NATIONAL COMPETITION COUNCIL - ncc.gov.au

NATIONAL

COMPETITION

COUNCIL

Risk Management Plan

2020

National Competition Council Policy

Document

May 2020

NCC Risk Management Plan 2020

Page 2

1 INTRODUCTION

1.1 What is risk management?

Risk management is the culture, processes and structures that are directed towards taking

advantage of potential opportunities while managing potential adverse effects. The purpose is

to achieve an appropriate balance between realising potential opportunities and minimising

adverse effects. This requires systematically managing activities that involve a material

degree of risk of loss or other damage to the Commonwealth.

The National Competition Council (Council) has developed this document to deliver its

obligations under the Public Governance Performance and Accountability Act 2013 (PGPA Act).

In particular, this document assists the Accountable Authority to meet its obligations under

section 16 of the PGPA Act. Section 16 of the PGPA Act provides that, effective from 1 July

2014, accountable authorities of all Commonwealth entities must establish and maintain

appropriate systems of risk oversight, management and internal control for their respective

entities. This document has been developed in accordance with the Commonwealth Risk

Management Policy 2014. In accordance with the PGPA requirements, the Council regularly

reviews its Risk Management Plan. The Council’s Risk Management Plan explicitly

acknowledges the requirement for the Executive Director and staff providing secretariat

services to the Council to promote the efficient, effective and ethical use of Commonwealth

resources.

The Council recognises the importance of properly identifying and treating the risks associated

with its functions and activities. In particular, a productive, innovative and efficient agency

requires a careful approach to managing risks and to assessing risk management.

This Risk Management Plan includes appendices as follows.

Appendix A contains the Council’s Risk Management Policy Statement.

Appendix B details the manner in which the Council has assessed its level of risk.

Table 2 of this appendix sets out the risks facing the Council and assesses the threats

to the Council in 2020 and beyond based on judgments about the likelihood and

consequences of each risk.

Appendix C contains the Council’s Risk Management Register and Work Plan for

2020-21. The appendix analyses and prioritises the risks identified in Appendix B to

determine required management actions. The register and work plan includes action

dates for the implementation of risk management strategies.

Appendix D summarises staff roles and responsibilities in relation to risk

management.

Appendix E summarises the Council’s business continuity arrangements.

1.2 Objectives of risk management

Losses relating to functions and activities can emanate from internal and external sources.

Losses can arise from client dissatisfaction, adverse publicity, poorly performing executive and

ACCC staff undertaking Council work, equipment or computer failure, legal and contractual


Page 3

matters and fraud.

It is not possible to have a totally risk free environment. The Council must assess what

constitutes an acceptable level of risk against judgments about the costs and benefits of

particular courses of action.

The Council’s objectives in adopting a risk management plan are to:

ensure that the major risks faced by the Council are identified, understood and

appropriately managed

ensure that the Council’s planning and operational processes focus on areas where

risk management is needed, and

create an environment where Councillors, the Executive Director and staff utilised at

the ACCC take responsibility for identifying and managing risk.

2 BENEFICIAL OUTCOMES

2.1 Why have risk management?

Risk management is an integral part of business planning. Appropriate risk management

policies and practices minimise the Council’s exposure to the consequences of adverse events.

Such events may include:

an inability to meet stakeholder requirements

provision of incorrect information or inadequate advice to a government minister

and consequent failure of policy to achieve its objectives

injury to Councillors

a potential or actual financial loss to the Australian Government

damage to or destruction of or loss of Australian Government property

organisational and political embarrassment

loss of professional reputation

changes to government(s) policy affecting the functions, workload and integrity of

the Council, and

an audit or legal problem.

The risk management process comprises the systematic application of management policies

and appropriate written procedures and practices to identify, analyse, evaluate, monitor and

minimise risk.

2.2 Benefits of a risk management plan

Implementation of an integrated and rigorous approach to risk management:

increases the chances of avoiding costly and unacceptable outcomes, particularly

those arising from unexpected events

provides a better understanding of Council issues and functions and supports

continuous improvement in the Council’s operations

allows the Council to better contribute to the development of regulation and policy

relating to third party access;


Page 4

helps maintain morale of Councillors and ACCC staff utilised to do work for the

Council

provides a reporting framework to assist with meeting corporate governance

requirements, and

allows for more structured and accountable business planning and project

management.

