Strategic and operational risk management
Attestation
The Victorian Government Risk Management Framework

The Department of Treasury and Finance released the Victorian Government Risk Management Framework in July 2007. The Framework brings together information on governance policies, accountabilities, and the roles and responsibilities of all those involved in risk management across the State.
The Framework formalises and builds upon existing processes and requirements, and also promotes the need to address inter-agency and state-wide risks when developing and implementing a risk management framework.
We recommend that all public sector agencies adopt the Framework; it is compulsory for those agencies that report in the Annual Financial Report for the State of Victoria.
Elements of the Framework
One significant requirement under the Framework is the need for accountable officers to “attest” in their organisation’s annual report that:
- risk management processes consistent with the standard (AS/NZS 4360:2004) are in place
- an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures
- the audit committee/board verifies the assurance made and that the risk profile has been critically reviewed within the last 12 months.
The attestation process is intended to ensure that an organisation-wide risk management culture, and the processes and structures that support it, are embedded across the business, so that risk management is relevant, effective, efficient and sustained.
Frequently asked questions
- Will management need to formally sign off the process?
- What systems and processes will allow or support this?
- What does satisfactory look like? How do you demonstrate a satisfactory effort?
- What evidence will the secretary/chairman need to support the attestation?
- What about the internal auditors? Will, or can, they sign off?
- What if we don’t attest? What are the consequences?
- What about a phase-in period?
These frequently asked questions are addressed in our Risk Insight publication, "Attestation - What does it mean for your organisation?".
Key principles
It is important that you brief the agency’s management, executive and board on the requirements of the risk standard, the Framework and, particularly, the attestation requirements. Plan ahead and embed attestation into your reporting and compliance framework.
Our key principles include:
- Attestation is intended to provide “assurance” or demonstrate “performance”. It should not be merely a compliance or “box-ticking” exercise.
- Keep the attestation framework and process as pragmatic and relevant as possible.
- The agency’s maturity, size, complexity and risk appetite need to be considered, since “attestation is relative to maturity”.
- Use a model similar to the Australian Stock Exchange’s "if not, why not?" reporting style. If the agency does not attest, you should explain why not and what will be done to improve over the coming year.
Attestation seminar
The VMIA held a seminar "Attestation - What does it mean for your organisation?" in November 2007. The slides from the seminar are available below. Contact training@vmia.vic.gov.au for further information.
Attestation framework
Each agency will have its own attestation framework. The framework should support the overall attestation process and, in particular, address the second core element: that an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. This should include:
- keeping management and the board fully informed of the range and breadth of risk management processes and control activities undertaken across the agency
- providing management/executive sign-off that “the executive understand, manage and satisfactorily control risk exposures” in support of the overall attestation. This may be through a cascading process linked to your risk or control register.
Evidence will also be required to support the attestation that:
- the agency has risk management processes in place consistent with AS/NZS 4360:2004
- the agency’s risk profile has been critically reviewed within the last 12 months.
An annual plan or calendar of risk and assurance activities can be useful. This could include the range and frequency of risk and audit reports, the formal risk and audit meetings of management and the board, and the number and type of reviews, assessments and audits completed in support of the organisation’s risk framework.
If you are going to meet the attestation challenge you will need a risk management framework that embeds risk management across all important practices and processes, with complete risk registers, frameworks, policies and procedures, and sound risk principles embodied throughout the organisation. If you do not, you will most likely be required to apply the “if not, why not?” principle noted above.
For a full summary of the core elements of the Framework, and particularly the attestation requirements and what they mean for departments and agencies, refer to our Risk Insight: "Attestation: Is your organisation ready?".
