
4.8 Risk management

The Agency has a structured approach to identifying, managing, escalating and communicating key risks early. This is critical to the effective and efficient delivery of the Scheme. The Agency is committed to ensuring that participant supports, provider services and other critical business functions are maintained or quickly restored in the event of a significant outage, incident or crisis. The proactive use of risk management within the Agency has allowed us to support effective business planning and operations with an evidence-based approach within the appetite and tolerances set by the Board.

The Chief Risk Officer (CRO) assists the Board and the ELT by providing objective risk reviews, oversight, monitoring and reporting.

On an annual basis, the Board determines the strategic risks for the Agency, which are directly aligned to the Corporate Plan. The Board determined 11 strategic risks for 2019–20 in the areas of participant experience and outcomes, provider market growth and quality, stakeholder expectations, Scheme sustainability and Agency operational stability. The strategic risks are monitored against key indicators and performance is reported to the Board on a quarterly basis. The strategic risks are complemented by operational risks and controls which are owned and managed at group level.

In 2019–20, the Agency established and tested a robust Business Continuity Management Framework (most recently during the Victorian and New South Wales bushfire emergency and the COVID-19 pandemic) to ensure the rapid resumption of participant and provider services and critical business activities in emergency situations.

In 2019–20 an Agency-wide review of the prevailing operating risks was undertaken to validate the accuracy and robustness of the Agency risk and control framework. This reduced duplication of risks, controls and treatments by 40 to 60 per cent. A system-based quarterly risk review process is planned for all critical and high risks in line with the Agency’s risk governance requirements, including strategic and regulatory risk mapping.

In 2019–20 the Agency launched its Integrated Risk Management System—a central repository for capturing and managing strategic and operational risks, regulatory obligations, audit recommendations, incidents and business continuity plans. The system will give accountable executives enhanced awareness of risks and controls. Linkages will provide a holistic view of the Agency risk profile, which will enhance risk-based decision-making.

The Agency’s Risk in Change guide has been integrated into the Agency Change Management Framework. This will facilitate a structured approach to identifying and mitigating risks associated with strategic projects and significant operational change.

In October 2019 the Agency commenced a 12 month Regulatory Assurance Program to deliver risk-based assurance coverage over a number of key regulatory obligations and to confirm that the Agency’s control environment is effective. Two reviews were completed in 2019–20: one on the NDIS Act and one on privacy and freedom of information requirements.

In February 2020 the Agency implemented the SpeakUp platform to raise risk awareness and sustain a strong risk culture across the Agency. Since its launch, the number of incidents and potential process improvements identified and reported has increased—this has enabled us to respond promptly and take remedial action.

4.8.1 Scheme integrity


The Internal Fraud function is responsible for meeting obligations under the Commonwealth Fraud Control Framework 2017.

During 2019–20 the Internal Fraud function has enhanced the Agency’s effectiveness in dealing with reports of suspected fraud from the public, staff members or other stakeholders. The Agency continued to develop the internal fraud control process, capabilities and targeted detection profiles to manage fraud risks and reports of suspected fraud. The function has improved workflows and efficiencies in detecting, preventing, investigating and responding to internal fraud matters.

The Agency uses specific measures for countering the risk of corruption, including where staff members are targeted by external parties and where staff members engage in fraudulent behaviours in order to gain a benefit or cause a loss during or through their employment with the Agency. In 2020–21 the Agency will develop the Staff Integrity Framework, which will enhance our ability to manage internal fraud risk.

Internal fraud practices ensure that our stakeholder sector remains connected and our approach to fraud, corruption and staff integrity is consistent and aligned.


The Agency maintains a zero-tolerance approach to fraud and invests heavily in the prevention and detection of fraud. Prevention initiatives include education and awareness raising for internal and external stakeholders. This includes raising awareness of scams, which tend to increase in number during times of crisis.

In 2019–20 the Agency fully implemented its Fraud and Compliance Roadmap, completing a detailed two-year capability-building plan and embedding a more mature capability to support the Agency and the accountable authority to meet its obligations to government.

The Agency also refreshed its Fraud and Corruption Control Plan, strengthening governance and responsibilities and presenting a view of the Agency’s fraud and corruption risks to the ELT and the Board. The Fraud and Corruption Control Plan aligns with the Commonwealth Fraud Control Framework 2017.

In 2019–20 the Agency moved to a rolling program of risk assessment activities to continue to strengthen the fraud and corruption control environment and to further embed fraud risk management in the Agency’s core business. The program prioritises higher risk areas and allows for inclusion of new or emerging risks. Re-prioritisation exercises were conducted to incorporate risks arising from the bushfire crisis and COVID-19 pandemic measures.

The Agency’s fraud and corruption risk register has been improved and feedback and insights from the Australian National Audit Office’s 2019 performance audit on the NDIS Fraud Control Program have been acted upon.

The Agency has recruited and embedded permanent employees who specialise in fraud and corruption control. These experts continue to work with risk and control owners across the business to identify control vulnerabilities, assess control effectiveness and introduce additional mitigating treatments.

The Agency continues to prioritise the effective handling of reports of suspected fraud from the public or other stakeholders. The Agency’s appropriate assessment, investigation and response to allegations of suspected fraud is a key element in maintaining the confidence of stakeholders, including governments and the Australian community.

In 2019–20 the Agency introduced a scams helpline to support participants and other stakeholders who have had their personal information compromised through a scam. The Agency has continued to invest in data analytics and data matching, infrastructure, and data and intelligence analysts. More advanced analytics and machine learning have been piloted to complement these current capabilities. These advanced methods and tools will draw upon industry best practice to further extend the Agency’s fraud detection capability and continue to develop our analytics maturity.