3 RISK MANAGEMENT POLICY AND PROCESS

3.1 The Council’s risk environment

The Council’s Risk Management Plan is framed in light of the initiatives and objectives as set out

in its Corporate Plan 2019-2020. The Risk Management Plan takes into account the Council’s

size and the nature of its operations. The Council is a small, non-commercial, government

agency that is financially dependent on a Parliamentary appropriation. The Council helped

deliver the National Competition Policy (NCP) reform program Australian governments

committed to in 1995 until the conclusion of the NCP in 2005-06, and now advises government

ministers concerning third party access to the services of national monopoly infrastructure. In

doing so, the Council advises governments and ministers (Commonwealth, state and territory),

makes some (limited) decisions and consults with a range of external stakeholders.

From 1 July 2014 the Council entered into a Memorandum of Understanding (MOU) with the

Australian Competition and Consumer Commission (ACCC), whereby the ACCC provides

secretariat services to the Council. Hence, rather than directly engaging staff (and other

resources), the Council draws on ACCC staff and resources when required. The new

arrangements are structured so as to maintain the Council’s independence, whilst enabling the

Council to provide high quality and timely recommendations in response to access-related

applications. The ACCC has its own Risk Management Policies, Procedures and Guidelines which

are applicable to its staff, including when they are undertaking Council work. The Council and

the ACCC have also put in place a Conflict of Interest Protocol, and Confidential Information

Protocol, for ACCC staff working on Council matters.

3.2 Risk identification and treatment

The Council faces risks that may affect:

its reputation, and/or that of its Councillors and/or stakeholders in regard to quality

of the information, advice and recommendations it provides

its performance against strategic priorities, such as the achievement of legislated

milestones, and

the integrity of its decisions and processes.

As well as the strategic and performance-related risks inherent in its work, the Council also

enters into contracts of a commercial nature. This may create additional financial and

commercial risks.

For each category of risks it faces, the Council has assessed the likelihood and potential

consequences of an adverse event, prioritised each category of risk according to the level


Page 5

of threat facing the Council and determined its risk appetite. The Council has then determined

strategies for managing risks, devoting greatest resources to the risks considered to present a

severe, substantial or major threat. (Appendix B identifies the potential risks facing the Council

and assesses and prioritises the level of threat posed by each risk. Appendix C provides a

Work Plan for managing the identified risks.)

Under the MOU, the ACCC provides a range of services to the Council. This arrangement gives

rise to some risks that are shared between the entities (e.g. the provision of IT equipment and

payroll/accounting services). These risks are mitigated and managed through the risk

management frameworks, policies and strategies implemented by the ACCC. Furthermore, the

annual testing of ACCC/AER business continuity planning specifically includes considerations of

potential impact arising from an ACCC/AER business event to the Council; and should such

impact eventuate, the ACCC will notify the Council and/or the Council’s Audit Committee.

3.3 Risk Management Plan

Accountable authority responsibilities

The accountable authority of the Council is responsible for an entity’s performance in managing

risk. The accountable authority defines who is responsible for determining an entity’s appetite

and tolerance for risk and allocates responsibility for implementing the entity’s risk

management framework. The responsibility for the day-to-day management of risk lies with

staff at all levels.

Staff responsibilities

All ACCC staff working on Council matters are expected to contribute to minimising risks.

The Executive Director is responsible for ensuring that the risk management

processes and controls identified in the Work Plan are built into the strategic and

business planning of the Council.

The Executive Director is responsible for coordinating the implementation of the

Risk Management Plan and reporting to the Council in a timely and effective

manner.

The Executive Director is responsible for overseeing the implementation of

processes relevant to the Council’s work, including ensuring that ACCC staff working

on Council matters understand the Risk Management Plan and implement endorsed

processes.

The Council’s Audit Committee provides general direction on the scope and implementation of

the Risk Management Plan. The Audit Committee considers the Council’s performance against

the plan and reviews the Council’s risk management arrangements every two years.

(Appendix D summarises staff roles and responsibilities in relation to risk management.)

4 OUTCOMES

4.1 Deliverables

The key deliverables in the Risk Management Plan are the management actions identified in the


Page 6

Work Plan (see appendix C).

