Strong governance is essential to the department delivering outcomes in controlled, transparent and accountable ways.

The department's governance framework comprises the principles, practices and tools needed to ensure the approach to governance is consistent and coordinated. Major elements include:

  • coordinated business planning which reflects the department's Corporate Plan
  • performance monitoring, through regular review of strategic and organisational performance measures - see the Annual Performance Statement 2016-17 at Appendix A
  • strong management of the department's major programs and projects - see Program and project management below
  • a departmental risk management framework - see Risk management below.

Governance committee framework

The department's governance committee structure at 30 June 2017 includes the Executive Committee and eight supporting governance committees that provide advice and assurance to the Executive Committee. A number of the committees have an independent chair and/or independent members, senior and experienced professionals from outside the organisation who offer an additional level of independent oversight and advice.

Strategic governance committees

Executive Committee - provides advice to the Secretary on the department's strategic directions, and on significant management and investment decisions. It also monitors financial performance, risk and compliance standards. The Secretary chairs the committee which meets weekly.

Finance and Investment Committee - provides advice to the Secretary on financial issues and internal investment. The committee also considers approval for internal investments and their funding source. The Secretary chairs this committee which meets at least quarterly.

ICT Committee - provides advice relating to strategic ICT operations of the department including ICT investment and architecture decisions to achieve high quality government outcomes. The committee also provides strategic guidance on critical ICT risks and issues for resolution to ensure that there is sufficient planning and controls in place to mitigate strategic risks. The Secretary chairs this committee which meets at least quarterly.

Service Delivery Roundtable - provides assurance to the Secretary and the Executive Committee that service delivery managers have a shared understanding of current issues, risks and the way forward. The Secretary chairs this committee which meets fortnightly.

Advisory strategic governance committees

Audit Committee - reviews and gives independent advice and assurance on the appropriateness of the department's financial and performance reporting, and systems of risk oversight, risk management, and internal control. This committee has an independent chair, Mr Dominic Staun, and three other independent members—Ms Jenny Morison, Mr Nick Baker and Mr Andrew Dix. This committee meets at least five times a year.

Customer Committee - provides advice and assurance to the Secretary and Executive Committee that service delivery achieves high quality government outcomes that are consistent with best practice. The Deputy Secretary, Service Delivery Operations, chairs this committee. It has one independent member, Ms Sandra Lambert AM, and meets monthly.

Implementation Committee - provides advice to the Secretary and Executive Committee to ensure the effective implementation of significant departmental change initiatives and programs and projects. This committee is chaired by the Deputy Secretary, Programme Design, and has one independent member, Ms Sandra Lambert AM. This committee meets monthly.

Risk, Business Continuity and Security Committee - provides advice and assurance to the Secretary and Executive Committee that there is appropriate oversight of the department's risk, business continuity and security arrangements. This committee has an independent Chair, Ms Philippa Godwin PSM, and an independent member, Mr Andrew Dix, and meets monthly.

Workforce Management Committee - provides advice and assurance to the Secretary and Executive Committee on all departmental workforce and people matters. The Deputy Secretary, Shared Services, chairs this committee which meets at least monthly.

Program and project management

In 2016-17 the department continued to make progress in improving the way a large number of programs and projects across the department are managed and coordinated. This includes finding ways to better deliver Budget measures, legislative reforms and service transformation initiatives.

An important part of this was to identify how to further strengthen program and project management in the department. Work during the year included:

  • implementing measures to improve the quality of project planning
  • improving the quality and accuracy of reporting
  • improving governance over programs and projects
  • increasing transparency in terms of change control and decision making
  • adding new assurance controls
  • building capability through training of senior officials and program/project managers.

Public Interest Disclosure Act 2013

The Public Interest Disclosure Act 2013 allows for investigation of allegations of serious wrongdoing in the Australian Public Service.

Responsibilities and functions under the Act are delegated to a core group of staff to ensure control and oversight in managing disclosures.

