From Tiffany’s desk ....
As we come to the end of the year, I would like to thank all Fund Members for all we have achieved in 2018.
We had an exciting 20th birthday year, including our conference, themed Building a positive risk culture. A big thank you to all Fund Members who attended.
More than 220 people heard presentations on a diverse range of topics and issues that are impacting on or will impact on the work we do.
The presentations by keynote speakers, Kate Hughes, Chief Audit and Risk Officer at RMIT; and Joe Buffone, from the Department of Home Affairs, and Mark Tattersall, from the Department of Foreign Affairs, were inspiring and really emphasised how important risk management is.
The conference capped off a busy 20th year for Comcover. As well as delivering our usual program of services and continuing to provide comprehensive cover to Fund Members, this year Comcover also successfully ran the awards for excellence in risk management, implemented a legal service provider forum series, and extended our educational offering to include all four risk management education pathways.
We are building on the success of our risk awards by making them an annual event from now so please chat to us about opportunities for your entity to be involved.
The education program will start again in February so log into the Comcover Learning Centre and register for any of the courses.
You will also find three new online learning programs I announced at the conference (see page 7).
Introduction to Comcover provides an overview of common risk and insurance terms and concepts. Liaising with Comcover is a induction program for all contacts and provides anyone new to Comcover an overview of Comcover’s role, functions and services. Even if you have been in your job for some time, it would be worthwhile completing that program and the additional course, Managing indemnity risk. In addition to the new eLearning courses, Comcover is sponsoring the launch of an insurance practitioners’ forum to connect our primary insurance contacts.
We also aim to refresh the format of Comcover Connect to make it a truly online resource for you. Keep an eye out for communication about this early in the new year.
2019 is already looking like a busy year.
I hope you enjoy your end-of-year break. Have a safe and happy festive season.
Tiffany Karlsson Assistant Secretary Risk and Claims Branch Department of Finance P: (02) 6215 2593
Pre-planning pays off
The advantages of pre-event planning and creating sound disaster recovery plans paid off for the Australian Taxation Office (ATO) when it faced real disasters.
Brendan Jones, Director of ATO’s Business Continuity Team, outlined five key principles for good disaster recovery planning to the Comcover conference and demonstrated how ATO’s planning was actioned when three disasters occurred – Cyclone Debbie in Queensland in 2017; a major flood in the Penrith, NSW, ATO office in 2015; and a storage area network outage in 2016.
Mr Jones’s key principles to develop disaster recovery plans for effective recovery from significant disruptions are:
- Having effective teams with clear command-and-control structures
- Leveraging on existing business-as-usual (BAU) teams
- Testing the plan
- Post-incident reviews.
Mr Jones told Comcover Connect disaster recovery plans required an effective business continuity management team to develop, implement and manage the plan; a crisis/continuity management team (CMT); and executive endorsement.
‘You can get through disasters if the teams know the business, its priorities, and have effective crisis leaders. Without a clear command-and-control structure, everyone
will be trying to run the ship,’ he said.
Using existing BAU teams, for example IT incident management, building management, security, and communications, avoided ‘reinventing the wheel’. Each can be responsible for restoring areas that are their responsibility, with the disaster recovery team integrating them, being the liaison point, and ‘bringing all the threads together’.
Mr Jones said prioritising ensured recovery efforts focused on what was of critical importance. ‘Consider what will bring the most pain, affect customer satisfaction, or cost the business money,’ he said. ‘Not everything is critical.’
Testing was essential. ‘A plan can’t gather dust in a corner. You need simulations and exercises to test its validity.’
Post-incident reviews enabled the teams to learn lessons and update the plan.
Each of Mr Jones’s three case studies demonstrated successful implementation of the five principles.
When Cyclone Debbie approached Queensland in 2017, ATO had experienced a ‘practice run’ with the 2011 Queensland floods in which multiple ATO offices were temporarily closed and some staff members’ homes inundated.
Before Debbie struck the coast, the Townsville ATO office was proactively closed and subsequently three other south-east Queensland offices closed for half a day, affecting more than 3,000 staff.
ATO’s CMT was activated. The team contacted staff via text and used BAU response teams to ensure offices were safe and secure and IT powered down.
