The Commonwealth Risk Management Policy sets out the elements required for an appropriate risk management framework under the PGPA Act. It requires that the accountable authority of a Commonwealth entity must set up and maintain systems and internal controls for risk management and oversight. The policy binds all non-corporate Commonwealth entities.