risk management plan 2018-2020
NATIONAL COMPETITION COUNCIL
Risk Management Plan
2018
National Competition Council
Policy document
March 2018
NCC Risk Management Plan 2018
Page 3
1 INTRODUCTION
1.1 What is risk management?
Risk management is the culture, processes and structures that are directed towards taking
advantage of potential opportunities while managing potential adverse effects. The purpose
is to achieve an appropriate balance between realising potential opportunities and
minimising adverse effects. This requires systematically managing activities that involve a
material degree of risk of loss or other damage to the Commonwealth.
The Public Governance Performance and Accountability Act 2013 (PGPA Act) recognises the
importance of effective engagement with risks. The Council recognises the need to monitor
the development and implementation of arrangements and rules associated with the PGPA
Act. The Council’s Risk Management Plan explicitly acknowledges the requirement for the
Executive Director and secretariat of the Council to promote the efficient, effective and
ethical use of Commonwealth resources.
The Council recognises the importance of properly identifying and treating the risks
associated with its functions and activities. In particular, a productive, innovative and
efficient agency requires a careful approach to managing risks and to assessing risk
management.
This Risk Management Plan includes appendices as follows.
- Appendix A contains the Council’s Risk Management Policy Statement.
- Appendix B details the manner in which Council has assessed the level of risk.
  Table 2 of this appendix sets out the risks facing the Council and assesses the
  threats to the Council in 2018 and beyond based on judgments about the
  likelihood and consequences of each risk.
- Appendix C contains the Council’s Risk Management Register and Work Plan for
  2018-19. The appendix analyses and prioritises the risks identified in Appendix B
  to determine the required management action. The register and work plan
  includes action dates for the implementation of risk management strategies.
- Appendix D summarises staff roles and responsibilities in relation to risk
  management.
- Appendix E summarises the Council’s business continuity arrangements.
1.2 Objectives of risk management
Losses relating to functions and activities can emanate from internal and external sources.
Losses can arise from client dissatisfaction, adverse publicity, poorly performing executive
and ACCC staff undertaking Council work, equipment or computer failure, legal and
contractual matters and fraud.
It is not possible to have a totally risk free environment. The Council must assess what
constitutes an acceptable level of risk against judgments about the costs and benefits of
particular courses of action.
The Council’s objectives in adopting a risk management plan are to:
- ensure that the major risks faced by the Council are identified, understood and
  appropriately managed
- ensure that the Council’s planning and operational processes focus on areas
  where risk management is needed, and
- create an environment where Councillors, the Executive Director and staff utilised
  at the ACCC take responsibility for identifying and managing risk.
2 BENEFICIAL OUTCOMES
2.1 Why have risk management?
Risk management is an integral part of business planning. Appropriate risk management
policies and practices minimise the Council’s exposure to the consequences of adverse
events. Such events may include:
- an inability to meet stakeholder requirements
- provision of incorrect information or inadequate advice to a government Minister
  and consequent failure of policy to achieve its objectives
- injury to Councillors
- a potential or actual financial loss to the Australian Government
- damage to or destruction of or loss of Australian Government property
- organisational and political embarrassment
- loss of professional reputation
- changes to government(s) policy affecting the functions, workload and integrity of
  the Council, and
- an audit or legal problem.
The risk management process comprises the systematic application of management policies
and appropriate written procedures and practices to identify, analyse, evaluate, monitor and
minimise risk.
2.2 Benefits of a risk management plan
Implementation of an integrated and rigorous approach to risk management:
- increases the chances of avoiding costly and unacceptable outcomes, particularly
  those arising from unexpected events
- provides a better understanding of Council issues and functions and supports
  continuous improvement in the Council’s operations
- allows the Council to better contribute to the development of regulation and policy
  relating to third party access
- helps maintain morale of Councillors and ACCC staff utilised to do work for the
  Council
- provides a reporting framework to assist with meeting corporate governance
  requirements, and
- allows for more structured and accountable business planning and project
  management.
