FOI 20/21-0883
DOCUMENT 5
NDIA
Risk Management Strategy
04 December 2017
Board endorsed for Ministerial Council approval
Page 1 of 21
1.1 Purpose
This Risk Management Strategy (RMS) describes the National Disability Insurance Agency’s
(NDIA or the Agency) approach to managing risks and opportunities arising from the effects
of uncertainty.
1.2 Context and overview
The NDIA’s purpose is to increase the ability of individuals with a significant and permanent
disability to be more independent, and to engage more socially and economically, at the
same time as delivering a financially sustainable National Disability Insurance Scheme
(NDIS or Scheme) that inspires community and stakeholder confidence. To do that we need
to put people with disability at the centre of everything we do, while recognising and
respecting the important role played by carers, providers and disability groups.
To achieve this, the Agency’s Corporate Plan identifies four aspirations and 12 strategic
goals as the key to successful delivery of the Scheme. The scale, pace and complexity of
change required to implement this reform and achieve these aspirations and goals bring
with it considerable uncertainty. In this context the Agency’s ability to harness strategic
opportunities, and to identify and respond to risks, is critical to delivering on its purpose.
This RMS has been developed to meet the Agency’s obligations under federal law,
including:
• The Public Governance, Performance and Accountability Act 2013
• The National Disability Insurance Scheme Act 2013
• The National Disability Insurance Scheme – Risk Management Rules 2013.
It also reflects the expectations of the Scheme’s contributors expressed in the Statement of
Strategic Guidance for the Board, issued by the Council of Australian Government Disability
Reform Council on 15 March 2017 to identify strategic risks early and manage risks well by:
• Taking a structured approach to identifying and managing risks
• Developing a sophisticated understanding of the risk interdependencies that could
impact delivery of the NDIS
• During transition, escalate important issues urgently.
This RMS has six areas of focus to help build a robust, high-performing, professional and
systems-based Agency that continues to improve its practices through:
• Culture and behaviour – we are risk aware and sensitive to financial sustainability
and positive participant outcomes
• Leadership – our leaders setting the ‘tone at the top’ to reinforce the importance of
being prepared for risk
• Capability – building the skills and insights of our staff and community partners
• Processes and approach – ensuring a risk lens informs the way we think and act
• Operating model and risk governance – ensuring the way we work is contemporary
and reflects better practice in risk management and governance
• Supporting infrastructure – establishing what’s needed to operationalise the RMS.
1.3 Publication
This RMS and supporting information, guidance and tools will be published on the Agency’s
intranet in a fully accessible format. This will ensure our staff and community partners can
easily access, use and contribute to the full suite of risk management resources.
1.4 A positive risk culture
Risk culture is the set of shared attitudes, values and behaviours that characterise how our
staff and community partners consider risk in their day-to-day activities and decisions.
A positive risk culture promotes an open and proactive approach to managing risk. It
balances both the threats and opportunities that emerge from the uncertainty of this nation-
building reform.
Put simply, a positive risk culture sees our people doing the right thing – including when no
one is looking. It empowers Agency delegates, their team members and community partners
to:
• embrace opportunities when making decisions
• take responsibility for reducing unacceptable levels of potential exposure brought
about by risk
• feel confident to be able to speak up to escalate their concerns about significant risks
and contribute to practical solutions
• be part of a feedback loop, as part of an open, connected and well communicated
approach to risk management.
The NDIA requires staff and community partners to adopt the following principles:
1. Take accountability for managing risks and helping colleagues manage their risks
2. Communicate and escalate risks openly, honestly and quickly
3. Consider risks to quality, participant outcomes and financial sustainability when
making decisions and taking actions
4. Openly share and learn from mistakes and successes
5. Understand and apply the Agency’s risk management principles, processes and
reporting.
The Agency has identified four foundational elements to build a strong, positive risk culture.
They are:
• Being clear about the culture and behaviours we expect – ensuring our risk principles
and expectations are clearly stated and communicated
• Leaders set the tone and establish the right environment – the Agency Leadership
Framework sets out the roles and expectations of leaders to be exemplary risk
stewards
• Recognition and reinforcement mechanisms – where Agency and community partner
employee recognition programs celebrate a positive risk culture, both formally and
informally
• Ongoing monitoring of risk culture – through regular maturity assessments.