‘Because we had done lots of simulations and conducted post-incident reviews with prior cyclones, there were a lot of prior learnings,’ Mr Jones told Comcover Connect.
The disaster recovery plan implementation was successful. ‘There were a few "nitty-gritty" things, for example, not everyone got the text messages. It’s never an exact science.’
In 2015, a water tank on the ninth floor of ATO’s Penrith office leaked, sending megalitres of water cascading into the floors below. Fire stairs, lobbies, offices, and a computer room were flooded. The building was closed for three days and about 1,000 staff unable to attend work.
The CMT activated its communications plan to ensure staff were advised; and worked with BAU response teams to ensure the site was closed and secure. IT equipment was powered down and subsequently cleaned, powered up and restarted.
Critical staff and processes were relocated to ATO’s Parramatta site. A full post-incident review was conducted. The effort was rewarded with a 2016 award for Recovery of the Year from the Australasian Business Continuity Institute (ABCI).
In December 2016, ATO lost core IT services for three to four days when its outsourced data storage network (SAN) failed and the backup would not power up.
Less time-critical services were unavailable for 10 to 14 days and there were significant impacts for taxpayers, tax agents, businesses, software providers, the superannuation industry, and all ATO staff.
Mr Jones said the senior CMT had met just five days before the outage for a major cyber-attack simulation, so the team was familiar with its roles and responsibilities.
‘A tried-and-tested business continuity management team provided effective support though the entire outage, leveraging on an existing close working relationship with the IT incident management team,’ he said.
A clear understanding of ATO’s organisational priorities enabled IT to focus restoration efforts on the right systems and effectively prioritise the recovery. Critical online services were restored first and the SAN was rebuilt from back-ups with no data lost.
Mr Jones said post-incident reviews, internal and external, identified ‘a list of things to improve’.
‘Nothing tests you like a real incident,’ he said. ‘Had we not had the five disaster recovery plan principles in place, we would have been "dead in the water" for a much longer time.’
Mr Jones has run ATO’s business continuity program since 2011, chairs the Australian Public Service Business Continuity Management Community of Practice, and is a member of the ABCI’s 2020 think tank.
Applying business interruption cover after disasters
After Brendan’s presentation at the Comcover conference, Robert Edwards, Assistant Director, Department of Finance, and Comcover Relationship Manager, outlined the scope of business interruption cover available under the Comcover Statement of Cover.
He said key principles for effective recovery from business interruptions included:
- Factors to consider when Fund Members assess business interruption costs and set appropriate sums insured
- What business interruption covers and what is excluded
- The nature of the initial and other advice Fund Members need to provide to Comcover to manage business interruption claims
- Factors Fund Members should review and consider after events and monitor post loss.
A key point Robert stressed was ensuring Fund Members’ insurance and risk contacts worked closely with their business continuity teams to test the financial adequacy of cover sought.
If you have questions about property and business interruption cover, contact your Relationship Manager on 1800 651 540 (option 3).
Events calendar 2019
Risk Management Benchmarking Survey opens – 4 February
Comcover Seminar Series – Salary for super purposes and allowances – Ashurst – 13 February Register for the Comcover Seminar Series through the Comcover Learning Centre
Business Continuity Community of Practice – 14 February Then every second Thursday of the month during 2019 Email Brendan Jones – BCMHelpdesk@ato.gov.au
Risk Management Benchmarking Survey closes – 15 March
Dates for Comcover’s 2019 education program workshops are being finalised. More information about the Generalist, Specialist and Executive pathway workshops will be on the Comcover Learning Centre early in 2019.
CRO role ‘an alchemist’
Kate Hughes is not your average chief risk officer and she’s the first to admit it.
She doesn’t even think the title chief risk officer (CRO) reflects her daily work. ‘My job is to help our executive team make decisions with risks in mind,’ she told Comcover Connect in advance of her presentation to the 2018 Comcover conference.
Ms Hughes, Chief Audit and Risk Officer for RMIT University in Melbourne, has enterprise-wide responsibility for risk management, compliance, policy and internal audit. Before joining RMIT in February, she was CRO for Telstra.