To ensure effective achievement of the deliverables, the Council:

has educated staff it utilises from the ACCC on its risk management procedures and

trains additional contractors as appropriate

monitors performance against its work plan

monitors the risks associated with contractors and clients, and ensures that

management of risks is appropriately considered in contracts

incorporates consideration of risk management performance into the performance

assessment of the Executive Director

considers performance against the Risk Management Plan annually

includes risk management, code of conduct and fraud control awareness in

induction material for ACCC staff undertaking Council work, and

ensures the Risk Management Plan, any changes to the plan, and related

information are provided to ACCC staff that undertake Council work, and that the

plan is published on the Council’s website and ACCC intranet.

4.2 Financial implications

The costs of implementing the Risk Management Plan are predominantly ACCC staff time,

particularly that of the Executive Director. Given its small size, narrow set of functions and

relatively low risk environment, the Council does not allocate funding explicitly for risk

management activities.

There is expected to be a net benefit from the operation of the plan, arising from lower

costs from reduced:

staff time lost as a result of adverse events

litigation costs, and

insurance premiums.

There will, of course, be other gains such as benefits from the provision of better advice and

information to governments and other key stakeholders and improved morale.

5. REVIEW

The Audit Committee reviews the Risk Management Plan every two years. The next review will

occur at the first meeting of the Audit Committee in 2022.


Page 7

Appendix A Risk Management Policy Statement

1. The Council is committed to the management of risks to protect:

the governments it advises

its other stakeholders

its quality of service

its assets and intellectual property

its contractual and statutory obligations, and

its image and reputation.

2. Risk management is a key part of improving the Council’s business and services. The Council’s aim is to achieve best practice in managing all risks.

3. Risk management standards involving risk identification and risk evaluation linked to

practical and cost-effective risk control measures are in place and are regularly reviewed.

4. Risk management is a continuous process demanding awareness and proactive measures

by all the ACCC employees who perform Council work and outsourced service providers to

reduce the occurrence and impact of risk events.

5. The Council’s Risk Management Plan assists the Executive Director and ACCC staff who

perform Council work to apply appropriate risk management arrangements and to develop

skills in dealing with and understanding risk management. The nine elements of the

program are:

Development of a risk management policy

Establishing a risk management framework

Defining responsibility for managing risk within the Council

Embedding systematic risk management into the Council’s processes, ie,

assessment and prioritisation of the risks facing the Council

Supporting the development of a positive risk culture

Consulting and reporting on risk management policy and any issues

Implementing arrangements to understand and manage shared risk, ie,

educating and training in risk management of ACCC staff who perform Council

work.

Maintaining risk management capability, and

Reviewing and continuously improving the management of risk


Page 8

Appendix B Threats posed to the Council

Introduction

This appendix identifies the risks facing the Council and prioritises them on the basis of the

potential overall threat that each risk poses to the Council in the period 2020 and beyond.

Assessing the threat posed to the Council

The Council has estimated the potential threat posed by each category of risk on the basis of

the likelihood of occurrence of the risk (frequency or probability) and the expected

consequence (impact or magnitude). The basis for the Council’s assessment of potential

threats is set out in Table 1.

Table 1 Level of threat posed by risks: likelihood of occurrence and consequences of risks

Likelihood

Consequences

Extreme Substantial Medium Minor Negligible

Almost certain severe severe high major significant

Likely severe high major significant moderate

Possible high major significant moderate low

Unlikely major significant moderate low very low

Rare significant moderate low very low very low

Examples of the level of threat

1 - Severe: consequences would threaten the survival of the Council

2 - High: consequences are significant for the effectiveness, operations and reputation of

the Council, but are unlikely to threaten the survival of the Council

3 - Major: consequences are signif icant for particular programs and operations and

threaten continuation of those programs or impair their effective undertaking

4 - Significant: consequences adversely affect particular programs and operations and the

effectiveness of the Council

5 - Moderate: consequences may affect effectiveness of particular programs and

operations

6 - Low: minor consequences for the Council and/or particular programs and operations

7 - Very low: negligible consequences for the Council and/or particular programs and

operations


Page 9

What is an acceptable risk?

