risk management plan 2018-2020

NATIONAL COMPETITION COUNCIL

Risk Management Plan

2018

National Competition Council

Policy document

March 2018

NCC Risk Management Plan 2018

1 INTRODUCTION

1.1 What is risk management?

Risk management is the culture, processes and structures that are directed towards taking

advantage of potential opportunities while managing potential adverse effects. The purpose

is to achieve an appropriate balance between realising potential opportunities and

minimising adverse effects. This requires systematically managing activities that involve a

material degree of risk of loss or other damage to the Commonwealth.

The Public Governance Performance and Accountability Act 2013 (PGPA Act) recognises the

importance of effective engagement with risks. The Council recognises the need to monitor

the development and implementation of arrangements and rules associated with the PGPA

Act. The Council’s Risk Management Plan explicitly acknowledges the requirement for the

Executive Director and secretariat of the Council to promote the efficient, effective and

ethical use of Commonwealth resources.

The Council recognises the importance of properly identifying and treating the risks

associated with its functions and activities. In particular, a productive, innovative and

efficient agency requires a careful approach to managing risks and to assessing risk

management.

This Risk Management Plan includes appendices as follows.

Appendix A contains the Council’s Risk Management Policy Statement.

Appendix B details the manner in which Council has assessed the level of risk.

Table 2 of this appendix sets out the risks facing the Council and assesses the

threats to the Council in 2018 and beyond based on judgments about the

likelihood and consequences of each risk.

Appendix C contains the Council’s Risk Management Register and Work Plan for

2018-19. The appendix analyses and prioritises the risks identified in Appendix B

to determine the required management action. The register and work plan

includes action dates for the implementation of risk management strategies.

Appendix D summarises staff roles and responsibilities in relation to risk

management.

Appendix E summarises the Council’s business continuity arrangements.

1.2 Objectives of risk management

Losses relating to functions and activities can emanate from internal and external sources.

Losses can arise from client dissatisfaction, adverse publicity, poorly performing executive

and ACCC staff undertaking Council work, equipment or computer failure, legal and

contractual matters and fraud.

It is not possible to have a totally risk free environment. The Council must assess what

constitutes an acceptable level of risk against judgments about the costs and benefits of

particular courses of action.


The Council’s objectives in adopting a risk management plan are to:

ensure that the major risks faced by the Council are identified, understood and

appropriately managed

ensure that the Council’s planning and operational processes focus on areas

where risk management is needed, and

create an environment where Councillors, the Executive Director and staff utilised

at the ACCC take responsibility for identifying and managing risk.

2 BENEFICIAL OUTCOMES

2.1 Why have risk management?

Risk management is an integral part of business planning. Appropriate risk management

policies and practices minimise the Council’s exposure to the consequences of adverse

events. Such events may include:

an inability to meet stakeholder requirements

provision of incorrect information or inadequate advice to a government Minister

and consequent failure of policy to achieve its objectives

injury to Councillors

a potential or actual financial loss to the Australian Government

damage to or destruction of or loss of Australian Government property

organisational and political embarrassment

loss of professional reputation

changes to government(s) policy affecting the functions, workload and integrity of

the Council, and

an audit or legal problem.

The risk management process comprises the systematic application of management policies

and appropriate written procedures and practices to identify, analyse, evaluate, monitor and

minimise risk.

2.2 Benefits of a risk management plan

Implementation of an integrated and rigorous approach to risk management:

increases the chances of avoiding costly and unacceptable outcomes, particularly

those arising from unexpected events

provides a better understanding of Council issues and functions and supports

continuous improvement in the Council’s operations

allows the Council to better contribute to the development of regulation and policy

relating to third party access;

helps maintain morale of Councillors and ACCC staff utilised to do work for the

Council

provides a reporting framework to assist with meeting corporate governance

requirements, and

allows for more structured and accountable business planning and project

management.


