NOMINATION FOR 2005 COMCOVER AWARDS FOR EXCELLENCE IN RISK MANAGEMENT
MEDIUM AGENCIES CATEGORY DIRECTOR OF NATIONAL PARKS
The Director of National Parks is a corporation sole established under the Environment Protection and Biodiversity Conservation Act. Staff of the Department of Environment and Heritage (DEH) support the Director. At 30 June 2005 the staffing level was 281. The Chief Executive Officer of the corporation is personally committed to an efficient and effective risk management framework throughout Parks Australia – the Division of DEH that provides support for the Director’s functions. This commitment right from the top has been vital to instituting and entrenching risk management in the organization. The strong, continuing support of the Executive is essential for risk management to be effective. Our risk management framework has been developed progressively from its beginnings in 2001. This progressive improvement has been documented and strengthened through Comcover’s benchmarking over the last three years. Although the framework is now much more comprehensive and effective, we do not claim to have, or anticipate having achieved, a completed framework. We will continue to seek and incorporate improvements. We are nominating our framework because it is increasingly effective across the whole organisation, it is well integrated into our business, and it demonstrates leadership, commitment and progressive improvement.
Context
Parks Australia is unlike any other Commonwealth agency. We have offices in Canberra Darwin, Norfolk Island, Christmas Island and Cocos (Keeling) Islands. We also have staff in three national parks which are owned by their traditional Aboriginal owners and leased to the Director — Kakadu National Park (adjoining Arnhem Land), Uluru-Kata Tjuta National Park (in Central Australia) and Booderee National Park (south coast of New South Wales). Those three national parks each have a statutory Board of Management with a majority of Aboriginal members. Kakadu National Park is so large that some of its five district offices are separated by several hours drive. Some 25% of Parks Australia staff are indigenous. In addition the Director is responsible for the management of marine parks and reserves in diverse locations including the Timor Sea, Coral Sea, the Indian Ocean, near Macquarie Island, and Heard and McDonald Islands. Management of these marine reserves is delegated to other divisions of the DEH. The map (Attachment 1) shows the location of the Director’s responsibilities. The Director’s responsibility for marine reserves is delegated to the Marine Division of the DEH, apart from the Heard and McDonald Islands Marine Reserve, which is managed by the Australian Antarctic Division. Political context is significant, too. There are regular calls in the Northern Territory for the two icon national parks in the NT to be managed by the NT. This has given a major extra dimension to risk management.
Unusual risks
In addition to the usual risks associated with managing a medium-sized government agency, Parks Australia deals with a great range of safety risks and risks to the natural environment and cultural heritage we are charged with protecting Our parks are visited by large numbers of Australian and overseas tourists (1.39 million during 2004– 05), many of whom have little knowledge of safety in the rugged and remote environments of the parks they are visiting. Our staff often work in remote locations, sometimes with limited possibility of external support in an emergency. Staff routinely travel by foot, four-wheel motorbikes, small boats, larger vessels such as Customs boats, light aircraft and helicopters. 1
�Director of National Parks
Medium Agencies Category
2005
Risks which are particularly unusual in the public service context include having hundreds of thousands of visitors annually who are inexperienced in the conditions they will encounter in our parks. Specific risks include crocodile attack, bushfires, snake bite, falls from cliffs, visitors becoming lost, harsh weather conditions ranging from tropical to sub-Antarctic, stranding in isolated locations, and a range of risks to natural and cultural heritage such as pest animals and plants which affect natural and cultural values of these places, and natural weathering processes affecting rock art integrity. The dispersed nature of the organisation itself entails risks for governance. Some offices are small and remote, while the larger parks function substantially as independent units. Communication and consistent organizational culture between offices and staff in the field can be a challenge. The risk management framework has been important in improving management of risks across the organisation, helping overcome the geographical constraints and providing management consistency.
