Managing risks to achieve EPA objectives

Our commitment to embedding a risk-management philosophy

The EPA’s commitment to becoming a world-class regulator includes a commitment to:

  • identify risks
  • take opportunities to reduce harm
  • embrace a risk-management philosophy.

Refreshed risk-management tools

In 2020–21 we refreshed our approach to risk management. We updated our Risk Management Policy, our Risk Management Framework and Operating Procedures, and our Risk Register – three important tools for managing risk.

Risk coordinators showed how robust and flexible the new Risk Management Policy was by presenting detailed analyses of selected risks at 2020–21 meetings of the EPA’s Audit and Risk Committee.

Risk-based regulation

The EPA applies a risk-based approach to regulation, focusing our regulatory activities on the biggest risks – both current and emerging – to the environment and human health.

In doing this, we have been both responsive and adaptive. By using contemporary tools, technology and data, we have become better at listening, identifying and responding to risks and opportunities to reduce or prevent harm.

We continue to improve our risk management maturity through implementation of our risk management framework and continued effort and engagement within the EPA. Protective, detective and corrective controls will be in place to ensure robust risk management including early detection of emerging risk.

Assurance framework

The EPA assurance framework is another important tool for managing risk. It:

  • shows the EPA Board, the CEO and the Executive team whether the organisation’s work is achieving its goals
  • includes a review process that allows risks to service delivery to be identified and reduced
  • allows best practice to be captured and copied
  • supports the continuous improvement of EPA practice and risk management.

We applied this framework consistently throughout the year.

EPA staff member engaged in a workshop about asbestos waste management. Photo: Anne-Claire Collee/EPA

Audit and Risk Committee

The EPA’s Audit and Risk Committee (ARC) is a subcommittee of the Board and reports directly to the Chair. It is independent of the EPA and monitors, reviews and provides advice about our:

  • governance processes
  • risk management and control frameworks
  • external accountability obligations.

The EPA’s Chief Financial Officer, Chief Risk Officer and Chief Audit Executive can call on the committee to provide independent assurance to the Board that the EPA is managing its risks appropriately in the course of carrying out its regulatory, financial and audit responsibilities.

The current members of the Committee are: 

  • Christine Hawkins: Chair 
    Original appointment 11 April 2016–10 April 2019, reappointed for five years
  • Michael Rennie: Independent member 1
    Appointed 18 May 2020–18 May 2023
  • Elizabeth Wild: Independent member 2
    Three-year appointment, pending qualification under Treasury.

The CEO completes an internal audit and risk management attestation statement that indicates all Treasury requirements have been met. This is reproduced on the next page.

Macquarie River at sunrise in Dubbo, NSW. Photo: iStock



Internal Audit and Risk Management Attestation Statement
2020-2021 Financial Year


I, Tracy Mackey, Chief Executive Officer and Accountable Authority (by delegation) of the
Environment Protection Authority (EPA), am of the opinion that the EPA has internal audit
and risk management processes in operation that are, excluding any exemptions or
transitional arrangements described below, compliant with the seven (7) Core Requirements
set out in the Internal Audit and Risk Management Policy for the General Government
Sector, specifically:

Core Requirements (Compliant, Non‑Compliant, or In Transition)

Risk Management Framework

1.1 The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the Agency. Compliant


1.2 The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the Agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.


Internal Audit Function

2.1 The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose


2.2 The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for the Professional Practice of Internal Auditing


2.3 The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the 'model charter'


Audit and Risk Committee

3.1 The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations. Compliant


3.2 The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the 'model charter'. Compliant

Audit and Risk Committee – Membership

The independent chair and members of the Audit and Risk Committee are:
  • Chair – Christine Hawkins AM (5 year term of re-appointment, commenced on 11 April 2019)
  • Member – Michael Rennie (3 year term of appointment, commenced on 18 May 2020)
  • Member – Elizabeth Wild (3 year term of appointment, pending prequalification)

Tracy Mackey
Chief Executive Officer
Accountable Authority (by delegation)
Environment Protection Authority



Amanda Cleary
Lead Audit & Executive
