Risk oversight and management
Risk management in the Listed Entity identifies and addresses the uncertainty in achieving our purpose. The goal of risk management is to mitigate risk appropriately and to assist in identifying opportunities, thereby enhancing our ability to respond to the requirements of the Heads of Jurisdiction, to Australian Government policy and to legislative change, and to assist in providing the public with the efficient and effective delivery of justice.
Success depends upon developing our people, strengthening and adapting systems, and forging strong relationships with stakeholders. By carefully applying appropriate risk management principles that have been recognised by our Internal Auditors as fit for purpose, we will maximise the efficiency and effectiveness of planning, decision-making, managing uncertainty and our use of resources to achieve the desired outcomes.
The risk management framework supports the identification, analysis, assessment, treatment, monitoring, and review of all strategic, financial, reputational, personnel, political and operational risks. These include risks to our stakeholders and emerging risks.
The Listed Entity’s risk framework is designed to:
- ensure risk management supports our purpose
- support a culture which encourages people to report incidents and take ownership of problems
- ensure risk management thinking is embedded in all activities, enabling the achievement of better outcomes
- ensure stakeholders are consulted to enable the consideration of a broader perspective
- identify and manage entity-wide strategic risks and program or project-specific risks
- promote sharing of risk information and experiences within the Listed Entity and across the Australian Government Community of Practices to develop more consistent approaches to managing risk, and
- align with the PGPA Act and the Australian Government’s expectations as detailed in the Commonwealth Risk Management Policy.
The Risk Management Framework and Plan, developed in accordance with the methodology set out in Commonwealth Risk Management Policy 2014 and the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2018), have been recently reviewed by Internal Audit which confirmed the framework and plan are fit for purpose.
Risk management priorities
The Listed Entity’s risk management priorities are established based on seven broad risk categories:
1. Strategic risks – risks that affect performance against identified strategic objectives.
2. Financial risks – risks that affect the financial outcomes of the Listed Entity or have detrimental financial impact.
3. Risks to reputation – risks that affect the reputation of the Listed Entity and its ability to perform, or which may impair the community’s trust in the Courts, the Tribunal and the judicial system.
4. Operational risks – risks that affect the management of and accountability for performance, including the Listed Entity’s service delivery obligations, regulatory framework and business relationships.
5. Legal and compliance risks – risks arising from statutory and other compliance and reporting obligations as well as current or pending litigation to which the Listed Entity is a party.
6. People risks – risks that affect staff ethical behaviour, the integrity of decisions, processes and information, or affect the work, health and safety and wellbeing of our personnel, including psychosocial risks.
7. Information Management and Information Technology – risks associated with information and communication services and with the delivery of those services, programs and functions, including business continuity, IT disaster recovery and external events (such as cyber attacks) that affect the Listed Entity’s ability to deliver services.
Oversight
The Audit Committee is established in accordance with section 45 of the PGPA Act and performs specific functions that assist the Accountable Authority in meeting its obligations.
The functions of the committee are to:
- provide independent assurance of the effectiveness of the Listed Entity’s Risk Management Framework
- review compliance with the Listed Entity’s Risk Management Policy and monitor and understand the potential impact of emerging risks on the Listed Entity’s ability to achieve its objectives
- monitor the implementation of the Listed Entity’s Risk Management Plan
- review compliance with finance law, including financial and performance reporting; periodically review risk reports (quarterly and annual) and the internal control programs; and advise whether key controls are appropriate and are operating effectively, and
- provide assurance that the Listed Entity has well-designed business continuity and IT disaster recovery arrangements in place and that these are tested periodically.
The Enterprise Risk Management Committee (ERMC) was established to provide oversight of the implementation and operation of the Listed Entity Risk Management Plan and is accountable to and supports the Accountable Authority by making recommendations concerning:
- the Listed Entity Risk Management Framework including the policy and plan
- the Accountable Authority’s Enterprise Risk Appetite Statement
- the Enterprise Wide Risk Register, and
- risk treatment strategies and action plans.
The ERMC also has responsibility for monitoring the effectiveness of controls where the Entity’s risk appetite has been exceeded.
Risk management oversight, together with broader responsibility for governance and compliance matters, has now been consolidated into a single Governance, Risk and Compliance area within Corporate Services.
Figure 1. Federal Court Listed Entity risk management structure.
Table 1. Risks faced by the Listed Entity.

| Risks | Area of risk | Risk description | Mitigation strategy |
| --- | --- | --- | --- |
| Strategic (Technology) | Information and/or information system compromise | Risks from all threat types to ICT assets that affect the financial, operational or reputational position of the Listed Entity, or the confidentiality, integrity or availability of its information technology systems | |
| Financial | Funding insufficient at Entity, Outcome or Program levels | Insufficient Commonwealth funding levels or reductions to funding | |
| Operational (Security) | Failure of protective security | Substantial breakdown of security arrangements critical to fostering a positive security culture | |
| People | Employee health, safety and wellbeing | Failure to meet employee safety and wellbeing obligations | |