3 RISK MANAGEMENT POLICY AND PROCESS

3.1 The Council’s risk environment

The Council’s Risk Management Plan is framed in light of the initiatives and objectives as set

out in its Corporate Plan 2017-2018. The Risk Management Plan takes into account the

Council’s size and the nature of its operations. The Council is a small, non-commercial,

government agency that is financially dependent on a Parliamentary appropriation. The

Council helped deliver the National Competition Policy (NCP) reform program Australian

governments committed to in 1995 until the conclusion of the NCP in 2005-06, and now

advises government Ministers concerning third party access to the services of national

monopoly infrastructure. In doing so, the Council advises governments and Ministers

(Commonwealth, state and territory), makes some (limited) decisions and consults with a

range of external stakeholders.

From 1 July 2014 the Council entered into a Memorandum of Understanding (MOU) with the

Australian Competition and Consumer Commission (ACCC), whereby the ACCC provides

secretariat services to the Council. Hence, rather than directly engaging staff (and other

resources), the Council draws on ACCC staff and resources when required. The new

arrangements are structured so as to maintain the Council’s independence, whilst enabling

the Council to provide high quality and timely recommendations in response to access-

related applications. The ACCC has its own Risk Management Policies, Procedures and

Guidelines which are applicable to its staff, including when they are undertaking Council

work. The Council and the ACCC have also put in place a Conflict of Interest Protocol, and

Confidential Information Protocol, for ACCC staff working on NCC matters.

3.2 Risk identification and treatment

The Council faces risks that may affect:

its reputation, and/or that of its Councillors and/or stakeholders in regard to quality

of the information, advice and recommendations it provides

its performance against strategic priorities, such as the achievement of legislated

milestones, and

the integrity of its decisions and processes.

As well as the strategic and performance-related risks inherent in its work, the Council also

enters into contracts of a commercial nature. This may create additional financial and

commercial risks.

For each category of risks it faces, the Council has assessed the likelihood and potential

consequences of an adverse event, prioritised each category of risks according to the

level of threat facing the Council and determined its risk appetite. The Council has then

determined strategies for managing risks, devoting greatest resources to the risks considered

to present a severe, substantial or major threat. (Appendix B identifies the potential risks

facing the Council and assesses and prioritises the level of threat posed by each risk.

Appendix C provides a Work Plan for managing the identified risks.)

Under the MOU, the ACCC provides a range of services to the NCC. This arrangement gives

rise to some risks that are shared between the entities (e.g. the provision of IT equipment


and payroll/accounting services). These risks are mitigated and managed through the risk

management frameworks, policies and strategies implemented by the ACCC. Furthermore,

the annual testing of ACCC/AER business continuity planning specifically includes

considerations of potential impact arising from an ACCC/AER business event to the Council;

and should such impact eventuate, the ACCC will notify the Council and/or the Council’s

Audit Committee.

3.3 Risk Management Plan: staff responsibilities

All ACCC staff working on Council matters are expected to contribute to minimising risks.

The Executive Director is responsible for ensuring that the risk management

processes and controls identified in the Work Plan are built into the strategic and

business planning of the Council.

The Executive Director is responsible for coordinating the implementation of the

Risk Management Plan and reporting to the Council in a timely and effective

manner.

The Executive Director is responsible for overseeing the implementation of

processes relevant to the Council’s work, including ensuring that ACCC staff working

on Council matters understand the Risk Management Plan and implement endorsed

processes.

The Council’s Audit Committee provides general direction on the scope and implementation

of the Risk Management Plan. The Audit Committee considers the Council’s performance

against the plan and reviews the Council’s risk management arrangements every 2 years.

(Appendix D summarises staff roles and responsibilities in relation to risk management.)

4 OUTCOMES

4.1 Deliverables

The key deliverables in the Risk Management Plan are the management actions identified in

the Work Plan (see appendix C).

