FOI 20/21-0879
DOCUMENT 1
National Disability Insurance Agency
Risk Management Framework
September 2014
Page 1 of 292
FOI 20/21-0879
Contents
Introduction ............................................................................................................................................ 3
Chapter 1: Scheme Governance ............................................................................................................. 4
Chapter 2: Strategic Goals and Risks ....................................................................................................... 6
Chapter 3: Risk Tolerance Statement ..................................................................................................... 8
Chapter 4: Risk Management Strategy ................................................................................................. 22
Risk Governance................................................................................................................................ 25
The Risk Management Process ......................................................................................................... 30
Risk Management Reporting Responsibilities .................................................................................. 38
Communication and Culture ............................................................................................................. 40
Risk Management Function .............................................................................................................. 41
Compliance ....................................................................................................................................... 41
Review of the Framework ..................................................................................................................... 44
Attachment A: NDIA Strategic Plan 2013 - 2016................................................................................... 45
September 2014
Page 2 of 54
Page 2 of 292
FOI 20/21-0879
Introduction
The National Disability Insurance Scheme (NDIS) is a once in a generation economic and social
reform which has been agreed to by all governments and will benefit all Australians.
The NDIS is an exemplar of governments doing what people cannot do for themselves.
People with disability are at the centre of the NDIS, and the Board and management of the National
Disability Insurance Agency (NDIA) are committed to working with stakeholders—participants, their
families, carers, governments, providers, business and community —to build a world leading
disability system.
Starting with the current launch phase 2013–2016 and building to full scheme, the Board is
committed to building a sustainable, flexible and responsive NDIS, which makes a real difference to
the lives of people with disability, their families and carers and their integration and inclusion in
community.
Achieving this goal will require clear focus on critical priorities; careful management of risks; and
excellent implementation.
No one should underestimate the significance of the NDIS and the transformation it brings for
people with disability, their families and carers and all Australians. True integration and inclusion in
mainstream community, socially and economically, is the ultimate goal.
To ensure that the NDIA is a high performance organisation, which forever changes Australia’s
disability system into one which is equitable, efficient, sustainable and based on choice and control,
will require regular reviews of the NDIA’s own performance and a culture of continuous learning.
The NDIA needs to manage the balance between choice and control and reasonable and necessary
supports to ensure the Scheme is equitable and sustainable for all Australians. Underpinning the
Scheme with insurance-based principles and processes will enable the NDIA to achieve this.
The NDIS is also a critical part of the National Disability Strategy (NDS) which states that the
community, government and industry must work together to address the challenges faced by people
with disability. This joint responsibility is essential for the NDIS to be a world leader. The NDIS will
share responsibility with the community and Australian governments to develop an inclusive society
in which the economic, education and social participation of people with a disability is maximised.
There are significant risks inherent in such a large and ambitious initiative. This document describes
how the NDIA sets out to manage those risks.
September 2014
Page 3 of 54
Page 3 of 292
FOI 20/21-0879
Chapter 1: Scheme Governance
The Scheme is funded jointly by the Commonwealth, State and Territory Governments. It is
administered by the National Disability Insurance Agency. The NDIA is established under
Commonwealth legislation (the
National Disability Insurance Act 2013), and funded by the
Commonwealth Government. The Agency is governed by a Board, appointed by the Commonwealth
Minister with the support of State and Territory Governments. The Board is advised by an
Independent Advisory Council, also appointed by the Commonwealth Minister with the support of
State and Territory Governments.
The Agency was established as a statutory authority under the
Commonwealth Authorities and
Corporations Act 1997, and is now a corporate entity under the new
Public Governance Performance
and Accountability Act 2013, which came into effect on 1 July 2014.
Broadly, the Board is responsible, under the
National Disability Insurance Act 2013, for ensuring the
proper, efficient and effective performance of the Agency’s functions; and for determining the
objectives, strategies and policies to be followed by the Agency. In discharging these
responsibilities, the Board is also bound by two pieces of subordinate legislation, the
National
Disability Insurance Scheme – Rules for the Scheme Actuary 2013, and the
National Disability
Insurance Scheme – Risk Management Rules 2013. Accordingly, the Board has established two
committees, the Sustainability Committee and the Audit and Risk Committee.
The Board has developed a Strategic Plan for the years 2013-2016, which sets out three key goals,
and success indicators for each. The indicators are drawn from the Integrated Performance
Reporting Framework (IPRF), which was agreed in the Intergovernmental Agreement at the Council
of Australian Governments. A copy of the Strategic Plan 2013-2016 is at Attachment A.
In relation to risk management, the Board uses Prudential Standard CPS 220, promulgated by the
Australian Prudential Regulation Authority, as the best practice standard it seeks to emulate, in
addition to meeting the requirements of the
Risk Management Rules. Generally accepted
international risk standards, and in particular, ISO 31000:2009: Risk management – principles and
guidelines, and other legislative requirements, are also factored in to the development of the Risk
Management Framework.
Complementing Agency-specific risk management activities is the important and ongoing role of the
State and Territory Governments in reviewing quality and system safeguards of service providers
that support the Agency in managing the overall integrity of the Scheme’s operation.
The Board freely accepts that it is ultimately responsible for ensuring that the Agency has a risk
management framework that is appropriate to the size, business mix and complexity of the Agency
and the Scheme. It is responsible for defining the Agency’s risk appetite and establishing a risk
management strategy, and ensuring that a sound risk management culture is established and
maintained throughout the Agency.1 Further, the Board accepts that requirements for the
framework will change over time, as the Scheme expands in line with agreements made by
participating Governments.
Consistent with the responsibilities of a Board articulated in CPS 220, and in accordance with section
8 of the
Risk Management Rules, the Board formulates a Risk Management Strategy for the Agency,
which is to be approved by the COAG Disability Reform Council (CDRC). The Strategy is reviewed and
submitted to the CDRC for approval annually, or if significant changes are made through the year. A
Risk Management Strategy was submitted to the CDRC in March 2014 and approved by that body.
1 CPS 220, para. 13. The Risk Management Framework, in accordance with CPS 220 (para. 22) is ‘the totality of
systems, structures, policies, processes and people ... that identify, measure, evaluate, monitor, report and
control or mitigate all internal and external sources of material risk…”
September 2014
Page 4 of 54
Page 4 of 292
FOI 20/21-0879
Since then, the Strategy has been further developed. The version incorporated in this document is
intended to replace the earlier version approved by the CDRC.
The Board’s Audit and Risk Committee provides oversight for the Agency’s implementation of the
Risk Management Framework and Strategy, as well as seeking independent assurance on the
appropriateness, effectiveness and adequacy of the Risk Management Framework and the Agency’s
risk management activities.
At the Agency-wide level, the Board have approved the following risk governance arrangements:
The Chief Executive Officer (CEO) has overall responsibility for how risks are managed by the
Agency;
The Agency Executive is responsible for ensuring key risks to the NDIA’s objectives are
identified, understood, and adequately managed;
The Board Audit and Risk Committee is responsible for monitoring the risk management
process and providing independent assurance and assistance on risk management to the
Board;
The Agency’s Assurance, Audit and Risk Committee is responsible for internal advice and
assurance to the Executive Management team and CEO on relevant risk management
matters within the Agency;
The Board’s Sustainability Committee is responsible for monitoring and reporting to the
Board on the financial sustainability of the Scheme and whether the Scheme objectives are
being met; and
The Board, in accordance with section 10 of the
Risk Management Rules, makes an annual
declaration to the COAG Disability Reform Council (CDRC) on the appropriateness and
effectiveness of the Agency’s risk management strategy.
September 2014
Page 5 of 54
Page 5 of 292
FOI 20/21-0879
The Board reviews and approves the Risk Management Strategy annually. The Strategy reflects, as a
minimum, the requirements specified in the
NDIS – Risk Management Rules 2013, and in accordance
with those rules, is sent to the COAG Disability Reform Council (CDRC). The CDRC approved the first
Risk Management Strategy at its meeting on 24 March 2014.
The Strategy covers the risk governance relationship between the Board, committees of the Board
and the senior management of the Agency; the processes for the Agency to identify and assess risks,
establish mitigation and control mechanisms for individual risks and monitoring and reporting issues
in relation to risk; how the Agency will raise staff risk awareness and develop an appropriate risk
culture; specific risk management roles and responsibilities; and the annual review process by which
the Board will assess the effectiveness of its Risk Management Framework in identifying, measuring,
evaluating, monitoring, reporting and controlling or mitigating material risk.
