Federal Register of Legislation - Australian Government


Rules/Other as made
These rules support members of the Board to satisfy their obligations under the Commonwealth Authorities and Companies Act 1997 and the NDIS Act and support the long-term financial sustainability of DisabilityCare Australia. The rules require the Board to ensure there is a risk management framework which is documented in a risk management strategy and operationalised through the risk management function. The risk management declaration ensures that the Board remains accountable for its risk management responsibilities.
Administered by: Treasury
Made 25 Jun 2013
Registered 27 Jun 2013
Tabled HR 12 Nov 2013
Tabled Senate 28 Jun 2013

 

National Disability Insurance Scheme—Risk Management Rules 2013

I, WILLIAM RICHARD SHORTEN, Minister for Financial Services and Superannuation, determine these rules under section 125B of the National Disability Insurance Scheme Act 2013.

 

Dated 25 June 2013.

WILLIAM RICHARD SHORTEN

Minister for Financial Services and Superannuation

 

 


Contents

 

Part 1     Preliminary

1             Name of instrument

2             Commencement

3             Interpretation

Part 2     General responsibilities of the Board

4             General responsibilities of the Board

Part 3     Risk management framework and risk management strategy

5             Establishment, maintenance and content of risk management framework

6             Kinds of material risks

7             Reviews of risk management framework

8             Risk management strategy

Part 4     Risk management function

9             Risk management function

Part 5     Risk management declaration

10            Preparation and content of risk management declaration

11            Qualifications to risk management declaration

 


Part 1         Preliminary

1                Name of instrument

These Rules are the National Disability Insurance Scheme—Risk Management Rules 2013.

2                Commencement

These Rules commence on the later of:

(a)           the day after they are registered; and

(b)          1 July 2013.

3                Interpretation

In these Rules:

Act means the National Disability Insurance Scheme Act 2013.

Agency—see section 9 of the Act.

Board—see section 9 of the Act.

Board member—see section 9 of the Act.

Ministerial Council—see section 9 of the Act.

NDIS means the National Disability Insurance Scheme (as defined in section 9 of the Act).

Part 2         General responsibilities of the Board

4                General responsibilities of the Board

(1)          The Board must ensure that:

(a)           it prepares a written risk management strategy as soon as reasonably practicable after the commencement of these Rules; and

(b)          the Agency has a sound risk management culture; and

(c)           the members of the Agency’s senior management take the steps necessary to monitor and manage all material risks that are likely to be faced by the Agency, consistent with the risk management strategy; and

(d)          the Agency’s operational structure is such that it facilitates effective risk management; and

(e)           the Agency develops policies and processes for making decisions affected by risk that are consistent with the risk management strategy; and

(f)           the Agency dedicates sufficient resources to risk management; and

(g)          the Agency recognises the uncertainties involved in the measurement of risk and understands the limitations and uncertainties relating to the output of models used to measure components of risk; and

(h)          the Agency establishes, and has in place at all times, appropriate controls in relation to risk that are consistent with the Agency’s risk profile and are understood by, and regularly communicated to, relevant staff of the Agency.

(2)          The Board must also ensure that the scheme actuary is involved in decisions made by the Agency and the Board in relation to risk, to the extent that that involvement is appropriate and consistent with the scheme actuary’s duties and the National Disability Insurance Scheme—Rules for the Scheme Actuary 2013.

Part 3         Risk management framework and risk management strategy

5                Establishment, maintenance and content of risk management framework

(1)          The Board must, as soon as reasonably practicable after the commencement of these Rules, establish a risk management framework, and must have such a framework in place at all times.

(2)          The risk management framework must provide a reasonable assurance that the Agency’s risks are managed prudently and soundly.

(3)          The risk management framework is to deal with the systems, structures, processes and people within the Agency that identify, assess, mitigate and monitor all internal and external sources of risk that could have a material impact on the Agency’s operations, funding and financial sustainability.

(4)          The risk management framework must include:

(a)           a written risk management strategy prepared in accordance with section 8; and

(b)          policies and procedures to identify, assess, monitor, report on and mitigate all material risks, whether financial or not, that are likely to be faced by the Agency; and

(c)           clearly defined managerial responsibilities and controls in relation to risk; and

(d)          a review process to ensure that the risk management framework is effective in identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating, material risks.

Note:   The risk management framework is not necessarily a written document, although it will include various written documents such as the risk management strategy.