To ensure effective achievement of the deliverables, the Council:

has educated staff it utilises from the ACCC on its risk management procedures and

trains additional contractors as appropriate

monitors performance against its Work Plan

monitors the risks associated with contractors and clients, and ensures that

management of risks is appropriately considered in contracts

incorporates consideration of risk management performance into the performance

assessment of the Executive Director

considers performance against the Risk Management Plan annually

includes risk management, code of conduct and fraud control awareness in

induction material for ACCC staff undertaking Council work, and

ensures the Risk Management Plan, any changes to the plan, and related

information are provided to ACCC staff that undertake Council work, and that the

plan is published on the Council’s website and ACCC intranet.

4.2 Financial implications

The costs of implementing the Risk Management Plan are predominantly ACCC staff time,


particularly that of the Executive Director. Given its small size, narrow set of functions and

relatively low risk environment, the Council does not allocate funding explicitly for risk

management activities.

There is expected to be a net benefit from the operation of the plan, arising from lower

costs from reduced:

staff time lost as a result of adverse events

litigation costs, and

insurance premiums.

There will, of course, be other gains such as benefits from the provision of better advice and

information to governments and other key stakeholders and improved morale.

5. REVIEW

The Risk Management Plan is reviewed every 2 years by the Audit Committee. The next

review will occur at the first meeting of the Audit Committee in 2020.


Appendix A Risk Management Policy Statement

1 The Council is committed to the management of risks to protect:

the governments it advises

its other stakeholders

its quality of service

its assets and intellectual property

its contractual and statutory obligations, and

its image and reputation.

2 Risk management is a key part of improving the Council’s business and services. The

Council’s aim is to achieve best practice in managing all risks.

3 Risk management standards involving risk identification and risk evaluation linked to

practical and cost-effective risk control measures are in place and are regularly

reviewed.

4 Risk management is a continuous process demanding awareness and proactive

measures by all the ACCC employees who perform Council work and outsourced

service providers to reduce the occurrence and impact of risk events.

5 The Council’s Risk Management Plan assists the Executive Director and ACCC staff

who perform Council work to apply appropriate risk management arrangements and

to develop skills in dealing with and understanding risk management. The main

elements of the program are:

development of risk management standards

assessment and prioritisation of the risks facing the Council with regular

review

reporting on risk management policy and any issues, and

education and training in risk management of ACCC staff who perform

Council work.


Appendix B Threats posed to the Council

Introduction

This appendix identifies the risks facing the Council and prioritises them on the basis of the

potential overall threat that each risk poses to the Council in the period 2018 and beyond.

Assessing the threat posed to the Council

The Council has estimated the potential threat posed by each category of risks on the basis of

the likelihood of occurrence of the risk (frequency or probability) and the expected

consequence (impact or magnitude). The basis for the Council’s assessment of potential

threats is set out in Table 1.

Table 1 Level of threat posed by risks: likelihood of occurrence and consequences of risks

Likelihood

Consequences

Extreme Substantial Medium Minor Negligible

Almost certain severe severe high major significant

Likely severe high major significant moderate

Possible high major significant moderate low

Unlikely major significant moderate low very low

Rare significant moderate low very low very low

Examples of the level of threat

1 - Severe: consequences would threaten the survival of the Council

2 - High: consequences are significant for the effectiveness, operations and reputation of

the Council, but are unlikely to threaten the survival of the Council

3 - Major: consequences are signif icant for particular programs and operations and

threaten continuation of those programs or impair their effective undertaking

4 - Significant: consequences adversely affect particular programs and operations and the

effectiveness of the Council

5 - Moderate: consequences may affect effectiveness of particular programs and

operations

6 - Low: minor consequences for the Council and/or particular programs and operations

7 - Very low: negligible consequences for the Council and/or particular programs and

operations

What is an acceptable risk?

