Defence Housing Australia

Risk management and internal audit support the achievement of our purposes and key performance indicators (KPIs), and ensure we comply with our legislative and contractual requirements in an ethical, efficient and effective manner. At an operational level, the Managing Director and SEG are accountable for these functions; the framework itself is overseen by the Board Audit Committee (BAC).

As DHA has a unique risk profile when compared with other government entities, the Managing Director and Board sought to strengthen our risk and internal audit functions in 2016–17. A Chief Risk Officer and Internal Audit Manager were engaged. Each manages a separate yet complementary program to actively manage, evaluate and provide guidance on organisational risk and internal controls.

Risk management

Our risk management plan has been developed to be consistent with the Commonwealth risk management policy and the international standard on risk management (ISO 31000:2009). The plan is updated annually and a detailed evaluation is undertaken biannually. Risk identification is informed by environmental scans and by feedback from first-line risk owners, the Chief Risk Officer, senior executives, the Chief Financial Officer, the Managing Director and the Board.

Our risk management function is being transformed from a compliance-based function focused on minimising risk to be integrated in organisational decision making. The aim is to use risk management to identify and pursue opportunities in line with our risk appetite and tolerances, and prioritise activities, allocate resources and deliver the purposes in our Corporate Plan more effectively and efficiently.

Compliance, fraud and corruption management

Compliance, fraud and corruption control is a subset of our risk management framework. Our fraud control framework establishes processes and controls for the prevention, detection, monitoring, reporting and evaluation of suspected fraud. The framework is consistent with the Commonwealth fraud control framework (section 10 of the PGPA Rule). There were no reports of suspected fraud made in 2016–17.

Business continuity and disaster recovery

Business continuity is a subset of our risk management framework. Our Business Continuity Plan (BCP) sets out processes in the event of a crisis or disruption to our business to enable continuation or timely resumption of critical functions.

In accordance with improvements we are making to our risk management framework, we will revise our BCP in 2017–18 to ensure it suits our unique risk profile and is consistent with the Government’s Protective Security Policy Framework and Australian National Audit Office (ANAO) guidance.

Case study: Tropical Cyclone Debbie


Queensland was severely impacted by Tropical Cyclone Debbie during the week of 24 to 31 March 2017. Branded as the most dangerous cyclone to impact Queensland since Cyclone Yasi in 2011, the event caused significant flooding along the eastern coastline.

In the lead up to the cyclone, we established a core group of staff to monitor weather conditions, determine how our operations may be affected and employ our Business Continuity Plan (BCP) as needed.

We elected to close our regional offices and contact centres in Brisbane, Ipswich and Townsville to ensure the safety of our staff. To ensure continuity of service during the danger period, calls were managed by other contact centres and offices. Staff in these offices also postponed all planned property inspections. We also provided updates to ADF members and their families, investors and other stakeholders during the danger period via social media.

Thankfully, our staff and tenants were all safe, and the cyclone caused only minimal damage to a small number of properties we manage. While we did not need to implement our BCP in full, the event was a good opportunity to test elements of it and to demonstrate that, in situations of this kind, our proactivity, collaboration and teamwork are highly effective at keeping service delivery uninterrupted.

Internal audit

Our internal audit program provides independent and objective business assurance to the Board, including the Managing Director, and demonstrates that internal controls support the achievement of business objectives. The BAC monitors the implementation of audit recommendations and reports progress to the Board. In doing so, the program assists the BAC to review organisational systems and procedures for managing performance, and to meet its performance reporting obligations in accordance with the PGPA Act.

Our three year internal audit plan is reviewed annually to align with current and emerging risks. It provides a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal audits are conducted across a range of business areas and encompass the review of financial and non-financial operations.

In 2016–17, internal audit services were provided by KPMG under a co-sourced arrangement. Reviews were completed on acquisitions, development projects, procurement, tenancy management and information management systems.

Significant issues relating to non-compliance with finance law

In accordance with section 19 of the PGPA Act, the Board (as accountable authority of DHA) must notify our responsible Minister as soon as practicable after a significant non-compliance with finance law issue is identified.[24] We must also include a statement of any significant issues reported to the responsible Minister in our annual report for that reporting period.

We reported two instances of significant non-compliance with finance law for the 2016–17 reporting period:

  1. A breach of section 27 of the PGPA Act, whereby a staff member who had tendered their resignation downloaded DHA intellectual property to a portable storage device without authorisation. The matter was swiftly identified through our security reporting systems, the materials were recovered and the staff member’s separation date was brought forward. All staff were reminded of their obligations in respect of information technology security and data management. Work was underway as at 30 June 2017 to further restrict staff members’ ability to download data to a portable storage device.
  2. A breach of section 25 of the PGPA Act, whereby former staff may have had access to an electronic newspaper subscription service after their separation date. The subscription was immediately cancelled once the matter came to our attention. We also updated various policies and procedures, including our separation process, to ensure that any subscriptions for staff are cancelled as part of our clearance process.

[24] Finance law incorporates the PGPA Act, any rules covered by the PGPA Act, any instrument under the PGPA Act and an Appropriation Act.