Go to top of page

Internal governance

Our internal governance framework and processes ensure accountability and transparency and promote quality leadership, effective people management and efficient and ethical use of our resources. Our internal governance structure includes the ACIC Executive and senior management committees.

Accountable authority

The CEO is the accountable authority of the ACIC for the purposes of the PGPA Act. Mr Michael Phelan APM was appointed CEO on 13 November 2017 and held that position throughout 2019–20.

ACIC Executive

On 30 June 2020, the ACIC Executive comprised the CEO, the Chief Operating Officer, three executive directors, 11 national managers and six state managers.

Table 3.1 provides details of the positions and responsibilities of the members of the ACIC Executive.

Table 3.1: Executive positions and responsibilities

Position title and name



Chief Executive Officer

Michael Phelan APM

Responsible for overseeing the management and administration of the ACIC, managing our relationship with ministers, working collaboratively with ACIC Board member agencies, and providing leadership, strategic direction and strong governance for our agency. Our CEO is a non-voting member of the ACIC Board.

Chief of Staff

Jeremy Johnson

Responsible for government relations and engagement; media and communication; strategy; planning and performance; and strategic policy.


Chief Operating Officer

Anne Brown

Responsible for key enabling services, including people; security; business and innovation; finance; property; and legal services.

National Manager Finance, Property and Procurement/Chief Financial Officer

Yvette Whittaker

Responsible for the financial management of the agency, procurement, the national property portfolio and business support.

National Manager People, Security and Integrity

Tim Simpson

Responsible for the delivery of people management and strategies, security, integrity and organisational psychology.

National Manager Legal Services/General Counsel

Nicole Mayo

Responsible for administrative and criminal law litigation; advice on the use of ACIC powers; policy development and legislative reform; risk and audit; agreements; and our examination capability.

National Manager Business Services

Peter Ingram

Responsible for business strategy, the Portfolio Management Office and the National Police Checking Service.


Acting Executive Director Technology

Stewart Sibree

Responsible for providing and maintaining our national information capabilities and services to support policing and law enforcement.

Acting Chief Technology Officer

Sam Lewis

Responsible for capabilities required to design, develop and operate ICT solutions to ensure connectivity between our agency’s IT systems and external systems and ongoing access to critical sources of data.

Senior Advisor Business Systems Delivery

Stephen McCarey

Responsible for intelligence and national policing information ICT solutions for our agency.


Executive Director Intelligence Operations

Matthew Rippon

Responsible for ACIC investigations and intelligence operations, our intelligence products development and oversight of state managers.

National Manager Operational Strategy

Darshana Sivakumaran

Responsible for the Australian Priority Organisation Target disruption unit; transnational serious and organised crime; criminal intelligence of cybercrime and gangs; and the monitoring and assessment unit.

State Manager New South Wales

Warren Gray

Responsible for operations and stakeholder relationships in New South Wales.

State Manager Victoria

Jason Halls

Responsible for operations and stakeholder relationships in Victoria.

State Manager Queensland

Charlie Carver

Responsible for operations and stakeholder relationships in Queensland.

State Manager Western Australia

Doug Miller

Responsible for operations and stakeholder relationships in Western Australia.

State Manager Northern Territory and State Manager South Australia

Simon Warwick

Responsible for operations and stakeholder relationships in the Northern Territory and South Australia.

State Manager Tasmania

John Arnold

Responsible for operations and stakeholder relationships in Tasmania.


Executive Director Capability

Mark Harrison

Responsible for strategic intelligence, human intelligence and technical intelligence capabilities.

National Manager Strategic Intelligence Capability

Katie Willis

Responsible for national strategic intelligence, including drugs intelligence research, strategic analytics and criminal intelligence information services; and head of the determinations function for the agency.

National Manager Human Intelligence Capability

Hans Koenderink

Responsible for human source capability, undercover capability, national surveillance, behavioural intelligence capability, covert operations assurance, capability protection, and intelligence and specialist capability training and development.

National Manager Technical Intelligence Capability

Robert Jackson

Responsible for covert technical intelligence capability and operations, covert system integration, and technical intelligence analytics.


Chief Information Officer/Executive Director NCIS Program

Rochelle Thorne

Responsible for providing and maintaining national information capabilities and services to support policing and law enforcement, and for the delivery of NCIS, including the delivery of committed benefits to the ACIC and its partners.

