Risk management is central to NBN Co's (nbn or the Company’s) ability to successfully manage the challenges of deploying and operating the nbn™ broadband access network.
The Board of Directors and management are committed to implementing a robust risk management framework that will enable proactive identification, assessment and management of all risks.
nbn is required to address risk management in the context of its status as a GBE. The PGPA Act and the Commonwealth GBE Governance and Oversight Guidelines (January 2018) (GBE Guidelines) prescribe the requirements nbn must meet to fulfil its obligations to its Shareholder Ministers to enable them to exercise their accountability to Parliament and to the general public.
nbn is responsible for providing a Corporate Plan to its responsible Shareholder Ministers, of which risk identification, measurement and risk management strategies are key elements.
The nbn™ Risk Management Policy outlines nbn's commitment to operating a robust system of risk oversight and management, responsibilities for risk across the Company and the essential behaviours for a strong risk culture.
The nbn™ Risk Management Policy and Framework communicates our objectives, approach and responsibilities with regard to risk management throughout nbn. The policy and framework also communicate nbn's commitment to support the development of a sound risk management culture.
The Board is ultimately accountable for the management of risk and ensuring that effective risk management practices are in place across nbn. In order to fulfil its risk management responsibilities, the Board is assisted by the Audit and Risk Committee. The Board reviews nbn’s strategic risk profile biannually.
Internal Control Framework
The Board is responsible for the overall Internal Control Framework and for reviewing its effectiveness but recognises that even best practice internal control systems are unlikely to preclude all errors and irregularities. The framework is intended to provide appropriate assurance on:
- Accuracy and completeness of financial reporting against the key performance indicators in the GBE Guidelines;
- Safeguarding of assets;
- Maintenance of proper accounting records;
- Segregation of roles and responsibilities;
- Compliance with applicable legislation, regulation and best practice; and
- Effectiveness and efficiency of operations and information technology systems.
Internal controls have been implemented to identify, evaluate and manage significant risks in relation to the achievement of nbn’s objectives. These internal controls cover financial, operational and compliance risk, and take the form of appropriate financial delegations, financial planning and reporting, compliance with appropriate procurement standards, strategic and operational planning, and internal audit practices.
nbn formally adopted and implemented the Integrated Assurance Framework which links enterprise level risks to controls and assurance activities.
Internal Audit is a key component of nbn’s governance framework. It provides independent and objective assurance and consulting activities designed to add value and improve nbn’s operations.
The Internal Audit function is independent, with the Chief Audit Executive, the General Manager Group Internal Audit, Fraud and Risk reporting directly to the Chair of the Audit and Risk Committee. This ensures free and unrestricted access to the Audit and Risk Committee and the Board. The Audit and Risk Committee, in turn, has been constituted by the Board to review and endorse an annual internal audit plan. The Internal Audit function operates in accordance with a Board-approved charter which is reviewed and approved annually by the Audit and Risk Committee and the Board.
The Auditor-General is responsible for auditing the financial statements of nbn. In addition, nbn’s Annual Report is tabled in Parliament and its financial accounts lodged with the Australian Securities and Investments Commission.
The Audit and Risk Committee meets with the external auditor during the year to:
- Discuss the external audit plans, identify any significant changes in structure, operations, internal controls or accounting policies likely to impact the consolidated financial statements;
- Review the results and findings of the external auditor, the appropriateness of accounting and financial reporting, performance reporting, risk oversight and management, the internal control system and the implementation of any recommendations made; and
- Finalise annual reporting, review the preliminary financial report prior to sign-off and any significant adjustments required as a result of the external auditor’s findings.
Fraud risk and reporting
nbn has in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. In addition, nbn has adopted a methodology consistent with Australian Standard AS 8001:2008: Fraud and Corruption Control and AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines. As part of its commitment to these standards, nbn has a zero-tolerance approach to fraudulent and/or corrupt behaviour.
The nbn™ Fraud and Corruption Control Policy and the Fraud and Corruption Control Plan also contribute to the sound management of fraud risk, and detail the requirements and responsibilities for the prevention, detection and response to fraud and corruption. In addition, the nbn™ Fraud and Corruption Control Policy seeks to promote behaviour that is consistent with the Code of Conduct and allows nbn to act appropriately and consistently in the investigation and reporting of suspected fraudulent or corrupt activity.