Determining that a risk is acceptable does not imply that the risk is insignificant. A risk may

be considered to be acceptable because:


the threat posed is assessed to be so low (for example because the likelihood of

occurrence is rare) that specific treatment is not necessary

the risk is such that the Council has no available treatment, for example, the risk of a

change to a particular project might occur following a change of government

the cost of treating the risk is so high compared to the benefit from successful

treatment; or

the opportunities presented outweigh the threats to such an extent that the risk is

justified.

The Council is willing to accept significant, moderate, low or very low risks, and through the Executive Director and/or the President will act to monitor and manage severe, high or major risks. The Council has determined its risk appetite and associated management/treatment actions for each level of risks, as set out in the section below.

Treatment of risks

Treatment involves deciding what management measures need to be put in place to

minimise the threat posed by identified risks. Treatment options include:

measures aimed at avoiding or minimising the risk

measures to reduce the threat posed by the risk, either by reducing the likelihood of

the risk and/or its consequences

measures aimed at improving the capacity of the Council and the ACCC staff who

perform Council work to deal with actualised threats

transferring the threat by shifting the risk to another party via, for example,

contracting out or insurance, and

accepting the risk without taking any action to avoid it, but monitoring the risk and

ensuring that the Council has the financial and other capacities to cover associated

losses and disruptions.

Risk appetite and strategic approach to managing each level of threat

No. Level of threat Appetite Responsible officer(s) and action

1 Severe No appetite Executive Director to develop a detailed

management plan; specific management by the President and the Executive Director

2 High Low appetite

Executive Director to develop a detailed management plan; specific management by the President and the Executive Director

3 Major Moderate appetite

Ongoing monitoring and management action by the Executive Director

4 Significant Moderate appetite

Ongoing monitoring by relevant ACCC staff with action as necessary


5 Moderate Moderate appetite


6 Low High appetite


7 Very low High appetite

No action generally required

Risk register

Table 2 provides a register of the level of threat to the Council in the period 2018-19 from

identified, unmitigated risks.


Page 10

Table 2 Register of unmitigated risks and assessment of threat 2018-19

Threat Description of the risk Likelihood of

occurrence

Consequences of

occurrence

Assessed threat to the

Council

1 Political, funding or regulatory function changes that affect the Council Possible Extreme High (2)

2 Inability to maintain a quorate Council comprising appropriately qualified non-

conflicted Councillors

Possible Substantial Major (3)

3 Incorrect or poorly reasoned advice or information to the Treasurer, governments

or other stakeholders


4 Litigation against the Council arising from incorrect or poorly reasoned advice

or process


5 Damage to credibility from overturn of a recommendation Possible Substantial Major (3)

6 Inability to fund significant litigation Unlikely Substantial Significant (4)

7 Essential information lost, including information that is the property of external

parties

Rare Extreme Significant (4)

8 Secretariat arrangements with ACCC fail to support the Council’s independence,

including through actual or perceived conflicts of interest with the Council

Possible Medium Significant (4)

9 Financial loss, including due to fraud against the Commonwealth Unlikely Substantial Significant (4)

10 Failure of contractors to fully comply with their contract obligations Unlikely Medium Moderate(5)

11 Failure to meet reporting deadlines Possible Medium Significant (4)

12 Inability to keep Secretariat staffed with suitable personnel Unlikely Substantial Significant (4)

13 Lack of access to or failure of ACCC’s ICT and communications systems /equipment and support that the Council relies upon

Unlikely Medium Moderate (5)

14 Improper disclosure of information, including emails to Councillors Rare Substantial Moderate (5)

15 Councillor injury or illness due to workplace causes including official travel

(work health and safety matters)

Rare Medium Low (6)


Page 11

Appendix C Risk Management Action Plan 2018-19

Table 3 describes the risk management treatments (actions) to be implemented and the residual risk rating after treatment.

The Council is comfortable with the residual level of risk once the risk mitigation actions have been implemented.

