DVA’s governance and management framework is based on the principles of performance assurance and accountability within a risk management framework.
Good governance is an integral part of sound and accountable decision-making and enables us to deliver the Government’s outcomes. Ensuring that our governance structures and frameworks are efficient and fit for purpose is a key way in which we can achieve this.
During 2018–19 an external consultancy conducted a review of DVA's governance arrangements in the context of six core elements: committee structures; committee membership; decision-making; oversight; performance monitoring; and committee operations.
An outcome of this review was the design and implementation of a revised DVA governance committee structure (depicted in Figure 4 below). Relative to previous arrangements, this structure has been simplified. It provides a clear purpose for each governance entity, provides for a more efficient use of senior management resources, addresses risk and avoids duplication.
The revised structure supports us in making decisions and implementing the principles and objectives of corporate governance consistent with our obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
Figure 4: DVA departmental governance committee structure
Corporate and operational planning
The DVA Corporate Plan is published on our website and covers the next four financial years. The plan is focused on how we can ensure we achieve our strategic priorities and purposes now and into the future, as we set about fulfilling our vision to be a world class veterans’ support system. The Corporate Plan is consistent with the requirements under paragraph 35(1)(b) of the PGPA Act.
DVA conducts continual business planning through annual business plans developed at the division, branch and business unit levels to align our strategic direction with business priorities at all levels of the organisation. The business plans demonstrate how we go about achieving our key activities to deliver programs and benefits for the wellbeing of veterans and their families, respecting and commemorating service and providing strategic and evidence-based policy advice to government.
Risk management is an integral part of delivering services to veterans and their families and being accountable to the Government. Our focus on risk management is reflected in the DVA Corporate Plan and the Risk Management Framework.
The Risk Management Framework provides the necessary foundations and organisational arrangements for managing risk across the department. It complies with the PGPA Act and aligns with the Commonwealth Risk Management Policy and the international standard ISO 31000:2018 Risk Management—Guidelines. Business risks and fraud risks receive oversight from internal governance committees and the Audit and Risk Committee.
During 2018–19 DVA continued to embed a strong risk culture and behaviours across all levels of the organisation. DVA reviewed its existing enterprise risks under the oversight of the Executive Management Board and the Audit and Risk Committee. The Risk Management Framework and related policies were reviewed and updated to reflect changes in the department’s operating environment.
The annual Comcover Risk Management Benchmarking Survey gives DVA an opportunity to benchmark our risk management maturity and review and measure the extent to which risk management has been integrated into business operations. The survey also helps us to identify areas for improvement and prioritise our risk management activities.
In the 2019 survey, DVA achieved an overall maturity level of ‘Advanced’. This maintains the level achieved in 2018 and is one level above the average maturity of all 2019 survey participants, which was ‘Integrated’.
DVA’s Business Continuity Plan provides assurance that we will continue to provide essential services in the event of a major disaster or significant interruption to services. It is an integral part of the Risk Management Framework.
During 2018–19 the DVA Business Continuity Plan was not invoked.
In 2018–19 DVA’s internal audit services were provided by KPMG contractors based in Canberra. KPMG carried out independent and objective assurance activities in accordance with DVA’s Internal Audit and Assurance Strategy and the Institute of Internal Auditors standards. These activities included performance, financial and program reviews; ICT audits; and assistance and advice relating to fraud control, risk management and corporate governance.
Fraud and non-compliance
DVA has an obligation under the Commonwealth Fraud Control Framework to prevent, detect, investigate and report fraud-related activities and outcomes. We ensure compliance through the community compliance model. This model allows those who want to comply to do so easily, while those who choose not to comply will have appropriate action taken against them, including prosecution where necessary.
During 2018–19 DVA:
held quarterly meetings of the Risk and Fraud Management Committee, focused on fraud control, policy and activities and fraud awareness issues
monitored the DVA Fraud Control Plan 2018–2020 and fraud policies to ensure they were up to date and relevant
revised the Enterprise Fraud Risk Assessment in line with departmental structural changes
required all staff to undertake appropriate fraud awareness training through two mandatory e-learning courses
conducted a fraud awareness campaign during International Fraud Awareness Week in November 2018.
DVA identifies potential fraud matters through activities such as post-payment monitoring, data matching and internal audits, and responding to allegations from members of the public. We received 341 allegations of fraud in 2018–19—a slight increase from 333 allegations in 2017–18. The allegations predominantly referred to client and service provider matters.
DVA undertakes fraud investigations and, where appropriate, refers matters to the Commonwealth Director of Public Prosecutions and/or the Australian Federal Police. We referred two cases in 2018–19. As a result of fraud investigations finalised in 2018–19, $1,548,294 in ineligible payments was identified and referred to the relevant business areas for debt recovery.
In 2018–19 DVA conducted a significant review and update of the operational governance of its integrity and security functions.
The modernisation of DVA’s case prioritisation model is entering its final phase, and we expect that a final product will be ready for endorsement and implementation in the first quarter of 2019–20. The model aims to enhance the efficiency of assessing and prioritising allegations of fraud against the Commonwealth.
DVA implemented recent changes to the whole-of-Government Protective Security Policy Framework, including a change from 36 to 16 mandatory requirements. We updated the Agency Security Plan to reflect these changes and ensure compliance. The Security Committee was established, ensuring that best-practice governance structures are in place and that key and arising risks to DVA's information, people and assets are appropriately managed. We are on track to complete our security maturity report on 18 October 2019.
Business areas are obliged to notify DVA of any potential privacy breaches.
In 2018–19 DVA received 90 notifications of potential breaches. Following investigation, 41 matters were determined to be privacy breaches and 35 were found not to breach privacy. The remaining cases were still under investigation at the end of 2018–19.
In cases where a privacy breach did occur, the staff involved were counselled, and the importance of all staff exercising care and caution when processing matters dealing with personal information was reiterated. In applicable cases, recommendations and changes were made to relevant practices and procedures to minimise the risk of future breaches.
DVA is required to report significant privacy breaches to the Office of the Australian Information Commissioner. In 2018–19 we reported no significant breaches to the Commissioner, and the Commissioner made no reports to the Minister under section 30 of the Privacy Act 1988 about any act or practice of DVA.