3 RISK MANAGEMENT POLICY AND PROCESS
3.1 The Council’s risk environment
The Council’s Risk Management Plan is framed in light of the initiatives and objectives as set
out in its Corporate Plan 2017-2018. The Risk Management Plan takes into account the
Council’s size and the nature of its operations. The Council is a small, non-commercial,
government agency that is financially dependent on a Parliamentary appropriation. The
Council helped deliver the National Competition Policy (NCP) reform program Australian
governments committed to in 1995 until the conclusion of the NCP in 2005-06, and now
advises government Ministers concerning third party access to the services of national
monopoly infrastructure. In doing so, the Council advises governments and Ministers
(Commonwealth, state and territory), makes some (limited) decisions and consults with a
range of external stakeholders.
From 1 July 2014 the Council entered into a Memorandum of Understanding (MOU) with the
Australian Competition and Consumer Commission (ACCC), whereby the ACCC provides
secretariat services to the Council. Hence, rather than directly engaging staff (and other
resources), the Council draws on ACCC staff and resources when required. The new
arrangements are structured so as to maintain the Council’s independence, whilst enabling
the Council to provide high quality and timely recommendations in response to access-
related applications. The ACCC has its own Risk Management Policies, Procedures and
Guidelines which are applicable to its staff, including when they are undertaking Council
work. The Council and the ACCC have also put in place a Conflict of Interest Protocol, and
Confidential Information Protocol, for ACCC staff working on NCC matters.
3.2 Risk identification and treatment
The Council faces risks that may affect:
- its reputation, and/or that of its Councillors and/or stakeholders in regard to quality
  of the information, advice and recommendations it provides
- its performance against strategic priorities, such as the achievement of legislated
  milestones, and
- the integrity of its decisions and processes.
As well as the strategic and performance-related risks inherent in its work, the Council also
enters into contracts of a commercial nature. This may create additional financial and
commercial risks.
For each category of risks it faces, the Council has assessed the likelihood and potential
consequences of an adverse event, prioritised each category of risks according to the
level of threat facing the Council and determined its risk appetite. The Council has then
determined strategies for managing risks, devoting greatest resources to the risks considered
to present a severe, substantial or major threat. (Appendix B identifies the potential risks
facing the Council and assesses and prioritises the level of threat posed by each risk.
Appendix C provides a Work Plan for managing the identified risks.)
Under the MOU, the ACCC provides a range of services to the NCC. This arrangement gives
rise to some risks that are shared between the entities (e.g. the provision of IT equipment
and payroll/accounting services). These risks are mitigated and managed through the risk
management frameworks, policies and strategies implemented by the ACCC. Furthermore,
the annual testing of ACCC/AER business continuity planning specifically includes
considerations of potential impact arising from an ACCC/AER business event to the Council;
and should such impact eventuate, the ACCC will notify the Council and/or the Council’s
Audit Committee.
3.3 Risk Management Plan: staff responsibilities
All ACCC staff working on Council matters are expected to contribute to minimising risks.
- The Executive Director is responsible for ensuring that the risk management
  processes and controls identified in the Work Plan are built into the strategic and
  business planning of the Council.
- The Executive Director is responsible for coordinating the implementation of the
  Risk Management Plan and reporting to the Council in a timely and effective
  manner.
- The Executive Director is responsible for overseeing the implementation of
  processes relevant to the Council’s work, including ensuring that ACCC staff working
  on Council matters understand the Risk Management Plan and implement endorsed
  processes.
The Council’s Audit Committee provides general direction on the scope and implementation
of the Risk Management Plan. The Audit Committee considers the Council’s performance
against the plan and reviews the Council’s risk management arrangements every 2 years.
(Appendix D summarises staff roles and responsibilities in relation to risk management.)
4 OUTCOMES
4.1 Deliverables
The key deliverables in the Risk Management Plan are the management actions identified in
the Work Plan (see appendix C).
To ensure effective achievement of the deliverables, the Council:
- has educated staff it utilises from the ACCC on its risk management procedures and
  trains additional contractors as appropriate
- monitors performance against its Work Plan
- monitors the risks associated with contractors and clients, and ensures that
  management of risks is appropriately considered in contracts
- incorporates consideration of risk management performance into the performance
  assessment of the Executive Director
- considers performance against the Risk Management Plan annually
- includes risk management, code of conduct and fraud control awareness in
  induction material for ACCC staff undertaking Council work, and
- ensures the Risk Management Plan, any changes to the plan, and related
  information are provided to ACCC staff that undertake Council work, and that the
  plan is published on the Council’s website and ACCC intranet.