In 2016-17 the department received six public interest disclosures. Of the six disclosures received, two were assessed as not being a Public Interest Disclosure (PID) under the Act. After investigations were completed, including those continued from the previous year, only one PID resulted in sanction.

PID education is included in two topics of the Mandatory Refresher Training that all department staff are required to undertake.

Managing internal fraud

The department has a zero tolerance approach to fraud and takes internal fraud control seriously. The department's fraud detection program takes a multifaceted approach that includes internal data-matching, risk profiling and environmental scanning. To support fraud prevention the department's fraud awareness strategies promote messages about how the department identifies and reports suspected fraud, staff responsibilities, and awareness of current and emerging risks.

The department's Fraud Control Plan provides assurance that the department's identified fraud risks are managed appropriately. The plan meets the department's responsibility for compliance under section 10 of the Public Governance, Performance and Accountability Rule 2014 and the Commonwealth Fraud Control Framework 2014. The Fraud Control Plan ensures that the department takes a comprehensive strategic approach to fraud risk, and that all reasonable measures are in place to prevent, detect and deal with fraud.

The department uses a range of strategies to prevent and respond to internal fraud including:

  • fraud control planning, monitoring and reporting
  • a requirement that all staff adhere to the department's Fraud Strategy Statement
  • internal and external reporting mechanisms
  • collecting and analysing information and data to detect fraud
  • receiving and analysing allegations from internal and external sources
  • testing and analysing the effectiveness of fraud controls and, if necessary, making recommendations where appropriate to strengthen controls to prevent and detect fraudulent activity
  • conducting investigations in accordance with Australian Government Investigation Standards.

Substantiated incidents of internal fraud are referred to the Commonwealth Director of Public Prosecutions (CDPP) for consideration of criminal prosecution. The department also considers the need for administrative action against breaches of the Australian Public Service Code of Conduct (see Standards of behaviour at part 4.6 of this report).

The department promotes fraud prevention and awareness to staff across the department through:

  • Fraud Awareness Week including articles and executive messaging on fraud
  • mandatory fraud awareness training including tailored fraud awareness communication activities and presentations
  • an intranet page linking all relevant awareness information and tip-off forms.

Business continuity

The department has a business continuity program based on the international standard BS ISO 22301:2012 Societal security: Business continuity management systems-Requirements.

The 2016 Business Continuity Policy has refined the scope of the Business Continuity Program. This is a direct outcome of the program's increased level of maturity and is intended to align more closely to departmental requirements.

Business continuity analyses support the development of business continuity plans under this revised scope. The endorsed validation program formally tests business continuity plans to confirm response and recovery arrangements.

The progress of business continuity activities is reported to the department's Risk, Business Continuity and Security Committee.

Regulatory reform agenda

The government is committed to reducing the cost of red tape for individuals, businesses and community organisations by $3 billion over three years. The department contributed savings of $70 million to the government's target in the 2016 calendar year, as reported in the Annual Red Tape Reduction Report 2016. A copy of the report is available on the Cutting Red Tape website.

Information management

Data collected by the department assists in determining eligibility for social security and welfare services, and health-related services and payments. Information assists the department and other agencies to understand service delivery and program requirements. Data is provided to internal and external stakeholders only where doing so is consistent with legislation and protects the privacy of the consumer. The department's website contains statistical information and data, and stakeholders have the option to request statistical information.

Beyond this direct activity, data sets are also used to support a broader government agenda, framed by the recommendations of the Public Sector Data Management Project (managed by PM&C) and the release of the Australian Government Public Data Policy Statement. The use of the data sets for other purposes occurs within the strict boundaries of legislation, with a primary focus on privacy.

The department develops its data analytics capability by investing in staff. A workforce that better understands the value of data in strengthening its evidence base helps in the design of more effective policy and services that improve people's lives. As part of this, in 2017 the department offered for the first time a professional pathway in data analytics.

