DMO's Enterprise Risk Management Framework (ERMF)

2.12  During planning for the ANAO's assurance review, documentation on the design, development and implementation of DMO's ERMF was analysed in order to assess whether it could provide sufficient assurance over the major challenges, project risks and issues included in Tables 1.2, 4.1 and 4.2 of the 2008-09 PDSSs.

2.13  During the course of the review, DMO provided an updated draft ERMF for ANAO review, providing a sound basis for a more consistent approach to the risk management of major acquisition projects. To provide confidence as to the completeness and accuracy of risk assessments, and soundness of risk mitigation strategies, the implementation and management of this framework will be a challenging but necessary step for DMO in its goal of improving project management.

2.14  The recent review of the draft ERMF by the DMO Chief Audit Executive (CAE) highlighted a number of areas of focus in relation to addressing this challenge, including:[19]

•  the significant gap between current risk management practices and those set out in the draft ERMF;

•  rationalising DMO risk management software available to projects;

•  improving DMO's risk culture and establishing consistency in the level of support and leadership for risk management across DMO; and

•  greater staff training in the use of DMO's risk management model.

2.15  While it is essential for DMO to maintain and develop its ERMF to manage organisational responses to risks and issues which inevitably arise in major project acquisitions, the CAE's review highlights that the ERMF is not yet sufficiently mature to provide the necessary documentary evidence as to the completeness of risks and their likelihood of occurring, nor that of the resultant issues.

2.16  Separately, the ANAO's review highlighted that the ERMF is not yet underpinned by a sufficiently cohesive Information Technology (IT) system, and that there is variability in the maturity of risk management practices and processes at the project level. There is also a need for DMO to address the limited nature of the policies and procedures available within the organisation to ensure accurate translation of risk and issue data into the PDSSs. The changes underway in DMO require amendment of business processes, IT system rationalisation, and enhanced control and evaluation on an ongoing basis; future strategies to achieve this are expected to involve:

•  adoption of the ERMF at a whole-of-organisation level, including translation to the project level;

•  evaluation of the ERMF's maturity and performance over time; and

•  development of aggregation/declassification policies and procedures for translation of DMO risk and issues data into unclassified PDSSs.

2.17  Reflecting on these challenges, the ANAO's review has indicated that, while DMO is working to improve the standard of risk management, the risk of misstatement under limited assurance procedures remains unacceptably high and is likely to continue for some time. The ANAO therefore does not consider it feasible to include major risks and issues within the scope of its 2008-09 MPR. In particular, for sufficient and appropriate evidence to be provided in the requisite time frame for the purpose of this review, additional assurance processes, such as third-party verification, would be required.

2.18  The ANAO will continue to examine DMO's progress with enhancing the practice of enterprise risk management across the organisation. In the case of risk data for future MPRs, the JCPAA has asked the DMO to identify the extent to which DMO's risk management processes had forecast all risks that had eventuated compared to the previous year, by including an emergent risks and issues column within the respective PDSS tables.

_______________________________________________________________________________

19  DMO Internal Audit, Advice on the draft Enterprise Risk Management Framework (ERMF) Defence Materiel Organisation (July 2009).