Determining that a risk is acceptable does not imply that the risk is insignificant. A risk may be

considered to be acceptable because:

the threat posed is assessed to be so low (for example because the likelihood of

occurrence is rare) that specific treatment is not necessary

the risk is such that the Council has no available treatment, for example, the risk of a

change to a particular project might occur following a change of government

the cost of treating the risk is so high compared to the benefit from successful

treatment, or

the opportunities presented outweigh the threats to such an extent that the risk is

justified.

The Council is willing to accept significant, moderate, low or very low risks, and through the Executive Director and/or the President will act to monitor and manage severe, high or major risks. The Council has determined its risk appetite and associated management/treatment actions for each level of risks, as set out in the section below.

Treatment of risks

Treatment involves deciding what management measures need to be put in place to minimise

the threat posed by identified risks. Treatment options include:

measures aimed at avoiding or minimising the risk

measures to reduce the threat posed by the risk, either by reducing the likelihood of

the risk and/or its consequences

measures aimed at improving the capacity of the Council and the ACCC staff who

perform Council work to deal with actualised threats

transferring the threat by shifting the risk to another party via, for example,

contracting out or insurance, and

accepting the risk without taking any action to avoid it, but monitoring the risk and

ensuring that the Council has the financial and other capacities to cover associated

losses and disruptions.

Risk appetite and strategic approach to managing each level of threat

No. Level of threat Appetite Responsible officer(s) and action

1 Severe No appetite Executive Director to develop a detailed management plan; specific management by the President and the Executive Director

2 High Low appetite Executive Director to develop a detailed management plan; specific management by the President and the Executive Director

3 Major Moderate appetite

Ongoing monitoring and management action by the Executive Director

4 Significant Moderate appetite

Ongoing monitoring by relevant ACCC staff with action as necessary


Page 10

5 Moderate Moderate appetite

Ongoing monitoring by relevant ACCC staff with action as necessary

6 Low High appetite Ongoing monitoring by relevant ACCC staff with action as necessary

7 Very low High appetite No action generally required

Risk register

Table 2 provides a register of the level of threat to the Council in the period 2020-21 from

identified, unmitigated risks.

Page 10


Table 2 Register of unmitigated risks and assessment of threat 2020-21

Threat Description of the risk Likelihood of

occurrence

Consequences of

occurrence

Assessed threat to the

Council

1 Political, funding or regulatory function changes that affect the Council Possible Extreme High (2)

2 Inability to maintain a quorate Council comprising appropriately qualified non-

conflicted Councillors

Possible Substantial Major (3)

3 Incorrect or poorly reasoned advice or information to the Treasurer, governments or

other stakeholders


4 Litigation against the Council arising from incorrect or poorly reasoned advice or

process


5 Damage to credibility from overturn of a recommendation Possible Substantial Major (3)

6 Inability to fund significant litigation Unlikely Substantial Significant (4)

7 Essential information lost, including information that is the property of external

parties

Rare Extreme Significant (4)

8 Secretariat arrangements with ACCC fail to support the Council’s independence,

including through actual or perceived conflicts of interest with the Council

Possible Substantial Significant (4)

9 Financial loss, including due to fraud against the Commonwealth Unlikely Substantial Significant (4)

10 Failure of contractors to fully comply with their contract obligations Unlikely Medium Moderate(5)

11 Failure to meet reporting deadlines Possible Medium Significant (4)

12 Inability to secure suitable personnel to perform secretariat services Unlikely Substantial Significant (4)

13 Lack of access to or failure of ACCC’s IT and communications systems /equipment and support that the Council relies upon

Possible

Medium Moderate (5)

14 Improper disclosure of information, including emails to Councillors Rare Substantial Moderate (5)

15 Councillor injury or illness due to workplace causes including official travel (work

health and safety matters)

Rare Medium Low (6)

Page 11


Threat Description of the risk Likelihood of

occurrence

Consequences of

occurrence

Assessed threat to the

Council

16 Councillor illness due to exposure to COVID-19 while on official duties Rare Medium Low (6)

Page 12


Appendix C Risk Management Action Plan 2020-21

Table 3 describes the risk management treatments (actions) to be implemented and the residual risk rating after treatment.

The Council is comfortable with the residual level of risk once the risk mitigation actions have been implemented.