It is the responsibility of Agency management to implement the Strategy, in accordance with the
procedures set out in this Risk Management Framework, and supported by the material on the staff
intranet.
September 2014
Page 7 of 54
Page 7 of 292
FOI 20/21-0879
Chapter 3: Risk Tolerance Statement
CPS 220 requires the Board to establish the Agency’s risk appetite, and approve its risk appetite
statement. The Board departs from the intent of the APRA standard in one crucial way. APRA-
regulated bodies are commercial entities that deliberately take on risk in order to make a profit. The
NDIS, by way of contrast, does not generally seek to take on risk. Rather, it seeks to manage the
risks that are inherent in its role and to reduce them to tolerable levels to ensure that expenditure is
controlled and outcomes achieved in accordance with agreements made by participating
Governments. It is therefore generally more accurate to refer to the Agency’s risk tolerance than its
risk appetite.
A consolidated report on performance against Key Result Indicators of risk will be brought to the
Board quarterly. It is envisaged that, once the Board has sufficient evidence to identify trends in the
KRIs, ranges of tolerance will be determined. Reporting will then move to this basis.
Strategic Goal 1: People with disability are in control and have choices, based on the UN
Convention on the Rights of Persons with Disabilities
The Board has identified three key risks to the achievement of this goal, which are discussed below.2
1. The Agency fails to build the capacity of people with disability to exercise choice and
control
The exception to the Board’s aversion to risk concerns the means by which the Agency gives effect
to the fundamental principles of choice and control, and particularly how the Agency supports the
dignity of risk, through its own business practices, and through contractual partners such as
Disability Support Organisations. The “dignity of risk” means supporting individual participants to
acquire new skills and capabilities that help them achieve their goals through prudent risk taking.
Within these parameters, however, it is important for the Agency to ensure that this is “not
equivalent to encouraging recklessness; allowing risk does not mean being unsafe or setting people
up to fail.”3
The Board envisages that measurement of the exercise of choice and control will become more
sophisticated over time, as the number and capacity of participants and experience of the Agency
grows. The Board has identified a set of measures to use in the interim, which are set out below.
The Board accepts that providing participants with genuine choice and control means that some
funds will be spent ineffectively. Where participants opt to self-manage their packages of support,
there is a further risk that some funds will be spent inappropriately, that is, will not be directed
towards achieving desired outcomes. Further, in encouraging innovation, as required under the
legislation, the Agency must accept the risk of failure, where funding does not achieve anticipated
outcomes.
Guidelines have been issued to planners to assist them in the task of working with participants and
their supporters to construct support packages which maximise choice and control within the
overarching parameters established by the legislation. The legislation (section 34) stipulates that, in
addition to general supports, “reasonable and necessary supports” that will be funded must satisfy
all of the following criteria: assist the participant to pursue the goals, objectives and aspirations
included in the participant’s statement of goals and aspirations; assist the participant to undertake
activities that facilitate social and economic participation; represent value for money; will be, or are
likely to be, effective and beneficial for the participant, taking current good practice into
consideration; take account of what it is reasonable to expect families, carers, informal networks
2 Board meeting, 23 April 2014.
3 Opportunity for Independence - Dignity of Risk ( http://ofiinc.org/dignity-risk-0 ) accessed 19 February 2014
September 2014
Page 8 of 54
Page 8 of 292
FOI 20/21-0879
and the community to provide; and are most appropriately funded through the NDIS, rather than
other service systems.
As part of the Agency’s commitment to continuous learning, these Guidelines are revised regularly in
the light of the developing body of actuarial evidence.
Within the Agency’s Fraud Control Framework, a suite of analytical programs is run, designed to
detect anomalies and patterns of expenditure. Instances are investigated further to identify wilful
and persistent misuse of funds, and take appropriate action.
In summary, the Board accepts that, in giving effect to the legislative requirement to promote
individual choice and control, it is likely that some funds will be spent ineffectively or
inappropriately. The Board accepts this risk, but seeks to mitigate its impact through guidance to
staff and participants, and an active fraud detection program. Building participant capacity to make
informed choices will also operate to mitigate this risk. Given the measures in place under the Fraud
Control Framework, the Board believes the residual risk of fraudulent activity by participants is
acceptable.
Key Result Indicators The percentage of plans managed by participants, in whole or in part;
The percentage of plans managed by a plan facilitator;
The percentage of plans that contain a flexible provision, that is, an amount allocated but
where a specific purpose is not specified;
The percentage of plans managed by the Agency;
The percentage of participants accessing services provided by Disability Support
Organisations or Local Area Coordinators;
Proportion of participants participating in the labour force;
Proportion of participants who participate in social and community activities;
Proportion of carers with increased opportunities for economic or social participation;
The percentage of participant plans where misuse of funds occurs; and
The amount of funds that are misused.
2. The Agency fails to promote the independence and social and economic participation of
people with disability
The Agency is legislatively obliged to “support the independence and social and economic
participation of people with disability”, and further, to fund reasonable and necessary supports that
“develop and support the capacity of people with disability to undertake activities that enable them
to participate in the community and in employment.”4 In so doing, Agency staff encourage
participants, and their families and carers where appropriate, to articulate a participant’s goals
(desired outcomes) for independence and community and economic participation in consultation
with relevant Disability Support Organisations. Agency planners also work with participants, and
their families and carers as appropriate, to develop a package of reasonable and necessary support
to help them achieve those outcomes. As part of this process, Local Area Co-ordinators facilitate
access to existing supports available, from either informal networks or mainstream services.
The quality of advice given by Agency staff is an important element of the development of
appropriate packages of support. The Agency has mandated selection criteria for staff employed as
planners that include understanding of the needs of people with disability or lived experience with
disability. Additional guidance is available through material available to staff on the intranet, and a
peer review process examines a sample of plans and provides feedback as part of the Agency’s
4
NDIS Act 2013, section 3(1)(c) and 4(11)
September 2014
Page 9 of 54
Page 9 of 292
FOI 20/21-0879
commitment to continuous learning. Guidance on available and appropriate supports is also
provided through decision support tools based on actuarial evidence.
The Board has established an Outcomes Framework Reference Group led by the Scheme Actuary to
consider how best to measure individual outcomes for participants. The outcomes framework will
link to the NDIA Strategic Plan and the operations performance framework that is being developed.
Phase 1 of the project produced a review of existing national and international outcomes
frameworks. This information is being distilled to produce recommendations for individual outcome
measurement domains and indicators. Phase 2 of the project (July to December 2014) will involve
consultation with key stakeholders, finalisation of the framework, and implementation.
The Board considers that these measures work effectively to ensure that the Agency supports
participants in setting their goals and developing packages of support that will achieve their desired
outcomes. However, the Board recognises that errors of judgement will be made, and that
consequently there will be instances when goals and packages of support do not effectively support
the achievement of independence or social or economic participation. The quality assurance
arrangements instituted by the Agency are designed to ensure that the prevalence of such errors is
kept within best practice benchmarks.
However, achievement of desired outcomes is also contingent on the capacity of support providers
to meet the demand. This is linked to Strategic Risk numbers 12 and 13, and is explored more
thoroughly below. Briefly, there is a significant risk of market failure – that is, insufficient service
providers to meet demand - in some areas, particularly in rural and remote regions of Australia. The
Board’s capacity to influence the availability of providers to meet demand is limited. Building
disability sector capacity and building service provider readiness are two of the seven priorities
targeted for sector development funding but the Board accepts that the residual risk of some market
failure is high, and that fully effective mitigation strategies are beyond its capacity.
As noted above in relation to Strategic Risk number 1, the Board accepts that one of the
consequences of supporting individual choice and control and the dignity of risk is that, in some
instances, funded supports will not achieve the desired outcomes. The Board aims to manage the
incidence of failure, but accepts that this is not totally within its control.
Key Result Indicators The proportion of participants achieving plan goals, across all life domains;
The delivery of agreed supports as planned;
Participant/carer satisfaction rates;
The percentage of working age participants engaging in paid employment; and
Quality of staff decision making.
3. The Agency fails to establish mechanisms which effectively measure social and economic
outcomes and exercise of choice and control
In the interests of transparency and accountability, the Board is concerned to ensure that the
Agency demonstrates the effectiveness of its efforts to achieve the outcomes for the Scheme
envisaged by participating Governments and specified in the enabling legislation. Over the period of
the first Strategic Plan, the Board has given priority to robust measurement in the two key areas of
social and economic participation and exercise of choice and control.