Key insights will come from an annual risk culture survey, regular pulse surveys and tracking
performance results against key performance indicators that include training, application of
risk management processes and demonstration of the preferred behaviours.
1.5 Operating model and risk governance
The Board is ultimately responsible for overseeing the establishment of an effective risk
management approach at the Agency. The Board fulfils its responsibilities with advice and
support from the Board’s Risk Committee.
The Agency maintains strong strategic oversight of uncertainty, opportunity and risk through
its Executive Leadership Team. Each executive team is supported by the Agency’s Chief
Risk Officer and the Risk Division.
Clear accountability for the management of key risks is also identified.
The Agency has a comprehensive risk governance structure to support the effective
management of risk within the Agency and across the NDIS through its community partners.
The Agency has adopted the ‘three lines of defence’ operating model, as summarised in
Figure 1 below:
Figure 1: NDIA risk governance model
All Agency and community partner team members are responsible for the day-to-day
management of risk in their work, and for the timely identification, escalation and communication
of risks and of weaknesses in the controls that would otherwise prevent these risks from being realised.
Further detail on these roles and responsibilities is included in Appendix A.
1.6 Leadership
Achieving a culture where everybody ‘does the right thing’ requires an environment where
people understand what the ‘right thing’ is. Leaders at all levels within the Agency are
responsible for setting the positive tone, outlook and approach that encourages and rewards
risk-based decision making.
Management
Executive staff (defined as anyone within the Agency with oversight of staff or contractors)
will both lead and actively participate in risk and control monitoring activities to ensure
opportunities are realised and threats are identified and appropriately mitigated.
Regional executives and managers of front line staff are expected to monitor and respond to
risks that may arise in interactions with participants and providers. This will be done by
ensuring all Agency and LAC staff complete compulsory training and that operational procedures
are followed. Risks will be addressed, mitigated and escalated as appropriate in real time.
Senior Executive (defined as CEO, DCEOs and other senior executive level staff)
communications will contain direct messages about, and examples of, good risk
management and how it is applied to the Agency’s work in delivering on the Corporate Plan.
In setting expectations, Agency and community partner executives are responsible for:
• Ensuring systematic consideration of risk is part of business planning and decision
making activities
• Maintaining an awareness of their critical controls and actively monitoring their
effectiveness
• Frequently monitoring the risk issues affecting decision quality, participant outcomes
and financial sustainability
• Advocating the value of considering risk early and often in business planning and the
execution of work tasks by teams
• Encouraging reflections and learnings from successes and failures
• Rewarding team members who demonstrate risk awareness and actively manage
risks
• Implementing robust systems and processes to support compliance, control and
integrity throughout the Agency and its community partners
• Maintaining regular high quality risk monitoring and reporting (in accordance with
section 1.8 of this RMS).
These responsibilities are aligned to the Agency’s Leadership Framework and are reinforced
within a dedicated risk training program for senior leaders and front line managers.
Board
The Board, aided by its Risk Committee, will be diligent in its oversight and will support
management in delivering effective risk management by:
• Annually approving the Agency’s strategic risks, risk appetite statements, risk
tolerance settings and key risk indicators
• Regularly monitoring performance against risk tolerance settings
• Taking account of shared risks for the NDIS which extend beyond the Agency and
require shared oversight
• Being clear in its commitment to maintaining strong controls and procedures to
ensure risk is well managed and obligations are met
• Holding the CEO to account for promoting and fostering risk management as a
signature strength of the Agency and growing a positive risk culture.
The Board will provide the Ministerial Council with an annual risk management declaration
regarding the Agency’s compliance with the RMS and the effectiveness of its operation.
1.7 Capability
Successful implementation of this RMS requires the consistent application of the following
activities:
• Scanning the environment (internal and external) to identify emerging opportunities
and threats and take early action in response
• Universal application of common risk management principles and processes across
all business planning, day-to-day team activities and delegate decision-making
• Embedding an effective, consistent approach to how financial and human resources
are deployed to manage uncertainty.
