The third biggest state in Australia relies on the Sword GRC solution to monitor risk and compliance across schools and regional offices.
Queensland Department of Education delivers world-class education services for people at every stage of their personal and professional development. Through its key portfolios of Early Childhood and Education, the Department employs more than 85,000 people across Queensland, with staff located in more than 1,200 work sites, including state schools and regional offices. As the third biggest state, Queensland accounts for over 20% of education enrolment in the country.
Its teachers and principals are supported by a diverse range of specialist, corporate, and support staff who oversee and manage both the daily and strategic operations to ensure smooth running across the organisation.
With such large numbers of staff and students across the state, the Department needs to safeguard its community against adverse events that may affect it financially or socially, and to maintain individual wellbeing.
In the last five years, the number and complexity of risks that need to be managed across the organisation to achieve this have increased significantly, leaving the enterprise management team responsible for a range of departmental risks of differing nature and priority. Risks range from catering for high population growth (in the South), isolation issues for remote towns (distance learning in the North) and crocodile attacks in the north of the state, to weather events such as cyclones forcing statewide school closures and subsequent flood risks. Recognising the importance of robust risk management, the Department has invested in Sword GRC’s Active Risk Manager solution.
A single view of risk in an enterprise management framework
As its incumbent management systems became increasingly reliant on Excel spreadsheets, the team found that the text-heavy process used to oversee and control risks did not match its new management framework and procedures. In addition, the team was finding it challenging to interpret the risks’ value, to monitor tolerances and trends, and to report and communicate on them.
Robyn Albury, Executive Director, Governance Strategy & Planning, explained:
“We began looking at how we could communicate risk that makes sense to senior decision-makers. We started from a quality process basis and created a risk management framework that was easier to understand.
“As a result, we changed our language and how we wanted to discuss and report on risk – and spreadsheets with over 800 risks no longer matched this way of working.”
“The enterprise risk team set out their requirements and after inviting several companies to tender, selected Sword GRC for its expertise in the GRC space – and specifically for its risk management solution, Active Risk Manager (ARM).
“We have very specific procurement processes which set out our needs in detail. Not only did Sword GRC’s solution deliver on these, ARM was intuitive and matched the new way that we were talking about risk. It allows us to visualise risks differently – which in turn helps us to have different conversations about the actions and controls that we have in place,” said Albury.
Risk data shared across the organisation
Another key benefit of choosing Sword GRC was that, as a cloud-based solution, it enables managers across the seven regional offices, as well as the central enterprise risk management team, to use the same system. Following the initial rollout to the central users, the Department deployed a second wave of Risk Express licenses, designed for the business users.
Managers across the organisation are now actively managing risks and updating them on a quarterly basis, while the enterprise risk team carries out the interrogation and reporting on trends, controls, and actions for the senior management team.
Nikki Tran, Acting Director, Risk & Policy, said:
“Using ARM has helped us to change our conversations with risk owners. It’s easier for them to present risk visually and for us to interrogate the data and give feedback. We can see the likelihood and consequence of particular risks, report on controls in place, and actions taken.
“Before we had no documented controls and actions – now we have that visibility and can use that for specific business areas and owners. It’s logical and is aligned with our processes, backed up by relevant data. We can calculate the numbers of risks, categorise them, and observe trends, which helps us to communicate with senior managers about their risk profile.”
Achieving compliance with a risk-based approach
Monitoring compliance has also been a significant benefit from using ARM.
The Department has now implemented a risk-based approach to manage compliance, identifying where obligations have been met, who is responsible, and where action needs to be taken. The team has introduced a risk profile of urgency – helping to identify risks, summarise controls, and monitor actions that people own.
Albury said: “We can now effectively present comprehensive compliance reports to the Executive Management Board. Using a risk-based approach it’s easy to be able to identify controls and actions required that are aligned to our policies to meet our legal obligations.
“In the past, we could have had actions listed over a number of years against some risks, without being able to track progress or outcomes. Now we can monitor and assess what risk owners are doing to mitigate risk and achieve compliance, giving us a much better line of sight for risk. We can start to marry up risk ratings with outside drivers that are actually happening, taking actions, and reporting against them.”
As an example, the risk team now has visibility of risks around workplace health and safety in a particular rural region, which is currently running outside of its agreed tolerance.
The reason for this is that a high number of teachers visit different schools across the region and spend long periods of time, sometimes up to 10-12 hours, driving to teach music and other specialist subjects. This potentially raises risks for their health and safety which need to be addressed through appropriate controls and actions to meet legislative requirements.
“Looking at our internal audit figures on each school in the area, we have been able to identify that 39% of schools have a breach of workplace health & safety or non-compliance issues. Using the controls and data in ARM that we have set up, we can now drill down and identify what the risk is, who the owner is and what they are doing about it.
“We can easily tell our management board where the rating is coming from – what area is seeing it and identify why it is out of tolerance,” explained Albury.
Greater insights for better decisions
Overall, ARM is giving the enterprise risk management team the facts at their fingertips and the ability to interpret them to highlight issues, actions or successes.
“ARM has transformed our reporting capability and our decision making. It’s either presenting us with a great story – or helps us to target areas that need attention from our Executive Management Board. It gives us total transparency and a single view of risk across the organisation,” Albury concluded.