B.4 Risk Management


We are committed to ensuring the delivery of our services at all levels – strategic, business and operational – is underpinned by effective risk management practices. CMTEDD’s approach to risk management is based on the Australian Risk Management Standard AS ISO 31000:2018 (‘The Standard’) and is consistent with the ACT Government Risk Management Policy 2019.

The directorate’s risk policies, Risk Management Framework and Policy Statement (risk framework), Risk Management Plan (risk plan), and Business Continuity and Disaster Recovery Framework (BC DR framework) are reviewed at least every two years, with the last review having been finalised in 2019, to ensure that risk management is effective and continues to support organisational performance.

The CMTEDD Audit and Risk Committee and Executive Management Group (EMG) had oversight of risk management activities within the directorate. During business continuity activations, the CMTEDD Crisis Management Team (CMT) provides an additional layer of risk oversight to manage risks during a business interruption event, like the COVID‑19 Public Health Emergency. Risks are monitored and reviewed by the CMT, and progress reports are provided to EMG and the Audit and Risk Committee for strategic oversight.

Business continuity management is a risk control that supports CMTEDD’s commitment to the ongoing delivery of the directorate’s critical business functions where a business interruption risk has been realised. The directorate’s business continuity plans were activated in March 2020, in response to COVID‑19. The CMT has coordinated regular updates of the directorate’s strategic risks and issues during the continuity activation. Risks are monitored during the stages of the continuity lifecycle, and gateway reviews are conducted as the business moves through the initial activation, ongoing management and recovery cycles. Ongoing review of the CMTEDD COVID‑19 Strategic Risk Register ensures that contemporary risks, controls and further treatments are identified and managed for the future business as usual model when the continuity cycle enters de-activation.

Business area risks were maintained and regularly reviewed at a business area level by senior managers and executives. Existing risks were monitored, reviewed and reported on as part of the directorate’s regular review process. Emerging risks were identified and reviewed, to determine if they should be included in the directorate Strategic Risk Register.

Training across the directorate assisted with ensuring that there was a consistent, appropriate application of the risk framework and risk plan, and assisted in increasing the risk management maturity across CMTEDD. Training available to staff included Introduction to Risk Management and Managing Risks in Projects. Staff were also encouraged to attend tailored risk register review workshops, risk awareness forums and risk management seminars introduced by the ACT Insurance Authority in conjunction with external experts.

During the 2019‑20 reporting year, the directorate’s business continuity plans, CMTEDD Control Centre Team Centralised Support Framework, CMTEDD Business Continuity Plan and ACT Government ICT Disaster Recovery Plan were reviewed and updated to ensure business continuity planning is effective and continues to support organisational resilience. Progress reviews of the plans’ structures and effectiveness have occurred throughout COVID‑19 and will continue until a final review is completed at de-activation of business continuity.

The directorate continued to implement the schedule for testing and reviewing the business continuity and disaster recovery plans. The testing schedule provided practice and opportunity to build and improve resilience and capability across the directorate.

Eight tests were conducted in the period in accordance with the CMTEDD Testing Schedule. The test exercises included desktop scenarios for business continuity and disaster recovery, a restoration from backup exercise, a live walk-through business continuity exercise, disaster recovery plan desktop review workshop and a business continuity gap analysis workshop. The scenarios tested included: reduced availability of staff members in a pandemic outbreak (prior to the COVID‑19 Public Health Emergency and actual pandemic), relocation of critical staff due to loss of building, data damage of a critical system, system functionality and data restoration and a desktop scenario of a confirmed COVID‑19 case in a service centre.