The Scheme Actuary is leading an Outcomes Framework Reference Group to consider how best to
measure individual outcomes for participants. The outcomes framework will link to the NDIA
Strategic Plan and the operations performance framework that is also under development. Phase 1
of the project is complete, and has produced a review of existing national and international
outcomes frameworks. This information is being distilled to produce recommendations for
September 2014
Page 10 of 54
Page 10 of 292
FOI 20/21-0879
individual outcome measurement domains and indicators. Phase 2 of the project (July to December
2014) will involve consultation with key stakeholders, finalisation of the framework, and
implementation.
Measurement of the achievement of social and economic outcomes is contingent on the
specification of appropriate goals in participant plans. A participant’s success or otherwise in
achieving the goals they set for themselves is assessed as part of the plan review process. A three-
point measurement scale is used: achieved, partially achieved, not at all achieved; and each goal in a
participant’s plan is assessed. In this context, it is important to note again that the Board accepts
that some participants will not achieve their goals, or will only partially achieve them, and that this is
consistent with supporting the dignity of risk. The Board notes that the results of the internal quality
assurance regime in relation to the quality of participant plans are an important contributor to
management of this risk.
Limitations of the current IT system may compromise the capacity of the Board to obtain sufficiently
granular information to measure outcomes effectively in the short term. This is discussed further in
relation to Strategic Risk number 6 below. The Board’s approach to management of Strategic Risk
number 3 is twofold. In the first instance, the Board seeks assurance about the integrity of data in
the current participant management system, and looks to internal quality assurance and audit work
to provide that assurance. Secondly, the Board’s IT and Sustainability Committees are providing
oversight and input into specification of system requirements for the long-term IT solution.
Key Result Indicators Internal quality assurance results on the quality of plans;
Internal audit findings on data integrity
Strategic Goal 2: The National Disability Insurance Scheme (NDIS) is financially sustainable and
governed using insurance principles
The Board has identified seven key risks to achievement of this goal.
4. The Agency fails to meet support package needs within available funding envelopes
Participating Governments have made commitments to a significant amount of funding for the NDIS
(although the Commonwealth Government is responsible for 100% of the funding for the
administration of the Scheme, that is, for the National Disability Insurance Agency). The extent of
this commitment to packages of support, over the period of the 2014-15 Budget forward estimates,
is shown in Table 2 below.
Table 2: Expenses for packages of support over the period of the 2014-15 Budget forward
estimates5
Expenses
1
2013-14
2014-15
2015-16
2016-17
2017-18
Estimated
Budget
Forward
Forward
Forward
actual ($‘000)
($’000)
estimates
estimates
estimates
($’000)
($’000)
($’000)
148,403
458,255
851,076
3,447,796
9,749,457
The Agency needs both to achieve Scheme outcomes within the available funding envelope and to
demonstrate the wise use of those funds.
The Board regards this as one of the highest risks the Agency faces. The Board has established the
Sustainability Committee (which currently comprises all Board members) to focus predominantly on
this risk. The Committee uses actuarial data and projections to monitor commitments and actual
5 Source:
Portfolio Budget Statement 2014-15, Budget Related Paper No. 1.15A, Social Services Portfolio, p. 236
September 2014
Page 11 of 54
Page 11 of 292
FOI 20/21-0879
expenditure on packages of support, and cash flows. In addition to aggregate data, this monitoring
includes examination of types of support against a range of demographic indicators (for example,
age cohort and primary disability), life domain, and trial sites. The Board expects that its capacity to
demonstrate that packages of support fall within anticipated actuarial ranges and achieve outcomes
effectively while providing value-for-money will increase over time with the growth of the
participant population and experience. The Board is committed to communicating regularly with
Governments on progress with achieving the objectives set for the Scheme, through its quarterly
and annual reports, meetings with individual Ministers, and the CDRC, the reporting obligations of
the Scheme Actuary set out under section 180B of the
NDIS Act 2013. This includes reporting on
proposed remedial action to address any identified issues, which might threaten long-term
sustainability or the short term funding envelopes.
However, the Board acknowledges that the commitments by Governments were made on the basis
of the best information available at the time, particularly through the work of the Productivity
Commission, and that the Agency’s capacity to manage within the available funding envelope may
be impacted by the level of unanticipated need for support. Should this risk emerge, the Board is
committed to resolving it in consultation with participating Governments.
Key Result Indicators total payments compared with actuarial projections;
number of support packages within expected ranges;
growth in future commitments as forecast by the Scheme Actuary
5. The Agency fails to deliver operational capability within available funding envelopes
With trivial exceptions, the Board has no independent sources of revenue. It is entirely dependent
upon funds appropriated by the respective Parliaments. The Commonwealth Government bears all
the costs for the administration of the Scheme, with the exception of a $25 million contribution from
the Victorian Government to assist with the location of the National Office in Geelong. Anticipated
operating expenses (excluding capital) for the period of the 2014-15 Budget forward estimates are
shown in Table 3 below.
Table 3: Agency Operating Expenses over the period of the 2014-15 Budget forward estimates6
Expenses
2013-14
2014-15
2015-16
2016-17
2017-18
Estimated
Budget
Forward
Forward
Forward
actual ($‘000)
($’000)
estimates
estimates
estimates
($’000)
($’000)
($’000)
120,679
162,661
203,399
692,717
1,345,521
Projected growth in expenditure across the outyears is linked to the planned expansion of the
Scheme. The Board notes that the details of the expansion are being negotiated with States and
Territories, and that agreement is not scheduled for conclusion until March 2015. Furthermore, the
Board has commissioned advice from KPMG on the best means of achieving the transition to full
scheme and may wish to suggest to participating Governments that an alternative approach be
followed.
The Board closely monitors Agency expenditure, and focuses on both efficiency and effectiveness in
its scrutiny. An Audit and Risk Committee has been established to assist in this process. The Board
also commissions independent advice to provide assurance of the Agency’s capacity to achieve
mission-critical goals. Recent examples include the review of Agency capability, and the review of
6 Source:
Portfolio Budget Statements, p. 240. Note: The Commonwealth contributes 100% of Agency
operating costs.
September 2014
Page 12 of 54
Page 12 of 292
FOI 20/21-0879
the Agency’s preparedness to transition to full scheme. The Board requires management to develop
an action plan to address any gaps identified by external reviewers, and monitors the
implementation of these plans. The Board places a high priority on managing within funding
allocations, and is not prepared to countenance an operating deficit.
The Board is also committed to building a culture of continuous learning in the Agency, and this is
seen as a strategic priority (see the discussion on Strategic Risk number 15 below).
Notwithstanding this, the Board recognises that the Agency’s operating budget is determined by the
Commonwealth Government, and is subject to whole-of-Government fiscal policies and priorities.
For instance, it is required to meet efficiency dividends. Given that the Agency’s operations are
largely driven by inter-governmental agreements on participant phasing and full scheme rollout,
there is a risk that continued reductions in the operating budget will compromise the Agency’s
capacity to transition to full scheme as scheduled. Further, such reductions could compromise the
Agency’s capacity to provide adequate assistance to participants in developing the plans that
underpin packages of support. The Board is committed to achieving efficiency gains to forestall
these outcomes. Should they nevertheless appear likely to eventuate the Board will advise the
Commonwealth Minister promptly, and work with relevant Commonwealth agencies to resolve the
issue.
The Board also notes in this context that the target of a 7% Agency operating expenses ratio at full
scheme, specified in the Intergovernmental Agreement, is ahead of any performance currently being
achieved in comparable sectors.
Key Result Indicators operating expense ratio compared with the target specified in the IGA;
access and planning completed on time (noting that this is contingent upon adequate
resourcing);
degree to which predicted growth in future operating expenditure is within forecast levels
6. The Agency fails to identify and mobilise IT resources to meet the needs of actuarial and
management reporting
As managers of an insurance scheme, the Agency relies heavily on access to accurate,
comprehensive and timely data and performance information. The Board accepts that the current
participant management system was built for an envisaged three-year trial period. Further, it was
developed within compressed time frames, and before many of the fundamental aspects of Scheme
design had been agreed by participating Governments. The Board concurs with the advice provided
in the review of Agency capability, that this system is not fit-for-purpose for the full scheme.
The Board also recognises that, in preparing for launch, decisions were made about supporting IT
business systems (financial and HR management, records management etc.) primarily on the basis of
what could be deployed quickly, rather than what would best meet the Agency’s needs into the
future.