Table 3 Risk Management Action Plan 2018-19

Risk Description of the risk Assessment of the threat posed

by the unmitigated risk

Risk mitigation action Timing of management

action

Assessment of the threat

posed after risk mitigation

action

1 Political, funding or regulatory function changes that affect the Council

High (2) 1. Contact with Commonwealth Ministers and Ministers from other jurisdictions and their advisors to explain access issues under Part IIIA and the National Gas Law

2. Contact with Treasury and other agencies to monitor potential changes in policy and legislation

3. Council participation where possible at senior level, in external processes covering areas of work that are relevant to the Council

All controls in place.

This risk is largely

outside Council’s control.

High (2)

2 Inability to maintain a quorate Council comprising appropriately qualified non-conflicted Councillors

Major (3) 1. Ministers and Treasury kept aware of their responsibilities on Councillor appointments

2. Three Councillors appointed

All controls in place

Significant (4)

3 Incorrect or poorly reasoned advice or information to the Treasurer, governments or other stakeholders

Major (3)

1. ACCC staff conducting Council work are appropriately supervised and monitored

2. Regular meetings with ACCC staff conducting Council work are held with Executive Director

3. Recognised economic and legal experts contracted to provide advice on significant matters where the Council does not have expertise

4. Council meetings to provide oversight and advice 5. Effective links with governments 6. Advices, information, etc to governments and others on sensitive and

key issues approved by Council, Executive Director and/or President

All controls in place

Significant (4)


Page 12




action



action

4 Litigation against the Council arising from incorrect or poorly reasoned advice or process

Major (3) 1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise

2. Council meetings to provide oversight and advice 3. Advice, information, etc to governments and others on sensitive and key

issues always approved by the Council, Executive Director and/or President


Executive Director monitors relevant APS processes.

Significant (4)

5 Damage to credibility from overturn of a recommendation

Major (3) 1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise

2. Council meetings to provide oversight and advice 3. Advice, information, etc to governments and others on sensitive and key

issues always approved by the Council, Executive Director and/or President

4. Best affordable legal representation is obtained


Executive Director monitors relevant APS processes.

Major (3)

6 Inability to fund significant litigation

Significant (4) 1. Insurance cover in place, reviewed annually 2. Appropriation available each year to cover normal legal costs and

measures to obtain additional funding if necessary

All controls in place. Appropriation (and reserves) sufficient to provide Council services including nominal budget allocation for external legal and

economic services.

Moderate (5)


Page 13




action



action

7 Essential information lost, including information that is the property of external parties

Significant (4) 1. ACCC staff conducting Council work are located in secure office buildings with access available only via access card

2. Data maintained on servers is backed up nightly and located off-site, managed by the ACCC

3. Effective electronic document management 4. Paper filing system monitored 5. Councillors implement basic security measures for their electronic

devices when using GOOD: including password protection and remote wipe capabilities (advice issued).

6. Files that contain sensitive information converted to pdf format and marked with appropriate document classification level

7. Council papers and other documents stored on Govdex or similar platforms, with access provided to Councillors (and ACCC staff as appropriate).


Effective document management system is managed by the ACCC’s systems

Significant (4)

8 Secretariat arrangements with ACCC fail to support the Council’s independence, including through actual or perceived conflicts of interest with the Council

Significant (4) 1. ACCC-NCC Conflict of Interest Protocol agreed between the agencies, and followed by ACCC staff

2. ACCC-NCC Confidential Information Protocol agreed between the agencies, and followed by ACCC staff

3. ACCC staff, including Executive Director, discharge duties to the Council in accordance with the Council’s direction

4. Regular consideration of matters at Council meetings to provide independent oversight of secretariat activities

5. External peer review mechanisms available to be utilised where cost-effective to do so

6. Periodic reporting by Executive Director to Council of ACCC staff working on NCC-related matters


Ongoing Council oversight on matters before it.

Significant (4)


Page 14




action



action

9 Financial loss, including due to fraud against the Commonwealth

Significant (4) 1. Financial delegations and established processes for approval of expenditure in place

2. Fraud Control Plan in place and regularly reviewed 3. Certificate of (financial) Compliance process undertaken annually


Delegations being reviewed and updated (expected completion in March 2018). Fraud Control Plan reviewed in March 2018.