NCIS = National Criminal Intelligence System

Senior management committees

Our committee structure comprises our Commission Executive Committee, Organised Crime Management Committee, Project Governance Committee and Corporate Committee, and several other committees, panels, working groups and consultative committees. The relationships between senior management committees are shown in Figure 3.1.

During 2018–19 and 2019–20, we adjusted our internal committee structures to align with our functions and updated organisational structure. The scope of all committees was reviewed, and the Project Governance Committee (formerly the Technology Governance Committee) was expanded to capture governance of all non-operational projects in the agency. The sub-committees of the senior management committees were reviewed and, where appropriate, removed, to streamline governance.

We will continue to review the structure to ensure that our governance is as effective and streamlined as possible.

Figure 3.1: Senior management committee structure at 30 June 2020

 *Executive committees; ^Supporting groups and sub-committees; **Legislatively required committees.

Commission Executive Committee

The Commission Executive Committee is our agency’s peak committee to support the achievement of ACIC strategic and business objectives, effective and efficient management of ACIC resources, strategic investment and management of risk. It also ensures that we are accountable and meet the expectations of the ACIC Board, the Australian Government and the public. It receives reporting and advice from other executive committees, identifies and plans for future ACIC capability investments, and makes all major resourcing and funding decisions.

The Commission Executive Committee consists of the CEO (Chair), the Chief Operating Officer and all executive directors. The committee meets monthly, or more often as required.

Corporate Committee

The Corporate Committee reviews and makes decisions on broader issues of organisational health and effective function. It receives relevant reporting on a broad spectrum of organisational health indicators and oversees key organisational improvement projects. This aspect of the committee function is supported by the National Work Health Safety Committee and the Diversity and Inclusion Sub-committee (DISC).

The committee consists of the Chief Operating Officer (Chair), the Executive Director Technology, the Executive Director Intelligence Operations and the Executive Director Capability. The Chief of Staff attends as an observer. The committee meets quarterly, or more often as required.

Work health safety committees

The ACIC has local work health safety committees and a National Work Health Safety Committee, with functions as described in section 77 of the Work Health and Safety Act 2011. Local committee meetings are held quarterly in our offices around the country and feed into the National Work Health Safety Committee meetings.

These committees are the primary means of consultation on work health and safety matters for our staff. They support the ACIC Executive by helping to identify, develop, implement and review measures designed to manage a healthy and safe workplace for all staff.

More information on National Work Health Safety Committee activities in 2019–20 is in Appendix B: Work health and safety.

Diversity and Inclusion Sub-committee

The DISC oversees the ACIC’s Workplace Diversity Program and provides support for and input into the development, maintenance and implementation of our diversity action plans. These plans focus on gender equality, people from culturally and linguistically diverse backgrounds, Aboriginal and Torres Strait Islander peoples and people with disability.

The DISC consists of Senior Executive Service (SES) level Diversity Champions and Deputy Champions and diversity working group members. The sub-committee meets quarterly and reports to the Corporate Committee.

Project Governance Committee

The Project Governance Committee provides executive insight and direction to ensure that all agency technology projects and activities are aligned to ACIC objectives and operate effectively. The committee performs a portfolio management role to enable the most effective balance between business as usual and organisational change and improvement.

The committee consists of the Chief Operating Officer (Chair); all executive directors; the Chief Technology Officer, Chief Financial Officer, Chief of Staff, National Manager Business Services, National Manager Operational Strategy, and Senior Advisor Business Systems Delivery; and the Manager Portfolio Office (Adviser), IT Security Advisor and Manager Board and Strategic Engagement (Liaison). The committee meets quarterly, or more often as required.

The Portfolio Working Group is a formal sub-committee of the Project Governance Committee. The Portfolio Working Group provides advice to the Project Governance Committee on project prioritisation, project management, and portfolio risk and issues.

Organised Crime Management Committee

The Organised Crime Management Committee makes decisions about the ACIC’s organised crime and intelligence work program and the allocation of relevant resources to support the delivery of its objectives.

The committee consists of the Executive Director Intelligence Operations (Chair), the Executive Director Capability and the Chief Operating Officer; the national managers of Strategic Intelligence Capability, Operational Strategy, Technical Intelligence Capability, and Human Intelligence Capability; and all state and territory managers. The National Manager Legal Services attends as an adviser to the committee, which meets monthly.