The Agency is in the process of securing funding for a longer-term IT solution that is fit-for-purpose
and the Board’s IT Committee is overseeing this work. The Scheme Actuary is prominently involved
since her requirements are pre-eminent.
An important dimension to this project is investigating options that will give the Agency flexibility to
meet changing operational requirements, while still providing value-for-money. It is the
Commonwealth Government which will fund the system as part of the Agency’s operating costs.
Given the constrained fiscal outlook at the Commonwealth level, there is a risk that funding for the
optimal solution will not be available, or will not be available within timeframes that meet the
Agency’s operating requirements in expanding to full scheme coverage, or will force the Agency to
September 2014
Page 13 of 54
Page 13 of 292
FOI 20/21-0879
adopt an ICT solution that is not the most appropriate to meet the Agency’s business needs. The
consequences of this are potentially very severe, in terms of both community confidence and the
breach of intergovernmental agreements that would result. The Board will give high priority to
convincing relevant stakeholders of the fundamental importance of a fit-for-purpose IT system.
Key Result Indicators timely and appropriate actuarial reports;
financial condition and management reports;
no significant integrity and/or audit issues;
delivery of IT solution within timeframes and budget.
7. The scope and scale of participation exceeds Scheme design – more people with
permanent and significant disabilities
Modelling for the Scheme design, and consequent agreements on funding, were based primarily on
the work of the Productivity Commission. In turn, the Productivity Commission relied on the best
information available at the time. The Board places a high priority on monitoring actual
participation data and testing the assumptions of the Productivity Commission through actuarial
modelling of experience with the Scheme. The importance of this effort increases as the Scheme
expands, as it is critical to understanding the prevalence of disability in the Australian community.
It is possible that the number of eligible people with disability will exceed the projections used for
Scheme design. The Board’s Sustainability Committee is working closely with the Scheme Actuary to
contribute to the considerations regarding actuarial modelling of financial sustainability, which will
include an estimate of the eligible population. The Agency is working with appropriate officers in
participating Governments to ensure that the implications of any significant variations to projections
are addressed in a timely manner, and do not impact on the achievement of Scheme objectives.
However, this remains largely beyond the control of the Board and would ultimately have to be
resolved in consultation with participating Governments.
Of course, the Board has the capacity to influence the quality of decision making by Agency staff,
and to ensure that the eligibility criteria in the legislation are properly applied. The Board scrutinises
closely the results of the Agency’s quality assurance regime. As part of the commitment to
continuous learning, the Board also gives priority to the refinement of guidance to staff, to ensure
that experience with the Scheme enhances decision making processes. The Board is confident that,
insofar as it is able to influence the parameters within which staff makes decisions, the residual risk
of incorrect decisions on eligibility is low.
Key Result Indicators number of participants;
number of participants with approved plans;
number of successful AAT reviews (eligibility decisions)
8. The scope and scale of supports exceed Scheme design – cost of reasonable and necessary
supports
In addition to participant numbers, the other major cost driver for the Scheme lies with the packages
of support. Individual packages vary widely in size according to the needs of participants and cost
estimates are based on actuarial work done for the Productivity Commission.
The Sustainability Committee receives detailed reports from the Scheme Actuary on packages of
support, disaggregated according to various factors including trial site, primary disability, and type
and severity of support need. Actuarial monitoring works to compare the actual experience with
September 2014
Page 14 of 54
Page 14 of 292
FOI 20/21-0879
expected ranges and types of support by different cohorts. Analysis of these data forms an
important part of the continuous learning processes of the Agency, and is used both to refine advice
to staff on what constitutes “reasonable and necessary” support, and also to provide feedback to
operational managers.
The Committee escalates issues for Board consideration as necessary. Its scrutiny of actuarial
reports considers both the cost of packages against expected ranges, and also whether packages are
structured to achieve participant outcomes effectively.
The Board is confident that management processes operate effectively to minimise the risk of
uncontrolled or unnecessary expenditure at the level of individual packages.
The Board has limited capacity to control the support provider market, and pressures from providers
to increase rates of reward for individual items of support. As part of its commitment to stakeholder
engagement, the Board works to understand market and other cost drivers for providers, and to
ensure that the rates it approves are reasonable. However unless supply of supports increases in
line with demand it is to be expected that price pressures will emerge as more and more participants
gain access to the Scheme. The Board will advise Governments promptly if this risk eventuates and
will work with them to find the most acceptable and effective ways to alleviate cost pressures on the
Scheme.
Key Result Indicators Trends in:
average annualised package size;
distribution of annualised package sizes;
number of support packages; and
total package costs.
Number of AAT appeals (funded supports decisions)
9. A reduction occurs in the level of family and community supports and in personal
responsibility
The Board accepts that some reduction in voluntary contributions to care and support is a likely
consequence of the achievement of Scheme objectives to promote participants achieving
independence, where supports previously provided by families are funded under packages. The
Board also accepts that supports to achieve economic participation may in some cases be in lieu of
informal care arrangements. However, the Board is concerned to avoid the potential that
misunderstanding in the community of the role of the NDIS lead to a withdrawal of existing informal
supports that has the consequence of increasing demands from people with disability for support.
To this end, the Board will be looking to measure the impact of Tier 2 supports in assisting people
with disability.
The Board notes that costs and benefits of the Scheme need to be seen in the broader economic
context, and that increasing the capacity of people with disabilities and their carers to engage in paid
work is one of the major outcomes set for the NDIS by Governments. The Board is concerned to
ensure that, as the Scheme grows, mechanisms are in place to estimate the broader economic
impact of the NDIS.
However, the Board is also cognisant of the fact that Governments agreed a Scheme that included
specific provision for the recognition of continued informal care arrangements in the mix of total
supports provided to participants. To this end, the planning process considers participant goals, and
existing informal care and mainstream supports, when discussing what additional supports it is
reasonable and necessary to fund under the Scheme. The Board reports annually to the COAG
Disability Reform Council on the proportion of carers with increased opportunities for social and
September 2014
Page 15 of 54
Page 15 of 292
FOI 20/21-0879
economic participation, and the proportion of carers receiving additional support. Through its
Sustainability Committee, the Board also monitors the overall level of care provided to participants
through funded packages of support, and actuarial data are being developed that will be used to
monitor whether or not this falls within expected ranges.
Key Result Indicators The extent to which the following fall within expected ranges:
participants accessing mainstream services;
successful referrals to mainstream services;
community capacity/funding activities undertaken
10. The Agency fails to invest in a lifetime approach, including early intervention
The Board pays close attention to monitoring of long-term cost projections, noting that at this early
stage of the Scheme’s existence, the database supporting such analysis is comparatively small, and
wide variances can be expected as the Scheme grows. The Board’s strategies for managing this risk
include ensuring staff understand and apply the insurance principles on which the Scheme is based,
promoting and monitoring the longer-term return on investment from early intervention, and
supporting and promoting a willingness to fund innovative approaches to supports and the ways
they are delivered. The Board is also considering how to foster innovation as part of its
consideration of market development issues.
In so doing, the Board accepts the risk of failure inherent in supporting innovation, and will tolerate
such failures as long as the total costs involved are within reasonable levels. Initially, the Board is
monitoring trends in outcomes from innovation, with the aim of setting tolerance levels when the
evidence is sufficient to allow defensible measures to be established.
The Board also acknowledges that some early interventions will not deliver anticipated outcomes,
and is prepared to accept this risk as long as overall levels of achievement of Scheme objectives
remain high.
The Board’s Sustainability Committee provides detailed scrutiny and oversight of strategies to
manage this risk, as it is fundamental to the success of the Scheme being run on insurance principles.
The Committee is examining methods to provide a robust estimate of baseline costs without
intervention for the full scheme, which can be used over time to track the effectiveness of early
intervention measures.
Key Result Indicators number of participants with early intervention supports;
proportion with reduced future needs after intervention;
research and innovation expenditure
difference between actual scheme costs and projected baselines costs for full scheme.
Strategic Goal 3: The community has ownership, confidence and pride in the National Disability
Insurance Scheme and the National Disability Insurance Agency
11. Stakeholders perceive that the Scheme has failed to meet the needs of people with
disability and/or is too costly
The Board’s Stakeholder Engagement Strategy gives priority to active communication with
stakeholders at all levels, including participating Governments, people with disability, their families
and carers, the disability sector and the broader community. In this, the Board is assisted by the
work of its Independent Advisory Council, which has a work plan focused heavily on consultation and
feedback.
