The NHFB is subject to legislation, regulations, standards and guidelines relevant to our status as a non-corporate entity under the PGPA Act and the Public Governance, Performance and Accountability Rule 2014.
We are also subject to both Commonwealth, State and Territory legislation when assisting the Administrator to fulfil their obligations under the NHR Act and Agreement.
We maintain an appropriate system of risk oversight, management and internal control in accordance with section 16 of the PGPA Act. Our enterprise Risk Management Framework and associated guidelines are reviewed annually. They are based on the International Standard on Risk Management (ISO 31000-2018) and align with the Commonwealth Risk Management Policy and guidance.
The NHFB manages risk to its five strategic objectives and works with the Administrator to assess and monitor broader risks to the successful operation of the Pool.
MANAGING RISK, EXPLORING OPPORTUNITIES
The NHFB continues to operate in a complex environment and 2019-20 has been one of the most challenging in terms of ‘the effect of uncertainty on objectives’. This was brought about by a number of differing priorities through the year such as the transition to a new Payments System, the new Addendum and our response to the COVID-19 pandemic.
While some of these challenges have been planned for, risk assessed and mitigated within acceptable risk tolerances, major disruptions like COVID-19 can test an organisation’s risk maturity and resilience as well as their internal capability and culture.
With a very small resource footprint, the NHFB responded well to each of these challenges while continuing to achieve our core business objectives and meet all our other regulatory and governance obligations as well.
This was possible because the NHFB has continued to develop and improve its risk management capability through a number of initiatives such as:
Setting clear direction and tone from the CEO and the Leadership team by promoting a proactive risk culture and including risk management as a standing agenda item in weekly Executive meetings and as a fortnightly ‘snapshot’ discussion with all staff;
Simplifying our risk management framework and establishing clear risk tolerances across our five key objectives; and
Empowering and supporting our staff to understand their role in managing risk and exploring potential opportunities.
OVERSIGHT AND ASSURANCE
Our formal governance structures and reporting arrangements adopt a ‘three lines of defence’ model to provide assurance over the effectiveness of current risk controls and the implementation of new treatments. This model ensures that we have robust, independent and objective oversight embedded at all levels to provide appropriate assurance.
In early 2020, the NHFB undertook a review of our risk processes to ensure we were effectively managing our risk exposure in our operating environment at that time. This review included all existing and emerging risks, potential sources and consequences as well as the effectiveness of existing controls and new treatments identified and implemented during 2019-20. The outcomes of the risk review were:
A review of our risk tolerance levels and a revised Risk Tolerance Statement for 2020-21.
A review and update of our Risk Management Policy and Framework.
A review and update of our Risk Management Instructions.
A revision of our consequence and likelihood criteria for a better alignment with our key objectives.
Revised residual risk ratings based on the continued effectiveness of all controls and the implementation of new treatments.
Simplified risk descriptions to reflect our maturity in understanding both the source and consequence of risk to objectives.
The introduction of a ‘residual risk action’ concept to balance the focus of managing risk with seeking opportunities.
Updating our risk register to reflect the implementation of new treatments and the revised residual risk ratings.