In compliance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and associated Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), as well as the Commonwealth Risk Management Policy, the CEO has established an internal risk management policy and an Audit and Risk Committee. The committee’s role is to provide independent advice to the CEO on the appropriateness[7] of Austrade’s financial reporting, performance reporting, system of risk oversight and management, system of internal control, and other functions relevant to the committee’s operation. The CEO approves a risk appetite statement to guide staff when making risk management decisions.
As we reshape our service offerings to meet the needs of businesses, Austrade faces a range of challenges, including supporting Australian businesses to cope with the effects of bushfires in Australia and also the impact of COVID-19 on trade and investment worldwide. In meeting these challenges, we are maintaining business continuity throughout the COVID-19 pandemic and supporting staff in Australia and around the world. Austrade recognises that our ability to identify and manage risk in a positive way is essential if we are to take advantage of opportunities.
Austrade will continue to foster a staff culture that is focused on regularly identifying, assessing and managing the risks associated with achieving organisational objectives. Austrade has a well-defined risk management framework, which includes a risk appetite statement that encourages staff to pursue innovation and actively engage and manage risk in an ethical manner and in line with individual risk appetite and tolerance. Austrade has also developed and implemented several staff training videos and updated reference materials that explain Austrade’s appetite and tolerance for different risk dimensions and how staff should apply this in their work.
Austrade managers develop mitigation strategies and actions for identified agency risks, and changes to these risk profiles are reported to the Audit and Risk Committee and the Executive Committee on a quarterly basis (or as needed), along with any emerging risks. This provides the CEO and Executive with oversight on the management and tracking of agency risks. Operational risks and mitigation strategies are documented. These risks are monitored by senior managers and discussed with the Audit and Risk Committee periodically.
Throughout 2019–20, Austrade continued to manage its exposure to risk and mitigate adverse consequences (including those caused by the COVID-19 pandemic) through the implementation of risk management principles and practices, as outlined in the Chief Executive’s Instruction on risk management, and in Austrade’s risk management policy and procedure, risk appetite statement and corporate governance framework.
Austrade’s 2019–20 agency risk management plan was prepared in accordance with the Commonwealth Risk Management Policy. The plan identifies risks with the potential to affect Austrade’s ability to achieve the objectives and priorities set out in our corporate plan.
The Audit and Risk Committee and Austrade’s internal audit service provider have both noted the mature nature of the agency’s internal control framework. The main features include:
- policies and procedures, including Chief Executive Instructions, that support compliance with legislative and administrative requirements
- a positive compliance and management environment supported by an effective schedule of delegations
- an effective internal audit function that includes both performance and compliance audits
- an effective risk management framework, including fraud controls, risk management plans, security and business continuity management, and disaster recovery plans
- compliance with the Australian Public Service Values and Code of Conduct and the PGPA Act
- monitoring controls through effective planning at the corporate, operational and business unit levels, and ongoing budget management
- accountability mechanisms, including reports, reviews and individual performance management arrangements.
Each year, staff are required to complete mandatory Austrade corporate policy refresher modules to remain informed and aware of current corporate policies and procedures.
Austrade’s internal audit function seeks to improve Austrade’s operations. It is a major component of Austrade’s governance framework and helps Austrade to achieve its objectives by bringing a systematic, disciplined approach to risk management, improvement of controls, and the effectiveness of governance processes.
The activities of Austrade’s internal auditor are risk-based and detailed in an annual audit plan endorsed by the Audit and Risk Committee and approved by the CEO. All Austrade activities are considered to be within the ambit of internal audit. The internal audit plan seeks to coordinate internal audit activity with other assurance activities and mechanisms, including external audits.
During the year, a range of compliance and performance audits were undertaken by Austrade’s internal audit service provider, PwC. The internal auditor did not identify any serious control breakdowns.
Austrade maintains fraud prevention, detection, investigation and reporting procedures aligned with its obligations under section 10 of the PGPA Rule. Austrade takes a ‘zero tolerance’ approach to detected fraud and managing fraud risks. This is consistent with the organisational risk tolerance guidance in Austrade’s corporate governance framework.
Austrade’s Fraud Control Plan 2019–2021 was endorsed by the Audit and Risk Committee in June 2019. The plan outlines how potential fraud against or within Austrade is to be minimised, rapidly detected, effectively investigated and appropriately managed (including referral to authorities), and how any resulting losses are to be mitigated or recovery proceedings instituted.
Austrade has a comprehensive training program to raise staff awareness and outreach to clients on strategies to deal with the risk of bribery in foreign markets. Since 2012, Austrade has delivered targeted training, online and in person, to Australian businesses, domestically and offshore, and to state governments in their offshore operations, articulating the risks of bribery when conducting trade in high-risk, low-governance jurisdictions. The program is delivered in-country through Austrade’s network of overseas offices via a variety of Austrade-hosted events, and in collaboration with local Australian chambers of commerce, partner agencies and civil society integrity organisations.
In the first half of 2020, Austrade reviewed all staff training and updated its online anti-bribery outreach program to provide clear, practical, accessible materials to business via the Austrade website. The outreach is focused on the evolving laws requiring businesses to ensure no bribe is offered in any part of their supply chains by any of their associates, and the prospect of prosecution for failing to prevent foreign bribery. This legal requirement will create a shift in responsibility direct to the boardroom of many of Austrade’s clients. Austrade is committed to supporting Australian businesses to comply by providing up-to-date materials, training, and access to the ‘badge of government’ in resisting corruption in low-governance jurisdictions.
Austrade will continue to play a central role in the Australian Government’s obligation to raise awareness of the evolving risks of foreign bribery among Australian businesses working overseas.
[7] For the purposes of the PGPA Act and PGPA Rule, and consistent with the rules of statutory interpretation, ‘appropriateness’ has its ordinary meaning of ‘suitable or fitting for a particular purpose’.