September 2014
Page 16 of 54
Page 16 of 292
FOI 20/21-0879
The Board is committed to open and transparent operations, including the provision of extensive
information about the Scheme and the Agency on a website that is fully accessible. This includes
publication of the Board’s reports to the COAG Disability Reform Council, and reports from the
Scheme Actuary, as well as promulgation of the rules and operating guidelines used by Agency staff
in making decisions about eligibility and provision of supports. The Board also encourages feedback
from stakeholders about any aspect of the Agency or Scheme operations, through the website, and
through targeted consultations.
Additionally, the Board actively seeks feedback on the quality of service and performance of the
Agency through participant satisfaction surveys. The NDIS website also includes a capacity for
providing feedback, making complaints, and for participants to lodge appeals against decisions.
As part of its commitment to continuous learning, the Agency uses the technique of co-design
workshops when developing or reviewing basic business processes for participants, their families
and carers, and providers.
The hearings and reports of the Joint Standing Committee of the Commonwealth Parliament are a
further source of information about the impact of the Scheme on participants.
The Board is of the view that its commitment to genuine engagement and communication with
stakeholders, and its active management of the quality of service and performance of the Agency,
work to ensure that this risk is well managed.
Key Result Indicators complaints /compliments;
stakeholder satisfaction surveys;
the Scheme Actuary reports negatively on financial sustainability.
12. Sufficient competent providers fail to emerge to meet the new and expanded demand for
services
The capacity of the disability support sector to meet the new levels of demand that will be created
by the NDIS, especially in full scheme rollout, is recognised by all Governments as a significant risk to
the success of the Scheme.
This risk could manifest itself in either or both of two ways. First, existing providers may fail to make
the transition from a model in which they receive block funding in advance for providing services to
largely captive clients to one that focuses on attracting individual clients, and receiving payment in
arrears. Secondly, new providers may fail to emerge in sufficient numbers to meet increased
demand resulting in unmet need, services that are too costly, services that are of poor quality or
some combination of these deficiencies.
The Board’s capacity to mitigate this risk is limited, although it complements the activities of
Commonwealth, State and Territory Governments in this area wherever practicable through
prioritisation and deployment of the Sector Development Fund and by working with the relevant
Commonwealth and State agencies to encourage increased capacity. The Board’s Sustainability
Committee receives regular reports from the Scheme Actuary on the levels of agreed support
included in participant plans that is received or not received. The Board will advise Governments
promptly if the Sustainability Committee considers that the level of supports not received exceeds
acceptable rates.
The Board has established a schedule of pricing for individual supports, based on actuarial
modelling, which it believes represents fair market rates. This is clearly a contentious area and the
Agency works with the disability support sector to resolve disagreements over prices. While it is
unlikely that full consensus will be reached there are examples in other regulated industries of
September 2014
Page 17 of 54
Page 17 of 292
FOI 20/21-0879
pricing models which produce satisfactory outcomes for providers. Ultimately there is a series of
markets at work, many with low barriers to entry, so it is reasonable to expect that over time
equilibrium between supply and demand will be reached.
The Board receives assurance on the quality of service provision from registered providers through
compliance activities relating to ongoing eligibility for registration, and through reports on
investigation of complaints from participants, their families and carers. Under the
intergovernmental agreements that set the parameters for operation of the Scheme, though, the
responsibility for quality and safeguards during the initial three year launch period remains with
relevant State and Territory Governments. The Agency refers any complaints falling within
State/Territory jurisdictions to the relevant agencies. Work is underway in the Agency on the
development of a national quality and safeguards framework that will replace existing arrangements
when the full scheme is rolled out. This work is being done in conjunction with State and Territory
Governments.
The Board is conscious that this risk represents a significant threat to the overall success of the
Scheme and is particularly acute in the transition phase. It will work actively with other Government
agencies to help develop effective mitigation strategies.
Key Result Indicators service provider coverage and characteristics;
participant/carer satisfaction
13. Sufficient qualified provider staff fail to emerge to meet the new and expanded demand
for services
Workforce issues were canvassed extensively by the Productivity Commission, and these are being
considered by relevant agencies in the Commonwealth, State and Territory Governments. The
Board can provide valuable insights through monitoring levels of informal care and community
support, as well as gaps between formal supports approved and provided. The Board will advise
Governments promptly if the Sustainability Committee detects signs that workforce shortages – as
indicated by waiting times for access to supports once plans are finalised - are exceeding reasonable
levels of tolerance.
The Board is conscious that this risk represents a significant threat to the overall success of the
Scheme and is particularly acute in the transition phase. It will work actively with other Government
agencies to help develop effective mitigation strategies.
Key Result Indicators agreed supports received/not received;
supports pricing compared with actuarial projections;
complaints/compliments (provider quality related);
performance of projects funded under sector development funds
14. The Agency fails to meet its reporting obligations to Governments and the Commonwealth
Parliament
The governance arrangements surrounding the Scheme and its administration are unusually
complex. The shared ownership of the Scheme is reflected in a set of reporting obligations that are
set out in intergovernmental agreements and the
NDIS Act 2013. In the main, these requirements
are captured in the
NDIS Integrated Performance Reporting Framework, which specifies monthly
September 2014
Page 18 of 54
Page 18 of 292
FOI 20/21-0879
provision of information at the level of officials, and quarterly and annual reports from the Board to
the CDRC.
In addition, the Agency, as a Commonwealth statutory authority, has a separate set of
accountabilities to the Commonwealth Government and Parliament which also involve extensive
reporting obligations.
The Board’s Audit and Risk Committee has primary responsibility for oversight of the Agency’s
compliance function to ensure that all accountability requirements are met.
The Board is committed to meeting its reporting obligations in full and on time in the interests of
transparency and accountability. However, the Board notes that the totality of these formal
reporting requirements imposes significant demands upon the Agency’s resources, and in particular
on the Scheme Actuary. The task is presently labour-intensive because of the limitations of the
interim IT system. In discussions on the requirements for the longer-term IT solution, the Board has
made clear that the new system must enable the Agency to meet Scheme and management
reporting obligations efficiently and cost-effectively.
The Board appreciates the level of support and interest from stakeholders, and is keen to make
information about the Scheme widely available. However, the Board notes that the level of
information requests from non-Government sources is increasing, as is the number of requests for
additional information from Governments outside the formal reporting requirements. The Board is
concerned that these additional requests for information will impact upon the capacity of the
Agency to meet the challenge of rolling out the Scheme in accordance with the agreed schedule.
The Board notes the provision in the COAG Intergovernmental Agreement for additional information
requests from Governments to be provided on a cost-recovery basis. Thus far, the Board has chosen
not to invoke this provision, in the interests of promoting transparency, although this decision is
reviewed regularly in the context of monitoring additional demand.
The Board gives priority to fulfilling formal requirements, and if necessary, will take up the level of
additional requests for information with relevant Governments.
Key Result Indicators timely and appropriate Government and public reports;
no significant integrity and/or audit issues
15. The Agency fails to establish an organisational culture and management systems that
foster accountability and continuous learning
The Board notes that the review of Agency capability it commissioned identified considerable scope
for improvement in internal Agency governance and management. While not unusual in a start-up
organisation, especially one operating within the compressed timeframes attendant upon the launch
of the Scheme, the Board is concerned that failure to address those weaknesses now constitutes a
risk to the Agency’s capacity to deliver the outcomes of the Scheme. Accordingly, the Board
required Agency management to produce an action plan to address the findings of the review of
capability. The Board reviews implementation of this action plan at each meeting.
The Board accepts without question its responsibility to set clear strategic directions and
performance expectations for the Agency, and to ensure these standards are achieved. The Board is
confident of the Agency’s capacity to do so, efficiently and effectively, in accordance with the action
plan as amended from time to time in light of emerging circumstances.
The Board is determined that the Agency will be a learning organisation. The Scheme is currently in a
trial phase and it is critical to its long term success that the lessons learned in this phase be absorbed
and disseminated throughout the Agency so that support packages have the best chance of
September 2014
Page 19 of 54
Page 19 of 292
FOI 20/21-0879
achieving the desired outcomes for participants. Accompanying this culture of continuous learning
will be a strong risk management culture so that mistakes are kept to a minimum and resources
carefully husbanded. The Agency’s Quality Management Framework, currently being developed, will
provide valuable evidence on the extent to which these principles are operating in practice. The
Board’s commitment to transparency and accountability is dealt with under Risk 14 above. The
Board notes the potential for reductions to the Agency’s operating budget to compromise its
capacity to build a high performing organisation. The Board will work with the Commonwealth
Minister with the aim of ensuring that funding for Agency operations remains adequate to deliver
successful outcomes in line with intergovernmental agreements.
