nbn has adopted a formal Risk Management Policy that is consistent with Standards Australia AS/NZS ISO 31000: 2009 Risk Management – Principles and Guidelines and the ASX Corporate Governance Principles and Recommendations (Principle 7: Recognise and Manage Risk).
nbn is required to address risk management in the context of its status as a GBE. The PGPA Act and the Commonwealth GBE Governance and Oversight Guidelines (August 2015) (GBE Guidelines) prescribe requirements nbn must meet to fulfil its obligations to its Shareholder Ministers to enable them to exercise their accountability to Parliament and to the general public.
nbn is responsible for providing a Corporate Plan to its responsible Shareholder Ministers, of which risk identification, measurement and risk management strategies are key elements.
nbn’s Risk Management Policy and Framework communicate objectives, approach and responsibilities with regard to risk management throughout nbn. The policy and framework also communicate nbn's commitment to support the development of a sound risk management culture.
The Risk Management Policy describes a “three lines of defence” principles-based approach to risk management, and forms part of a robust risk management framework to allow for the proactive identification, assessment and management of material risks.
The Board is ultimately accountable for the management of risk and ensuring that effective risk management practices are in place across nbn. In order to fulfil its risk management responsibilities, the Board is assisted by the Audit and Risk Committee. The Board reviews nbn’s strategic risk profile biannually.
The Board is responsible for the overall Internal Control Framework and for reviewing its effectiveness but recognises that even best practice internal control systems are unlikely to preclude all errors and irregularities. The framework is intended to provide appropriate assurance on:
Internal controls have been implemented to identify, evaluate and manage significant risks to the achievement of nbn’s objectives. These internal controls cover financial, operational and compliance risk, and take the form of appropriate financial delegations, financial planning and reporting, compliance with appropriate procurement standards, strategic and operational planning, and internal audit practices.
nbn formally adopted and implemented the Integrated Assurance Framework which links enterprise level risks to controls and assurance activities.
Internal Audit is a key component of nbn’s Governance framework. It provides independent and objective assurance and consulting activities designed to add value and improve nbn’s operations.
The Internal Audit function is independent, with nbn’s Chief Audit Executive, the General Manager Group Internal Audit, Risk and Fraud reporting directly to the Chair of the Audit and Risk Committee to ensure free and unrestricted access to the Audit and Risk Committee and the Board. The Audit and Risk Committee, in turn, has been constituted by the Board to review and endorse an annual internal audit plan. The Internal Audit function operates in accordance with a Board approved charter which is reviewed and approved annually by the Audit and Risk Committee and the Board.
The Auditor-General is responsible for auditing the financial statements of nbn. In addition, nbn’s Annual Report is tabled in Parliament and its financial accounts lodged with the Australian Securities and Investments Commission.
The Audit and Risk Committee meets with the external auditor during the year to:
nbn has in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. In addition, nbn has adopted a methodology consistent with Australian Standard AS 8001:2008: Fraud and Corruption Control and AS/NZS ISI 31000:2009 Risk Management - Principles and Guidelines. As part of its commitment to these standards, nbn has a zero tolerance approach to fraudulent and/or corrupt behaviour.
nbn’s Fraud and Corruption Control Policy and the Fraud and Corruption Control Plan also contribute to the sound management of fraud risk, and detail the requirements and responsibilities for the prevention, detection and response to fraud and corruption. In addition, the Fraud and Corruption Control Policy seeks to promote behaviour that is consistent with the Code of Conduct and allows nbn to act appropriately and consistently in the investigation and reporting of suspected fraudulent or corrupt activity.