Table 3 Risk Management Action Plan 2020-21

Risk Description of the risk Assessment of the threat posed

by the unmitigated risk

Risk mitigation action Timing of management

action

Assessment of the threat

posed after risk mitigation

action 1 Political, funding or

regulatory function changes that affect the Council

High (2) 1. Contact with Commonwealth ministers and ministers from other jurisdictions and their advisors to explain access issues under Part IIIA and the National Gas Law

2. Contact with Treasury and other agencies to monitor potential changes in policy and legislation

3. Council participation where possible at senior level, in external processes covering areas of work that are relevant to the Council

All controls in place.

This risk is largely

outside Council’s control.

High (2)

2 Inability to maintain a quorate Council comprising appropriately qualified non-conflicted Councillors

Major (3) 1. Ministers and Treasury kept aware of their responsibilities on Councillor appointments

2. Three Councillors appointed at all times 3. Liaise with Treasury to outline the value of having a fourth Councillor

All controls in place

Significant (4)

3 Incorrect or poorly reasoned advice or information to the Treasurer, governments or other stakeholders

Major (3)

1. ACCC staff conducting Council work are appropriately supervised and monitored

2. Regular meetings with ACCC staff conducting Council work are held with Executive Director

3. Recognised economic and legal experts contracted to provide advice on significant matters where the Council does not have expertise

4. Council meetings to provide oversight and advice 5. Effective links with governments 6. Advices, information, etc to governments and others on sensitive and

key issues approved by Council, Executive Director and/or President

All controls in place

Significant (4)

Page 13





action



action 4 Litigation against the

Council arising from incorrect or poorly reasoned advice or process

Major (3) 1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise

2. Council meetings to provide oversight and advice 3. Advice, information, etc to governments and others on sensitive and

key issues always approved by the Council, Executive Director and/or President


Executive Director monitors relevant APS processes.

Significant (4)

5 Damage to credibility from overturn of a recommendation

Major (3) 1. Recognised economic and legal experts contracted (for legal experts, using APS Legal Services Multi-use List or similar) to provide advice on significant matters where the Council does not have expertise

2. Council meetings to provide oversight and advice 3. Advice, information, etc to governments and others on sensitive and

key issues always approved by the Council, Executive Director and/or President

4. Best affordable legal representation is obtained


Executive Director monitors relevant APS processes.

Major (3)

6 Inability to fund significant litigation

Significant (4) 1. Insurance cover in place, reviewed annually 2. Appropriation available each year to cover normal legal costs and

measures to obtain additional funding if necessary


Appropriation (and reserves) sufficient to provide Council services including nominal budget allocation for external legal and

economic services.

Moderate (5)

Page 14





action



action 7 Essential information lost,

including information that is the property of external parties

Significant (4) 1. ACCC staff conducting Council work are located in secure office buildings with access available only via access card

2. Data maintained on servers is backed up nightly and located off-site, managed by the ACCC

3. Effective electronic document management 4. Councillors implement basic security measures for their electronic

devices when using Blackberry: including password protection and remote wipe capabilities (advice issued).

5. Files that contain sensitive information converted to pdf format and marked with appropriate document classification level

6. Council papers and Audit committee papers stored on Govteams or similar platforms, with access provided to Councillors (and ACCC staff as appropriate).


Effective document management system is managed by the ACCC’s systems

Significant (4)

8 Secretariat arrangements with ACCC fail to support the Council’s independence, including through actual or perceived conflicts of interest with the Council

Significant (4) 1. ACCC-NCC Conflict of Interest Protocol agreed between the agencies, and followed by ACCC staff

2. ACCC-NCC Confidential Information Protocol agreed between the agencies, and followed by ACCC staff

3. ACCC staff, including Executive Director, discharge duties to the Council in accordance with the Council’s direction

4. Regular consideration of matters at Council meetings to provide independent oversight of secretariat activities

5. External peer review mechanisms available to be utilised where cost-effective to do so

6. Periodic reporting by Executive Director to Council of ACCC staff working on NCC-related matters


Ongoing Council oversight on matters before it.

Significant (4)

Page 15





action



action 9 Financial loss, including due

to fraud against the Commonwealth

Significant (4) 1. Financial delegations and established processes for approval of expenditure in place

2. Fraud Control Plan in place and reviewed every two years 3. Certificate of (financial) Compliance process undertaken annually


Fraud Control Plan reviewed in May 2020.

