Entry Submission – 2010 Comcover Awards for Excellence in Risk
Enterprise-wide Risk Management
Private Health Insurance Administration Council
The Private Health Insurance Administration Council (PHIAC) regulates the private health
insurance industry in Australia. It was established as a body corporate under section 82B of the
National Health Act 1953 in 1989 and continues its existence under section 264-1 of the Private Health
Insurance Act 2007 (PHI Act), which came into effect on 1 April 2007.
The Council consists of a Commissioner and two to four other members, all appointed for a finite
term by the Minister for Health and Ageing. The Council appoints a Chief Executive Officer and
employs the number of staff (currently 30) it considers necessary to assist in the performance of its
functions and the exercise of its powers.
PHIAC is responsible to the Minister for Health and Ageing.
Under the PHI Act, PHIAC is instructed to strike an appropriate balance between the following:
1. Fostering an efficient and competitive health insurance industry
2. Protecting the interests of consumers
3. Ensuring the prudential safety of individual private health insurers.
PHIAC is funded through a levy imposed on private health insurers under the Private Health
Insurance (Council Administration Levy) Act 2003 and is prescribed as a Commonwealth authority
under the Commonwealth Authorities and Companies Act 1997.
Enterprise-wide Risk Management
PHIAC uses Enterprise-wide Risk Management (ERM) to identify and bring together the
organisational components that contribute to the overall purpose of the organisation, in a way
that assists in managing all risks associated with that purpose.
Risks exist at all levels of the organisation, and these risks are interdependent.
Through ERM these relationships are better understood across business operations with the
outcome being improved control through planning, compliance and reporting.
PHIAC has established an enterprise-wide risk management framework that is based on the
COSO Enterprise Risk Management Integrated Framework (better practice) and has been tailored
for PHIAC’s regulatory function and business environment.
Components of the ERM Framework
There are three components of the ERM framework:
1. Objectives – identifies the main categories of objectives within PHIAC
2. Internal Control – establishes the factors contributing to effective control of the PHIAC
internal working environment
3. Risk Management – defines the policy, governance and methodology for risk management
Figure 1 – PHIAC’s Enterprise-wide Risk Management
This chart summarises the risk management approach.
It appears as a cube of which three faces are visible. All faces are connected, and therefore the
areas they represent are connected. The front face shows the areas of Risk Management: Risk
Policy, Risk Governance, Risk Assessment and Risk Reporting. The top face shows the
Objectives: Strategic, Industry and Corporate. The side face shows the Internal Controls: Purpose,
Commitment, Capability, and Monitoring and Learning.
ERM Framework Component – Objectives
Three categories of objectives have been established to define the main functions within PHIAC.
1. Strategic – those objectives that define the organisation’s purpose and establish outcomes
expected of PHIAC. Contained in the PHI Act 2007, Portfolio Budget Statements and
PHIAC Corporate Plan
2. Industry – those objectives that relate to the organisation’s function and establish clear
business deliverables for PHIAC. Contained in the PHI Act 2007, Portfolio Budget
Statements, PHIAC Corporate Plan, PHIAC Position Statements
3. Corporate – those objectives that relate to the operations of the organisation. Found in
legislation, management practices, etc
Across this component, 25 risks (strategic, industry and corporate) have been identified and form
the foundation of PHIAC’s risk universe. Each of these 25 risks has an identified owner who is
responsible for:
Completing a risk assessment;
Implementing and monitoring controls; and
Reporting on enterprise risks, risk levels and control effectiveness.
This responsibility is embedded in duty statements and was relayed to relevant officers through a
presentation on ERM reporting.
Responsibility is further reinforced on a monthly basis, when each ERM risk owner is required to
report on their risks. This monthly reporting is consolidated into a monthly ERM risk report that is
provided to the PHIAC Executive Management Committee – see template at Attachment 2.
ERM Framework Component – Internal Control
PHIAC has adopted the CoCo model of internal control developed by the Canadian Criteria of
Control Board. This framework defines the components of internal control as:
Purpose
Commitment
Capability
Monitoring and Learning
The application of internal control is based on achieving a balance of effective control in each
component so that staff are guided by an understanding of their purpose (the objective to be
achieved) and supported by capability (information, resources, supplies and skills). Staff also
need a sense of commitment to perform their tasks well and should monitor their performance
and the external environment to continually improve their performance.
Each component of the internal control framework has a number of specific controls that are
measured in PHIAC using a control self assessment (CSA) process. This measurement
establishes a level of effectiveness for each control, and the CSA results are used to drive the
development of performance improvement activities at PHIAC’s strategic and operational planning
meetings.
At this stage, accountability for the components of internal control has not been assigned to
individual staff, on the principle that all staff are responsible for the internal control
environment. Specific improvement activities developed to support improved internal control are,
however, assigned to individual staff.