Key Result Indicators timely and appropriate learning and development framework;
16. The Agency fails to attract and retain sufficient talented leaders and staff to meet the
challenges of start-up and/or full scheme rollout
The Agency commenced operations on 1 July 2013 with a senior management cohort comprising
principally officers seconded from other Government agencies. For the first few months the Board’s
main focus was on ensuring a successful launch of the Scheme. The Board then commissioned a
review of capability to assess the extent to which the Agency was capable of meeting the challenges
both of the trial phase and full scheme roll-out.
This review highlighted weaknesses in this area. In particular, the review identified the following
capabilities to be built in the medium term: approaches to identifying and nurturing talent, a
succession planning capability (to try and reduce ‘key person’ risk going forward) and the ability to
fill key capability gaps through people management initiatives. The reviewers note that “this work is
dependent upon the capacity of the new Senior Executive and the quality of support from the
people area once it is settled.” 7 The Board monitors progress with implementation of the action
plan to address these findings at each meeting. The Board also expects that action plans will be
developed by Agency management in response to findings from regular staff satisfaction
surveys, now that these have commenced. As well as reviewing progress with these action
plans, the Board will monitor changes in levels of staff satisfaction over time.
The Agency faces the challenge of recruiting staff in new offices and new launch sites in the lead
up to full scheme rollout. The Board acknowledges that the scope of this risk is, to some extent,
reliant on decisions about the shape of the service delivery network, especially in terms of
functions retained in-house and possible outsourcing arrangements. The Board has no
preconceptions about preferred forms of service delivery but aims to resolve these matters as
soon as is practicable. The Board holds the CEO accountable for ensuring the Agency’s people
management and culture strategies deliver outcomes that fall within the ranges expected of
high performing organisations, as measured in the annual State of the Service report from the
Australian Public Service Commissioner.
A range of measures are being developed to enable the Board to monitor Agency capability,
including a set of indicators specifically related to people and culture.
With a new Senior Executive team in place, these matters are within the Board’s control to
manage, and provided only that it has adequate resources the Board is resolved to manage
them so that the residual risk around staff capability is low.
7 A review of the capabilities of the National Disability Insurance Agency, January 2014, p. 24
September 2014
Page 20 of 54
Page 20 of 292
FOI 20/21-0879
Key Result Indicators staff turnover compared with APS averages;
staff engagement as measured through regular staff surveys;
percentage of staff achieving competency levels specified under the Agency’s performance
management system
September 2014
Page 21 of 54
Page 21 of 292
FOI 20/21-0879
Chapter 4: Risk Management Strategy
Consistent with the responsibilities of a Board, articulated in CPS 220, and in accordance with
section 8 of the
NDIS Risk Management Rules, the Board formulates a Risk Management strategy for
the Agency which is to be approved by the COAG Disability Reform Council (CDRC).
The Board’s approach is to ensure that risk management is integral to the way the Agency conducts
its business. In this way, the Board seeks to ensure that the benefits of a structured approach to risk
management are realised. The Board has defined these benefits as increasing the likelihood of the
Agency achieving strategic and business objectives; encouraging a high standard of accountability at
all levels of the organisation; supporting more effective decision making through better
understanding of risk exposures; creating an environment that enables the Agency to deliver timely
services and meet performance objectives in an efficient and cost effective manner; safeguarding
the Agency’s assets – human, property and reputation; and meeting compliance and governance
requirements.
The Board develops the NDIS Strategic Plan (with a three year horizon), identifies key risks to
achieving the objectives of the Strategic Plan (the Strategic Risks), and then articulates its attitude
towards the management of them through the Risk Tolerance Statement.
Of particular importance is ensuring that risks to the achievement of the Board’s strategic objectives
are adequately addressed through the Agency’s business planning processes.
Identifying risk during the business planning process allows the Board to set realistic delivery
timelines for strategies and activities, or to choose to remove a strategy or activity if the associated
risks are too high or unmanageable. The impact of changing risk levels over a given time period can
then be mapped to the relevant objective, enabling more timely expectation management with key
stakeholders.
The annual Agency Business Plan, approved by the Board, sets out Agency-wide priorities for action
that give effect to the objectives of the Strategic Plan, including priorities for the management of the
Strategic Risks. Responsibility for managing each Strategic Risk is allocated to members of the
Executive (CEO, Deputy DEO and General Managers) in the Agency Business Plan, which has a twelve
month horizon. Cascading from the Agency Business Plan are Divisional and Branch/Launch Site
Business Plans, and, where appropriate, Section Business Plans. Each of these plans also has a
twelve month horizon.
The responsibilities for management of the Strategic Risks are set out in Table 4 below.
September 2014
Page 22 of 54
Page 22 of 292
FOI 20/21-0879
Role of the Scheme Actuary
The NDIS legislation emphasises the Scheme Actuary’s role in assessing the financial sustainability of
the scheme and advising the Agency and Board of any risks to financial sustainability. Specifically
under Section 180B of the NDIS Act and Rules, the Scheme Actuary in her annual report must:
Assess the financial sustainability of the NDIS
Assess risks to that sustainability, consider the causes of any risks, and discuss
recommendations to manage or address these risks.
Include in her annual financial sustainability report a discussion of the Agency’s risk
management arrangements (all systems, structures, cultures, processes, policies and people
that identify, assess, mitigate and monitor all sources of risk, both internal and external to
financial sustainability) and any recommendations in relation to any inadequacies.
The proposed strategic risks (in line with the strategic plan) are grouped in three broad categories:
a. People with disability are in control and have choices, based on the UN Convention on the
Rights of Persons with Disabilities.
b. The NDIS is financially sustainable and governed using insurance principles
c. The community has ownership, confidence and pride in the NDIS and the NDIA.
The Scheme Actuary plays a direct role in monitoring and identifying risks, causes of risks, and
mitigation strategies for the strategic risks in (b) above. In fact actuarial analysis is a key risk
mitigation strategy in itself with regards to scheme financial sustainability. Actuarial analysis is up to
date, monitors actual experience against expected experience (and provides information on
deviations), and projects expenditure based on scheme experience. This allows risks to financial
sustainability to be identified early, and strategies put in place to mitigate these risks.
Once the Scheme Actuary has identified risks – usually in the quarterly actuarial report, these risks
need to feed into the Agency’s risk management process. Specifically, these risks should feed into
the Risk Register Report through the risk champion for the sustainability, actuarial and reporting
division. These risks, along with other risks identified by other divisions, should then be
appropriately acted upon, and monitored, using the risk management process outlined in the Risk
Management Manual. These risks should also be monitored closely in the Risk Treatment Action
reports.
The Scheme Actuary has broad oversight of all risks identified and the processes for mitigating these
risks through involvement in the following committees:
Assurance, Audit and Risk Committee (which reviews reports on operational and technical
risks, and identifies new and emerging risks);
Strategic Risk Committee (reviews the risk profile reports, the risk treatment actions report,
and the new and emerging risk reports);
Audit and Risk Committee (sub-committee of the Board); and
Sustainability Committee (sub-committee of the Board).
The Scheme Actuary will also continue to report on the risks she identifies in the quarterly actuarial
reports.
The Chief Executive Officer (CEO) has overall responsibility for how risks are managed by the Agency.
The CEO and Executive Management Group meet regularly as the Strategic Risk Committee to
monitor risks to the achievement of the Agency’s strategic plans and goals, and the management of
strategic risks identified by the Board. The Executive is also responsible for ensuring key risks to
NDIA’s objectives are identified, understood and adequately managed. In line with the three lines-
of-defence risk governance model identified by APRA in CPS 220, the CEO and Executive
Management Group are responsible for ensuring that risk ownership is clearly defined, and that the
risk management framework is effectively implemented and supports decision-making.
September 2014
Page 26 of 54
Page 26 of 292
FOI 20/21-0879
Step Two – Establish the Context
This involves stating the objectives of the Agency up front, as clearly as possible, in order to identify
risk areas precisely, and consider their potential impact on Scheme outcomes. It means considering:
The external context
Building an understanding of external stakeholders, and the extent to which the external
environment will impact on the ability to achieve corporate objectives, by considering the business,
social, regulatory, cultural, competitive, financial and political environments in which the Agency
operates; and the Agency’s strengths, weaknesses, opportunities and threats.