Safeguarding privacy

Recipient records and personal information

To protect the privacy of recipients and staff, the department has comprehensive processes for handling personal information. The department's privacy framework is guided by the Operational Privacy Policy, which sets out a number of requirements with which staff must comply. The policy reinforces that:

  • all staff acknowledge their privacy and confidentiality responsibilities every year
  • privacy incidents must be reported as soon as they are identified.

Personal information related to the administration of the department's programs and services is protected by the Privacy Act 1988 and the secrecy provisions in the various laws under which services are delivered, for example, the Social Security (Administration) Act 1999. Requests for personal information are considered under the Australian Privacy Principles and relevant secrecy provisions.

Privacy impact assessments

As new projects and program improvements are developed, the department considers their potential impact on privacy. Under the Operational Privacy Policy privacy impact assessments are used to:

  • minimise privacy risks and impacts
  • ensure compliance with legal obligations
  • ensure the department's commitment to safeguarding recipient privacy is met.

Privacy incidents

The department investigates all privacy complaints. Escalation and reporting processes minimise the effects of any substantiated privacy incident. In 2016-17 the total number of substantiated privacy incidents was 957.

Compensation for detriment caused by defective administration

In 2016-17 the department received 1,694 recipient compensation claims. Claims are paid when the department is legally liable to pay compensation, or under the Scheme for Compensation for Detriment Caused by Defective Administration.

The department approved a total of 649 compensation claims in 2016-17. This represents 43 per cent of all determined claims.

The department aims to process compensation claims within 90 days. In 2016-17, 83 per cent of claims were completed within 90 days.

Corporate records management

The government's Digital Continuity 2020 Policy promotes a consistent approach to information governance. The department has increased its digital record keeping capability and continued the transition to entirely digital work processes. In 2016-17 the department's online and self service capabilities led to further reductions in the volume of paper received and stored. Paper records that the department continues to receive are converted to digital records wherever possible.

Internally the department is focused on creating and maintaining administrative records digitally and thus reducing reliance on paper records. During the year the department also continued to consolidate existing warehouse storage facilities, resulting in improved efficiency of records management services.

Risk management

Risk management is integral to the department's environment. The department's governance framework and planning processes reflect this.

The department's risk management policy and framework are consistent with the international risk management standard AS/NZS ISO 31000:2009 Risk Management: Principles and Guidelines, and the Commonwealth Risk Management Policy. The policy and framework are reviewed regularly to ensure better practice. Risks are identified and refined during the strategic planning process through consideration of the department's risk environment and wider factors affecting the government and the Australian Public Service.

Risks are also identified as part of the department's business planning cycle. Senior executive staff manage risks and report on them regularly. Risks are reported to the department's Risk, Business Continuity and Security Committee and the Audit Committee reviews the appropriateness of the department's risk management system.

To assist in managing risks arising from urgent or high-profile incidents and issues, the department has an escalation process to ensure relevant stakeholders are quickly informed.

Comcover Risk Management

In 2016-17 the department again participated in the annual Comcover Risk Management Benchmarking Program, which measured the department's capability using a flexible risk maturity model. Comcover rated the department as having an advanced risk maturity level, as it did in the previous year. This maturity level reflects the department's commitment to sound risk management and its integration with operational capabilities.

Internal audit

Consistent with the definition set by the Institute of Internal Auditors, internal auditing is a risk-based objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluation and to improving the effectiveness of risk management, control and governance processes.

Each year the department develops a rolling audit work program that establishes internal audit priorities for the coming 12 months. The program for 2016-17 was developed in consultation with the Audit Committee and the Executive and was approved by the Secretary. In 2016-17, the department presented 51 internal audits to the Audit Committee.

Internal audit priorities are based on the 'three lines of defence' model that positions the Audit Division as the department's independent assurer (the 'third line').

Consistent with the Audit Committee's functions under the Public Governance, Performance and Accountability Act 2013, audits focus on enhancing the effectiveness of the system of risk oversight (the 'second line') so that improvements flow to wider areas of the system of internal control (the 'first line').

Page last updated: 15 November 2017