Risk Management Framework
Risk management is a key strategy for successfully and efficiently achieving our business objectives and is integrated into all aspects of our business. Every business unit participates. Our remote areas apply risk management in their locations in their own local context so that risk management is meaningful on the ground, whether far out in the Indian Ocean, near the geographic centre of Australia, or in Canberra. The effectiveness of risk management in our remote locations has been recognised by Comcover “Highly Commended” awards for management of yellow crazy ants on Christmas Island in 2003 and project management of the Twin Falls issues in Kakadu National Park in 2004. Both those risks were potentially extremely serious for the organisation. The yellow crazy ants could result in the extinction of many of the 250 species which occur only on Christmas Island. The Twin Falls issues, though primarily relating to public safety, had very serious political implications as well. The recognition of our risk management efforts through the awards has provided further encouragement and stimulus for ongoing improvement. The Comcover risk management benchmarking was embraced by Parks Australia. This has provided invaluable feedback, information and opportunities to progressively improve our risk management framework. Risk management began with development in 2001 of risk watch lists for each of our terrestrial parks, island conservancies, the ANBG and sections. The CEO drove this initiative strongly. Our risk management framework is generally described in our risk management policy, which Case study – Responding to incidents formally came into effect in 2002. After some small amendments, the policy has recently been enhanced and updated in a scheduled Although climbing Uluru (Ayers Rock) is the review undertaken with broad consultation. We expect to finalise objective of many visitors to Uluru–Kata Tjuta the updated policy in a month or so. The risk management framework provides: • identification of accountabilities and responsibilities; • a scheme to rate risks, using defined levels of likelihood and consequence to derive a risk rating; and • an outline of risk management processes, identifying who is responsible and when the processes should be undertaken; and requires: • quarterly review of risk watch lists for parks, islands, and sections; • quarterly reporting on management of high and extreme risks; • monthly reporting of incidents; and • periodical aggregated reporting to management. It provides managers with valuable planning tools: • risk watch lists identify issues, treatments and priorities and feed into operational plans and park management plans;
National Park, the physically demanding climb is risky. Following a coronial inquiry, and assimilating years of experience, Parks Australia defined threshold weather conditions which trigger closure of the climb.
The climb is now closed to the public : at 8 am when the forecast maximum temperature is 36° C or more; whenever wind speeds exceed 20 knots (38 kph) at ground level or 25 knots (47 kph) at 2800 feet; or when rain, storms and/or lightning are present or likely in the next two hours. Introduction of closures when the weather creates undue risk has resulted in considerable reduction in the number of safety incidents, particularly those involving rescue operations.
2
�Director of National Parks • •
Medium Agencies Category
2005
incident reports inform risk assessment and management, and insurance; all provide managers with essential information and should save staff time by helping them focus on what is most important and helping them manage more effectively.
Risk Management Implementation
Risk management is now well entrenched in Parks Australia, having been a regular feature in the work of each section or park for the last three years. Responsibility for implementation of the risk management framework is distributed throughout the organisation. Each park and section: • reviews its risk watch list quarterly, including identifying controls; • manages its risks according to the identified controls but also using other opportunities; • manages contracts and permits which incorporate non-insurance risk transfer; • reports monthly on incidents (including near-misses); and • reports quarterly on management of high and extreme risks. Centrally, we have: • a part-time risk management coordinator in the Business Management Section; • a full-time OH&S manager to coordinate and oversee the OH&S management system (ParkSafe); • a corporate risk watch list; • a risk register for the whole organization, which enables database functions and systematic reporting; • an incidents database which enables diverse sorting and grouping, aggregating and reporting; • insurance management by the Business Management Section; and ParkSafe • a legal advisor. Progressively developed feedback loops in the risk management framework, and links with other planning processes (Attachment 2), help ensure consolidation and further development of the framework. For example: • identified risks are addressed in new statutory management plans for parks and reserves; • incident reports are analysed in a database and regular reports assist managers to identify trends and patterns; and • through that process, incident reports also inform review of risk watch lists. Having a risk management coordinator has helped promote the implementation of the risk management framework, and the OH&S manager has brought particular focus to safety issues.
To improve occupational health and safety culture and behaviour in Parks Australia, ‘ParkSafe’, which arose from the 2003 audit of the OH&S framework, was developed and introduced in 2004. ParkSafe is Parks Australia’s integrated occupational health and safety management system and is designed to provide a safe and healthy workplace for all employees and contractors working for Parks Australia. A key feature is an integrated health and safety framework containing a comprehensive range of policy and procedures accessible by all staff electronically. Comprehensive training is also undertaken as part of the program. By 30 June 2005 all three mainland parks and the ANBG had access to local ParkSafe training, involving 56% of park staff.
