COMCOVER AWARDS FOR EXCELLENCE IN RISK MANAGEMENT 2004 INDIGENOUS LAND CORPORATION (ILC) The ILC is a statutory authority with responsibility under the ATSIC Act for assisting Indigenous people to acquire and manage land in a sustainable way, so as to provide economic, environmental, social or cultural benefits. Since coming into existence in 1995, the ILC has acquired 171 properties with a total area of more than 5 million hectares. 113 of these properties have been granted to Indigenous groups. The remainder are leased to proposed title holding bodies pending demonstration of their capacity to manage them independently, or are managed by the ILC. The ILC provides land management funding and services on many of the properties it has acquired, as well as on land acquired by Indigenous groups through non-ILC mechanisms. It operates several commercial businesses in association with Indigenous groups. The ILC operates under the leadership of a Board. It has 95 staff located in Adelaide, Perth, Brisbane and Canberra. As a relatively “young” organisation, operating in a complex and diverse environment, the ILC made a false start toward establishing a risk management framework four years ago. At this time, it was envisaged that a “bottom up” methodology would be employed, with risk assessments being undertaken for every project-level activity. However, this approach proved to be impractical, disjointed and demanding of scarce operational resources. It was not long before ILC management asked the risk management team to develop an alternative, practical approach, as outlined below: KPI 1 – RISK MANAGEMENT FRAMEWORK In 1999, the ILC began development of a detailed Policy and Practice Manual to describe approximately 90 key systems, programs and activities. Drafting of the initial edition of the manual was managed by the ILC unit which now has responsibility for coordinating risk management and managing the ILC’s outsourced internal audit program. When it became evident that the ILC’s “bottom up” risk management methodology was not going to work, the ILC took several key steps to refine its approach to risk management:
� The ILC Board’s Audit Committee was redesignated as the “Audit and Risk Management Committee” in 2001 and its responsibilities were expanded to include the coordination of ILC risk management activities An independent external member was added to the Committee and this member was also charged with establishing and chairing a “Risk Management Steering Committee” of senior ILC officers The Risk Management Steering Committee invited a Comcover Risk Management consultant to attend its inaugural meeting and obtained very constructive advice about ways of developing and “marketing” an effective risk management framework within the organisation At this point, it became evident to the Risk Management Steering Committee that risk assessments and treatments should be integrated with the Policy and Practice Manual, with risk assessments being undertaken in conjunction with the development or review of each Policy or Practice Note, and the resultant risk treatments being “embedded” into the Practice Notes issued As the ILC was also reviewing its Corporate and Operational Plans at that time, the Committee suggested that each operational unit should identify the risk factors affecting their key tasks. Flowing from this, the ILC’s Corporate Management Team developed the first ILC corporate risk management plan in early 2003 (followed a short time later by a commercial business risk management plan) The ILC also decided to appoint an internal audit consultant in late 2002, resulting in the development of a risk-based internal audit plan for coverage of all key systems (one of the earliest audits was an examination of the ILC’s risk management program) In late 2003, to broaden responsibility for risk management within the ILC, the Corporate Management Team approved the appointment of 12 “content managers” – middle managers with expertise in the systems described in the Policy and Practice Manual – to coordinate regular risk-based reviews of Policy and Practice Notes relevant to their particular area of expertise in conjunction with representatives of other work groups affected by those systems (to reduce “silo” management) In mid-2004, the ILC Board approved a revised Risk Management Policy that recognised these new initiatives and responsibilities. A supporting Risk Management Practice Note was approved by both the Audit and Risk Management Committee and the ILC General Manager in July 2004
� A training program introducing the new risk management approach has now been delivered to almost all ILC staff, using a PowerPoint presentation, work books and practical examples that trace all steps of the risk management process as per AS/NZS 4360:1999. The Risk Management Policy and Practice Notes are available to all staff via the ILC intranet and in hard copy manuals. Ongoing support and training for “content managers” is currently being provided by the risk management team as the new methodology is implemented across the organisation. The ILC’s risk management framework has undergone a significant transformation in the last four years. With strong support from the ILC Board and General Manager, helpful advice from a Comcover consultant, and the energetic commitment of many middle managers, the ILC has wholeheartedly accepted the importance, necessity and benefits of having an enterprisewide risk management program. The ILC now has all of the key infrastructure in place that it needs to develop and maintain an effective risk management program – active committees at the Board and senior management levels, an approved risk management policy and corporate risk management plan, a unit with responsibility for coordinating risk management, a team of middle managers and operational staff with responsibility for integration of risk management into all aspects of ILC practice, a risk-based internal audit program, and communication protocols to underpin these arrangements. KPI 2 – RISK MANAGEMENT IMPLEMENTATION The ILC has assigned responsibility for risk management coordination to a 2person unit which also has responsibility for management of the internal audit contract and the compilation of a national Policy and Practice Manual. The manager of this unit is designated as the “content manager” for risk management – thereby having responsibility for the ongoing refinement of the Risk Management Policy and Practice Notes, development of risk assessment and treatment tools, development of training materials for other staff with responsibilities for risk assessment and treatment, liaison with the internal audit contractor in relation to the risk-based audit plan, and provision of secretariat support for the Risk Management Steering Committee.
