The Federal Minister for Finance and
Deregulation, Lindsay Tanner, claimed at
a policy launch function held in late February
by the Institute of Internal Auditors (IIA) “the
Rudd Government has put significant work into
improving the standards of governance within
the federal public sector”.
His speech, however, was delivered in the
same week that a paucity of Federal Government
governance and risk management aptitude
was exposed by a damning Minter Ellison
Consulting report. The risk assessment, delivered
in April 2009, detailed a litany of risks facing
the home insulation scheme of Minister for
the Environment Peter Garrett, and could have
proved a model exercise in risk management
had it actually reached the minister and been
used before February 2010.
The public airing of the report was the final blow
to a scheme that had resulted in four deaths among
insulation installers, and had been riddled with examples
of poor governance, risk management and
compliance - many of them flagged 10 months
earlier by the report. The Government was forced
to scrap the scheme and strip Garrett’s ministerial portfolio back to Minister for Environment
Protection, Heritage and the Arts.
The concern is that Garrett’s insulation bungle
is not an isolated case. The Government
has come under criticism for governance bungles
in a number of its schemes, including the
Green Loans Program and school building
scheme, raising questions over the public sector’s
current capacity to put into practice the governance
principles being expounded.
In his speech to the IIA in February, Tanner
said the Government “is obliged to think about
the design of its own business operations, its
internal governance and regulatory framework,
its accountability and reporting structures just
like anybody else - we must also consider how
we manage risk”.
However, Tanner noted that research commissioned
by the IIA and conducted by a Canadian
expert late last year had found the internal
audit practices of the Australian public sector
were “patchy and inconsistent”.
Jim Hodges, manager of risk management
services for Western Australia’s RiskCover, says
recent events have shown that the important thing
about doing any risk assessment or analysis “is
to use it once you have done it”. “It’s not just a
compliance procedure, or something that you
can tick and flick - you should actually use it,” he
says. “People think once you’ve identified the
risk, you are managing it, but that’s really only the
shopping list,” he told Risk.
IIA board director Gary Anderson agrees.
“Even if you have a strategy, you need to check
it is being implemented,” he says.
The public sector needs to move beyond a
“compliance mentality”, Hodges says, to a place
where risk thinking is integrated into management,
rather than just being dumped on a risk
manager sitting in the corner.
Tanner detailed efforts being made by the Government
on compliance, particularly Operation
Sunlight, named for its goal of increasing transparency
and one which includes a Certificate of
Compliance process. In the first year it was in place
- in 2006/07 - 12,000 instances of non-compliance
were recorded across the public service. This
jumped to 30,000 the next year, showing that “the
closer agencies looked, the more issues were identified”.
As internal systems and control frameworks
were refined, instances dropped back to 15,000,
still leaving “a long way to go”, Tanner said.
Though the recent bungles have brought to
light blatant examples of poor governance, risk
management and compliance in the public sector,
Hodges argues it has actually come a long way.
At RiskCover, which has a staff of 130, Hodges
has seen a complete change in attitude by government
departments towards risk management.
“It’s got to the point today where they are knocking
our door down and dragging us into all parts
of the business to make sure they are ahead of
the game on managing risk,” he says.
These departments are not just coming from a pure compliance or operational
perspective, but are using RiskCover across major projects,
procurements, and strategic and operational planning.
Of the 170 agencies in WA, about 60 to 70 of those are managing risk
effectively, while a smattering of the others were on their way towards
best practice.
It marks a “huge transition”, Hodges says, with the diversity of how departments
and agencies are using risk thinking today having increased
“5000-fold” compared with the situation experienced 10 years ago.
“People have realised we are not going away - we’ve been like terriers
with a bone,” he says. The catastrophic events of September 11 have also
heightened awareness and matured attitudes towards the risk function.
Though Hodges says WA likes to think it is “leading the pack”, other
states are moving in a similar direction, with Victoria, Queensland, Tasmania
and New South Wales all having implemented at least parts of a similar
model to RiskCover, which was established in 1996, while the Federal
Government established Comcover in 1998.
Clayton Utz partner Randal Dennings agrees a sea change is taking
place. “If you put it into the historical context, the trend line is positive”,
he says. “My sense of it is that going back before the work of the National
Audit Office, and its state equivalents, governance wasn’t a major focus,”
he says. “Audit offices have served to elevate governance processes, and
the meshing of good governance and risk management has been encouraged
in the public sector.”
This has meant the gradual rationalisation of governance,
risk and compliance functions, into an overarching function
informing boards at the macro level, and the control environment
at the micro level.
The advent of the Minter Ellison Consulting report has also
raised the question of what role the legal profession can or
should play in the operations of sound risk management in the
public sector.
The IIA’s Gary Anderson warns against lawyers getting too
involved in the risk process.
“There have been decisions about lawyers being used for
risk assessment process, and I would caution that I don’t think
you can outsource risk management, and we shouldn’t be
looking to make risk management a legal issue.”
Rather, Anderson argues, risk management should remain
a “business management responsibility”.
“You can have outsourced partners to facilitate that
process, but it shouldn’t be turned into a legal definitional
debate - it needs to stay a business issue, and internal audit
can assist in assuring that what has been done is robust.”
Dennings, however, says lawyers do have a role to play in
the risk management process - though it will require an evolution
towards a more proactive approach to the law.
Legal analysis traditionally operates with 20/20 hindsight,
Dennings says, where it seeks to apportion responsibility and
liability after an analysis of the facts, which is necessary for
completion of traditional litigation.
But lawyers can add governance, risk and compliance to
their practice, by asking what the reasonably foreseeable risks
are, and what steps can be taken to mitigate them. “I think lawyers
have a part to play, and the value-add is if governance, risk and
compliance issues are brought to bear beyond straight legal advice.”
However, it is this suite of proactive legal offerings that
“many lawyers struggle with”, Dennings says.
As for Garrett’s bungles, Dennings says a glance at newspapers
at any given time will reveal “both good and bad”
examples of governance, risk and compliance. He says
the important thing is to learn that “no matter how well managed
the business or organisation, there is always room
for improvement”.