Non-Insurance Risk Transfer
Commercial tourist operators require a permit to operate in any of our parks and reserves. As required by the Chief Executive’s Instructions, conditions attached to such permits contain provisions relating to safety and insurance (operators must hold public liability insurance for at least $10 million in respect of a single claim) and indemnity. Permittees must sign a release and indemnity. At least 24 safety incidents in two parks during 2004– 05 involved commercial tours. Our standard contract forms contain indemnity and insurance requirements. 3
�Director of National Parks
Medium Agencies Category
2005
We recently requested and received an internal audit report on the insurance function and risk management. It discussed transfer of risk to third parties via requirements in contracts, permits with commercial tour operators, and leases, subleases and licences with parties to use and occupy land. We are progressively implementing the recommendations.
Insurance Risk Transfer
We recognise insurance as an essential component of our risk management framework. With so much of our workforce operating in relatively dangerous environments, the risk of injury is substantial. 94 safety incidents involving staff, from near-misses to major, were reported in 2004–05. Although only 14 of those have resulted in claims, insurance through Comcare is essential. General insurance through Comcover is also essential, although the number of claims has been small and the amount of money involved has also been small relative to our premiums. Although more than 700 incidents of all kinds were reported during 2004–05, only five incidents during 2004–05 have resulted in insurance claims, of which the only one settled so far had an insurance payout less than $1000. The risk management framework and recorded incidents are taken into account when our insurance policy is being renewed. Although some risks are transferred through contracts and some through insurance, we still do everything we can to minimize those risks. Incident reports help to identify what risks need further treatment.
Business Continuity Management
The nature of the organisation means staff are experienced and talented at dealing with business interruptions. Fires, floods, cyclones, power failures and communication difficulties are common and almost routine. For example: • in three consecutive recent summers Booderee National Park had serious bushfires in or near the park, disrupting access and, with many staff on fire crews, disrupting work even when the fires were outside the park; and • the East Alligator District Headquarters is isolated by floodwaters for several months each year; Case study: Risk closes a national park • cyclones and tropical storms are fairly frequent in four Following extensive bushfires in December 2003– of our six national parks, often resulting in January 2004, Booderee National Park remained closed communications and IT outages. Development of a Business Continuity Plan began in April 2004. Following extensive consultation and input within the organisation, the draft Business Continuity Plan was audited in mid-2005. It includes business recovery plans for each of Parks Australia’s business locations. The Business Continuity Plan formally came into effect on 27 September 2005.
until a risk assessment and priority actions were completed.
Communication
Communication generally is an issue for Parks Australia, with so much of the workforce in isolated locations where IT and telecommunications can be unreliable. Reporting of communications disruption incidents in the monthly incident reporting has helped document problems which need external solutions. All remote locations have reported significant disruptions, some taking months to be resolved.
The initial post-fire tree assessment was conducted by a qualified arboriculturalist and experienced Park staff. Trees were marked, mapped into the Park GIS, and rated based on each tree’s likelihood of falling, and risk posed due to its location (consequence). Recommended actions included the removal of dangerous trees from high visitor use areas (campgrounds, walking trails, roads), or redesigning high use areas to save trees of high ecological value. Approximately 300 trees were removed from the Green Patch camping ground/visitor use precinct, and the area has since been extensively replanted. A second assessment is currently underway, and a tree risk assessment policy drafted which will see regular inspections and maintenance of trees in high use areas.
4
�Director of National Parks
Medium Agencies Category
2005
Communication with stakeholders is crucial in our business. Each park has a range of approaches to communication with visitors, including information desks in visitor centres, brochures and other publications, and interpretive and information signs. These cover a range of issues, but importantly deal with particular risks which may be encountered when visiting the parks. In the three parks leased from traditional Aboriginal owners, special arrangements ensure close liaison with the Aboriginal owners. In the external territories, good communication with each territory administration and island residents is vital. Recognising the need for improved communication with the media, a full-time public affairs officer was appointed in 2004. Communication specifically on risk issues is frequent, with: • risk management regularly discussed at Executive meetings; • monthly reporting of incidents; • quarterly review of risk watch lists and reporting on management of high and extreme risks; • ad hoc circulation of information on risk management, including training opportunities; • distribution of aggregated reports on risk management and incidents; and • a risk management section on the intranet. The updated risk management policy seeks improved communication on risk, including specifying processes and establishing a risk management working group. Despite the current communications arrangements, communication about risk issues is one area we recognise needs improvement. Benchmarking has identified this as a need and opportunity for improvement.