Figure 2 – PHIAC’s Enterprise-wide Risk Management Framework
This chart summarises PHIAC’s Internal Control Framework.
Performance and Outcomes are at the centre, with a number of other values linked by a
line of action.
Purpose is connected by action to Commitment, which is connected by action to Capability, which
is connected by action to Monitoring and Learning, which is connected by action back to Purpose.
ERM Framework Component – Risk Management
The Risk Management Framework sits within the ERM Framework and acts as a catalyst for the
processes supporting effective control of the internal working environment and achievement of
corporate and business objectives. The framework establishes the following elements of effective
risk management:
Risk Policy – the policy statement on the purpose of risk management
Risk Governance – a model or framework for the governance of risk management
Risk Assessment – the methodology for risk assessments
Risk Reporting – how risks are to be monitored and reported
The effective operation of all elements of the framework produces efficient and effective risk
management across all aspects of PHIAC’s business operations.
In 2010, PHIAC reviewed and republished its Risk Management Policy. This revised policy
outlines a policy statement, purpose, scope and objectives, and then defines further policy details
including governance, methodology, tolerance, escalation and reporting. Finally, roles and
responsibilities are detailed, from the Board through to individual employees, and the commitment
to evaluation and review is re-established.
The revised PHIAC Risk Management Policy 2010 moves risk management towards a more
effective application of risk management supporting the achievement of strategic and corporate
objectives. It does this through authorising, informing, defining, driving, building, maintaining and
accounting for the processes of risk management and risk governance.
The policy also establishes the mechanism for determining levels of risk tolerance across the
organisation. The approach that has been established is to set a minimum risk level that is
acceptable for all risks faced by PHIAC, regardless of the context in which they exist.
Through the tailoring of consequence and likelihood criteria as part of the risk assessment process,
risk levels remain firmly related to the objective against which they are identified and assessed. If
risk levels are assessed outside tolerance levels (as defined in the risk management policy), action
must be taken and the next level of management must be involved in reducing those levels.
The risk management policy is scheduled for review in July 2013.
Risk governance in PHIAC is the way in which risk management is integrated into the
organisation’s overarching governance framework and management system.
Risk management underpins effective governance in PHIAC through informing the development of
corporate, team and individual work objectives, and providing a framework for risk management
reporting to the Executive Management Committee, Audit & Compliance Committee and Board.
Risk management also forms the basis of the annual audit work program where audit topics are
selected from the risk universe based on a range of control criteria.
At the individual staff member level, all position statements in PHIAC include the following duty:
Identify, manage and report on risks to your work objectives. Comply with all relevant policies and
procedures to assist the control of enterprise-wide risk
The PHIAC Executive Management Committee receives a monthly enterprise-wide risk report that
discusses key risks of concern and provides the following information about each enterprise level
risk:
Current risk level
Trend of the risk level
Status of the control framework
Comments, issues or concerns
Ultimately, responsibility for the performance of PHIAC rests with the PHIAC Board, whose key
responsibilities are detailed in the Board Charter. Included in these key responsibilities is the
following:
Ensuring all major business risks are identified and effectively managed
To assist it to discharge its responsibilities, the Board has established an Audit and Compliance
Committee (A&CC) as a subcommittee of the Board. The A&CC receives the most recent monthly
enterprise-wide risk report at each of its meetings, and subsequently reports to the Board on the
management of risk within PHIAC as well as any specific risk issues that have been raised through
the enterprise-wide risk report.
Figure: Governance Framework
This chart summarises the Governance Framework of PHIAC.
The PHIAC Board and its subcommittees sit at the top of the chart. They have two-way
communication with PHIAC Executive Management.
PHIAC Executive Management feeds down to a box on the side containing Statutory
Responsibilities, Political Direction and Risk Management. It also feeds down to the Corporate
Plan, and to another box on the side containing Audit and Assurance, Performance Monitoring and
Reporting.
Statutory Responsibilities, Political Direction and Risk Management also feed through to the
Corporate Plan, Work Plans, Performance Agreements and Position Statements.
The Corporate Plan feeds through to Audit and Assurance, Performance Monitoring and Reporting,
and also down to the Work Plan.
The Work Plan feeds across to Audit and Assurance, Performance Monitoring and Reporting, and
also down to Performance Agreements.
Performance Agreements feed across to Audit and Assurance, Performance Monitoring and
Reporting.
Position Statements feed across to Audit and Assurance, Performance Monitoring and Reporting,
and also up to Performance Agreements.
PHIAC’s risk management processes are based on the risk management process detailed in the
International Standard for Risk Management, ISO 31000:2009.