The internal context
Building an understanding of organisational elements and the way they interact, including
governance, organisational structure, roles and accountabilities; policies, objectives, and the
strategies that are in place to achieve them; capabilities (people, time, systems, processes,
technologies and capital); the relationships with and perceptions and values of internal stakeholders;
the organisation’s culture; information systems, information flows and decision making processes
(formal and informal); standards, guidelines and models adopted by the Agency; and the form and
extent of contractual relationships.
By paying attention to these and other relevant factors, the Agency can ensure that the risk
management approach adopted is appropriate to the circumstances, and is supported by an
appropriate level of resourcing.
Step Three – Identify Risks
This step involves reviewing as many sources of risk as possible, to identify the risks that could
impact on the achievement of the Agency’s objectives. Because unidentified risks can always pose a
major threat, it is important to take care to ensure that the NDIA maintains an open perspective on
all possible threats and opportunities.
Key information sources to consider include the NDIA Strategic, Corporate and Business Plans;
internal and external audit reports; post-event or post-implementation reviews; and local and
overseas experience. Risks can be identified using various tools and techniques, some of which have
been condensed into templates to assist in the risk identification process.
By considering these, the aim is to identify a comprehensive list of risks that could adversely impact
the achievement of Agency objectives, as well as risks associated with not pursuing opportunities
that could foster the achievement of objectives.
Step Four – Analyse Risks
Once a risk is identified, it is important to describe it adequately. A comprehensive risk analysis will
include consideration not only of a particular risk event, but also of its causes and consequences.
For example:
Event
Cause
Impact
High staff turnover
Staff job dissatisfaction
Inability to achieve strategic
objectives
Risk analysis involves identifying the likelihood of the risk occurring, identifying the potential
consequence or impact that would result if the risk was to occur; identifying
the controls currently in place to manage those risks by reducing either the consequence of the risk,
or its likelihood; and assessing the effectiveness of current controls.
September 2014
Page 31 of 54
Page 31 of 292
FOI 20/21-0879
can warrant treatment other than on economic grounds, such as risks to the Agency’s reputation, or
levels of public confidence in the integrity of the Scheme.
At this stage, it is also important to plan how to communicate risk treatments to relevant
stakeholders, and to consider the potential impact of the treatment on them. This is particularly so
where risks are to be transferred, retained or increased.
Once the preferred treatment option has been selected, the cost of any actions is incorporated into
the relevant budget planning process; a responsible person is designated for delivery of the action,
and performance measures are determined.
The preferred option is documented in a risk treatment plan that sets out how the chosen risk
treatment will be implemented. Treatment plans include the reasons for selection of treatment
options, including expected benefits to be gained; those who are accountable for approving the plan
and those responsible for its implementation; proposed actions; resource requirements including
contingencies; performance measures and constraints; reporting and monitoring requirements; and
timing and scheduling.
Risk treatment plans are also incorporated into other Agency processes, such as business or project
management plans.
Risk treatment involves a cyclical process of assessing the treatment; deciding whether residual risk
levels are tolerable; if not, generating a new risk treatment; and assessing the effectiveness of that
treatment.
This has been built into the risk reporting process used in the Agency, and so occurs at intervals
determined by the nature of the risk and the priority accorded it by the Board or senior
management.
Step Seven – Monitor and Review
The Agency’s risk monitoring and review processes are aimed at ensuring that controls are effective
and efficient in both design and operation; obtaining further information to improve risk
assessment; analysing and learning lessons from events (including near misses), changes, trends,
successes and failures; detecting changes in the external and internal context, including changes to
risk criteria and the risk itself, which can require revision of risk treatments and priorities; and
identifying emerging risks.
Risks are monitored and reported at a strategic, operational and project level, as shown in Figure 4
below.
September 2014
Page 36 of 54
Page 36 of 292
FOI 20/21-0879
Figure 4: Risk monitoring and reporting
Key elements of the risk monitoring and review arrangements include:
Strategic risks are identified and assessed by the Board annually and reviewed by the Audit
and Risk Committee at each meeting
o The management of particular risks, identified by the Board, may be reported more
frequently to the Board if appropriate;
Operational risks are reviewed annually as part of the business planning cycle, and
management of them is reviewed monthly by executive managers, with High risks reported
to the Audit and Risk Committee quarterly;
Targeted risk assessment of specialist risks including compliance, business continuity,
workplace health and safety and fraud are undertaken in accordance with legislative
requirements;
Project risk assessments are undertaken for significant projects and monitored fortnightly
through the project governance arrangements.
The Sustainability Committee reviews risks associated with Scheme sustainability and
participant outcomes at each meeting, and reports on them to the Audit and Risk
Committee and the Board;
The Risk Management Framework, and all its components are subject to an independent
review by internal audit; and
The Board provides annual declarations on the adequacy and effectiveness of risk
management and compliance activities, as required by paragraphs 7 and 10 of the
Risk
Management Rules.
September 2014
Page 37 of 54
Page 37 of 292
FOI 20/21-0879
Thirdly, implementation of the risk management process described previously ensures that risk
management is a key element of planning and risks are identified, monitored and managed in a
consistent and coordinated way.
Risk Management Function
The Agency’s Chief Risk Officer (CRO) is responsible for assisting the Board, committees of the Board
and the senior management of the Agency to develop and maintain the risk management strategy
and framework. The CRO reports to the Deputy CEO, but is operationally independent, meaning that
the position has no direct involvement in the Agency’s functions in relation to the funding or
provision of supports under the NDIS. The CRO is able to brief the Board, committees of the Board
and senior management of the Agency as necessary, and has access to all aspects of the NDIS that
have the potential to generate material risk, including information technology systems and system
development resources. The CRO is tasked with notifying the Board of any significant breach of, or
material deviation from, the risk management framework in a timely and effective manner.
The CRO fits within the second line of defence outlined in APRA’s Draft Prudential Practice Guide on
Risk Management, and has independent oversight of the risk profile and risk management
framework, including providing an effective challenge to activities and decisions that materially
affect the risk profile. APRA expects the CRO to be a senior executive. The Agency has a CRO at the
SES Band 1 level until the end of September 2014, when the position will be reviewed against the
broader context of Agency operating requirements, the SES cap, and maturity of the implementation
of the Framework. The CRO is supported by an EL2 position, with responsibilities primarily relating
to the co-ordination of operational risk management and activities that support development of an
appropriate risk management culture.
The CRO is also responsible for fraud control, prevention and detection; business continuity
planning, co-ordination of the internal audit function, and business planning. In this, an EL1 Fraud
Control Officer, and an EL1 Audit Liaison Officer, who also assists with the fraud detection program,
support the CRO.
The internal audit program is developed in consultation with management and the Board, and
approved by the Audit and Risk Committee. It is a three year program, but reviewed annually to
ensure that it continues to reflect current priorities. The first three year program was formulated
within the first six months of operation of the Scheme, and was built largely on management
perceptions of risk areas. Progressive implementation of the Risk Management Framework will build
a growing body of evidence that can be used to target internal audit activities to high risk areas.
Audit findings are classified on a three point scale, based on the auditors’ assessment of the urgency
for management action. The Audit and Risk Committee receive quarterly reports on progress with
addressing audit findings.
The delivery of the internal audit program is outsourced to a specialist provider. The managing
partner for the contract attends all meetings of the Audit and Risk Committee, and provides an
independent report on progress with delivery of the program. The managing partner also has direct
and unfettered access to the Chair of the Audit and Risk Committee, and to the CEO.
Compliance
The Agency’s compliance obligations can be divided into four categories: the responsibilities of
Directors; administration of the Scheme, including the enabling legislation (
NDIS Act 2013 and
subordinate rules), and requirements under the Intergovernmental and bilateral agreements;
specific responsibilities for Commonwealth authorities under the
CAC Act 1997 (for 2013-14) and the
Public Governance Accountability and Performance Act 2013 (from 2014-15); and general regulatory
compliance with relevant Commonwealth legislation (for example,
Freedom of Information Act 1982,
September 2014
Page 41 of 54
Page 41 of 292
FOI 20/21-0879
Privacy Act 1988, Environment Protection and Biodiversity Conservation Act 1999, Workplace Gender
Equality Act 2012, Carer Recognition Act 2011, Public Service Act 1999, Archives Act 1983,
Public
Works Committee Act 1969.
Responsibilities of Directors
As directors of a Commonwealth corporate entity, Board members have a specific set of obligations
under the
Commonwealth Authorities and Companies Act 1997 (for 2013-14) and the
Public
Governance Performance and Accountability Act 2013 (from 2014-15). The process for ensuring
compliance with the obligations of Board directors, and reporting on it, is managed by the Board
Secretariat.