In 2019–20, the Scheme Integrity Branch conducted a range of compliance activities, including targeted and proactive engagement and desk-based reviews, to treat payment risks arising from opportunistic and non-compliant behaviour by providers, plan management agencies and participants identified through tip-offs and a diverse range of fraud detection profiles.

The Scheme Integrity Branch has used targeted activities to engage with over 1,800 providers, plan management agencies and participants to reinforce their obligations and responsibilities when claiming payments arising from participant plans.

In 2019–20 the Agency received more than 5,000 tip-offs through the fraud reporting hotline and email. In response to increasing numbers of fraud tip-offs, the Scheme Integrity Branch commenced a Community Engagement Program pilot. The program is designed to increase the awareness of participants, providers and NDIA PiTCs of their rights, responsibilities and obligations based on analysis of fraud tip-offs.

The pilot began in outback Queensland, where there had been more than 20 tip-offs about one Scheme provider. The Agency, together with the NDIS Quality and Safeguards Commission, visited the provider, discussed the allegations and reinforced standards and expectations with the provider to ensure participants received the best possible supports. The pilot is assisted by local Agency service delivery staff, who ensure that any emerging issues are identified and addressed.

The NDIS Fraud Taskforce, initially established for two years from July 2018, has assisted the Agency to develop effective detection and response to fraud against the Scheme. The prevention and detection capabilities have now been developed into the standing structure of the Agency’s Scheme Integrity Branch. The investigation function has also matured, with successful investigations completed or currently before the courts and identified risks and business improvement opportunities fed back into the Agency. In June 2020 the Minister for the NDIS, the Hon Stuart Robert MP, approved the extension of the taskforce to 30 June 2021, allowing the joint activity of the Agency, the Australian Federal Police and Services Australia to continue focusing on serious and organised fraud affecting the Scheme.

Case study: NDIS Fraud Taskforce inquiry leads to imprisonment and forfeiture of proceeds of crime

In June and July 2018, the Agency received complaints from a range of sources about the activities and claiming behaviour of Melbourne service provider Langmann Care Pty Ltd. The NDIS Fraud Taskforce, supported by the Agency’s Fraud Intelligence Section, investigated the allegations and gathered evidence that the owner of this company, Mohamed Omar, had claimed $483,000 of Scheme funding for services to participants that had never been delivered. Omar was subsequently arrested and charged with a range of Commonwealth fraud offences.

Omar’s fraud involved NDIS plans of 230 participants. In some cases, the wellbeing of these participants and their families was detrimentally affected. Victim impact statements presented during court proceedings showed the dramatic personal impact the offending had on some of our community’s most vulnerable people.

Omar eventually pleaded guilty to the charges. On 11 July 2019 he was sentenced to four years of imprisonment. Also, as a result of the taskforce inquiry, high-end motor vehicles, luxury items and cash were seized from Omar and forfeited as proceeds of crime.

As at the end of 2019–20, the NDIS Fraud Taskforce has five further criminal prosecutions before the courts and a range of other complex and serious investigations are on foot.

Photo: Mohamed Omar being escorted by police. The man escorting Omar is wearing a black suit; a uniformed police officer wearing a police vest follows behind them.

The Agency acknowledges that, in relation to fraud and corruption control, prevention is key. The strongest defence is a sound system of internal controls. The Agency has put in place a number of elements that will bolster effective fraud and corruption prevention – for example, a leadership commitment to effective risk management and an ethical culture, supported by appropriate levels of awareness about fraud-related issues among staff, including contractors and partners. The Agency also has adequate on-boarding and off-boarding processes; clear standards of conduct; and skilled and qualified fraud control, fraud intelligence and fraud investigations personnel.

4.8.2 Internal audit

The Internal Audit function works with the Risk Branch to successfully implement effective risk management and control. It operates as the ‘third line of defence’ within the Agency. Internal Audit provides independent assurance to management and the Board through the Audit Committee and also works with management to improve the risk and control environment, acting as a trusted adviser. It works with stakeholders to ensure they understand the Agency’s strategic direction and risk profile to deliver a fully aligned, risk-focused plan incorporating both assurance and advisory engagements. Through our stakeholder engagement, findings are raised with an understanding of the operating environment and relevant insights are communicated.

In 2019–20, the Internal Audit function delivered an approved internal audit plan to the Board Audit Committee. The plan is kept current: a formal review is performed every six months to ensure that it remains relevant and is focused on the key risks facing the Agency. The results of all audits were reported to the Board Audit Committee, and progress on action plans to manage issues was monitored through an online tracking system. The status of these actions was reported to both the ELT and the Board through the Audit Committee.

In addition to raising formal issues, the Internal Audit function also provides an Awareness and Action Rating for each assurance engagement. This rating focuses on the risk management culture of the areas audited. The results are included as part of the report delivered to the ELT and the Board Audit Committee. This method of reporting assists in further maturing the level of risk management culture across the Agency.

4.8.3 External audit

The Agency maintains a close working relationship with the Australian National Audit Office (ANAO), which provides both external auditing services on the annual financial statements and performance audit services. Details of performance audits delivered during the year that have an impact on the Agency are provided in Appendix 5.8. The ANAO’s audit report on the annual financial statements is included in 3.1.

All management actions taken to address recommendations raised by the ANAO are closely tracked, with regular reporting on their status to both the ELT and the Board.

The Auditor-General tabled the ANAO performance audit report on the NDIS Fraud Control Program on 25 June 2019. The ANAO concluded that the Agency is compliant with the requirements of the Commonwealth Fraud Rule and with best-practice directions from the Australian Government Investigations Standards. The audit recognised the Agency’s ongoing investment to improve the response to fraud and non-compliance.

The ANAO made six recommendations, all of which the Agency agreed to. All recommendations have been actioned and closed.