A guide to risk management has been developed to support the consistent application of risk
management by PHIAC employees. By following the procedures and processes in this guide,
PHIAC employees are able to identify, control and report on risks to objectives that fall under their
PHIAC’s risk policy 2010 states that PHIAC will rigorously apply risk management principles and
practices across all aspects of its business operations. The guide to risk management assists
PHIAC employees to comply with the PHIAC Risk Management Policy.
In July 2010, all PHIAC staff participated in a one day training course conducted by Comcover,
covering risk management fundamentals. The course drew on both the existing risk management
training material and PHIAC’s guide to risk management. PHIAC is planning to conduct a more
advanced risk management training course early in 2011.
PHIAC has engaged a senior (EL2) risk management specialist as a permanent member of staff,
to support the application of risk management throughout the organisation. This role, Director of
Risk Management, supports all aspects of risk management including:
Assisting staff with risk assessments;
Conducting risk workshops; and
Selecting and tailoring risk management approaches to organisational requirements.
The engagement of a risk management specialist at this level demonstrates PHIAC’s commitment to
embedding risk management into the governance, management and operations of the
PHIAC has selected a risk assessment technique known as Control Self Assessment to assess
risks to the internal control environment. Using this technique, PHIAC draws on the views and
perceptions of those who have the most influence over the risks to the internal control
environment: its staff.
By accepting a range of risk assessment methodologies, PHIAC is able to match risk assessment
techniques with the range of contexts where risk management is applied.
Another example is the use of scenario modelling techniques to assist staff in completing different
aspects of the risk management process. PHIAC’s guide to Scenario Analysis and Modelling
Techniques provides staff with instruction on a range of applications.
Reporting against enterprise level risk levels and controls is integrated into PHIAC’s regular
reporting regime. Such reporting:
Demonstrates business control
Enables the structured escalation of issues
Informs decision making
Assists with resource allocation
Each month, the staff accountable for each of the enterprise level risks report on the risks under their
responsibility. The report is based on the risk assessment that has been completed for these risks
and on the monitoring of, and improvement to, the related control framework.
These individual monthly reports are collated into a monthly enterprise level risk report for the
PHIAC Executive Management Committee (EMC).
The PHIAC A&CC and the PHIAC Board also receive an enterprise-wide risk report at each
meeting which is based on the monthly risk reports to the EMC.
PHIAC also maintains a business assurance framework to demonstrate its overall approach to
identifying, assessing, reporting and directing the management of high level risks and key
controlling activities throughout PHIAC.
The business assurance framework brings together the following functions to provide assurance on
the effectiveness and efficiency of PHIAC operations:
PHIAC Risk Universe
Audit and Compliance Committee
Risk Management Plan
PHIAC’s plan for maintaining effective risk management originates from the allocation of risk
management as a corporate risk, to an accountable position. That position is the Director Risk
As with most corporate risks, PHIAC’s approach to controlling them is to mandate them as work
objectives for specific staff. This results in an appropriate focus on each corporate risk, as each
becomes a work objective that is risk assessed and planned for success.
Subsequently the work plan for the Directorate of Risk Management is a plan to achieve efficient
and effective risk management across all aspects of PHIAC’s business operations – PHIAC’s risk
Crisis management refers to the structures and plans that support the end-to-end management of
a crisis event.
A crisis event is any event that causes disruption to the operations of PHIAC’s business functions.
In PHIAC, crisis management incorporates emergency response, business continuity and disaster
recovery (see Figure 5).
PHIAC has developed a Crisis Management Framework (see Attachment 9) to provide the
foundation for the development of structures and plans (incorporating strategies and actions) to
support all aspects of crisis management in PHIAC.
Figure 5 – PHIAC’s Crisis Management Framework
This chart summarises PHIAC’s Crisis Management Framework.
Crisis Management is in between three overlapping areas: Emergency
Response, Business Continuity and Disaster Recovery.
Enterprise-wide Risk Management (ERM) enables PHIAC to look holistically across the different
aspects of its business operations. This perspective ensures risks to objectives at all levels of the
organisation are managed and are unlikely to be overlooked.
ERM provides demonstrable assurance to the Board and other stakeholders that PHIAC is likely to
achieve its corporate and business objectives because of the efficient and effective application of
risk management producing fit-for-purpose control frameworks.
The regularity and systematic nature of risk reporting, driven by the ERM and Governance
frameworks, provides ongoing and continual assurance regarding the control of risks to PHIAC.
The application of ERM across PHIAC is actively supported and embraced at all levels of the
organisation because it has been embedded as part of the system of management.
The specific role of Director of Risk Management is a vital addition to PHIAC’s risk
management capacity. The director brings a high level of risk management skill and enables
PHIAC to embed risk management into every aspect of its operations as business as usual.