1.25 In the 2008-09 MPR, the ANAO's review concluded that while the DMO was working to improve the standard of risk management arrangements applying to Major Projects, the inherently uncertain nature of risks and issues meant that PDSS data on these could not be considered complete because of unknown risk and issue events that may emerge in the future. For this reason, major risks and issues were placed outside the scope of the ANAO's review.
1.26 Under arrangements with the DMO for this year's review, major risks and issues data in the PDSSs continue to remain out of scope.
1.27 Nevertheless, over the course of the year, the ANAO engaged with the DMO on developments with risk management at an enterprise and project level in order to continue to develop its understanding of the DMO's risk management systems and processes.
1.28 The development of the DMO's enterprise risk management framework was identified last year by ANAO as a challenging but necessary step for DMO in striving to achieve its goal of improving project management. The ANAO highlighted particular challenges, such as the gap between risk management practices and those preferred practices as set out in the enterprise risk management framework.35
1.29 This year's review noted a strong corporate focus on these challenges, although broader organisational engagement was less evident. Currently, work is being undertaken by DMO to better understand and map the business and its controls in the context of enterprise risk management. This includes examining models and approaches that can generate improvements in risk management behaviour and considering how this will be tested within the organisation before the broader adoption of an improvement program. At a more applied level, work has been undertaken in areas such as updating the Chief Executive's Instructions on enterprise risk management and DMO's Project Risk Management Manual; upgrading the main risk management tool; and improving management's awareness of enterprise risk management by examining findings from past ANAO audits as well as Defence and DMO internal audits. Nevertheless, considerable work remains to be undertaken before effective enterprise risk management is in place to assist in improving the DMO's approach to the identification and management of risks to delivery of Major Projects.
1.30 This is particularly noticeable at the project level, where the ANAO's review indicated that there had been no significant progress over the last year in improving the consistency of risk management across the Major Projects. In some cases, planned updates to risk management systems and plans were not undertaken due to other organisational priorities. In terms of IT systems, the upgrade to DMO's main risk management software tool had implementation problems, and caused a degree of frustration at the project level. Linked to the implementation of this software upgrade, timely access to risk management training for project staff also featured as an issue during the ANAO's review.
____________________________________________________________________________
35 Australian National Audit Office, 2008-09 MPR, Part 1, pp.38-39.