Annual certificate of (financial) compliance / agency viability process undertaken in accord with Finance Minister’s requirements.

Moderate (5)

10 Failure of contractors to fully comply with their contract obligations

Moderate (5) 1. Performance of contractors against their obligations monitored 2. Arrangements for reporting to contractors on their performance

relative to their obligations in place 3. Contracts include, where feasible, performance indicators and penalties

for non-compliance


Low (6)

11 Failure to meet reporting deadlines

Significant (4) 1. Work program regularly reviewed 2. Project team meetings, as required, to review progress 3. Standardised application templates and processes with all information

required for public participation on the Council website 4. Strong emphasis placed on meeting statutory timeframes, including

reporting to Parliament in annual report


Council considers work program and oversees progress with major issues at meetings.

Moderate (5)

Page 16





action



action 12 Inability to secure key

personnel to perform secretariat services

Significant (4) 1. ACCC provides all secretariat services required by Council and has a large pool of staff available to it to perform its work

2. ACCC has an attractive work environment including diverse, challenging and rewarding work with maximum possible flexibility provided when possible

All controls in place and regularly reviewed.

Moderate (5)

13 Lack of access to or failure of communications systems / equipment managed by the ACCC

Moderate (5) 1. All equipment is managed by the ACCC. Refer to ACCC risk policy in this regard

ACCC has appropriate controls in place.

Moderate (5)

14 Improper disclosure of information, including emails to Councillors

Moderate (5) 1. Contracts incorporate Commonwealth Government requirements 2. Arrangements for accepting and protecting confidential material in

place, including protocols for publishing applications and related material

3. Full listing of material relied upon included with every recommendation decision

4. Appropriate protection on Councillors’ electronic devices when using Blackberry, including passwords (see also item 7)

Council outputs developed under supervision of the Executive Director and reviewed by Council before release.

Councillors use password protection on electronic devices.

Moderate (5)

Page 17





action



action 15 Councillor injury or illness

due to workplace causes including official travel (work health and safety matters)

Low (6) 1. ACCC’s Work Health and Safety Policy addresses most risks relating to the physical work environment

2. Appropriate insurance arrangements in place (Comcare, Comcover) including coverage for councillors on official travel

3. Travel policy providing appropriate travel and accommodation arrangements in place

All controls in place, including annual review of insurance cover.

Low (6)

16 Councillor illness due to exposure to COVID-19 while on official duties

Low (6) 1. Appropriate insurance arrangements in place (Comcare and Comcover).

2. ACCC’s work health and safety policy addresses most risks relating to the physical work environment. This includes protocols for physical distancing in the office and meeting rooms, the availability of hand sanitisers and additional cleaning of the ACCC offices.

3. Since March 2020, Council meetings are held online via MS teams or teleconference rather than in the ACCC offices to limit Councillors’ exposure to COVID-19.

All controls in place, including annual review of insurance cover and payment of increased premiums to cover the effects of COVID-19 pandemic.

Low (6)

Page 19


Appendix D Staff roles and responsibilities

Executive Director

Oversees the implementation of the Risk Management Plan

Ensures the ongoing review of risks and update of risk registers is performed under

supervision by the Council

Encourages a management climate which is aware of and supports risk management

Oversees development of processes to deal with new risk management issues

Ensures risk management controls and processes are built into strategic planning

processes

All ACCC staff who perform Council work

Identify new risk management issues and report problems to the Executive Director

in a timely and effective manner

Assist in developing processes to deal with new risk management issues

Page 20


Appendix E Business continuity

The Council has no staff or offices under the MOU with the ACCC, and therefore relies upon the

ACCC’s business continuity plan in most respects (which also takes into account the NCC’s

business needs).

Continuation of IT services and legal services

All the Council’s IT services are managed by the ACCC. The ACCC server, which holds the

Council’s data, is backed up and stored offsite in Canberra. Accordingly, the risk of data loss is

minimised in the event of damage to the ACCC office premises or server. The risks of managing

these systems are met by the ACCC.

The Council purchases legal services using the APS Legal Services Multi-use List (or equivalent).

While bearing in mind possible conflicts of interest, the Council anticipates that it should have

little difficulty obtaining the legal services it needs from firms on the APS list.

Documents

NATIONAL COMPETITION COUNCIL - ncc.gov.au