Emergency notice

This policy is current as at 11/04/2021 01:11am, AEST. Please refer to policy library website (https://education.nsw.gov.au/policy-library) for an updated version.

Enterprise Risk Management Policy

This policy describes the NSW Department of Education's approach to risk management.

  1. Policy statement
    1. This policy and other components of the Enterprise Risk Management Framework support the effective management of risk within the department and ensure compliance with whole-of-government policy on risk management.
    2. The policy specifies the requirements, expectations, roles and responsibilities for managing risk and ensuring that risk management is integrated into business planning, decision-making and reporting functions.
    3. Risk is defined as the effect of uncertainty on objectives while risk management is defined as the coordinated set of activities to direct and control an organisation with regard to risk.
    4. The department is committed to the proactive management of risk, recognising that risk management is an integral part of sound management practice and an essential element of good corporate governance. It improves decision-making and enhances outcomes and accountability.
    5. Staff must manage the department’s risks in accordance with this policy, the department’s Enterprise Risk Management Procedures, and the various components of the Enterprise Risk Management Framework.
    6. Staff must identify, analyse, evaluate, manage, monitor and report on risks that may impact on the department’s ability to achieve its objectives.
    7. Staff must consider risk as part of any strategic, operational and project-based activities to help inform decisions and prioritise actions.
    8. All business areas in the department must use the likelihood and consequence tables in the Enterprise Risk Management Procedures to score risks, so there is a consistent basis for escalating and de-escalating risk across the department. Where required, program areas can provide more detailed information by enhancing the likelihood and consequence tables.
    9. Executive directors and directors are responsible for effectively managing any business-related risks and where necessary, escalating risks to the relevant division head before consideration by the Executive Group via the Enterprise Risk Management Group.
    10. All staff are responsible for identifying and managing risk within their work areas. Staff should be familiar with the department’s Enterprise Risk Management Framework, including this policy and the Enterprise Risk Management procedures, to ensure compliance with all requirements.
    11. This policy must be read in conjunction with other policies and procedures that exist for a number of specific risk-related functions and activities including, but not limited to, business continuity, child protection, corruption and fraud prevention, insurance, project management, and work health and safety.
  2. Audience and applicability
    1. This policy applies to all departmental staff.
  3. Context
    1. In accordance with NSW Treasury Policy Paper TPP15-03 Internal Audit and Risk Management for the NSW Public Sector, the department must establish and maintain an appropriate risk management framework, consistent with the international standard for risk management, ISO 31000:2018.
    2. This policy is one component of the framework, which also includes the Enterprise Risk Management procedures (including tools and templates), the risk management information system and the risk management community of practice known as the Enterprise Risk Management Group that includes representatives from all divisions.
    3. The framework is overseen by the Enterprise Risk Management Group, and the Audit and Risk Committee.
  4. Responsibilities and delegations
    1. Risk management is the responsibility of all staff, with some staff having specific responsibilities and accountability:
    • Secretary
      • ultimate responsibility and accountability for risk management in the department, attesting to NSW Treasury in relation to compliance with the eight core requirements of TPP15-03 Internal Audit and Risk Management Policy for the NSW Public Sector.
    • Executive Director, Policy Coordination and Governance
      • endorse the department’s Enterprise Risk Management Framework
      • approve any substantial amendments to the existing Enterprise Risk Management Framework, policy and procedures tabled by the Deputy Secretary, Strategy and Delivery.
    • Deputy Secretary, Strategy and Evaluation
      • approves amendments to the existing Enterprise Risk Management Framework, policy and procedures, or where amendments are substantial, takes an amended framework, policy or procedure to the Executive Group for approval.
    • Deputy Secretaries and Division Heads
      • support the integration of risk management into planning, management, decision-making and performance reporting systems
      • actively participate in the identification, assessment and management of risk for their business area and the department as a whole
      • promote a positive risk management culture by modelling behaviour where risk information is valued.
    • Executive Directors
      • ensure risk management is integrated into planning, management and performance reporting processes within their business areas
      • lead the implementation of the risk management process within their business areas to ensure that risks are identified, assessed, managed and monitored.
    • Directors
      • ensure compliance with this policy and the risk management procedures for their business areas
      • lead and monitor specific risk management actions (i.e. controls and proposed risk treatments).
    • Staff
      • identify risks, issues and concerns and escalate to management, if appropriate
      • implement specific risk management actions (i.e. controls and proposed risk treatments).
    • Corporate Governance unit (Policy Coordination and Governance)
      • establish and lead the implementation of the department’s Enterprise Risk Management Framework including coordinating, maintaining and embedding the framework in the department
      • provide advice and assistance to help business units implement and maintain robust risk management processes, and coordinate risk management training.
    • Enterprise Risk Management Group
      • drive the implementation and communication of the department’s risk management policy and procedures for their divisions.
    • Internal Audit
      • provide assurance to the Secretary and the Audit and Risk Committee on the effectiveness of the risk management framework including the design and operational effectiveness of internal controls.
    • Audit and Risk Committee
      • provide independent assistance to the Secretary by monitoring, reviewing and providing advice about the department’s Enterprise Risk Management Framework and processes.
  5. Monitoring and review
    1. The Executive Director, Policy Coordination and Governance is responsible for monitoring the implementation of this policy and reviewing its effectiveness at least every three years.
  6. Policy contact officer
    1. Chief Risk Officer, Corporate Governance, Policy Coordination and Governance
      02 7814 1326
