This is an HTML version of an attachment to the Freedom of Information request 'NDIA’s business continuity management and plan test conducted in financial year 2018-19'.



FOI 20/21-0884
DOCUMENT 4
NDIA 
Risk Management Strategy 
Board approved February 2019  
Page 1 of 10

1.1  Purpose 
This Risk Management Strategy (RMS) describes the National Disability Insurance Agency’s 
(NDIA or the Agency) approach to managing risks and opportunities arising from the effects 
of uncertainty.  
1.2  Context and overview 
The NDIA’s purpose is to increase the ability of individuals with a significant and permanent 
disability to be more independent, and to engage more socially and economically, at the 
same time as delivering a financially sustainable National Disability Insurance Scheme 
(NDIS or Scheme) that inspires community and stakeholder confidence. To do that we need 
to put people with disability at the centre of everything we do, while recognising and 
respecting the important role played by carers, providers and disability groups. 
To achieve this the Agency’s Corporate Plan identifies four aspirations and 10 strategic 
goals as the key to successful delivery of the Scheme. The scale, pace and complexity of 
change required to implement this reform and achieve these aspirations and goals bring 
with them considerable uncertainty. In this context the Agency’s ability to harness strategic 
opportunities, and identify and respond to risks, is critical to delivering on its purpose.  
This RMS has been developed to meet the Agency’s obligations under federal law, 
including: 
• The Public Governance, Performance and Accountability Act 2013
• The National Disability Insurance Scheme Act 2013
• The National Disability Insurance Scheme – Risk Management Rules 2013.
It also reflects the expectations of the Scheme’s contributors expressed in the Statement of 
Strategic Guidance for the Board, issued by the Council of Australian Governments Disability 
Reform Council on 15 March 2017, to identify strategic risks early and manage risks well by: 
• Taking a structured approach to identifying and managing risks
• Developing a sophisticated understanding of the risk interdependencies that could impact delivery of the NDIS
• During transition, escalating important issues urgently.
This RMS has six areas of focus to help build a robust, high-performing, professional and 
systems-based Agency that continues to improve its practices through: 
• Culture and behaviour – we are risk aware and sensitive to financial sustainability and positive participant outcomes
• Operating model and risk governance – ensuring the way we work is contemporary and reflects better practice in risk management and governance
• Leadership – our leaders setting the ‘tone at the top’ to reinforce the importance of being prepared for risk
• Capability – building the skills and insights of our staff and community partners
• Processes and approach – ensuring a risk lens informs the way we think and act
• Supporting infrastructure – establishing what is needed to operationalise the RMS.
1.3  Publication 
This RMS and supporting information, guidance and tools will be published on the Agency’s 
intranet in a fully accessible format. This will ensure our staff and community partners can 
easily access, use and contribute to the full suite of risk management resources. 
1.4  A positive risk culture  
Risk culture is the set of shared attitudes, values and behaviours that characterise how our 
staff and community partners consider risk in their day-to-day activities and decisions.  
A positive risk culture promotes an open and proactive approach to managing risk. It 
balances both the threats and opportunities that emerge from the uncertainty of this nation-
building reform.  
Put simply, a positive risk culture sees our people doing the right thing – including when no 
one is looking. It empowers Agency delegates, their team members and community partners 
to: 
• embrace opportunities when making decisions
• take responsibility for reducing unacceptable levels of potential exposure brought about by risk
• feel confident to be able to speak up to escalate their concerns about significant risks and contribute to practical solutions
• be part of a feedback loop, as part of an open, connected and well communicated approach to risk management.
The NDIA requires staff and community partners to adopt the following principles: 
1. Take accountability for managing risks and helping colleagues manage their risks
2. Communicate and escalate risks openly, honestly and quickly
3. Consider risks to quality, participant outcomes and financial sustainability when making decisions and taking actions
4. Openly share and learn from mistakes and successes
5. Understand and apply the Agency’s risk management principles, processes and reporting.
The Agency has identified four foundational elements to build a strong, positive risk culture. 
They are: 
• Being clear about the culture and behaviours we expect – ensuring our risk principles and expectations are clearly stated and communicated
• Leaders set the tone and establish the right environment – the Agency Leadership Framework sets out the roles and expectations of leaders to be exemplary risk stewards
• Recognition and reinforcement mechanisms – where Agency and community partner employee recognition programs celebrate a positive risk culture, both formally and informally
• Ongoing monitoring of risk culture – through regular maturity assessments.
Assurance and key insights will come from an annual risk culture survey, regular pulse 
surveys and tracking performance results against key performance indicators that include 
training, application of risk management processes and demonstration of the preferred 
behaviours. 
1.5  Operating model and risk governance 
The Board is ultimately responsible for overseeing the establishment of an effective risk 
management approach at the Agency. The Board fulfils its responsibilities with advice and 
support from the Board’s Risk Committee. 
The Agency maintains strong strategic oversight of uncertainty, opportunity and risk through 
its Executive Leadership Team. The Executive Leadership Team is supported by the 
Agency’s Chief Risk Officer and the Risk Branch.  
Clear accountability for the management of key risks is also identified. The Agency has a 
comprehensive risk governance structure to support the effective management of risk within 
the Agency and across the NDIS through its community partners.  
The Agency has adopted the ‘three lines of defence’ operating model, as summarised in 
Figure 1 below:  
Figure 1: NDIA risk governance model 
All Agency and community partner team members are responsible for the day-to-day 
management of risk in their work, and for the timely identification, escalation and 
communication of risks and issues when weaknesses are found in the controls that usually 
mitigate these risks.  
Further detail on these roles and responsibilities is included in Appendix A. 