Strategic planning

Strategic planning ensures that our activities and resources align with our strategic priorities and support the achievement of our purpose. Two key documents set out our goals and the approach we take to achieve them:

  • the strategic plan, endorsed by the ACIC Board, which identifies our strategic objectives and articulates our functions, how we operate and our culture for the five financial years to 2022–23
  • the corporate plan, updated annually, which describes our priorities and operating environment and how we will manage risk, achieve our purpose and measure our performance over four financial years.

The strategic plan and corporate plan are available on our website at www.acic.gov.au/publications/corporate-documents.

Our strategic planning framework connects our strategic direction and priorities as approved by the ACIC Board, key activities, risk assessment, resource allocation, performance measurement and monitoring, as shown in Figure 3.2.

Figure 3.2: Strategic planning framework

 Portfolio budget statements (PBS). Flowing from the PBS—ACIC corporate plan, Strategic investment plan, Division/branch plans, individual performance plans. These each flow through to the ACIC annual report. Surrounding the flow chart and connected from the legislation at the top of the chart is the ACIC Risk Management Framework at the bottom of the chart.

Stakeholder research

We conduct an annual stakeholder survey to better understand stakeholders’ perceptions and levels of satisfaction with our delivery of systems and services. The results also help us to assess our results against our performance criteria.

In 2019–20, a specialist market research company undertook the research, which included an online survey. The survey attracted 233 respondents from a broad cross-section of agencies and classification levels and a range of areas, including policy, information systems, intelligence and investigations. Respondents were asked questions relevant to their areas of work and interactions with us.

Key results and stakeholder comments are detailed in the annual performance statements in Section 2 of this report. Respondents rated our overall performance in meeting their needs at 7.0 on a scale of 1 to 10, an improvement on the 2018–19 result of 6.9.

Most respondents agreed that the ACIC plays a unique and important role, particularly as a service provider to its partner agencies, facilitating the sharing of information through its policing and intelligence systems and collating and disseminating shared intelligence products.

Respondents rated the following as our most valuable services:

  • the National Police Checking Service
  • the production and dissemination of intelligence products
  • the provision of specialist capabilities
  • investigations work
  • information and intelligence systems and services.

We will continue to focus on what our stakeholders told us were their biggest needs over the next 12 months. For 2020–21, those needs include:

  • continued production and sharing of high-quality intelligence products
  • continued, proactive engagement with domestic and international partners and strengthened opportunities for collaboration between agencies
  • delivery of IT projects.

Internal audit

The internal audit function provides an independent advisory service which delivers support and assurance to the ACIC Executive regarding the responsible, effective and efficient use of ACIC powers and resources.

The internal audit team is directly accountable to the CEO and the Audit Committee, and the roles, responsibilities and scope of the function are set out in the ACIC Internal Audit Charter.

In supporting the ACIC to achieve its objectives, our internal audit team has three main responsibilities:

  • working with management to systematically review enterprise risks, controls, governance, systems and processes
  • adding value to the ACIC by identifying opportunities for innovation and efficiency
  • monitoring the implementation of audit outcomes.

The following key areas were examined by internal audit during 2019–20:

  • Information technology security—The audit noted the continuing maturity of the ACIC’s implementation of the Australian Signals Directorate Essential Eight.
  • Project management—The audit noted the improvements resulting from the ACIC’s adoption of the P3M framework for project management.
  • Work health and safety—The audit found that the ACIC is aware of its work health and safety risks and noted a number of improvements to the framework required to manage the broad range of those risks faced by the ACIC, given the nature of the operational activities undertaken.
  • Covert arrangements—A range of audits were undertaken in accordance with legislative requirements.

We operate a co-sourced internal audit service and contract an external provider for a small number of our audits.

Audit Committee

In accordance with responsibilities under section 45 of the Public Governance, Performance and Accountability Act 2013, the CEO has established and maintains an independent Audit Committee. The committee’s authority is established under a charter, which sets out its functions and responsibilities. The ACIC Audit Committee Charter is available at www.acic.gov.au/about-us/governance.


The Audit Committee endorses the ACIC Internal Audit Charter, approves the annual audit plan, reviews progress against the audit plan and considers all audit reports. It also monitors the implementation of all internal and Australian National Audit Office audit recommendations and takes a keen interest in the progress of recommendations arising from other review activity, including activity by the Commonwealth Ombudsman.