Administration of the Scheme
In the first year of operation, the Agency has focussed on compliance with the requirements for two
key decisions made under the enabling legislation: making decisions on access to the Scheme, and
making decisions on the reasonable and necessary supports to be funded through the Agency in
participant plans.
A
Quality Management Framework has been developed comprising a combination of self-
assessment and independent review of decisions. This Framework is being implemented
progressively.
Individual self-assessment is a review undertaken by staff to assess their performance against
Agency procedures. Staff assess how they have followed Agency policy/guidelines (as published on
the staff intranet and public internet), sought participant/stakeholder feedback at significant points
during the planning process and implementation phase, and kept appropriate documentation
throughout their support to participants.
The second element is a
formal peer review process, where staff with similar roles and
responsibilities critically assess each other’s’ performance and provide constructive feedback, to
reinforce strengths as well as to identify areas for improvement.
Participant file reviews will be co-ordinated by the National Quality Improvement Team (NQIT), and
completed by Senior Planners or Directors at trial sites. The NQIT will determine the sample
selection depending on the objective of the review which will be determined by performance
reports and complaints. Findings from participant file reviews will highlight any practice issues
and/or reinforce effective strategies which can be shared across trial sites. The findings from
participant file reviews will be shared with service delivery staff across trial sites, and will enable
action to be taken to address any issues, update or develop guidelines or procedures, or drive the
learning and development strategies for staff.
Team self-assessment is a planned process where teams will collect and analyse data about their
practice to determine their compliance with rules made under the
NDIS Act and the Agency’s
policies and procedures (on the intranet and internet), including data accuracy and integrity.
Team self-assessments will be carried out at trial sites every six months and will involve all service
delivery staff and other team members as appropriate. The NQIT will provide each trial site with a
schedule of indicators to be reviewed that will demonstrate that the objectives and principles of the
NDIS Act are being met both at a trial site location and at the systemic level. The team self-
assessment will be led by the Director Service Delivery and draw on information from case-reviews
completed during the previous 6 months; participant and stakeholder feedback, including
complaints; and, a review of a random sample of participant records.
An
independent review program, conducted by the NQIT, will systematically review systems and
operations at the local level, including documentation to support decisions made by the Agency.
September 2014
Page 42 of 54
Page 42 of 292
FOI 20/21-0879
While focussing initially on decisions concerning eligibility and reasonable and necessary supports,
the Quality Management Framework will be progressively extended to cover all decisions made
under the legislation and subordinate rules that relate to participants and to providers.
Compliance with the
NDIS Risk Management Rules 2013 is reviewed as part of the annual internal
audit program and attested to by the Board in the annual Risk Management Declaration
CAC/PGPA Act obligations
For 2013-14, the Agency’s directors are required by
Finance Circular No. 2008/05 Compliance
Reporting – CAC Bodies to provide a Compliance Report indicating whether or not, in their opinion,
they and their body have complied with the provisions and requirements of the Commonwealth
Authorities and Companies (CAC) legislation (Act, Regulations and Orders).
In the establishment of a new process for the Agency, the Department of Finance and a number of
other CAC Act agencies were consulted to determine the most effective processes to be undertaken.
Consequently, it was determined that the most effective way to assist the compliance reporting was
to develop a survey to be completed by responsible managers quarterly and board members
biannually detailing instances of compliance and non-compliance with the CAC legislation.
In constructing the survey each component of the CAC legislation was reviewed and areas requiring
compliance were included. Additional questions were also included on compliance with significant
Agency policies.
The Audit and Risk Committee, at its meeting of 12 February 2013, endorsed this process as
underpinning the Certificate of Compliance for 2013-14.
This process will be used to inform the annual Risk Management Declaration by the Board, as
required under the Scheme Risk Management Rules.
General Regulatory Obligations
The Agency developed a two stage approach to general regulatory compliance obligations for 2013-
14.
The first stage of work involved management identifying key pieces of legislation or requirements
critical to the functioning of the Agency or to the rollout of the Scheme. These are the Freedom of
Information (FOI) Act, the Privacy Act, the Archives Act, the Work Health and Safety Act 2011, the
Environment Protection and Biodiversity Conservation Act, and the requirements of the Public
Works Committee (PWC) Act in relation to approval of property plans and proposed expenditure.
In relation to the FOI Act, the Agency has established an Information Publication Scheme and
disclosure log, and has complied with all of its obligations under the Act in respect of the requests
for access it has received. In relation to privacy and broader information protection obligations
including under the NDIS Act, the Agency has provided training to staff as part of the induction
process on key requirements of the Agency’s privacy obligations, with a specific focus on appropriate
handling of sensitive and protected information. The Agency has not been notified of any
complaints to the Privacy Commissioner for 2013-14.
The Agency has been working with the National Archives of Australia (NAA) to develop appropriate
and compliant records management policies and processes, based on the NAA’s digital archiving
standards.
A WHS committee was established in accordance with the WHS Act, and has met regularly since
December 2013. The Agency has incident reporting arrangements in place in accordance with the
legislation.
September 2014
Page 43 of 54
Page 43 of 292
FOI 20/21-0879
The Agency has made submissions to the Public Works Committee, and appeared to give evidence in
hearings, as required under the PWC Act. The Committee has approved proposed expenditure on
property in accordance with the legislation.
The Agency complies with its obligations under the Environment Protection and Biodiversity
Conservation Act as part of the due diligence it conducts before entering into leases for property.
The second stage of work will be to extend the compliance program to all regulatory requirements
under Commonwealth legislation. This will be implemented through 2014-15.
The consequences of failure to comply with its regulatory obligations is one of the risks monitored
by the Audit and Risk Committee and taken into consideration in developing the Agency’s annual
internal audit program.
Review of the Framework
To assist in formulating its annual risk management declaration, the Board has included a review of
the risk management framework, and its operation, in the annual internal audit program. The
results of this review are considered by the Board’s Audit and Risk Committee with the aim of
ensuring that recommendations for improvement are identified and, if possible, implemented
before the risk management declaration is signed.
Additionally, every three years, the Board commissions a comprehensive review of the
appropriateness, effectiveness and adequacy of its risk management framework from an
independent and suitably qualified party. This review will cover the extent of any change in the
Agency’s operations, the Board’s risk tolerance, and any changes to the external environment in
which the Agency operates. This review will assess whether the framework is implemented and
effective; remains appropriate for the Agency, taking into account the Board’s current business plan;
remains consistent with the Board’s risk tolerance; is supported by adequate resources; and the risk
management strategy accurately documents the key elements of the risk management framework
that give effect to the Board’s strategy for managing risk.
The Scheme actuary will have the opportunity to contribute to the annual and triennial reviews, and
to comment on the outcomes and proposed remedial actions, if any.
The ANAO will have access to the outcomes of the reviews and will have an opportunity to assess
the effectiveness of the proposed remedial actions, if any, if the Auditor-General so chooses.
In accordance with clause 10 of the
Risk Management Rules 2013, the Board provides a risk
management declaration to the COAG Disability Reform Council after the end of each financial year.
Two Board members sign this declaration. The Board authorises the signing of the declaration only
after it has had the benefit of an independent review of the risk management framework. The
declaration is qualified, if necessary, to the extent considered warranted by the Board, taking into
account the outcomes of the independent review, any recommendations from the Audit and Risk
Committee, and its own separate enquiries.
September 2014
Page 44 of 54
Page 44 of 292
FOI 20/21-0879
Attachment A: NDIA Strategic Plan 2013 - 2016
August 2014
Page 45 of 54
Page 45 of 292
FOI 20/21-0879
Page 46 of 292
August 2014
Page 46 of 54
FOI 20/21-0879
Page 47 of 292
August 2014
Page 47 of 54
FOI 20/21-0879
Page 48 of 292
August 2014
Page 48 of 54
FOI 20/21-0879
Page 49 of 292
August 2014
Page 49 of 54
FOI 20/21-0879
Page 50 of 292
August 2014
Page 50 of 54
FOI 20/21-0879
Page 51 of 292
August 2014
Page 51 of 54
FOI 20/21-0879
Page 52 of 292
August 2014
Page 52 of 54
FOI 20/21-0879
Page 53 of 292
August 2014
Page 53 of 54
FOI 20/21-0879
Page 54 of 292
August 2014
Page 54 of 54