4.2 Financial implications
The costs of implementing the Risk Management Plan are predominantly ACCC staff time,
particularly that of the Executive Director. Given its small size, narrow set of functions and
relatively low risk environment, the Council does not allocate funding explicitly for risk
management activities.
There is expected to be a net benefit from the operation of the plan, arising from lower
costs from reduced:
- staff time lost as a result of adverse events
- litigation costs, and
- insurance premiums.
There will, of course, be other gains such as benefits from the provision of better advice and
information to governments and other key stakeholders and improved morale.
5 REVIEW
The Risk Management Plan is reviewed every 2 years by the Audit Committee. The next
review will occur at the first meeting of the Audit Committee in 2020.
Appendix A Risk Management Policy Statement
1 The Council is committed to the management of risks to protect:
  - the governments it advises
  - its other stakeholders
  - its quality of service
  - its assets and intellectual property
  - its contractual and statutory obligations, and
  - its image and reputation.
2 Risk management is a key part of improving the Council’s business and services. The
  Council’s aim is to achieve best practice in managing all risks.
3 Risk management standards involving risk identification and risk evaluation linked to
  practical and cost-effective risk control measures are in place and are regularly
  reviewed.
4 Risk management is a continuous process demanding awareness and proactive
  measures by all the ACCC employees who perform Council work and outsourced
  service providers to reduce the occurrence and impact of risk events.
5 The Council’s Risk Management Plan assists the Executive Director and ACCC staff
  who perform Council work to apply appropriate risk management arrangements and
  to develop skills in dealing with and understanding risk management. The main
  elements of the program are:
  - development of risk management standards
  - assessment and prioritisation of the risks facing the Council with regular
    review
  - reporting on risk management policy and any issues, and
  - education and training in risk management of ACCC staff who perform
    Council work.
Appendix B Threats posed to the Council
Introduction
This appendix identifies the risks facing the Council and prioritises them on the basis of the
potential overall threat that each risk poses to the Council in the period 2018 and beyond.
Assessing the threat posed to the Council
The Council has estimated the potential threat posed by each category of risks on the basis of
the likelihood of occurrence of the risk (frequency or probability) and the expected
consequence (impact or magnitude). The basis for the Council’s assessment of potential
threats is set out in Table 1.
Table 1 Level of threat posed by risks: likelihood of occurrence and consequences of risks
Likelihood \ Consequences | Extreme | Substantial | Medium | Minor | Negligible
Almost certain | severe | severe | high | major | significant
Likely | severe | high | major | significant | moderate
Possible | high | major | significant | moderate | low
Unlikely | major | significant | moderate | low | very low
Rare | significant | moderate | low | very low | very low
Examples of the level of threat
1 - Severe: consequences would threaten the survival of the Council
2 - High: consequences are significant for the effectiveness, operations and reputation of
the Council, but are unlikely to threaten the survival of the Council
3 - Major: consequences are significant for particular programs and operations and
threaten continuation of those programs or impair their effective undertaking
4 - Significant: consequences adversely affect particular programs and operations and the
effectiveness of the Council
5 - Moderate: consequences may affect effectiveness of particular programs and
operations
6 - Low: minor consequences for the Council and/or particular programs and operations
7 - Very low: negligible consequences for the Council and/or particular programs and
operations
What is an acceptable risk?
Determining that a risk is acceptable does not imply that the risk is insignificant. A risk may
be considered to be acceptable because:
- the threat posed is assessed to be so low (for example because the likelihood of
  occurrence is rare) that specific treatment is not necessary
- the risk is such that the Council has no available treatment, for example, the risk of a
  change to a particular project might occur following a change of government
- the cost of treating the risk is so high compared to the benefit from successful
  treatment; or
- the opportunities presented outweigh the threats to such an extent that the risk is
  justified.
The Council is willing to accept significant, moderate, low or very low risks, and through the Executive Director and/or the President will act to monitor and manage severe, high or major risks. The Council has determined its risk appetite and associated management/treatment actions for each level of risks, as set out in the section below.
