In 2019/20 we completed our first full year using the new risk reporting template developed in 2018/19, with all the risks on the risk register undergoing a thorough, scheduled review by the risk owner. After review, these risks were considered by the Senior Leadership Group, then reviewed by our Risk Assessment and Audit Committee.
This practical approach to risk was highly successful, with a number of risks being significantly updated, renewed or removed entirely based on the current risk environment. As at June 2020, there are a number of risks that have a higher risk rating and/or an increased level of treatment in response to the pandemic that has been affecting the risk environment since early March.
We progressed our Risk Management Framework, including engaging with Comcover to assist us in the process, and reaching out to other Commonwealth agencies that had recently revised their frameworks, to get best practice advice.
Improvements in our ability to manage and mitigate our risks will continue, with the recent procurement of a risk and compliance solution that will assist in the standardisation of our risk approach, and centralised management and reporting.
During 2019/20, four reviews were undertaken by the internal auditors, namely reviews of Business Continuity and Disaster Recovery Plans; Procurement and Payment Practices; Contract Management and Revenue Recognition; and AIFS compliance with the Public Governance, Performance and Accountability Act 2013 and related legislation. All reviews confirmed that AIFS has maintained, in all material respects, effective control procedures.
During 2019/20 AIFS engaged BDO East Coast Partnership to provide internal audit services.
Following a major review and update of the Business Continuity Plan last year, we conducted several scenario tests this year to identify and rectify any gaps in our planning and ensure our readiness in the event of an incident.
We also undertook a modernisation of our access to the Business Continuity Plan, moving from a paper-based approach using BCP binders issued to each staff member to a secure cloud-based solution, tailored to be accessible on mobile devices (mobile phones), so the BCP is readily available anytime, anywhere.
An internal audit of our Business Continuity Plan and readiness was undertaken that recommended minor changes to our Business Continuity planning. These changes are being enacted over the coming year.
Protective Security Policy Framework
October 2019 was the first reporting period for the new Protective Security Policy Framework (PSPF). Our results were in line with the majority of Australian Government agencies, indicating a solid implementation of the core and supporting requirements. All staff completed mandatory security awareness training in February 2020, and all security cleared staff completed an annual security check in September 2019. Our path to greater security maturity is informed by our Security Work Plan and is well underway.
The Privacy Team progressed its rollout of infrastructure to foster a culture at AIFS that respects privacy and supports building stakeholders' trust and confidence. Some of the achievements include:
- data breach response plan enabling AIFS to identify, contain, escalate, assess and respond to data breaches in a timely manner to mitigate and remediate potential harm to affected individuals
- privacy management policy to ensure active privacy management practices at AIFS when dealing with personal information
- data confidentialisation and disclosure control policy to mitigate the risk of identifying any individual or information about an individual in data held, used or disclosed by the Institute
- data de-identification framework to plan, implement and review data confidentialisation and statistical disclosure controls in a transparent and accountable fashion
- the celebration of 'Privacy Awareness Week', which included annual privacy training completed by all staff to promote privacy awareness
- drafting Privacy Impact Assessments for significant projects
- draft framework to record all personal information holdings to provide a unified view of how personal information is handled and managed, and the associated risks.
We were not subject to any privacy or Freedom of Information decisions by the Australian Information Commissioner in 2019/20.