Annual certificate of (financial) compliance / agency viability process undertaken in accord with Finance Minister’s requirements.

Moderate (5)

10 Failure of contractors to fully comply with their contract obligations

Moderate (5) 1. Performance of contractors against their obligations monitored 2. Arrangements for reporting to contractors on their performance relative

to their obligations in place 3. Contracts include, where feasible, performance indicators and penalties

for non-compliance


Low (6)

11 Failure to meet reporting deadlines

Significant (4) 1. Work program regularly reviewed 2. Project team meetings, as required, to review progress 3. Standardised application templates and processes with all information

required for public participation on the Council website 4. Strong emphasis placed on meeting statutory timeframes, including

reporting to Parliament in annual report


Council considers work program and oversees progress with major issues at meetings.

Moderate (5)


Page 15




action



action

12 Inability to keep Secretariat staffed with key personnel

Significant (4) 1. ACCC provides all secretariat services required by Council and has a large pool of staff available to it to perform its work

2. ACCC has an attractive work environment including diverse, challenging and rewarding work with maximum possible flexibility provided when possible

All controls in place and regularly reviewed.

Current workload on ACCC staff in relation to Council work is manageable.

Moderate (5)

13 Lack of access to or failure of communications systems / equipment managed by the ACCC

Moderate (5) 1. All equipment is managed by the ACCC. Refer to ACCC risk policy in this regard


ACCC has appropriate controls in place.

Moderate (5)

14 Improper disclosure of information, including emails to Councillors

Moderate (5) 1. Contracts incorporate Commonwealth G,overnment requirements 2. Arrangements for accepting and protecting confidential material in

place, including protocols for publishing applications and related material

3. Full listing of material relied upon included with every recommendation decision

4. Appropriate protection on Councillors’ electronic devices when using GOOD including passwords (see also item 7)

Council outputs developed under supervision of the Executive Director and reviewed by Council before release.

Councillors use password protection on electronic devices.

Moderate (5)


Page 16




action



action

15 Councillor injury or illness due to workplace causes including official travel (work health and safety matters)

Low (6) 1. ACCC Work Health and Safety Policy addresses most risks relating to the physical work environment

2. Appropriate insurance arrangements in place (Comcare, Comcover) including coverage for councillors travelling

3. Travel policy providing appropriate travel and accommodation arrangements in place

All controls in place, including annual review of insurance cover.

Low (6)

Risk Management Plan 2018

Appendix D Staff roles and responsibilities

Executive Director Oversees the implementation of the Risk Management Plan

Ensures the ongoing review of risks and update of risk registers is performed under

supervision by the Council

Encourages a management climate which is aware of and supports risk management

Oversees development of processes to deal with new risk management issues

Ensures risk management controls and processes are built into strategic planning

processes

All ACCC staff whom perform Council work

Identify new risk management issues and report problems to the Executive Director

in a timely and effective manner

Assist in developing processes to deal with new risk management issues

Risk Management Plan 2018

Appendix E Business continuity

The Council has no APS staff or offices under the secretariat arrangements with the ACCC,

and therefore relies upon the ACCC’s business continuity plan in most respects (which also

takes into account the NCC’s business needs).

Continuation of ICT services and legal services

All the Council’s ICT services are managed by the ACCC. The ACCC server, which holds the

Council’s data, is backed up and stored offsite in Canberra. Accordingly, the risk of data loss is

minimised in the event of damage to the ACCC office premises or server. The risks of

managing these systems are met by the ACCC.

The Council purchases legal services using the APS Legal Services Multi-use List (or

equivalent). While bearing in mind possible conflicts of interest, the Council anticipates that it

should have little difficulty obtaining the legal services it needs from firms on the APS list.

risk management plan 2018-2020

Documents