Treatment of risks
Treatment involves deciding what management measures need to be put in place to
minimise the threat posed by identified risks. Treatment options include:
- measures aimed at avoiding or minimising the risk
- measures to reduce the threat posed by the risk, either by reducing the likelihood of
  the risk and/or its consequences
- measures aimed at improving the capacity of the Council and the ACCC staff who
  perform Council work to deal with actualised threats
- transferring the threat by shifting the risk to another party via, for example,
  contracting out or insurance, and
- accepting the risk without taking any action to avoid it, but monitoring the risk and
  ensuring that the Council has the financial and other capacities to cover associated
  losses and disruptions.
Risk appetite and strategic approach to managing each level of threat
No. | Level of threat | Appetite | Responsible officer(s) and action
1 | Severe | No appetite | Executive Director to develop a detailed management plan; specific management by the President and the Executive Director
2 | High | Low appetite | Executive Director to develop a detailed management plan; specific management by the President and the Executive Director
3 | Major | Moderate appetite | Ongoing monitoring and management action by the Executive Director
4 | Significant | Moderate appetite | Ongoing monitoring by relevant ACCC staff with action as necessary
5 | Moderate | Moderate appetite | Ongoing monitoring by relevant ACCC staff with action as necessary
6 | Low | High appetite | Ongoing monitoring by relevant ACCC staff with action as necessary
7 | Very low | High appetite | No action generally required
Risk register
Table 2 provides a register of the level of threat to the Council in the period 2018-19 from
identified, unmitigated risks.
Table 2 Register of unmitigated risks and assessment of threat 2018-19
Threat | Description of the risk | Likelihood of occurrence | Consequences of occurrence | Assessed threat to the Council
1 | Political, funding or regulatory function changes that affect the Council | Possible | Extreme | High (2)
2 | Inability to maintain a quorate Council comprising appropriately qualified non-conflicted Councillors | Possible | Substantial | Major (3)
3 | Incorrect or poorly reasoned advice or information to the Treasurer, governments or other stakeholders | Possible | Substantial | Major (3)
4 | Litigation against the Council arising from incorrect or poorly reasoned advice or process | Possible | Substantial | Major (3)
5 | Damage to credibility from overturn of a recommendation | Possible | Substantial | Major (3)
6 | Inability to fund significant litigation | Unlikely | Substantial | Significant (4)
7 | Essential information lost, including information that is the property of external parties | Rare | Extreme | Significant (4)
8 | Secretariat arrangements with ACCC fail to support the Council’s independence, including through actual or perceived conflicts of interest with the Council | Possible | Medium | Significant (4)
9 | Financial loss, including due to fraud against the Commonwealth | Unlikely | Substantial | Significant (4)
10 | Failure of contractors to fully comply with their contract obligations | Unlikely | Medium | Moderate (5)
11 | Failure to meet reporting deadlines | Possible | Medium | Significant (4)
12 | Inability to keep Secretariat staffed with suitable personnel | Unlikely | Substantial | Significant (4)
13 | Lack of access to or failure of ACCC’s ICT and communications systems/equipment and support that the Council relies upon | Unlikely | Medium | Moderate (5)
14 | Improper disclosure of information, including emails to Councillors | Rare | Substantial | Moderate (5)
15 | Councillor injury or illness due to workplace causes including official travel (work health and safety matters) | Rare | Medium | Low (6)
Appendix C Risk Management Action Plan 2018-19
Table 3 describes the risk management treatments (actions) to be implemented and the residual risk rating after treatment.
The Council is comfortable with the residual level of risk once the risk mitigation actions have been implemented.
Table 3 Risk Management Action Plan 2018-19
Risk 1: Political, funding or regulatory function changes that affect the Council
  Assessment of the threat posed by the unmitigated risk: High (2)
  Risk mitigation action:
    1. Contact with Commonwealth Ministers and Ministers from other jurisdictions and their advisors to explain access issues under Part IIIA and the National Gas Law
    2. Contact with Treasury and other agencies to monitor potential changes in policy and legislation
    3. Council participation where possible at senior level, in external processes covering areas of work that are relevant to the Council
  Timing of management action: All controls in place. This risk is largely outside Council’s control.
