processes.” Previously, risk was rarely taken into account. The new policy states that “all projects, as a minimum, must have a current risk assessment.” Moreover, business-as-usual (BAU) activities, as well as changes to already assessed projects, must also undertake risk assessments. The policy articulates how these should be conducted, managed and documented, and why taking some risk is necessary.
“We’ve actually established a new formal corporate governance framework for the organisation that sets out clearly the strategy and policy setting expectations, the agency’s risk appetite, and ensuring that we have a tolerance level that is clearly understood rather than just a set of parameters.”
As such, “we’ve expanded our tolerance levels from a low to a medium risk rating, with appropriate approvals and mitigation measures in place.” This is also in line with the six risks identified earlier, and is particularly necessary as the agency transitions to greater access for online records. All of this has been done with the authority of the leadership team, and in fact, “senior executives and directors have been leading from the top in terms of creating a cultural change and being exemplars of how we manage risk by encouraging a positive risk culture.”
Once the risk and other governance structures were in place, the NAA decided to review and then update their review audits as well. Generally, it’s too late in hindsight “to be told what we could have done better.” That’s why “we moved to a much more active program of concurrent assurance audits,” with mapped out key topics and priorities, allowing the agency to focus on specific areas, and to “address project issues in a timely way.” Since implementation, this has already improved some of their project outcomes and created greater efficiencies. “There’s good checks and balances now in place, and positive feedback from our audit risk committee.”
Although many of the new resources and processes have been created and implemented, they have only become successful because senior executives started to use them, and because of a communication plan that was rolled out across the whole agency. “We’ve mapped out our key messages, content and activities, and created an internal learning hub.” There have also been training sessions, both face-to-face and online, and work plans developed for every team. “It was a fairly rapid process once we settled on the need to make the changes, but it has been the right approach and hopefully will continue to deliver improved outcomes for the agency.”
“In looking at our risk history, we identified that we’ve been very much focussed on mitigating all risk. We’ve now reframed our risk appetite because that was affecting our ability to innovate. We weren’t taking enough risk to enable innovation.”