�As mentioned above, the specialist risk management unit is supported by a devolved team of middle managers – the “content managers” – who are responsible for monitoring and responding to changes in the risk management environment in their areas of content expertise; identifying, evaluating and treating risks in conjunction with operational areas affected by the systems in question; refinement of Policy and Practice Notes; and development and delivery of training packages or tools supporting risk treatments. The ILC sees “content managers” as the people best placed to recognise and respond to significant shifts in the risk environment, but also considers that ILC operational staff will often be the actual “early warning system” in relation to emerging risks or risk events. Accordingly, “content managers” have been asked to work closely with operational specialists in the identification of risks and development of risk treatments. This overcomes any tendencies towards silo management or the adoption of impractical risk treatments. This system of combining content specialists and operational specialists in the assessment and treatment processes is supported by a quality assessment process during the sign-off phase of Policy and Practice Notes (“content managers” must demonstrate that they have included internal stakeholders in these processes). All new or revised Practice Notes must be accompanied by a Risk Treatment Plan prior to approval by the General Manager. KPI 3 – NON-INSURANCE RISK TRANSFER The ILC has relatively limited opportunities to transfer non-insurance risks through contractual arrangements, as most external contracts are for minor works associated with the acquisition, management or maintenance of properties. The primary emphasis in these areas has been in ensuring that contractors hold relevant insurance and accreditation within the appropriate industry. Nevertheless, the ILC is currently performing a risk assessment in relation to contract management. The ILC’s most significant area of risk transfer occurs at the point at which land is divested to Indigenous title holding bodies. Early in its existence, the ILC’s emphasis was on transferring ownership of properties to Indigenous owners within one year of acquisition – generally as soon as the corporate
�structures for the title holding body had been established. However, it was found that, in many instances, this led to a lack of preparedness on the part of the receiving body to assume responsibility for all aspects of the operation of the properties. The ILC now takes a slower approach to transferring risk to Indigenous land holders. Generally, it will lease a property to the proposed title holding body for up to three years so that the group can develop and test business and/or property management plans, establish and test corporate structures, ensure that it has the requisite capacities and skills to manage all aspects of the property, and familiarise itself with insurance, occupational health and safety issues, and property maintenance requirements. These processes are underpinned by a comprehensive consultative process, so that the title holding body fully understands the risks for which it is assuming responsibility.
KPI 4 – INSURANCE RISK TRANSFER Because the ILC buys and divests properties on a regular basis, it has chosen to take blanket insurance coverage with Comcover. Whenever the ILC is about to acquire a new property, it advises Comcover of the valuation of the property, its purchase price, a list of buildings, infrastructure, machinery, plant and equipment, waters, livestock, etc. and their insurable values. The blanket coverage includes general liability, professional indemnity, and property loss, destruction or damage insurance. When a property is granted to an Indigenous group, the ILC usually retains insurance coverage for three months to allow for the transfer of title to be registered. It advises the grantees to take out full insurance coverage from the transfer date. The ILC maintains continuous corporate insurance coverage for general liability (including public liability), product liability, professional indemnity, director’s and officer’s insurance, property insurance, fraud and fidelity, business interruption, motor vehicles and goods and livestock in transit. The ILC has established procedures for the reporting, investigation and recording of incidents.