  Assessment of the threat posed after risk mitigation action: High (2)

Risk 2: Inability to maintain a quorate Council comprising appropriately qualified non-conflicted Councillors
  Assessment of the threat posed by the unmitigated risk: Major (3)
  Risk mitigation action:
    1. Ministers and Treasury kept aware of their responsibilities on Councillor appointments
    2. Three Councillors appointed
  Timing of management action: All controls in place
  Assessment of the threat posed after risk mitigation action: Significant (4)

Risk 3: Incorrect or poorly reasoned advice or information to the Treasurer, governments or other stakeholders
  Assessment of the threat posed by the unmitigated risk: Major (3)
  Risk mitigation action:
    1. ACCC staff conducting Council work are appropriately supervised and monitored
    2. Regular meetings with ACCC staff conducting Council work are held with Executive Director
    3. Recognised economic and legal experts contracted to provide advice on significant matters where the Council does not have expertise
    4. Council meetings to provide oversight and advice
    5. Effective links with governments
    6. Advice, information, etc to governments and others on sensitive and key issues approved by Council, Executive Director and/or President
  Timing of management action: All controls in place
  Assessment of the threat posed after risk mitigation action: Significant (4)

Risk 4: Litigation against the Council arising from incorrect or poorly reasoned advice or process
  Assessment of the threat posed by the unmitigated risk: Major (3)
  Risk mitigation action:
    1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise
    2. Council meetings to provide oversight and advice
    3. Advice, information, etc to governments and others on sensitive and key issues always approved by the Council, Executive Director and/or President
  Timing of management action: All controls in place. Executive Director monitors relevant APS processes.
  Assessment of the threat posed after risk mitigation action: Significant (4)

Risk 5: Damage to credibility from overturn of a recommendation
  Assessment of the threat posed by the unmitigated risk: Major (3)
  Risk mitigation action:
    1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise
    2. Council meetings to provide oversight and advice
    3. Advice, information, etc to governments and others on sensitive and key issues always approved by the Council, Executive Director and/or President
    4. Best affordable legal representation is obtained
  Timing of management action: All controls in place. Executive Director monitors relevant APS processes.
  Assessment of the threat posed after risk mitigation action: Major (3)

Risk 6: Inability to fund significant litigation
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. Insurance cover in place, reviewed annually
    2. Appropriation available each year to cover normal legal costs and measures to obtain additional funding if necessary
  Timing of management action: All controls in place. Appropriation (and reserves) sufficient to provide Council services including nominal budget allocation for external legal and economic services.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 7: Essential information lost, including information that is the property of external parties
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. ACCC staff conducting Council work are located in secure office buildings with access available only via access card
    2. Data maintained on servers is backed up nightly and located off-site, managed by the ACCC
    3. Effective electronic document management
    4. Paper filing system monitored
    5. Councillors implement basic security measures for their electronic devices when using GOOD: including password protection and remote wipe capabilities (advice issued).
    6. Files that contain sensitive information converted to pdf format and marked with appropriate document classification level
    7. Council papers and other documents stored on Govdex or similar platforms, with access provided to Councillors (and ACCC staff as appropriate).
  Timing of management action: All controls in place. Effective document management system is managed by the ACCC’s systems
  Assessment of the threat posed after risk mitigation action: Significant (4)

Risk 8: Secretariat arrangements with ACCC fail to support the Council’s independence, including through actual or perceived conflicts of interest with the Council
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. ACCC-NCC Conflict of Interest Protocol agreed between the agencies, and followed by ACCC staff
    2. ACCC-NCC Confidential Information Protocol agreed between the agencies, and followed by ACCC staff
    3. ACCC staff, including Executive Director, discharge duties to the Council in accordance with the Council’s direction
    4. Regular consideration of matters at Council meetings to provide independent oversight of secretariat activities
    5. External peer review mechanisms available to be utilised where cost-effective to do so
    6. Periodic reporting by Executive Director to Council of ACCC staff working on NCC-related matters
  Timing of management action: All controls in place. Ongoing Council oversight on matters before it.
  Assessment of the threat posed after risk mitigation action: Significant (4)

Risk 9: Financial loss, including due to fraud against the Commonwealth
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. Financial delegations and established processes for approval of expenditure in place
    2. Fraud Control Plan in place and regularly reviewed
    3. Certificate of (financial) Compliance process undertaken annually
  Timing of management action: All controls in place. Delegations being reviewed and updated (expected completion in March 2018). Fraud Control Plan reviewed in March 2018. Annual certificate of (financial) compliance / agency viability process undertaken in accord with Finance Minister’s requirements.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 10: Failure of contractors to fully comply with their contract obligations
  Assessment of the threat posed by the unmitigated risk: Moderate (5)
  Risk mitigation action:
    1. Performance of contractors against their obligations monitored
    2. Arrangements for reporting to contractors on their performance relative to their obligations in place
    3. Contracts include, where feasible, performance indicators and penalties for non-compliance
  Timing of management action: All controls in place.