She says her RMIT role is one of an alchemist. ‘I have a helicopter view of the university that enables me to understand risks in a holistic way. I’m not blind to the past, but want to test and challenge how things are done.’
She says risk management has a brand problem and risk management professionals are partly responsible because they use the wrong language.
Ms Hughes’s tips for success in risk management include:
- Stop using jargon – ‘Most people will never read [the international risk management standard] ISO 31000.’
- Be less technical and theoretical – ‘Talk about risk as a normal part of managing a business or organisation.’
- Use language that is relatable – ‘Matrix, consequence, likelihood, controls, and treatments are not as easily understood as profit, expenditure, revenue, and reputation.’
- Don’t simplify risks to the extent no one can understand what they mean.
- But don’t complicate risk descriptions so people can’t determine how to manage them.
- The average executive is not a risk professional, they are a leader with a busy diary. Be succinct and remind them why risk management matters.
- Understand the value you bring to the conversation and leverage that.
- Think about the ‘lived experience’ of the most important risks and ensure you translate that well.
Ms Hughes said the questions to ask in risk management were ‘what’; then ‘so what’, ie, why does it matter; and ‘now what’, ie, what do we do about it. The greatest emphasis should be on the latter.
Key risks for RMIT included ensuring graduates emerged with the ability to do the roles for which they had been trained. Students had to understand what they were learning and apply it, not just learn by rote and memory, otherwise the integrity of their degree was undermined.
‘Universities are a business. They need to be sustainable into the future. My role is to think about what risks are in the way of achieving that,’ Ms Hughes said.
‘As RMIT goes global, there are new risks to manage, including geopolitical and bribery and corruption. Managing them well is not about facilitating endless risk workshops, it’s about strategic risk management. As we deliver our strategy we need to mitigate the risks of that strategy; we need to look ahead and take action in advance.’
Ms Hughes said risk management must be deeply embedded within organisations so it was considered at the inception of new ideas or partnerships and occurred ‘almost invisibly and seamlessly’.
Good risk thinking and having critical response strategies in place built resilient organisations that bounced back quickly.
Risk management’s role was to help identify things that would stand in the way of the organisation achieving its strategic objectives and work as a team to ‘help kick those things out of the way’.
Ms Hughes said true risk leaders:
- Help their organisations make better decisions by having well-timed, succinct, meaningful risk assessments that drive decision making and become part of business as usual processes
- Promote strategic alignment so risks are well understood across the enterprise and the risk appetite is clear, consistent and aligned with strategy
- Create a risk management culture in which risks are considered, understood and integral to all business conversations and processes to promote integrity in decision making
- Help their organisations build resilience and agility by developing risk processes that encourage quick recoveries.
Ms Hughes said the risk management profession had a disproportionate focus on bad things happening, so maintaining personal resilience was critical.
That was achieved through having a capable team and
having your own ‘cheer leaders’, people who encouraged you and gave you the courage to get through adversity and face challenges. There was a difference between encouragement and recognition.
It was also important to ‘refill the bucket’ by spending time doing things that reminded you your skills were being used for betterment.
She encourages her teams to ‘get out into the business of your business’.
Ms Hughes’s team – covering risk management; policy and governance; education compliance; and internal audit – will help at this year’s graduation ceremony. The aim is to temporarily take their focus from their daily roles, enabling them to ‘see the bigger picture, the importance of our job’.
‘We will graduate 9,000 students into the workforce. That’s 9,000 things that went right this year,’ Ms Hughes told Comcover Connect.
Computer-generated ‘decisions’ spark new risks
At the Comcover conference, Ashurst Partners Melanie McKean and Tim Brookes presented on potential impacts increased use of artificial intelligence (AI) may have on ways the Commonwealth delivers services, projects and programs in the future. In Understanding the opportunities and risks of new and emerging technology – Is artificial intelligence an increasing legal risk for the Commonwealth? Melanie and Tim identified that, while new technologies present opportunities, they also bring risks which require identification and management. There have been new developments in how governments and organisations need to manage those risks.
In this article, Tim and Mitchell Bazzana summarise Pintarich v Deputy Commissioner of Taxation, which deals with interesting questions on AI and the grounds on which it may make legally binding decisions.
