Risk Management Framework
NAIF is a body corporate, established under the Northern Australia Infrastructure Facility Act 2016 (NAIF Act), to provide grants of financial assistance to the States and Territories for the construction of Northern Australia economic infrastructure (as defined in the NAIF Act). The Minister for Resources and Northern Australia is the relevant Minister under the Act.
Unless otherwise stated, definitions in the NAIF Act or the Northern Australia Infrastructure Facility Investment Mandate Direction 2018 (Investment Mandate) apply.
Guidelines to the Board when making Investment Decisions are set out in NAIF’s Investment Mandate, which includes consultation requirements and eligibility criteria, and the types of financial assistance that can be offered.
The NAIF Board of Directors (the Board) comprises between five and seven members including the Chair, all of whom are appointed by the Minister. The Board Audit & Risk Committee (BARC) comprises three members. NAIF is required to conform to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Accordingly, NAIF will comply with the Commonwealth Risk Management Policy (the Commonwealth Risk Policy), published by the Commonwealth Government Department of Finance and dated 1 July 2014.
1.2 Risk Culture
A key role of the Board and BARC is to set a culture that embraces risk management as an essential part of NAIF’s business operations. The four key elements of NAIF’s risk culture are:
- Setting the tone from the top through the Board and BARC’s active involvement in the risk management process;
- Risk awareness entrenched throughout the organisation so that it becomes a core function that is considered in the course of day-to-day business processes. This is achieved through, amongst other things, recruitment and development of personnel knowledgeable in project financing risks, key performance measures and on-going communication of risks;
- Appropriate risk-taking behaviours are rewarded and inappropriate behaviours challenged and sanctioned via feedback and performance reviews; and
- Adequate disclosure of incidents through ‘no-fault’ incident reporting.
The Three Lines of Defence (3LOD) risk management and assurance model supports NAIF’s risk culture through clear ownership of risks by business Management, ongoing monitoring and review of risks and controls via the quarterly Enterprise Risk Management Forum, and periodic testing of risk awareness and adherence to the Risk Management Framework (RMF) by internal and external audit functions.
1.3 Risk Management Approach
The approach to risk management outlined in this document is consistent with the International Standard for Risk Management (ISO31000), the requirements of the NAIF Act and the Commonwealth Risk Management Policy.
This approach to risk management is designed to support NAIF in the achievement of its strategic objectives.
While NAIF is not bound by the Australian Prudential Regulation Authority (APRA), its Risk Management Standard (CPS220) and associated Prudential Practice Guide (CPG220) provide a good framework for corporate governance and risk management. APRA regulations and guidance have been incorporated where appropriate.
The 3LOD model is recommended by APRA and is embedded within NAIF’s RMF. This approach to risk management is shown in Figure 1 below.
Figure 1: Three Lines of Defence Model based on CPG220 (2018)
2.1 Document hierarchy
The RMF forms part of a hierarchy of documents that govern NAIF’s approach to risk management as per Figure 2 below.
Figure 2: Hierarchy of Risk Management documents
2.2 Roles and Responsibilities
The roles, responsibilities and accountabilities relating to risk management are outlined in NAIF’s Risk Management Policy.
2.3 Risk Management Performance
Risk accountability is recorded in Executive Management key performance indicators, position descriptions and information systems. Performance is assessed as part of the annual performance review.
Risk management is embedded into business processes and decision making, and all Staff are expected to take responsibility for risk management within their roles. All new Staff participate in an induction program which provides information on policy requirements, and all Staff undertake annual compliance training, which includes risk management obligations. All Staff have risk and compliance related expectations captured within role descriptions and annual performance review templates.
Risk management performance is also evaluated through the compliance plan and external and internal audit reviews.
Risk management performance will be reported to the BARC and the Board and to the Minister through government required reporting.
The BARC will use this information as part of its Charter to assess the adequacy of the internal control environment, and whether Executive Management are effectively managing the risks.
2.4 Review of RMF, RAS and Risk Management Policies
Executive Management reviews the RMF on an on-going basis and advises the BARC if material changes are required via the quarterly Risk Management and Compliance (RMAC) Report.
On an annual basis, the BARC formally reviews:
- this RMF;
- the Risk Appetite Statement, in accordance with s12(5) of the Investment Mandate; and
- key risk management policies.
Amendments are submitted to the Board for approval.
Compliance with, and effectiveness of, the RMF will also be reviewed by internal and/or external audit at least once every three years, and the results reported to the BARC.
The review of the RMF by the internal and/or external auditor will assess, at a minimum, whether:
- the framework is implemented and operating effectively;
- it remains appropriate, having regard to the current corporate plan, and changing or emerging government policies;
- it remains consistent with, and supports implementation of, the Board’s risk appetite;
- it is supported by adequate resources;
- the RMF adequately documents NAIF’s risk management framework; and
- NAIF’s risk culture adequately supports the implementation of the RMF and operation within risk appetite.
In addition, internal audit performs an annual review of compliance with the RAS for Investment Decisions made during the previous financial year, in accordance with the Corporate Plan ‘effective risk management’ performance criterion.
NAIF began operations on 1 July 2016 after the NAIF Act was passed by Parliament on 3 May 2016. NAIF has a mandate to invest up to $5 billion over 5 years to encourage and complement private sector and other financiers’ investment in infrastructure that benefits Northern Australia.
NAIF’s role is to grant financial assistance for the construction or enhancement of Northern Australia economic infrastructure to promote economic and population growth (refer to NAIF Act and Figure 3 below).
Figure 3: The role of NAIF
Risk Management forms an integral part of NAIF’s strategy. Effective, best practice risk management enables NAIF to overcome financing challenges unique to its mandate. Figure 4 below illustrates the relationship between the four pillars that constitute NAIF’s strategy.
Figure 4: Four pillars of NAIF’s strategy
4. Risk Management Process
An effective risk management framework requires a continuous process of identification, assessment, management and monitoring of all material risks that could adversely affect current and future operations. In accordance with ISO31000, the following risk management process has been adopted:
Figure 5: Risk Management Process
4.1 Establish Context
The initial business context for NAIF was considered by:
- Conducting an external assessment – reviewing the external environment to understand the impact of political, regulatory, economic, social, technological, environmental, financing and legal trends.
- Conducting an internal assessment – understanding NAIF’s capacity and capability to meet objectives.
- Developing risk measurement criteria – establishing risk measurement criteria relevant to NAIF’s operations.
On an annual basis, as part of its planning process, the Board will consider the recommendations provided by the BARC in respect of the risk management process and NAIF Risk Register as per section 4.6.
Monitoring and review (refer to 4.6) continues throughout the year. Any major changes to the environment (e.g. loss of key staff, changes to regulations etc.) that occur during the year are discussed by Executive Management and may lead to a recommendation to the BARC to re-assess the risk.
4.2 Identify Risks
Identification of Initial Risks
This step utilises the output from 4.1 above to identify events or situations that might affect the achievement of objectives. The purpose of this step is to ensure that the full range of potential risks is considered. The key risks identified are maintained in the NAIF Risk Register, which sets out a summary of the root causes of each risk and the controls in place to adequately manage and monitor the risks.
Management monitors and reviews risk on an on-going basis and reports regularly to the BARC as per 4.6 below. New risks that emerge between annual planning meetings are reported by exception.
4.3 Analyse Risks
Identification of Initial Inherent and Residual Risks
Once risks have been identified, they are analysed. As part of the annual planning process, Executive Management will:
- Assess the inherent risk by rating the likelihood of the risk occurring and its potential impact, if no controls were in place.
- Assess the residual risk by considering the effectiveness of controls, and then rating each risk with controls in place.
Risks may be re-analysed between annual review meetings as a result of:
- Changes to the environment (4.1 above), and/or
- New risks that are identified at step 4.2; and/or
- Changes to risk or control ratings identified through the monitoring and evaluation processes at step 4.6.
The relevant risk is assessed using the criteria in Appendix 1 and the NAIF Risk Register is updated as required.
4.4 Evaluate Risks
Risk evaluation involves comparing the estimated levels of residual risk to the Board’s appetite for risk (refer to Appendix 1), in order to decide whether to avoid, transfer, mitigate or accept these residual risks:
- Accept risk – the Board may choose to accept risks where the risk is within the Board’s risk appetite and the Board is satisfied the controls are sufficient to prevent the risk from escalating.
- Mitigate risk – the Board may choose further risk mitigating actions where the risk is currently outside the Board’s appetite for risk, or where the Board is concerned that a risk may escalate.
- Transfer risk – the Board may choose to transfer the risk to a third party where this is deemed to be the most appropriate method of ensuring the residual risk remains within the risk appetite (e.g. using third party insurers or outsourcing arrangements).
- Avoid risk – the Board may choose to avoid risks where it is not satisfied the residual risk can be managed within the Board’s risk appetite.
Any new risks identified, or changes to existing risks, resulting from the ongoing review in steps 4.1 to 4.3 above, will be evaluated using the same approach.
4.5 Treat Risks
Having completed a risk assessment, risk treatment involves implementing the controls and risk mitigating strategies that have been agreed in step 4.4 above. Risk treatment is an ongoing process and is the responsibility of Risk Owners.
4.6 Monitor and Review Risks
On an annual basis, Executive Management will provide a report to BARC including any recommendations for amendments to the risk management process and the NAIF Risk Register, taking into account the:
- External environment – review the external environment to understand the impact of political, economic, social, technological, environmental, financing and legal trends.
- Internal environment – formally review NAIF’s recent performance and its capacity and capability to meet objectives.
- Risk measurement criteria – review the risk measurement criteria detailed in Appendix 1 of this document in the context of the external and internal environment reviews above, to ensure they remain relevant.
The BARC will review the report, and make recommendations to the Board for consideration as part of its annual planning process.
- Assurance over the existence and operation of key controls will be provided by external audit and internal audit in line with the approved audit plans.
- Assurance over the existence and operation of specific controls will be covered by the compliance plan.
- Incidents and audit issues that occur during the year are discussed by relevant members of Executive Management and may lead to a recommendation to the BARC to re-assess the risk or controls.
- All instances of a significant breach are reported to the Chair of the BARC within 10 days of the breach being determined by the CEO. Significant breaches will be reported to the Board at the next available Board meeting.
- BARC receives the quarterly RMAC Report which includes risk status, emerging risks, Tolerance Measures and assessment against risk appetite.
- From December 2019 Key Risk Indicators will be included in the quarterly RMAC Report (refer Appendix 2 Attachment 2).
- Specific reporting against NAIF financial assistance outstanding, including performance and status against Tolerance Measures is made to each Board meeting by management.
4.7 Managing Shared Risks
NAIF has been established to grant financial assistance to States and Territories to meet the objectives and purpose of the NAIF Act. The Master Facility Agreement entered into by the Commonwealth, NAIF and the relevant States and Territories, and other associated documentation, states that the credit risk of projects is with the Commonwealth but the State or Territory (as relevant) is the lender of record. The States and Territories have absolute veto power over NAIF granting financial assistance. The responsible Minister has a more limited veto.
The NAIF Board has certain responsibilities in respect of financial assistance including making Investment Decisions.
These arrangements create shared risks in relation to the assessment, advancement, management and administration of NAIF financial assistance.
Under s13(1) and s14 of the Investment Mandate, NAIF is required to consult with a number of parties in assessing Investment Proposals:
- The Minister for Resources and Northern Australia is the responsible Minister under the NAIF Act, and has the right to reject a proposal to provide financial assistance under specified circumstances (s11 NAIF Act);
- Infrastructure Australia for Investment Proposals >$100m (s14(1) Investment Mandate);
- Relevant jurisdictions (being the State or Territory in which the infrastructure project is located) as soon as practicable after receiving an Investment Proposal; (s14(2) Investment Mandate) and
- Relevant government stakeholders including Commonwealth departments as appropriate.
Detailed communication requirements are addressed in NAIF’s assessment process, Master Facility Agreements and other processes and protocols agreed from time to time.
In addition, NAIF has a Service Level Agreement (SLA) with Export Finance Australia for specified services, including:
- assisting with transaction due diligence, environment and technical review, credit assessment, and loan management; and
- corporate and administrative services (including financial management and reporting, human resources, information technology, communications and property management).
Risk Management Criteria
Inherent risks are rated by the Board on the basis of likelihood and impact utilising Table 1 below. The residual risk rating is then calculated by assessing the effectiveness of controls in accordance with Table 2.
Risk Heat Map
NAIF’s Key Enterprise Risks are rated using the product of Impact and Likelihood rankings as depicted in Table 1 below.
A number of factors are taken into account when assessing the impacts of risks. These include impacts on various aspects of NAIF’s activities, as per Table 1. Measures of impact apply to one or more risk events occurring in any 12-month period. Project risks are captured within individual project risk assessments.
Table 1: Sample Risk Heat Map
Table 2 defines the effectiveness of the risk mitigating controls.
Table 2: Control Effectiveness
| Rating | Description |
| --- | --- |
| Effective | Control is in operation, applied consistently, documented and communicated. Control monitoring demonstrates that the control can be relied upon to prevent the risk materialising and to ensure objectives are being achieved. |
| Ineffective | Control is not adequate due to poor design or implementation. The control should be replaced with a known effective control or an action plan developed to address deficiencies in the control. |
Guidelines for Applying Control Effectiveness Ratings
In applying the control effectiveness to the inherent risk rating, consideration should be given to whether the control is preventive or corrective in nature as follows:
- Preventive controls – Controls are only effective in reducing the likelihood of the inherent risk; the risk retains its impact rating and moves horizontally to the left on the Risk Heat Map. Examples of preventive controls include NAIF’s credit assessment process, “vetting” of potential proponents, systems access controls and firewalls to prevent hacking.
- Corrective controls – Controls are only effective in reducing the impact rating of the risk; this moves the risk vertically downwards on the Risk Heat Map. Examples of corrective controls are Business Continuity Plans and compliance audits.
Both preventive and corrective controls need to be in place if the impact and likelihood ratings are both to be reduced.
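As an added illustration of the rating mechanics described in this appendix (example code written for this page, not NAIF’s own tooling), the Python below scores a risk as the product of likelihood and impact, applies Effective preventive controls to the likelihood axis only and Effective corrective controls to the impact axis only, ignores Ineffective controls, and lists the Ineffective controls that Table 2 says need replacement or an action plan. The 1–5 scales, the one-band reduction per effective control, the High/Medium/Low thresholds and the sample risks are all assumptions constructed for the example; Table 1 is not reproduced on the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Assumed 1..5 ordinal bands for likelihood and impact (Table 1 is not on the page).
SCALE_MIN, SCALE_MAX = 1, 5


class ControlType(Enum):
    PREVENTIVE = "preventive"  # reduces likelihood only: moves the risk left on the heat map
    CORRECTIVE = "corrective"  # reduces impact only: moves the risk down on the heat map


class Effectiveness(Enum):
    EFFECTIVE = "effective"      # Table 2: can be relied upon
    INEFFECTIVE = "ineffective"  # Table 2: replace, or develop an action plan


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType
    rating: Effectiveness


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: tuple[Control, ...] = ()

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}")


def inherent_score(risk: Risk) -> int:
    """Heat-map cell with no controls in place: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_position(risk: Risk) -> tuple[int, int]:
    """Apply controls by type. Assumption: each Effective control lowers its own axis
    by one band, never below SCALE_MIN; Ineffective controls give no credit."""
    likelihood, impact = risk.likelihood, risk.impact
    for control in risk.controls:
        if control.rating is not Effectiveness.EFFECTIVE:
            continue
        if control.kind is ControlType.PREVENTIVE:
            likelihood = max(SCALE_MIN, likelihood - 1)
        else:
            impact = max(SCALE_MIN, impact - 1)
    return likelihood, impact


def residual_score(risk: Risk) -> int:
    likelihood, impact = residual_position(risk)
    return likelihood * impact


def band(score: int) -> str:
    """Assumed heat-map bands; NAIF's real thresholds are in Table 1, not on the page."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def action_plan(risk: Risk) -> list[str]:
    """Controls rated Ineffective, which Table 2 says must be replaced or remediated."""
    return [c.name for c in risk.controls if c.rating is Effectiveness.INEFFECTIVE]


def evaluate(risk: Risk, appetite: str) -> str:
    """Step 4.4: compare residual rating to the Board's appetite band (assumed ordering)."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    if order[band(residual_score(risk))] <= order[appetite]:
        return "accept"
    return "outside appetite: mitigate, transfer or avoid"


# Constructed sample risks (not from the NAIF Risk Register).
SYSTEMS_RISK = Risk(
    "Unauthorised systems access", likelihood=4, impact=4,
    controls=(
        Control("firewall", ControlType.PREVENTIVE, Effectiveness.EFFECTIVE),
        Control("systems access controls", ControlType.PREVENTIVE, Effectiveness.EFFECTIVE),
        Control("business continuity plan", ControlType.CORRECTIVE, Effectiveness.EFFECTIVE),
        Control("compliance audit", ControlType.CORRECTIVE, Effectiveness.INEFFECTIVE),
    ),
)
# Only preventive controls: impact band is unchanged, as the guideline above states.
PREVENTIVE_ONLY_RISK = Risk(
    "Key staff loss", likelihood=3, impact=5,
    controls=(Control("succession planning", ControlType.PREVENTIVE, Effectiveness.EFFECTIVE),),
)

if __name__ == "__main__":
    for risk in (SYSTEMS_RISK, PREVENTIVE_ONLY_RISK):
        print(risk.name, inherent_score(risk), residual_position(risk),
              residual_score(risk), band(residual_score(risk)),
              action_plan(risk), evaluate(risk, "Medium"))
```

The second sample shows why the guideline insists on both control types: with only preventive controls, the impact band stays at 5 and the residual score can remain outside a Medium appetite even though likelihood has fallen.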
Whilst managing risk is everyone’s responsibility, NAIF has an assigned Risk Owner for each Key Enterprise Risk. Risk Owners are expected to understand and manage assigned Key Enterprise Risks by monitoring key controls and reporting relevant issues as and when they arise. Risk Owners attend a quarterly Enterprise Risk Management Forum to ensure NAIF achieves an enterprise-wide resolution of risk related matters.
Key Enterprise Risks
NAIF’s primary focus is on its Investment Decisions and NAIF has structures in place to manage the risks associated with this function including detailed due diligence and credit approval processes.
In addition, NAIF must manage a comprehensive list of strategic, governance and operational risks. NAIF’s Key Enterprise Risks (KERs) fall into the following broad categories:
- Strategic: risks related to meeting strategic objectives and expectations of key stakeholders;
- Investment Decisions: Project assessment and credit related risks;
- Governance, Legal & Regulatory: compliance with relevant obligations such as confidentiality, conduct and AML/CTF; and
- Operational: risks associated with running a viable and efficient business including resourcing, business continuity, outsourcing and health and safety.
Figure 6: Key Enterprise Risks