The key risk management capabilities to facilitate these activities include:
• All Agency staff having a comprehensive understanding of the NDIA’s guiding risk
principles and how they apply to their individual accountabilities
• Appropriately trained and supported divisional and regional operational risk partners
who promote, guide and facilitate local risk management practices. These partners
also provide a communication and feedback channel back to the Risk Division
• Appropriately qualified and experienced specialist risk management practitioners
within the Agency’s Risk Division. The Division is responsible for setting the risk
management framework, delivery of training and providing support to Agency staff in
their risk management activities
• Expert insight and advice to support our internal capability when needed, including
through relationships with other commercially-oriented entities in the financial
services, insurance and social services sectors.
The Agency’s risk management training strategy identifies the specific capabilities required
to understand and manage risk at all levels of the Agency. Training will be undertaken on a
regular basis to develop, refine and enhance these skills.
The Agency maintains a comprehensive suite of guidelines and toolkits to enable leaders
and team members to understand and carry out their risk responsibilities. These documents
and tools detail the Agency’s risk management processes and approach.
1.8 Processes and approach
The Agency’s risk management process includes information, guidance and supporting tools
to provide clear guidance on the identification, assessment, management, monitoring and
reporting of risks.
The Agency’s risk management cycle is set out in Figure 1 below.
Figure 1: NDIA risk management cycle
The overall approach is for uncertainty, opportunity and threats to be identified, managed
and monitored within the planning and execution levels of the Agency, as described in
Figure 2 below.
Figure 2: Alignment of NDIA planning and risk activities
Risk reporting will reflect performance against leading and lagging key risk indicators,
monitoring of critical control effectiveness and treatment plan implementation.
Coaching and support for senior leaders and their teams will be provided by the Risk Branch
and locally-based operational risk partners.
The Agency’s monitoring and reporting activities are outlined in Table 1 below.
Table 1 – NDIA Risk management monitoring and reporting activity
1.9 Supporting infrastructure
Successful implementation of this RMS relies on supporting infrastructure, including:
• An Enterprise Risk Management Plan, developed on an annual basis, to guide the
effective implementation of the RMS
• Risk training, designed to build and maintain a strong level of risk management
capability
• Performance assessments, designed to reinforce and recognise the demonstration of
appropriate risk behaviours
• Risk systems to allow the collection and analysis of appropriate data to enable
accurate reporting and guide risk-informed decision making and oversight.
The Agency’s Risk Management Framework and supporting infrastructure is documented in
the Board-approved Risk Management Framework Architecture at Appendix B.
1.10 Review
This RMS will be reviewed annually. The Board’s Risk Committee will undertake an initial
assessment and make recommendations for change, or not, to the Board for its
consideration and approval.
In addition, the Agency will commission an independent external review of its risk
management framework, including the RMS, every three years to assess the adequacy and
effectiveness of risk management activities at the Agency.
DOCUMENT 6
Item 2.4 Attachment A
NDIA Business Continuity
Management Policy
April 2018
Draft for ELT Risk Committee Approval
Contents
1. Introduction ........................................................ 4
2. Objectives and Guiding Principles ....................................... 4
3. Scope ................................................................. 4
3.1 Scope inclusions ..................................................... 4
3.2 Scope Exclusions ..................................................... 5
4. Framework architecture ................................................ 5
5. Roles and responsibilities ............................................ 5
6. Framework review requirements ......................................... 7
6.1 Document maintenance responsibilities and approvals .................. 7
7. Business continuity planning .......................................... 9
7.1 BCP minimum requirements ............................................. 9
7.2 BCP maintenance and testing requirements ............................. 9
7.3 Post incident review ................................................ 10
8. Glossary of Terms .................................................... 10
1. Introduction
Business Continuity Management (BCM) encompasses a set of planning, preparatory and related
activities that ensure the Agency:
• responds in a timely, coordinated and effective manner to an interruption or declared disaster;
• continues to be operational despite serious incidents or disasters that might otherwise have
interrupted it; and
• actively manages and resolves an incident in the shortest possible timeframe to minimise impacts.
Significant business disruption events can result from a wide range of causes including: loss of
access to building(s); utility outages; ICT outages; and loss of staff. The National Disability Insurance
Agency (NDIA or Agency) BCM arrangements are designed to minimise the impact of a significant
business disruption on the Agency’s critical business functions and services, and aim to ensure
uninterrupted availability. Where this is not possible, the BCM activities will guide the rapid restoration
of critical business activities and assist in the resumption of business as usual in an appropriately
prioritised and orderly manner.
