In 2018/19 we undertook a number of activities to strengthen our approach to risk management. Initially, we reviewed the questions in the Comcover Risk Management Benchmarking Survey to identify practical and immediate ways in which we could improve the risk management maturity of the Institute across the nine elements of the Commonwealth's Risk Management Framework. Some initiatives were implemented in the lead-up to the survey, including the development of AIFS' risk appetite and risk tolerances, while the remainder formed the basis of our risk management plan for implementation throughout 2019. This led to increased maturity in seven of the nine elements in our 2019 Comcover Risk Management Benchmarking Survey results.
Improving our risk management practice and developing a positive risk culture is an important focus for the Institute. Comcover considers a positive risk culture to exist in an organisation when ‘officials understand the risks their entity faces and consistently make appropriate risk-based decisions aligned with the entity's risk appetite and tolerance’.
We began assessing our risk culture in April with a light-touch 'taking the pulse' survey. Responses to the risk questions in last year's APS Employee Census indicated that a substantial number of staff were unaware of how risk was managed within AIFS. The brief in-house survey gave us insight into our current risk culture, which we can use as a benchmark over time and to foster greater awareness of AIFS' risk appetite and risk tolerances as part of business-as-usual activity.
In September 2018, we undertook a substantial review of all enterprise-level risks. Following the review, we assigned each risk to a risk owner and set the frequency with which each risk should be reviewed (annually, biannually or quarterly). A risk review reporting template has been developed for this task, and each reviewed risk is now considered by the Senior Leadership Group (SLG). The eight key enterprise risks are reviewed by the SLG each month.
Our risk management plan includes a major review of our Risk Management Framework. As a first step, we cast a wide net to identify the different ways in which other organisations, including other Australian Government agencies, have structured and implemented their frameworks. In 2019/20 we will use this information to substantially redesign our own framework, which has not been substantially changed in 12 years.
During 2018/19, the internal auditors undertook two reviews: a review of our Information Management Security and Payroll practices, and a review of our compliance with the Public Governance, Performance and Accountability Act 2013 and related legislation. Both reviews confirmed that we have maintained, in all material respects, effective control procedures.
We currently engage BDO East Coast Partnership to provide internal audits.
We completed a major review and update of our Business Continuity Plan. In the event of a critical incident, the plan provides the guidelines we need to:
- take appropriate action to safeguard staff and property
- take action to prevent or minimise potential disruption to critical business processes
- plan and effectively manage the recovery of operations of the business to a satisfactory level.
A scenario planning exercise was undertaken by the Business Continuity Management Team in February 2019 to test the new documentation.
Protective Security Policy Framework
The Australian Government Protective Security Policy Framework (PSPF) underwent a major update in 2018/19, with the first changes coming into effect in December 2018. All staff attended mandatory training in December 2018 and January 2019 following the changes. We will continue to implement and adhere to the core PSPF requirements in accordance with the new guidelines published by the Attorney-General's Department (AGD).
During 2018/19, we implemented the first year of our Privacy Management Plan to comply with the requirements of the Australian Government Agencies Privacy Code 2018 (the Code) and Australian Privacy Principle 1.2. We tailored the plan to the specific needs of our agency. In the last year we focused on updating our Privacy Management Policy, which details how we manage personal information. We also provided privacy training to all AIFS staff on their obligations under the Privacy Act and the Australian Privacy Principles.
We were not subject to any decisions by the Australian Information Commissioner in 2018/19.