1.6  Leadership 
Achieving a culture where everybody ‘does the right thing’ requires an environment where 
people understand what the ‘right thing’ is. Leaders at all levels within the Agency are 
responsible for setting the positive tone, outlook and approach that encourages and rewards 
risk-based decision making. 
Management 
Executive staff (defined as anyone within the Agency with oversight of staff or contractors) 
will both lead and actively participate in risk and control monitoring activities to ensure 
opportunities are realised and threats are identified and appropriately mitigated. 
State executives and managers of front line staff are expected to monitor and respond to 
risks that may arise in interactions with participants and providers. This will be done by 
ensuring all Agency and Partner in the Community staff complete compulsory training and 
follow operational procedures. Risks will be addressed, mitigated and escalated as 
appropriate in real time.  
Senior Executive (defined as CEO, DCEOs and other senior executive level staff) 
communications will contain direct messages about, and examples of, good risk 
management and how it is applied to the Agency’s work in delivering on the Corporate Plan. 
In setting expectations, Agency and community partner executives are responsible for: 
• Ensuring systematic consideration of risk is part of business planning and decision making activities
• Maintaining an awareness of their critical controls and actively monitoring their effectiveness
• Frequently monitoring the risk issues affecting decision quality, participant outcomes and financial sustainability
• Advocating the value of considering risk early and often in business planning and the execution of work tasks by teams
• Encouraging reflections and learnings from successes and failures
• Rewarding team members who demonstrate risk awareness and actively manage risks
• Implementing robust systems and processes to support compliance, control and integrity throughout the Agency and its community partners
• Maintaining regular high quality risk monitoring and reporting (in accordance with section 1.8 of this RMS).
Board 
The Board, aided by its Risk Committee, will be diligent in its oversight and will support 
management in delivering effective risk management by: 
• Annually approving the Agency’s strategic risks, risk appetite statements, risk tolerance settings and key risk indicators
• Regularly monitoring performance against risk tolerance settings
• Taking account of shared risks for the NDIS which extend beyond the Agency and require shared oversight
• Being clear in its commitment to maintaining strong controls and procedures to ensure risk is well managed and obligations are met
• Holding the CEO to account for promoting and fostering risk management as a signature strength of the Agency and growing a positive risk culture.
The Board will provide the Ministerial Council with an annual risk management declaration 
regarding the Agency’s compliance with the RMS and the effectiveness of its operation. 
1.7  Capability 
Successful implementation of this RMS requires the consistent application of the following 
activities: 
• Scanning the environment (internal and external) to identify emerging opportunities and threats and take early action in response
• Universal application of common risk management principles and processes across all business planning, day-to-day team activities and delegate decision-making
• Embedding an effective, consistent approach to how financial and human resources are deployed to manage uncertainty.
The key risk management capabilities to facilitate these activities include: 
• All Agency staff having a comprehensive understanding of the NDIA’s guiding risk principles and how they apply to their individual accountabilities
• Appropriately trained and supported operational risk partners who promote, guide and facilitate Group risk management practices. These partners also provide a communication and feedback channel back to the Risk Branch
• Appropriately qualified and experienced specialist risk management practitioners within the Agency’s Risk Branch. The Risk Branch is responsible for setting the Risk Management Framework, delivery of training and providing support to Agency staff in their risk management activities
• Expert insight and advice to support our internal capability when needed, including through relationships with other commercially-oriented entities in the financial services, insurance and social services sectors.
The Agency’s Risk Management Training Strategy identifies the specific capabilities required 
to understand and manage risk at all levels of the Agency. Training will be undertaken on a 
regular basis to develop, refine and enhance these skills. 
The Agency maintains a comprehensive suite of guidelines and toolkits to enable leaders 
and team members to understand and carry out their risk responsibilities. These documents 
and tools detail the Agency’s risk management processes and approach. 
1.8  Processes and approach  
The Agency’s risk management process includes information, guidance and supporting tools 
to provide clear guidance on the identification, assessment, management, monitoring and 
reporting of both risks and issues. 
The Agency’s risk and issues management cycle is set out in Figure 1 below.  
Figure 1: NDIA risk management cycle  
The overall approach is for uncertainty, opportunity and threats to be identified, managed 
and monitored within the planning and execution levels of the Agency, as described in 
Figure 2 below. 
Figure 2: Alignment of NDIA planning and risk activities
Risk reporting will reflect performance against leading and lagging key risk indicators, 
monitoring of critical control effectiveness and treatment plan implementation. 
Coaching and support for senior leaders and their teams will be provided by the Risk Branch 
and Group operational risk partners. 
The Agency’s monitoring and reporting activities are outlined in Table 1 below. 
Table 1 – NDIA Risk management monitoring and reporting activity 
1.9  Supporting infrastructure 
Successful implementation of this RMS relies on supporting infrastructure, including: 
• An Enterprise Risk Management Plan, developed on an annual basis, to guide the effective implementation of the RMS
• Risk and issues management training, designed to build and maintain a strong level of risk management capability
• Performance assessments, designed to reinforce and recognise the demonstration of appropriate risk behaviours
• Risk systems to allow the collection and analysis of appropriate data to enable accurate reporting and guide risk-informed decision making and oversight.
The Agency’s Risk Management Framework and supporting infrastructure are documented in 
the Board-approved Risk Management Framework Architecture at Appendix B.  
1.10   Review 
This RMS will be reviewed annually. The Board’s Risk Committee will undertake an initial 
assessment and make recommendations for change, or not, to the Board for its 
consideration and approval.  
In addition, the Agency will commission an independent external review of its Risk 
Management Framework, including the RMS, every three years to assess the adequacy and 
effectiveness of risk management activities at the Agency. 