By Partner Tim Brookes and Mitchell Bazzana, Ashurst
The Full Court of the Federal Court has found a taxpayer remained liable for interest charges despite receiving a computer-generated letter from the Australian Taxation Office purportedly remitting the taxpayer’s liability.
The case is Pintarich v Deputy Commissioner of Taxation  FCAFC 79.
Joseph Pintarich had a tax liability which included a general interest charge (GIC) component. In December 2014, an Australian Taxation Office (ATO) delegate of the Deputy Commissioner input information into a computer-based ‘template bulk issue letter’ which generated a letter.
The letter sent to Mr Pintarich from ATO purported to remit a significant portion of the GIC liability provided a lump-sum payment was made before a set date. The delegate did not review the letter’s contents before it was sent.
Despite paying the lump sum, Mr Pintarich was issued with further statements of account for the GIC. In May 2016, ATO told Mr Pintarich his request for the GIC’s full remission had been denied and only partial remission would be granted. Mr Patriarch argued the later ‘decision’ was ultra vires, because a decision had already been communicated to him in the computer-generated letter.
ATO later advised him the portion of the letter purporting to remit GIC liability had been included in error and, therefore, no decision on the application for GIC remission was made when the letter was sent. Mr Pintarich challenged that.
Did the computer-generated letter amount to a ‘decision’ by ATO?
The majority of the court found for there to be a ‘decision’ there needed to be both:
The primary judge’s finding ATO had not conducted a process of deliberation to decide whether to grant the taxpayer’s application for remission of GIC liability was unchallenged. On that basis, the majority held Mr Pintarich could not rely on the computer-generated letter because it was not a ‘decision’, since there had been no related mental process of reaching a conclusion. That was so, even though the letter was an objective manifestation of that conclusion. ATO was therefore not bound by the letter.
Although the majority acknowledged the outcome may seem unfair and create uncertainty about relying on communications with government agencies, they said there was a relatively small chance of a similar data entry error by ATO in future decisions.
Justice Kerr adopted a more practical approach and argued the legal concept of what constitutes a ‘decision’ must not remain static but should comprehend that technology has fundamentally altered how decisions are made. Noting many decisions are made without any explicit mental engagement, Justice Kerr said renouncing an objective ‘decision’ for a lack of subjective mental process undermined the fundamental principles of administrative law. He said determining whether a decision was made must be fact and context specific.
Justice Kerr disagreed the scenario was unlikely to arise again, given ‘the growing interdependency of automated and human decision making’ and he was concerned about the decision’s unfairness.
The decision has clear implications for administrative law and governments’ increased reliance on document automation and artificial intelligence for decision-making processes. It illustrates the risks of taking ‘decisions’ made by automated correspondence at face value and creates uncertainty on the reliability of automated decision-making processes. That may have broader effects when relying on those technologies in administrative decision making.
Historically, automation has helped apply rules to individual cases. However, automated systems are progressively becoming primary administrative decision makers. Difficulties will arise as automation collapses decisions into rulemaking, making it nearly impossible to determine whether a decision resulted from factual errors or distorted policy.
Full automation of decision making without the counter balance of human mental processes arguably risks dismantling critical procedural safeguards.
Procedural fairness may be impaired where computer programmers change the substance of rules when translating them from complex human language into binary computer code.
Even for programmers with a good understanding of statutory construction, the translation is difficult and meaning may be lost or distorted. Data input error can lead to incorrect decisions and problems may arise in verifying a program has correctly recorded the rules. For example, individuals may be unable to meaningfully challenge automated decisions where expert testimony about a computer system’s reasoning is unavailable.
The pervasive uptake of machine-learning algorithms and automated decision-making tools by governments worldwide also highlights the likelihood of increasing numbers of coding or data-input errors. That goes against the majority’s view that type of scenario was unlikely to occur more frequently in future.
Use of automated systems raises important questions about measures necessary to ensure the legality of decisions they make. Authority to use such systems is not always transparent or express. Increasingly, legislative schemes include mechanisms whereby decisions made by computer programs are deemed decisions of human decision makers, as in the Business Names Registration Act 2011 (Cth). However, it is not clear that is being dealt with comprehensively.