6                Kinds of material risks

The risk management framework is to deal with the following kinds of risks:

(a)           operational risks, including risks of unexpected costs resulting from inadequate or failed internal processes, people and systems;

(b)          risks arising from the Board’s objectives and plans in respect of the Agency’s functions;

(c)           risks to the financial sustainability of the NDIS;

(d)          other kinds of risks that, alone or in combination with others, may have a material impact on the Agency.

7                Reviews of risk management framework

(1)          The Board must ensure that:

(a)           there are effective and comprehensive reviews of the risk management framework, conducted by persons (including, if appropriate, external consultants) who are operationally independent and appropriately trained and competent; and

(b)          the frequency and scope of such reviews are appropriate having regard to the size and complexity of the Agency’s operations.

(2)          For paragraph (1)(a), a person is not operationally independent if the person plays, or has played, a significant role in the development or implementation of the risk management framework.

(3)          A review must include:

(a)           a review of the risk management function; and

(b)          a review of the risk management strategy; and

(c)           a review of the Agency’s controls and procedures in relation to risk.

8                Risk management strategy

(1)          The risk management strategy must:

(a)           outline the risk governance relationship between the Board, committees of the Board and the senior management of the Agency; and

(b)          describe the processes for the Agency to identify and assess risks; and

(c)           describe the process for the Agency to establish mitigation and control mechanisms for individual risks; and

(d)          describe the process for monitoring and reporting issues in relation to risk (including the communication and escalation of such issues); and

(e)           describe how the Agency is to:

(i)            ensure that relevant staff are aware of issues relating to risk; and

(ii)          instil an appropriate culture in relation to risk; and

(iii)        ensure that the risk management strategy is accessible to the Agency’s staff; and

(f)           identify persons and positions in the Agency with roles and responsibilities in relation to risk, or groups of such persons and positions, and set out those roles and responsibilities; and

(g)          describe the review process mentioned in paragraph 5(4)(d).

(2)          The risk management strategy, and any material amendments to the risk management strategy, must be approved by the Ministerial Council.  The Board must submit the strategy or amendments to the Ministerial Council as soon as reasonably practicable after the strategy or amendments have been approved by the Board.

(3)          The risk management strategy must be reviewed (including any reviews conducted in accordance with section 7) at least annually.

Part 4         Risk management function

9                Risk management function

(1)          The Board must designate a part of the Agency or a person in the Agency that, at a minimum:

(a)           is responsible for assisting the Board, committees of the Board and the senior management of the Agency to develop and maintain the risk management framework; and

(b)          is appropriate to the size, operations and complexity of the NDIS; and

(c)           is operationally independent, meaning that they are not directly involved in the Agency’s functions in relation to the funding or provision of supports under the NDIS; and

(d)          is conferred with the authority and the access to the Board, committees of the Board and senior management of the Agency, necessary to conduct its activities effectively and independently; and

(e)           is resourced with staff who have clearly defined roles and responsibilities and the experience and qualifications appropriate to those roles and responsibilities; and

(f)           has access to all aspects of the Agency that have the potential to generate material risk, including information technology systems and system development resources; and

(g)          is required to notify the Board of any significant breach of, or material deviation from, the risk management framework.

(2)          The first designation of a person or body under subsection (1) must take place as soon as reasonably practicable after the commencement of these Rules.

Part 5         Risk management declaration

10             Preparation and content of risk management declaration

(1)          The Board must, after the end of each financial year of the Agency’s operations that commences after 30 June 2013, provide the Ministerial Council with a risk management declaration signed by 2 Board members on behalf of the Board.

(2)          The risk management declaration is to state that, to the best of the Board’s knowledge and belief, and having made appropriate enquiries:

(a)           the Agency has systems in place for the purpose of ensuring compliance with the Act and the Commonwealth Authorities and Companies Act 1997; and

(b)          the Board and the senior management of the Agency are satisfied with the efficacy of the processes and systems for the production of the Agency’s financial information; and

(c)           the Board has in place a risk management strategy that complies with the requirements of these Rules; and

(d)          the Agency (including the Board) has, throughout the relevant financial year, substantially complied with the risk management strategy; and

(e)           the risk management strategy is operating effectively; and

(f)           the risk management strategy in its present form has been submitted to and approved by the Ministerial Council.

11             Qualifications to risk management declaration

The Board may qualify a risk management declaration (for example, if the Board cannot make an unqualified declaration of a matter mentioned in subsection 10(2)).  A qualification must describe:

(a)           the circumstances giving rise to the qualification; and

(b)          whether those circumstances involve any contravention of the Board’s obligations under the Act or these Rules; and

(c)           the steps taken, or proposed to be taken, to remedy the circumstances giving rise to the qualification.