�KPI 5 – BUSINESS CONTINUITY MANAGEMENT The ILC has recently established a business continuity function within the corporate services area to provide coordination for all business continuity activities. The corporation already has several elements of a business continuity plan in place, particularly in relation to information technology and communication systems, and for the management of properties affected by significant natural events (bushfire, flooding, cyclones, etc.) but recognises that these need to be integrated into an overarching, risk-based strategy. A plan is currently being developed to address these issues in an integrated strategy. KPI 6 – COMMUNICATION The ILC has a comprehensive communication strategy for risk management at the corporate, program and operational levels. The ILC Board’s Audit and Risk Management Committee plays an active role in managing and promoting risk management throughout the organisation. It is supported by two senior management committees – the Corporate Management Team, which has responsibility for the development and review of the ILC Corporate Risk Management Plan, and the Risk Management Steering Committee, which oversees the implementation of this Plan and supports the activities of the Audit and Risk Management Committee. It reports its activities back to the Audit and Risk Management Committee on a quarterly basis. At the program level, the ILC has established a network of “content managers” with responsibility for coordinating risk-based reviews of 90 systems described in Policy and Practice Notes. As part of the quality assurance for this program, key areas affected by the policies and practices must be represented in the risk assessment and treatment process, ensuring that communication of responsibilities for risk treatments are clearly understood. At the operational level, ILC staff have access to the Corporate Risk Management Plan, the Risk Management Policy and Practice Notes, and supporting training materials through the ILC intranet. Risk treatments are embedded within Practice Notes that guide all key operational activities. Risk training materials have been included in induction materials. The ILC has detailed processes for ensuring that risks transferred to Indigenous groups on the divestment of land to them are fully understood. It
�works with these groups over a three year period in a lessor/lessee arrangement while long-term business and property management arrangements are established and the groups are able to experience the range of issues associated with operating the properties. This process is predicated upon identification and addressing of training needs, and is based upon regular communication and consultation. Ownership of the properties is transferred upon certification that the proposed title holding body is capable of assuming full responsibility for the property’s operation, including risk management. KPI 7 – TRAINING/AWARENESS Following approval of the revised Risk Management Policy and Practice Notes in mid-2004, the ILC General Manager approved a recommendation that all ILC staff should receive training in relation to the implications of these documents, particularly as the methodology involves staff throughout the organisation working as “operational experts” on teams chaired by “content managers”. At the date of writing, more than 90% of staff have attended this training and have access to ongoing on-line support materials. The specialist risk management team has also commenced specific on-the-job training for groups that are assessing and treating risks using the new methodology. “Content managers” have been encouraged to enrol in Comcover’s risk management training programs to increase their knowledge in managing risk workshops. Risk management materials have been included in the ILC induction package, and the ILC intranet has a section highlighting internal risk management resources and references. KPI 8 – RESOURCES The ILC has a two person unit with responsibility for risk management, internal audit contract coordination and management of the ILC Policy and Practice Manual. The manager has ten years of internal audit experience and has worked extensively with risk-based assessment systems. The ILC insurance function is managed separately by the Finance and Administration team. The Chief Financial Officer has formal training and experience in insurance and is supported by a larger team.
�The ILC also uses an outsourced internal audit function, which conducts reviews in accordance with a risk-based audit universe. All three of these functions are closely integrated and report to the Audit and Risk Management Committee on a regular basis. Additionally, through use of the “content manager” system described above, the ILC is broadening experience, “ownership” and resources available for risk management within the organisation. KPI 9 – MONITORING AND REVIEW The Audit and Risk Management Committee and the Risk Management Steering Committee both meet on a quarterly basis (as a minimum). The Audit and Risk Management Committee oversees, monitors and reviews the implementation of the Corporate Risk Management Plan (and subsidiary plans such as the Commercial Business Risk Management Plan). It is responsible for ensuring that the ILC has a comprehensive risk management framework in place and that risks are reviewed for each key ILC activity on a regular basis. The Risk Management Steering Committee monitors and reviews the timely completion of risk treatment plans for all key activities. It provides advice to the Audit and Risk Management Committee on the implementation of treatment plans. An electronic risk register is being developed to enable consolidated reporting of identified risks and treatments to both of these committees. “Content managers” are responsible for monitoring and reporting on the implementation of individual risk treatment plans in accordance with approved timelines. They are also responsible for monitoring the relevant risk environment context to ensure that risk assessments and treatment plans are adjusted when shifts in the risk environment occur. KPI 10 – MEASURING PERFORMANCE The ILC’s risk management methodology requires “content managers” to identify performance indicators for each risk treatment plan. These indicators feed back into operational plans for the relevant areas.
�Responsibilities, milestones and costs/benefits of treatments are also identified in all risk treatment plans so that performance and achievement of targets can be clearly measured.