As Justice Kerr noted, large-scale automation systems are ‘routinely relied on by ... Australian government departments for bulk decision making’. That reflects increasing budget constraints and rapid growth in the volume and complexity of legislation and the government decisions it requires.
Those systems are now well established, with the Administrative Review Council publishing guidance on their use in 2004. That was the catalyst for the Commonwealth Ombudsman’s 2007 Better practice guide to automated decision making. Where human decision makers have established processes for how and when automated decision-making tools can be used, it appears illogical to suggest human mental processes are required to make the decisions.
In the Pintarich case, the High Court refused an application for leave to appeal and therefore declined the opportunity to decide those issues.
WoAG travel drives value
The Whole of Australian Government (WoAG) travel arrangements and associated policies drive enhanced value for money and service levels for official travel.
The WoAG Travel team manages deeds of standing offer for:
- travel management services
- domestic and international air travel services
- accommodation program management services
- travel and card-related services
- car rental services.
To support WoAG Travel’s objectives, the WoAG Travel team organises and hosts a WoAG Travel Exhibition every two years. Comcover and its service delivery partner International SOS participate at the WoAG Travel Exhibitions.
The event enables travel managers, travel bookers, and travellers from participating entities to familiarise themselves with details of the travel arrangements, engage directly with WoAG Travel suppliers, and learn more about products and services offered by the suppliers.
Products and services include new and existing offers available for official travel booked under the negotiated deeds of standing offer, such as additional baggage or transfers.
As a key engagement strategy, WoAG Travel supports and encourages all staff involved in official government travel to review their booking behaviours and increase their awareness of benefits available through the negotiated agreements.
The exhibition is an opportunity for entities to connect with travel-related government service providers, including Comcover, which provides cover for domestic and international travel; International SOS, which provides routine and emergency medical and security assistance to international travellers and expatriates posted overseas; and the Department of Foreign Affairs and Trade, which provides international travel risk assessment and advice.
More information about WoAG Travel arrangements is available on the Department of Finance website.
If you require assistance or guidance about the WoAG Travel arrangements, please contact the WoAG Travel team at email@example.com.
Cyber security protects government reputation
"A secure cyberspace provides trust and confidence for individuals, business and the public sector to share ideas, collaborate and innovate."1
Cyber security is important to preserve national security and the Australian Government’s reputation for how it handles data.
Management of cyber risks by selected government entities has been the focus of a new Australian National Audit Office (ANAO) audit.
ANAO’s fourth audit of entities’ management of cyber risks was developed to examine whether entities:
- have effective arrangements in place to manage cyber risks
- monitor and report against cyber security deliverables
- have a culture of cyber resilience.
Consistent with previous cyber audits, the audit found a relatively low level of maturity in managing cyber risks. It highlighted the need to strengthen cyber requirements of the Protective Security Policy Framework.
Cyber risk is not an emerging risk. It is a current risk, however the nature of the risk is constantly evolving and changing and so must strategies for managing it. Cyber attacks continue to present a challenge for public and private sector organisations and the audit includes key learnings for all entities.
The report is on ANAO’s website at: https://www.anao.gov.au/work/performance-audit/cyber-resilience-2017-18… traliangovernmententities.
Comcover can assist. If you would like guidance on managing cyber risk, please contact the Comcover Risk Management Team on 1800 651 540 (option 4) or email firstname.lastname@example.org.
New eLearning courses
Comcover provides risk education opportunities to help you better engage with risk in your day-to-day work.
Comcover’s learning programs are available free to Commonwealth officials via the Comcover Learning Centre.
To support you in understanding basic risk management concepts and Commonwealth best practice risk management strategies, three new eLearning courses are now available in the Comcover Learning Centre.
Introduction to Comcover explains Comcover and how it helps entities and their staff to manage risks through:
- the Comcover Fund, which protects against the financial impact of insurable losses
- a range of services to promote better risk management practices in the public sector, including education delivered as eLearning, face-to-face workshops and events.
Managing indemnity risk was developed to help you better understand indemnities and how to reduce the likelihood and consequences of the risks they present.