Training/Awareness
Comcover’s Getting Wired seminars and Champions’ Forums have been very valuable in educating staff, particularly the risk management coordinator. Some Canberra-based staff have benefited from attending Comcover’s regular training sessions. However, the isolation of so many of our staff has prevented their attendance at training in the capital cities where Comcover courses are held. More than half our staff have been trained in the new ParkSafe OH&S system by sending the trainer to the parks. The first training needs analysis of managers, undertaken in February 2005, indicated that although about half of our managers had received training in risk management, training was desired in (in decreasing priority order): • identification and assessment of risks and the development of risk management strategies; • procurement, project, contract management; • the Parks Australia risk management framework; • the benefits and use of risk management; • fraud; and • the use of insurance in managing risks. In an exciting development, in April 2005 Comcover (through a panelist) took risk management training to Booderee National Park. This provided an excellent opportunity for all park staff to participate and also involved some of the traditional Aboriginal owners who work in the park as contractors. As the park manager commented, the park staff, as a team, now have a shared understanding of the risk management issues and frameworks, and they now have the training and know-how to apply these principles on a day-to-day basis. We are working with Comcover to extend on-site training in risk management to our other parks and other areas. Most areas are too isolated for training in a capital city to be sufficiently accessible. This training program, which will deliver training which is particularly meaningful in the local context of each location, will significantly improve implementation of risk management.
5
�Director of National Parks
Medium Agencies Category
2005
Resources
A dedicated risk management coordinator is crucial although responsibility for risk management is dispersed throughout the organisation. The risk management coordinator is able to concentrate on implementing, reporting on, and further developing the risk management framework. We also have internal experts on specific issues – legal, finance, OH&S, media – and most of our park staff are expert in some aspects of risk management, especially in handling incidents. Our internal auditors are available to provide risk management advice in addition to undertaking audits. In addition, our Audit Committee reviews the audit reports and provides guidance on risk management. Comcover has been an invaluable resource, through the benchmarking process, the annual awards, and providing training in various fora (including through panelists) as well as providing advice and encouragement.
Monitoring and Review
Our risk management policy specifies a regular and comprehensive process of monitoring. Risk watch lists at the level of sections or programs and individual parks are generally reviewed quarterly, concurrently with reports on recent management of high & extreme risks. These go to the Executive, whose involvement is crucial to the monitoring and review process. Incidents – safety, conservation, IT and communications, financial and security, and compliance – are reported monthly. Usefully, specific risk treatments are sometimes identified when incidents are being reported. During the last year, incidents have also been compared with identified risks to inform the risk assessment process, and also inform the management of insurance. Aggregated reports on risks and incidents enhance the value of the lower level material; the content of the reports is being improved progressively. These reports enhance feedback into the risk management framework and implementation. This is, and will be, a continuing process for further improvement. For the last three years Comcover benchmarking contributed substantially to the monitoring of our risk management framework, providing a scorecard against the Comcover KPIs, recording improvements achieved and helping to identify further areas for improvements which have subsequently been put in place. Complementary to the benchmarking, our internal audit program, reporting to the Audit Committee has reviewed our Occupational Health & Safety Framework (in 2003), risk management framework (in 2003– 04), insurance coverage (in 2005) and the draft Business Continuity Plan (in 2005). All recommendations have been, or are being, implemented.
Case study – Monitoring and review Monthly incident reporting, which began in July 2002, alerted managers to security problems at Uluru-Kata Tjuta National Park and the Australian National Botanic Gardens. As a result new measures were introduced to control the problems at both sites. The outcome (below) was dramatic.
Financial/Security Incidents: ANBG
25 Number of incidents 20 15 10 5 0 2002-03 2003-04 Year 2004-05
Theft, Break-in & Vandalism Incidents: Uluru
60 Number of incidents 50 40 30 20 10 0 2002–03 2003–04 Year 2004-05
Measuring Performance
Risk management is included in individual performance agreements of senior managers including park managers. Executives are able to monitor risk management performance through the regular reporting from all business areas. In addition, central reports to executives and area managers enhance awareness of risk management performance. Furthermore, risk management is discussed regularly at Executive meetings.
6