The Audit Committee provides advice on matters of concern raised by internal auditors or the Auditor-General and advises the CEO on the preparation and review of the ACIC’s annual performance statement and financial statements.

During 2019–20, the Audit Committee met six times and reviewed areas including:

  • financial performance
  • internal and external audit reports
  • progress against audit recommendations
  • planning and performance frameworks and reporting
  • compliance with legislation
  • risk oversight and management
  • Australian National Audit Office activity.


At 30 June 2020, the Audit Committee consisted of an independent chair and two other independent members, two members from the ACIC Executive, and an observer from the Australian National Audit Office.

As committee members, the ACIC officials provided insight and understanding into operational and technical aspects of ACIC work to support the committee’s deliberations. From 1 July 2020, the Audit Committee will cease to have members who are ACIC officials.

As prescribed under section 17AG(2A) of the Public Governance, Performance and Accountability Rule 2014, information on each audit committee member’s qualifications, attendance at meetings and remuneration is set out in Table 3.2.

Table 3.2: Audit Committee members


Qualifications, knowledge, skills or experience

Meeting attended/held

Total remunerationa

Geoff Knucke (Chair)

Bachelor of Economics (ANU), FCA, GAICD, RCA

An experienced audit committee member and chair, Geoff currently serves on audit committees for numerous government entities. He also has extensive experience as a director and serves on the boards and audit committees of several private sector entities.

He has been a full-time company director and audit committee member since 2009, following a 32-year career with Ernst & Young specialising in audit and assurance services in

the public and private sectors across a range of industries.





Bachelor of Arts and Bachelor of Laws (UNSW), FAICD

Elizabeth has over 20 years experience as a chair, deputy chair and member of boards and audit committees across a range of government and not-for-profit entities. She has broad-ranging experience in governance and the machinery of government, including in financial and performance reporting, risk, assurance, and program and project management and oversight. She is a former CEO of the Australian Transaction Reports and Analysis Centre (AUSTRAC) and senior financial services lawyer with King & Wood Mallesons.



Janine McMinn

Bachelor of Arts (Computing, Statistics) (ANU), FAICD, CISA, CISM

Janine is an independent director and executive adviser with more than 34 years experience in internal audit, risk and information technology. Janine currently sits on eight audit and risk committees and is President of the Australian War Memorial Voluntary Guides. She provides mentoring and coaching support to senior executives and to Master of Arts students at the Australian National University. Prior to retirement in 2015, she was a partner for Oakton’s ICT assurance and security business. She has advised many organisations in the management of risk and ICT security and conducted assurance reviews in public and private organisations.



Matthew Rippon

As the ACIC’s Executive Director Intelligence Operations, Matthew is responsible for ACIC investigations and intelligence operations, our intelligence products development and oversight of state managers.



Rochelle Thorneb

As the ACIC’s Chief Information Officer/Executive Director NCIS Program, Rochelle is responsible for providing and maintaining national information capabilities and services to support policing and law enforcement, and for the delivery of the National Criminal Intelligence System, including the delivery of committed benefits to the ACIC and its partners.



Stewart Sibreeb

As the ACIC’s Acting Executive Director Technology, Stewart is responsible for providing and maintaining our national information capabilities and services to support policing and law enforcement.



a Independent members receive $2,000–$2,500 (excluding GST) for each meeting, including meeting preparations. Remuneration for committee service is not applicable to members who are ACIC officials.

b Stewart Sibree replaced Rochelle Thorne as a committee member on 27 February 2020.

Risk management

The ACIC’s risk management framework assists us to make risk-informed decisions that support our work to achieve our purpose while meeting our corporate and operational accountabilities.

During 2019–20, we:

  • revised the ACIC Risk Management Policy and Procedures to more closely align with the Commonwealth Risk Management Policy and address improvement opportunities identified in the Comcover Risk Management Benchmarking Survey
  • developed more formalised risk management forums across the organisation to support a more integrated enterprise risk management framework
  • participated in multiagency risk forums and consulted with partner agencies on better practice approaches to managing risk.

Our risk function is represented at the Audit Committee and works closely with the internal audit team and the ACIC Executive.