  Assessment of the threat posed after risk mitigation action: Low (6)

Risk 11: Failure to meet reporting deadlines
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. Work program regularly reviewed
    2. Project team meetings, as required, to review progress
    3. Standardised application templates and processes with all information required for public participation on the Council website
    4. Strong emphasis placed on meeting statutory timeframes, including reporting to Parliament in annual report
  Timing of management action: All controls in place. Council considers work program and oversees progress with major issues at meetings.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 12: Inability to keep Secretariat staffed with key personnel
  Assessment of the threat posed by the unmitigated risk: Significant (4)
  Risk mitigation action:
    1. ACCC provides all secretariat services required by Council and has a large pool of staff available to it to perform its work
    2. ACCC has an attractive work environment including diverse, challenging and rewarding work with maximum possible flexibility provided when possible
  Timing of management action: All controls in place and regularly reviewed. Current workload on ACCC staff in relation to Council work is manageable.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 13: Lack of access to or failure of communications systems / equipment managed by the ACCC
  Assessment of the threat posed by the unmitigated risk: Moderate (5)
  Risk mitigation action:
    1. All equipment is managed by the ACCC. Refer to ACCC risk policy in this regard
  Timing of management action: All controls in place. ACCC has appropriate controls in place.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 14: Improper disclosure of information, including emails to Councillors
  Assessment of the threat posed by the unmitigated risk: Moderate (5)
  Risk mitigation action:
    1. Contracts incorporate Commonwealth Government requirements
    2. Arrangements for accepting and protecting confidential material in place, including protocols for publishing applications and related material
    3. Full listing of material relied upon included with every recommendation decision
    4. Appropriate protection on Councillors’ electronic devices when using GOOD including passwords (see also item 7)
  Timing of management action: Council outputs developed under supervision of the Executive Director and reviewed by Council before release. Councillors use password protection on electronic devices.
  Assessment of the threat posed after risk mitigation action: Moderate (5)

Risk 15: Councillor injury or illness due to workplace causes including official travel (work health and safety matters)
  Assessment of the threat posed by the unmitigated risk: Low (6)
  Risk mitigation action:
    1. ACCC Work Health and Safety Policy addresses most risks relating to the physical work environment
    2. Appropriate insurance arrangements in place (Comcare, Comcover) including coverage for councillors travelling
    3. Travel policy providing appropriate travel and accommodation arrangements in place
  Timing of management action: All controls in place, including annual review of insurance cover.
  Assessment of the threat posed after risk mitigation action: Low (6)
Appendix D Staff roles and responsibilities
Executive Director
- Oversees the implementation of the Risk Management Plan
- Ensures the ongoing review of risks and update of risk registers is performed under
  supervision by the Council
- Encourages a management climate which is aware of and supports risk management
- Oversees development of processes to deal with new risk management issues
- Ensures risk management controls and processes are built into strategic planning
  processes
All ACCC staff who perform Council work
- Identify new risk management issues and report problems to the Executive Director
  in a timely and effective manner
- Assist in developing processes to deal with new risk management issues
Appendix E Business continuity
The Council has no APS staff or offices under the secretariat arrangements with the ACCC,
and therefore relies upon the ACCC’s business continuity plan in most respects (which also
takes into account the NCC’s business needs).
Continuation of ICT services and legal services
All the Council’s ICT services are managed by the ACCC. The ACCC server, which holds the
Council’s data, is backed up and stored offsite in Canberra. Accordingly, the risk of data loss is
minimised in the event of damage to the ACCC office premises or server. The risks of
managing these systems are met by the ACCC.
The Council purchases legal services using the APS Legal Services Multi-use List (or
equivalent). While bearing in mind possible conflicts of interest, the Council anticipates that it
should have little difficulty obtaining the legal services it needs from firms on the APS list.