2. Objectives and Guiding Principles
The guiding principles of NDIA’s BCM Framework are:
• we ensure access to medical and care supports for impacted staff members at all times and
ensure participants are not put at risk; and
• nationally consistent systems are in place to support the business.
These guiding principles drive the key objectives of NDIA’s BCM Framework, which are to:
• minimise disruptions to time critical business activities;
• ensure a timely resumption of operations following a disaster or other significant business
disruption; and
• preserve stakeholder confidence, credibility and goodwill.
These objectives are achieved by:
• maintaining a set of plans to ensure that NDIA can manage and recover from emergencies,
disasters and other business disruptive events;
• fostering a culture and awareness of BCM within NDIA and promoting the practice of its planning
as a routine part of business management;
• the ongoing development, exercising and review of BCM plans and procedures; and
• ensuring linkages with NDIA’s Risk Management Framework and Emergency Management
procedures.
3. Scope
3.1 Scope inclusions
There are a number of scenarios that could seriously impact the ongoing functions and activities of
NDIA; as such, it is not possible to predict every possible scenario or cause of disruption. Whilst the
BCM Framework provides direction, the unique nature of incidents requires that staff exercise
judgment and tailor the response to their circumstances.
The NDIA BCM Framework is designed to address the following business disruption scenarios:
• an event that creates a loss of physical access to the NDIA National Office buildings, Regional
Office sites and the assets located at those sites;
• loss of core utility services such as electricity, water and air-conditioning to the sites;
• unavailability of personnel;
• unavailability of ICT services including telephony, internet, intranet and email;
• other scenarios specific for an individual critical business activity.
3.2 Scope Exclusions
The scope of the NDIA BCM Framework excludes detailed Information and Communications
Technology (ICT) disaster recovery procedures, which are managed by the Department of Human
Services (DHS). NDIA’s BCPs provide workarounds only, which allow the Agency to continue the
identified critical business functions while ICT applications are recovered by DHS.
4. Framework architecture
Figure 1 below illustrates the core documents within the NDIA BCM Framework and identifies
accountabilities for BCM and related documents.
Figure 1 – NDIA Business Continuity Management and related frameworks
5. Roles and responsibilities
7. Business continuity planning
Each function of the Agency will undertake or review an annual Business Impact Assessment (BIA) to
identify critical business activities. Each critical activity identified in the BIA will be captured in a
Business Continuity Plan (BCP).
7.1 BCP minimum requirements
The NDIA operates in a widely dispersed and complex operating environment. To ensure its BCM
framework is fit for purpose, the Agency maintains a number of business continuity plans, as
outlined in Figure 1 on the previous page.
At a minimum, all BCPs must specify:
a) critical business activities;
b) maximum tolerable period of disruption for each activity;
c) alternative work locations;
d) minimum staffing requirements;
e) critical equipment requirements and alternative storage arrangements (including emergency
kits, computers and motor vehicles);
f) local BCT responsibilities;
g) manual workarounds where available;
h) communication approach with staff and stakeholders;
i) interdependencies with other areas of NDIA;
j) any external stakeholders, including references to, or attachments of, formal agreements
with external stakeholders; and
k) recovery checklists.
7.2 BCP maintenance and testing requirements
BCPs will be fully reviewed at least every 12 months to ensure they are fit for purpose. In addition to
the annual assessment, a review of business continuity documents will occur following:
a) a business disruption or exercise, to capture and address any gaps or lessons learnt;
b) significant organisational restructure;
c) relocation of NDIA or its Offices;
d) significant staff movements; or
e) a shift in the strategic direction of NDIA.
When updating business continuity documents, maintenance teams must ensure:
a) any new activities or services that need to be included in the document are identified;
b) the document is effective, up-to-date, fit-for-purpose, and appropriate to the level of risk
faced;
c) the document is clear, simple and concise; and
d) any lessons learned and/or process improvements from exercises or actual business
continuity events have been incorporated into the plan.
Copies of all BCPs must be stored:
a) at NDIA sites, in hard copy with the Site Manager;
b) electronically and in hard copy with the National Business Resilience Team;
c) electronically with the Incident Manager; and
d) with delegates as required.