Security and integrity

We are entrusted with special powers to enable us to effectively work with our partners to combat serious and organised crime in Australia. Security and integrity are critical in the use of these powers and in delivering our required outcome to the Australian Government, our partner agencies and more broadly, the public.

Our security and integrity framework outlines a defined approach in managing integrity and security risks across the ACIC. Our documented, agreed and understood policies, procedures and processes define how security and integrity are managed.

Protective security

The ACIC adopts a risk-based approach to the security environment, ensuring protection of people, information and assets. We continue to enhance our security maturity against the Australian Government’s Protective Security Policy Framework, under the guidance of the ACIC’s leadership team. In 2019–20, the work included the delivery of additional security awareness training; review and enhancement of the agency’s security plan to ensure that people, information and assets are appropriately protected; and appointment of a chief security officer.

In 2019-20, an agency security plan was developed to inform decision-making, help identify security requirements, and provide a planning framework to ensure that security risks are mitigated to protect all ACIC assets: people, information, property, reputation, operations and activities. The plan provides authority for the operation of management structures, the assignment of accountabilities and resourcing, to enable the governance and implementation of appropriate, risk-based protective security arrangements.

We undertook a number of significant projects in 2019–20 to enhance the ACIC’s security governance framework and enhance physical security at a number of sites to ensure the ongoing protection of sensitive capabilities. The ACIC maintains appropriate personnel security arrangements and protections, ensuring that all staff have appropriate security clearances to access required information, in addition to reviewing ongoing suitability annually.

Security incidents

The ACIC investigates all security breaches and ensures that appropriate action is undertaken. We report such incidents to external agencies where required and have a rigorous after-action process which includes providing additional security awareness training for relevant staff. Where possible, we incorporate specific examples of security incidents or breaches, within the ACIC or shared by other agencies, into security awareness sessions.

The majority of security incidents reported in 2019–20 were low level and occurred within secure ACIC premises (for example, low-level classified documents being left on desks). These incidents have not significantly compromised the security of ACIC information, people or premises.

Integrity assurance

Our integrity assurance function contributes to effective fraud and corruption control by providing a reporting, prevention, detection and investigation function regarding suspected internal fraud and corruption in the ACIC.

Fraud and corruption

The ACIC’s Fraud and Corruption Control Plan complies with the Commonwealth Fraud Control Framework, outlines our attitude and approach to fraud and corruption control, summarises risks identified in the fraud and corruption risk assessment, and details mitigation strategies recommended to treat significant risks.

The ACIC works closely with partners to ensure that we are adequately and appropriately addressing risks within our operating environment, and ensures that staff have appropriate education and awareness to identify potential instances of wrongdoing and the reporting mechanisms available.

Where fraud or corruption is suspected, the matter may be subject to misconduct investigation, criminal investigation, or both. If sufficient evidence of a criminal offence is found, the matter may be referred to the Commonwealth Director of Public Prosecutions for consideration of criminal prosecution.

We are well connected with other organisations focused on preventing corruption. We participate in the Australian Commission for Law Enforcement Integrity (ACLEI) Community of Practice for Corruption Prevention, a network of integrity professionals from the agencies under ACLEI’s jurisdiction that shares best practice strategies for detecting and deterring corrupt conduct and participates in discussions on key or emerging issues.

We are committed to deterring and preventing corruption by organised crime wherever it occurs. Where requested and as appropriate, we assist ACLEI with its investigations. We provide specialist services, including surveillance, as agreed through our memorandum of understanding with ACLEI.

Assumed identities

In accordance with Commonwealth, state and territory legislation, ACIC officers and supervised civilians may be authorised to acquire and use assumed identities for the purposes of conducting investigations or gathering intelligence in relation to serious and organised crime, or in associated support or training roles.

During 2019–20, as required under the legislation, we:

  • reported to Commonwealth, state and territory ministers in accordance with legislative requirements
  • reviewed the ongoing necessity for each authorised member of staff to continue to use an assumed identity
  • conducted mandatory audits of ACIC records relating to assumed identities.

In 2019–20, the ACIC delivered the new, bespoke Assumed Identities Management System (AIMS). AIMS is a self-service portal offering a single point of truth for activities relating to the management of assumed identities. ACIC staff will be able to use a single, secure application to undertake intelligence, investigative and research activities using assumed identities and online personas to support strategic and operational outcomes.