If your job requires you to design, implement, and embed risk management in your entity, Liaising with Comcover provides extensive information to help you provide risk management advice and support in your entity.
Designed for officials who are, or will become, authorised Comcover liaison personnel, the course provides opportunities to learn more about the roles of Comcover’s insurance and risk contacts and how Comcover can help influence positive outcomes through effective and efficient management of risks.
Education program 2019
Our risk education extends to practical workshops.
Over the past two years, more than 90 per cent of workshop participants indicated they would recommend the education program to others and believed the program was valuable in further developing their risk management capabilities.
Comcover again plans to deliver Generalist, Specialist and Executive level workshops in 2019.
Dates will be released soon.
2019 Awards for Excellence
Planning is in progress to deliver the 2019 Awards for Excellence in Risk Management.
Comcover normally presents the awards every second year. However, the number of high-calibre entries in 2018 has encouraged the Secretary of the Department of Finance, Rosemary Huxtable PSM, to convert the awards into an annual event.
Start thinking about your 2019 nomination now.
Statement of Cover – travel outside country
Comcover provides overseas travel cover to Fund Members for baggage and personal effects, and medical expenses and medical emergencies.
To effect travel cover, the person travelling must satisfy the definition of a ‘traveller’ under section 5 of the Comcover Statement of Cover 2018-19. A key requirement is that the travel must be approved and funded by a Fund Member.
A Fund Member’s limit of cover is specified in the entity’s Schedule of Cover which is available in the Comcover Gateway on the Comcover Launchpad.
Baggage and personal effects
Cover for baggage and personal effects is provided for a range of circumstances, including the cost of repairing or replacing baggage and personal effects belonging to or the responsibility of a traveller that are lost, destroyed or damaged. Comcover will also cover a Fund Member for money stolen if the money belongs to or is the responsibility of a traveller on official travel.
Cover is also provided for insurable losses in response to major incidents or natural disasters where the traveller is at risk of injury or illness. That includes emergency evacuations under the terms and conditions specified in section 14 of the Statement of Cover.
Several exclusions apply to baggage and personal effects. They include that Comcover will not pay for any loss or claim unless the travel has been approved in accordance with relevant legislation and the entity’s internal policies, instructions and guidelines. The exclusions are detailed in section 14(4) of the Statement of Cover.
Medical expenses and emergencies
The Statement of Cover will respond to a range of events related to medical treatment, including injury, illness or death of a traveller. Comcover will pay compensation to a Fund Member, or a traveller directly if they are not indemnified by a Fund Member, subject to terms and conditions.
Comcover also provides cover for the cost of medical
repatriations under medical supervision.
The Statement of Cover includes some exclusions. They include any claims where a traveller would be reasonably considered unfit for travel or is travelling against the advice of a medical practitioner. The exclusions are detailed in section 15(3) of the Statement of Cover.
If you have any questions about travel outside country cover, contact your Relationship Manager on 1800 651 540 (option 3).
The Statement of Cover 2018-19 and an associated Information Bulletin are available on the Department of Finance website and in the Comcover Gateway on the Comcover Launchpad.
Statement of Cover – cyber
Managing cyber security is one of the Commonwealth’s biggest challenges and continues to generate inquiries to Comcover about how the Comcover Statement of Cover responds and the extent of cover available.
At first glance, the Statement of Cover does not appear to provide cover for cyber security-related losses because there is no specific cyber security loss section. However, cover may be available for first and third-party losses caused by cyber security incidents under the property and liability sections.
Comcover’s information sheet How the Comcover Statement of Cover responds to cyber security events details circumstances under which cover may be provided.
Depending on the circumstances of the property loss, coverage for first-party losses may be provided for things like loss or damage to a network resulting in business interruption and loss of revenue.
The Statement of Cover’s liability section may be triggered when a third party alleges a Fund Member should be held liable for losses arising from a cyber event, for example where personal information has been released.
The fact sheet also contains links to other cyber security policy and guidance material resources Fund Members may find useful.
If you have any questions about cyber security incident cover, contact your Relationship Manager on 1800 651 540 (option 3).
A full list of resources, including advice circulars, Comcover Connect newsletters, information sheets, and FAQs, is on the Department of Finance website