PM&C operates in a dynamic and fast-paced environment. There is inherent risk in everything we do and it is not possible, or necessarily desirable, to eliminate all risks. We strive to achieve the right balance between engaging with risk to promote efficiency and innovation within our business practices, while delivering on government priorities. PM&C is committed to engaging with risk in a way that enables us to be accountable, act with integrity, and uphold the reputation of the department.
Governance
PM&C’s governance committee structure (Figure 2) supports the Secretary to lead and govern the department to achieve our purpose, meet our performance objectives, manage risks, and ensure we are compliant with legislative requirements and government policies.
The governance committee structure is reviewed annually to ensure it remains fit for purpose and supports the Secretary as the accountable authority in discharging his duties under the PGPA Act and Public Service Act 1999.
Figure 2: PM&C’s governance committee structure at 1 July 2025

Diagram showing PM&C’s governance committee structure, with the accountable authority at the top and 3 tiers reporting upwards to it.
At the top, the department’s accountable authority is shown as the Secretary.
Tier 1 is shown as the Executive Board. Off to the side of Tier 1 is the Audit and Risk Committee, which is shown as reporting to the Accountable authority.
Tier 2 shows the 3 sub-committees that report to the Tier 1 Executive Board: People and Culture; Performance and Risk; and Digital, Data and Security. Tier 2 also shows the temporary Major ICT Program Board, which reports to the Tier 1 Executive Board.
Tier 3 shows 3 committees reporting to Tier 2:
- the Work Health and Safety Committee
- Consultative Committee
- Network, group and divisional committees
The Tier 3 Work Health and Safety Committee is shown as reporting to the People and Culture sub-committee.
The Tier 3 PM&C Consultative Committee is shown as providing information to the Tier 2 People and Culture sub-committee.
The Executive Board determines PM&C’s risk appetite and tolerance to provide guidance to PM&C officials on the level of acceptable risk for the nature of our business. The Executive Board encourages officials across the department to appropriately balance positive risk engagement, which promotes innovation and efficiency, with risk controls and mitigations to uphold integrity and the department’s reputation.
Our risk management policy and framework provides guidance to our people on managing and engaging with risk and applies to all activities and officials. During 2025–26, we will continue to implement the policy and framework and supporting tools to guide implementation and raise awareness.
Risk oversight and management
Table 1 sets out our enterprise risks and how we manage those risks.
Table 1: PM&C enterprise risks
Enterprise risk | Management of the risk |
---|---|
Enterprise risk 1 We are not influential and fail to lead, collaborate, and anticipate policy direction. | PM&C uses key structures such as the Secretaries Board and Chief Operating Officers Committee to effectively monitor and report on government priorities. We provide leadership across the APS, promoting collaboration and quickly addressing any emerging issues to support the government’s mission. Our annual stakeholder survey helps to identify areas for improvement, ensuring we continually enhance our effectiveness. |
Enterprise risk 2 We are not able to effectively support government operations. | PM&C is agile and responsive to the government’s priorities and processes to assist the Prime Minister and ministers in running the government effectively. We develop detailed plans and protocols to ensure smooth operations and help APS agencies navigate these processes. Our annual stakeholder survey assesses how well we support ministers and APS agencies. |
Enterprise risk 3 We do not provide an environment that cultivates a positive culture or behaviours to support the safety and wellbeing of our people or continued high level of integrity and accountability. | PM&C continues to invest in the wellbeing of our staff, with initiatives that cover physical health, diversity, environmental hazards, mental health and personal development. Encouraging APS Employee Census results indicate our efforts have been effective, and we have ongoing plans to maintain positive wellbeing results. PM&C is committed to promoting integrity across the department. We provide multiple reporting channels that allow for the referral of wellbeing, compliance and integrity matters to dedicated areas for support and necessary action. |
Enterprise risk 4 We do not have the capability or capacity to deliver and meet emerging priorities. | PM&C is progressing with major projects to improve capacity by building capability in our people. These projects will address workforce management and planning, organisational psychology and management capability. |
Enterprise risk 5 We do not have effective, efficient and fit for purpose ICT systems and services. | PM&C has ongoing investments in capital and people, including hardware redundancy and testing for failover and recovery systems, and cross-skilling programs. The forward capital plan ensures planned upgrades and hardware replenishment are measured and appropriate for our current and anticipated needs. |
Enterprise risk 6 We fail to protect our information, personnel and physical environment and assets. | Security and reliability are core considerations for the department. PM&C maintains a defensive, in-depth stance that meets industry standards on IT security, and conducts regular pressure and penetration testing. PM&C continues to improve security measures with enhancements to authentication and access protocols for secure networks and document systems. PM&C ensures that its processes and systems are fit for purpose and remain in step with relevant security requirements. |
Enterprise risk 7 We fail to adopt, appropriately engage with and/or manage emerging/new technologies for PM&C. | PM&C monitors new and emerging technologies to foster innovation and enhance efficiency. Internal policy settings, along with detailed security and architecture assurance activities are used to assess technologies prior to their approval and deployment. |