Comcover Connect - Department of Finance

Comcover Connect
2014 | ISSUE 1
From Robert’s desk …
Welcome to the first issue of Comcover Connect.
Comcover Connect is something new from Comcover, a regular quarterly newsletter for Fund
Members. It will have an education focus by providing information on risk and insurance issues
across the Commonwealth, promoting examples of better practice risk management and
exploring new and emerging risk issues.
It will include information about Comcover’s services and learning resources.
In this issue:
- The Commonwealth Risk Management Policy (the Policy) came into effect on 1 July this year. Understand how the Policy aims to establish an environment that encourages Fund Members to engage with risk, demonstrate innovative thinking and reduce unnecessary red tape.
- Indigenous Business Australia (IBA) was the first Commonwealth entity to seek a desktop review of its existing risk framework to ensure alignment with the Policy. Comcover Connect explains what was achieved and the benefits for IBA in undertaking the process.
- Cyber attacks have become more sophisticated, better targeted and lower-profile, using multi-stage intrusions rather than the large-scale disruptive activity that was more common in the past. We outline the risk and provide some practical strategies to avoid becoming a target.
- As the deadly Ebola virus continues to spread in several west African countries, Comcover’s partner International SOS provides advice for travellers on managing the risk.
- Norton Rose Fulbright partner Sarah Ralph explains the ramifications of a court case that exposed unsatisfactory employment practices. There are some simple lessons to be shared that can reduce the likelihood of such claims occurring.
- The delivery of risk services as part of Comcover’s integrated service delivery model is profiled on page 8.
I hope you enjoy and learn from these articles, and that the information in Comcover Connect
will assist you in improving your entity’s risk management capabilities.
I welcome your feedback on the content and your suggestions on potential articles you would
find valuable. Please email comcover@comcover.com.au with your feedback.
Happy reading.
Robert Antich | Assistant Secretary
Risk, Insurance and Special Claims (Comcover) Department of Finance
Comcover Connect |
1
Ebola low risk for Commonwealth travellers
An uncontrolled outbreak of Ebola virus in several west Africa countries has prompted
many Commonwealth travellers to seek reliable information to allay their fears.
The outbreak, the largest ever reported both in case numbers and geographical spread, is
occurring in Guinea, Liberia, and Sierra Leone. It is the first time the virus has affected large
cities.
However, the practical effects for Commonwealth travellers have been minor.
Comcover’s overseas medical and travel assistance provider, International SOS, advises that,
now as always, Commonwealth travellers need to be vigilant in maintaining their health while
travelling and pay strict attention to hygiene. Travellers should wash their hands frequently,
practice good hygiene and stay at least one metre away from obviously sick people.
Travel advice for affected areas:
Anyone who is sick is advised not to travel. Continue to monitor the situation for updates, especially just before travel, as the situation may change.
- Follow strict hygiene procedures, including frequent hand washing.
- Avoid direct contact with sick people and their body fluids.
- Avoid funerals.
- Avoid healthcare facilities treating Ebola patients.
Consider:
- Some commercial airlines have suspended flights to affected countries and charter air movements are extremely limited.
- In Liberia, almost no reliable access to medical care is available. Many medical facilities, including in Monrovia, have closed or are over capacity, are severely limited in their capability and do not have stringent infection control. The majority of Ebola cases are being cared for outside designated treatment units.
- Illnesses, including potentially life-threatening conditions, cannot be managed adequately. Less-serious illnesses may become life threatening.
- International evacuation is highly challenging and may not be achievable.
- Some areas have been quarantined, and the quarantine may be enforced by security.
For staff remaining in country:
- Ensure employees are fully briefed on the situation, preventive measures, and what to do if they fall sick.
- Tell employees to avoid high-risk activities and pay strict attention to hygiene.
- Advise staff not to go to medical facilities treating Ebola cases.
- If they need medical attention while in affected countries, call International SOS to be directed to an appropriate facility.
- In Liberia, avoid motorbike-taxis and regular taxis, which are not disinfected and may have been used to transport people with Ebola.
International SOS has developed a smartphone app to give travellers instant access to travel security and health information for any country. Specific country guides detail information such as disease risk, food safety, medical care, safety advice, transport and cultural issues. The app is available for Android (2.3 and higher), BlackBerry (OS 6.0 to 7.0), Windows (8.0 and higher) and iPhone (iOS 4 and higher), can be downloaded free through the app stores, and can be customised to suit travellers’ personal preferences.
If you need medical attention, call International SOS to be directed to an appropriate facility.
Comprehensive information is available on International SOS’s dedicated Ebola website page
and the following links:
Travel advice:
Information and advice for travellers
Latest news:
24-hour coverage of events and outbreak updates
Outbreak overview:
Background about the Ebola outbreak
Ebola facts:
Ebola transmission, symptoms and prevention
FAQs:
Frequently asked questions about Ebola
Affected countries:
In-depth, location-specific information
Education materials:
Simple, downloadable awareness talks, posters and flyers
Travel advice and bulletins on the Ebola outbreak are issued by the Department of Foreign
Affairs and Trade via the Smarttraveller website.
The Commonwealth Risk Management Policy – a brave new world
The Public Governance, Performance and Accountability Act 2013 requires Commonwealth
entities to establish an environment that encourages officials to engage with risk,
demonstrate innovative thinking and reduce unnecessary red tape.
To support that requirement, Comcover consulted other Commonwealth entities and worked
with Deloitte Risk Services to develop the Commonwealth Risk Management Policy (the Policy).
The Policy sets out nine elements that assist entities to embed risk management within the
culture of their organisations. The elements have been intentionally developed with sufficient
flexibility for Commonwealth entities to adapt their existing risk management practices to the
policy at a level commensurate with the scale and nature of their risk profiles.
A key objective of the Policy is to encourage a change in behaviour from a ‘compliance mentality’ to one where consideration of risk becomes part of the day-to-day operations and decision-making processes of all Commonwealth employees.
Comcover will monitor and review the policy over the next 18 months to determine how
successful it has been in achieving that and, if necessary, adapt the policy to better align it with
Commonwealth entities’ activities.
Since the Policy was released on 1 July 2014, Comcover has been providing support to entities
seeking to implement it. Comcover provided high-level advice or, in some cases, facilitated
access to specialist risk services through Comcover’s risk partners, Deloitte, RiskFlo and
Protecht.
Some early observations from this work include:
- Entities with well-established risk frameworks are generally well on the way to aligning their risk frameworks and systems with the Policy. In those cases, often only small changes in terminology or relatively minor additional materials are required.
- Many elements of the Policy are already tested in the Comcover Benchmarking Survey; check your results for pointers to where effort may be required.
- Entities getting the most from the Policy are those that engage their senior executives in the review process and encourage them to think about how changes can be more fully leveraged to achieve better business outcomes.
- Key challenges for entities have been around risk appetite and tolerance, positive risk culture, and embedding risk management in other processes. Traditionally, those are not well covered in many frameworks. In some cases, entities are amending their frameworks and merely paraphrasing the Policy requirement. Entities need a more considered and explicit statement of how they intend to meet the requirement. For example, compliance with Element Five requires an entity to do more than simply state that a positive risk culture is important and encouraged. It should detail the mechanisms that will be implemented to achieve that. They could include, for example, improved training, amendments to performance management arrangements, or establishing ‘risk champion’ forums.
- Remember, the Policy is about driving change in behaviours, not just creating documents. Entities need to consider implementation and the changes needed to support embedding amended risk management plans. Training, education and awareness programs should be developed and actioned.
Fund Members are encouraged to contact Comcover if they have questions on the policy or
would like to better understand what support might be available to them.
Early adopters have demonstrated that compliance with the Policy is best achieved in four steps:
1. Map your existing risk framework to the elements of the Policy to understand where you stand.
2. Engage with your senior executives and involve them in the evolution.
3. Determine where to prioritise your efforts and develop a compliance plan.
4. Speak to colleagues in other entities or Comcover for tips and better practice initiatives.
A copy of the Commonwealth Risk Management Policy can be downloaded from Comcover’s
website.
IBA commits to continuous improvement
Risk management is an iterative process and Indigenous Business Australia (IBA)
acknowledges that in its attitude to implementing the Commonwealth Risk Management
Policy (the Policy).
IBA CEO Chris Fry says risk management is part of IBA’s broader governance program and the
Commonwealth entity has always been committed to continuous improvement. IBA aims to go
beyond simply meeting the nine elements outlined in the Policy; it wants to make continual
progress in ensuring broad risk management awareness and training across the 250 staff
members in head office and regional locations.
IBA was the first Fund Member to take part in a desktop review completed by Deloitte risk
services, one of Comcover’s consortium service providers. The study confirmed IBA’s risk
management document suite was appropriate for a risk-mature organisation. Attaining a score
of 8.5 out of 10 in the 2014 Comcover Risk Management Benchmarking Survey showed IBA had
already implemented the foundation elements of an effective risk management program.
The study confirmed IBA’s risk framework provided a sound basis on which to manage risk and,
at a high level, was broadly aligned with the majority of the Policy’s requirements.
Deloitte saw opportunities for improvement in the following areas:
1. IBA would benefit from the release of a CEO and board-endorsed risk policy statement
emphasising the importance of good risk management to IBA and the obligations of all staff.
2. IBA’s Risk Management Framework and Policy required some additional detail, particularly
in the areas of encouraging a positive risk culture, understanding and managing shared risks,
maintaining an appropriate level of risk capability, and embedding systematic risk
management into business processes.
3. Staff would benefit from a document explaining how and when IBA completed risk
assessments within its business units and activities, and how those informed, and were
informed by, the whole-of-entity risk profile. A diagram explaining the ‘cascade’ of risk
assessment and management responsibilities throughout IBA might be useful in
communicating that.
4. IBA should review and document its risk management capability requirements in a risk
management capability plan.
Since the study, IBA has continued to build on its risk management procedures that establish
specific measures to minimise risk to the portfolio and individual investments. It has developed
a relationship diagram that shows how IBA’s risk management framework and policy are
related, including responsibilities and links to element numbers within the Policy.
IBA’s key risk management measures within its investments and equity program include:
- clear, comprehensive investment strategies dealing with portfolio construction and risk limits;
- approval of investment selections and due diligence;
- regular monitoring, reporting and reviews, including using a risk radar tool;
- external and internal audits in line with a detailed audit cycle; and
- robust valuation and financial impact measures.
The risk radar tool is an internally developed, comprehensive assessment tool that examines
potential investments across a raft of criteria.
IBA also continues to strengthen its governance, assurance and compliance framework, which
involves significant work to enhance portfolio management and risk management practices. A
key element is implementing common corporate governance principles (similar to the ASX’s
with a strong focus on risk) across IBA and its subsidiaries.
IBA has identified eight key risk types: strategy & execution; operational; financial; credit;
market; equity; legal, governance & compliance; and reputation. It has assessed its risk
tolerance/risk appetite across each and is communicating that throughout the organisation.
An implementation plan for IBA’s risk management framework and policy has been tabled at an
IBA audit committee meeting along with a draft capability matrix.
Mr Fry said Deloitte’s desktop study gave IBA’s board confidence that significant exposures were
covered and demonstrated that objectives were being achieved.
IBA in brief
Indigenous Business Australia (IBA) aims to increase the number of Indigenous Australians successfully engaged in financial and commercial activities, through:
- business ownership and support
- home ownership
- investments and joint ventures
IBA has investments across the tourism, industrial, retail, mining, telecommunications and
commercial property sectors.
IBA’s vision is for a nation in which the first Australians are economically independent and an
integral part of the economy.
IBA is a corporate Commonwealth entity under the Public Governance, Performance and Accountability Act 2013, and is within the Prime Minister and Cabinet portfolio.
Desktop study ‘a good start’
IBA’s desktop study was “a good start”, but the next stage is a full health check of a
Commonwealth entity’s risk management program.
Sal Sidoti, a director in Deloitte’s risk services practice, said the study was a brief high-level
assessment that reviewed documentation to identify where an entity was aligned with the
Policy. “At this level, we don’t delve into the business to see how risk management is embedded
within the organisation.”
There was always a danger the document suite may not equate to practical implementation
within an entity.
IBA’s desktop study entailed several initial meetings to discuss IBA’s suite of risk management
documents and learn about the business and its key risks. After an initial report, there was a
further discussion to clarify and refine the findings, then a final report was presented to IBA’s
audit committee.
Mr Sidoti acknowledged IBA had a strong drive to make risk management work within the entity
and senior management and audit committee supported that drive.
One of the desktop review’s greatest benefits was the opportunity to share Deloitte’s learnings
from the large number of reviews it conducts with government and private sector entities. “We
bring knowledge of dozens of risk frameworks and can share the better practices with clients,”
Mr Sidoti said. “It’s a knowledge sharing activity, which goes both ways.”
Having an independent third party conduct the desktop assessment was advantageous and
assisted IBA to prioritise improvements to its risk management programs, Mr Sidoti said.
While IBA, a relatively risk mature entity, gained great benefit from the study, Mr Sidoti said
Commonwealth entities that were less risk mature had even more to gain. Deloitte works with
Fund Member entities to develop practical recommendations that reflect the level of risk
management maturity appropriate to their needs.
Commonwealth entities must take steps to avoid cyber attacks
Comcover Fund Members need to take greater responsibility for internal security
systems to prevent cyber attacks on their information and data, and implement policies
and procedures that reduce the potential for inappropriate use of materials from within.
Cyber attacks are on the increase in Australia and Commonwealth entities can find their systems
compromised by hackers who have found their way through security firewalls or staff who
inappropriately or illegally misuse government information.
The Australian National Audit Office (ANAO) last June released the findings of an audit of seven
Commonwealth entities’ IT security arrangements and their preparedness to stop or reduce the
effects of an attack.
The entities were the Australian Bureau of Statistics; the Australian Customs and Border
Protection Service; the Australian Financial Security Authority; the Australian Taxation Office;
the Department of Foreign Affairs and Trade; the Department of Human Services; and IP
Australia.
The report said all Commonwealth entities were subject to more than 1,790 security incidents in
2012, with 685 considered sufficiently serious to warrant a Cyber Security Operations Centre
response. Outside government, in the same period, more than 4.5 million Australians were
victims of cyber attacks, costing the country’s economy more than $1.6 billion.
Cyber security policy and guidance
Cyber security is largely managed on a whole-of-government basis by the Department of the Prime Minister and Cabinet.
Commonwealth entities are responsible for protecting their own assets and information from cyber attacks. Entity business cases for ICT-enabled proposals to government must identify how cyber security risks will be managed and how the proposal will comply with government cyber security policies. The Attorney-General’s Department has issued policy and guidance on cyber and information security, and the Department of Finance provides guidance to Commonwealth entities on the cyber security requirements for business cases.
The growth in cyber attacks shows entities’ security is no longer a role for junior or even
middle-management staff. Processes and policies that protect entities from external intrusions
and internal breaches or disclosures are increasingly a senior management responsibility.
Periodic assessment and review at a senior level of an entity’s overall security position is pivotal
in addressing potential future threats.
ANAO warned Commonwealth entities that protecting their systems from unauthorised access
and use was a key responsibility that should be addressed through preventive measures rather
than remedial actions after an attack had occurred.
The audit report acknowledged that, while most entities had introduced or were in the process of introducing systems, structures and procedures to prevent IT breaches, many had a long way to go before they could be considered fully compliant with the accepted Australian Signals Directorate (ASD) security standards and the Protective Security Policy Framework.
ASD has published 35 strategies to mitigate targeted cyber intrusions. ASD’s assessment is that the top four alone, properly implemented, would have mitigated at least 85% of the targeted intrusions it had responded to. The audit supported the 2013 direction that the top four strategies be implemented by all Commonwealth entities as a matter of urgency.
Those strategies are:
- application whitelisting, so that only approved programs can execute on workstations and servers, which blocks unapproved and malicious software however it arrived;
- patch applications, particularly the commonly targeted ones such as web browsers, PDF viewers, Java, Flash and office suites, with extreme-risk vulnerabilities patched within two days of a fix being released;
- patch operating system vulnerabilities, again within two days for extreme-risk flaws; and
- restrict administrative privileges to the people who need them for their duties, with separate unprivileged accounts used for everyday tasks such as email and web browsing.
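Each of the four strategies is a control a host either has or lacks, so an entity can verify them locally rather than taking a vendor’s word for it. The following PowerShell script is an added example written for this page, not code from Comcover, ANAO or ASD: it audits one Windows workstation against each of the four strategies using built-in cmdlets and the Windows Update agent. It assumes Windows 10 or Server 2016 or later with PowerShell 5.1, an elevated prompt, and that the `$MaxPatchAgeDays` and `$MaxLocalAdmins` thresholds are placeholders the entity sets from its own policy.

```powershell
# Added example (not from Comcover, ANAO or ASD): a read-only check of one Windows
# host against the ASD Top 4. Assumes Windows 10 / Server 2016 or later, PowerShell 5.1,
# run from an elevated prompt. The thresholds below are assumptions, to be set by policy.
$MaxPatchAgeDays = 30   # assumed: newest installed hotfix older than this is flagged
$MaxLocalAdmins  = 2    # assumed: built-in Administrator plus one managed break-glass account

$report = [ordered]@{}

# 1. Application whitelisting: an AppLocker Exe rule collection must exist, be set to
#    Enforce ("Enabled", not "AuditOnly"), and the Application Identity service that
#    evaluates the rules must be running; otherwise the policy is decorative.
$whitelisting = $false
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    $whitelisting = [bool]($exe -and $exe.EnforcementMode -eq 'Enabled' -and
                           $exe.ChildNodes.Count -gt 0 -and $svc.Status -eq 'Running')
} catch { }
$report['1_ApplicationWhitelistingEnforced'] = $whitelisting

# 2. Patch applications: list the commonly targeted third-party products and their
#    installed versions from the Uninstall registry keys, for comparison with the
#    vendors' current releases. Pending Microsoft application updates surface in step 3.
$targets = 'Java|Adobe Reader|Acrobat|Flash|Chrome|Firefox|Microsoft Office'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$report['2_TargetedApplications'] = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $targets } |
    Select-Object DisplayName, DisplayVersion |
    Sort-Object DisplayName -Unique

# 3. Patch operating systems: ask the Windows Update agent (offline, against its local
#    cache from the last sync) for applicable-but-uninstalled security or critical
#    updates, and check how long ago the newest hotfix was installed.
$pendingSecurity = @()
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Online = $false
    $found = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $found.Updates) {
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        if ($cats -contains 'Security Updates' -or $cats -contains 'Critical Updates') {
            $pendingSecurity += $u.Title
        }
    }
} catch { $pendingSecurity += "update search failed: $($_.Exception.Message)" }
$newest   = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($newest) { ((Get-Date) - $newest.InstalledOn).Days } else { [int]::MaxValue }
$report['3_PendingSecurityUpdates'] = $pendingSecurity
$report['3_DaysSinceLastHotfix']    = $patchAge
$report['3_OsPatchingWithinPolicy'] = ($pendingSecurity.Count -eq 0 -and $patchAge -le $MaxPatchAgeDays)

# 4. Restrict administrative privileges: enumerate the local Administrators group.
#    A domain group nested here (for example "Domain Admins") counts as one member
#    but may expand to many people; resolve those in the directory as a follow-up.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$report['4_LocalAdministrators']    = $admins
$report['4_AdminCountWithinPolicy'] = ($admins.Count -le $MaxLocalAdmins)

[pscustomobject]$report | Format-List
```

Save it as, say, `Top4Check.ps1` (a hypothetical name) and run it elevated on a sample of hosts; the output is a per-host record that can be collected centrally. Two caveats matter in practice: the AppLocker cmdlets are only present on Enterprise, Education and Server editions, so the first check reports false on a Home or Pro host even if another whitelisting product is in use, and the offline update search only knows about updates the agent has already synchronised, so a host that has not contacted WSUS or Microsoft Update recently can report zero pending updates while being badly out of date; pair it with the hotfix age and the WSUS console before trusting a pass.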
ANAO found all seven audited entities had adequate security controls in place to protect them
from breaches and disclosure of information from within their organisations.
However, their systems were not yet capable of effectively protecting the government from
external cyber attacks.
The audit recommended all Commonwealth entities implement the top four protection
strategies as soon as possible, strengthen internal access security arrangements for databases,
and conduct annual threat assessments on their systems.
Comcover has urged Fund Members to be aware of the report and take steps to reduce their
exposure to cyber attacks and data breaches to ensure they are protected and compliant
with security standards.
Cover for losses resulting from cyber attacks
Comcover Fund Members’ protection against cyber security breaches caused by other parties
depends on the specific circumstances of the breach and the terms and conditions of the
Comcover Statement of Cover.
Coverage under the Statement of Cover depends on Fund Members complying with all relevant
legislation and policies. As cyber attacks become more frequent and more sophisticated, it is
vital that Fund Members adhere to IT security management and risk management policies.
Preventing highly disruptive breaches is paramount.
While the Statement of Cover does not specifically refer to cyber security breaches and risks, it
provides cover for the first and third party losses outlined below.
First party losses from cyber security breaches include network/system failures causing
business interruption and/or loss of revenue; software or hardware loss or damage; data loss or
damage; and costs from managing breaches, including communication, legal and staffing costs,
fines and other penalties.
The Statement of Cover provides that any losses caused directly or indirectly by erasure or
corruption of information on computer systems or other records arising from computer viruses
are not covered.
Third party losses include unauthorised personal, financial or commercial information
disclosure; defamation and infringement of intellectual property; physical injury and/or
property damage; and costs from managing breaches.
Under the Statement of Cover, losses are not covered for any liability arising out of liquidated
damages clauses or similar penalty clauses in contracts, except to the extent that liability would
have attached in the absence of such clauses. Losses are not covered for any liability arising out
of Fund Members’ breaches of contract unless liability would have arisen in the absence of that
breach. Losses resulting from fines, penalties, or multiple, punitive, exemplary or aggravated
damages are not covered.
Court sets new standard in sexual harassment claims
by Sarah Ralph, Partner, Norton Rose Fulbright Australia
The Full Federal Court’s Richardson v Oracle Corporation Australia Pty Ltd decision saw a
damages award of $130,000 (including $100,000 in general damages), which was a
significant increase in general damages awarded in sexual harassment claims.
The decision means it is now even more important that the risks of sexual harassment claims are
appropriately managed in the workplace as the Commonwealth faces the risk of significant
awards of damages.
What happened?
Ms Richardson brought a claim against a co-worker, Mr Tucker, and her employer, Oracle
Corporation Australia Pty Ltd, alleging she was unlawfully sexually harassed by Mr Tucker as a
result of unwelcome sexual advances and humiliating comments over a six-month period.
At first instance, Justice Buchanan found Mr Tucker had breached the Sex Discrimination Act 1984 (Cth) by sexually harassing Ms Richardson and that Oracle was vicariously liable for Mr Tucker’s conduct because it had failed to take reasonable steps to prevent the harassment.
Decision of the Full Federal Court
Ms Richardson appealed against the decision on the basis the damages she received were
“manifestly inadequate”. The Full Federal Court allowed the appeal and increased the original
general damages amount from $18,000 to $100,000, with an additional $30,000 for economic
loss. Oracle was ordered to pay the appeal costs.
The key issue is that the Full Federal Court found general damages in sexual harassment cases
had not, until this decision, reflected community standards. General damages are awarded for
non-financial loss, such as pain and suffering and reputational damage.
Justice Kenny’s judgement said: “… a substantial disparity between the level of awards and the
typical compensatory damages provided to victims of sexual discrimination and harassment.
Such disparity bespeaks the fact that today an award for sexual harassment, though within the
accepted range for such cases, may be manifestly inadequate as compensation for the damage
suffered by the victim, judged by reference to prevailing community standards.”
General damages were awarded for the psychological and reputational damage Ms Richardson
suffered, and for the detriment the harassment caused to her sexual relationship with her
partner.
Vicarious liability: managing the risks
A critical take-away from the decision is that employers must take steps to prevent sexual
harassment from occurring in the workplace, otherwise they will be vicariously liable for their
employee’s behaviour.
Some key steps are:
- Have an up-to-date anti-sexual harassment policy that sets out the current legal position on sexual harassment and how to make a complaint in the workplace;
- Distribute regular reminders to employees via email about inappropriate workplace behaviour, including sexual harassment;
- Conduct training courses for all parts of the workplace (and regular refresher training) on sexual harassment awareness and prevention;
- Investigate all complaints of sexual harassment and ensure there is an adequate reporting system; and
- Take appropriate disciplinary action if sexual harassment complaints are substantiated.
Managing the risk of sexual harassment claims occurring is important for several reasons:
- managing legal and financial risks;
- the health and welfare of the workforce, and particularly the complainant; and
- protecting the reputation of the Commonwealth and its employees.
The 2014 Full Federal Court judgment and the 2013 first-instance judgment are both available online.
Sarah Ralph regularly advises on management of employment risks in the public sector. Thanks
to graduate lawyer Jacqueline Dowling for assisting with this article.
Norton Rose Fulbright is one of the firms available under the Comcover Legal Services Parcel
Arrangements.
While the Oracle case occurred in the private sector, it is a timely reminder of the changing
attitudes of courts and community standards.
Commonwealth entities should be mindful of the hidden cost of these claims. Aside from
damages awards, Comcover’s experience shows 55% to 60% of total claim costs are defence
costs.
In the Oracle case, it is likely costs to both parties far outweighed the damages award.
In addition, there is lost senior management time and overall disruption to the entity in
defending employment disputes.
Comcover’s Risk Services promote best practice
A key Comcover objective is to promote best practice risk management across
Commonwealth entities that will improve policy formulation, support the delivery of
Australian Government programs and services, and deliver long-term benefits to the
Budget.
Comcover’s risk management program provides Fund Members the opportunity to access a range of services to help them build their risk management capability and maturity. The services include:
- benchmarking an entity’s risk management capability;
- measuring an entity’s alignment with the Commonwealth Risk Management Policy (the Policy); and
- access to high quality risk advisory services to assist with specific risk-related projects.
Deloitte, one of the largest risk service providers in Australia and globally, has been working
with Comcover to deliver risk management services for more than five years.
Its team applies best practice to Comcover’s risk management program, providing a
comprehensive suite of risk transformation, analytic and advisory services.
Its approach has been derived from experience working with some of Australia’s largest public
and private sector organisations.
The range of risk management services available includes tailored advice to equip
Commonwealth entities with the knowledge, skills and expertise needed to embed effective risk
management into day-to-day decision making.
That includes helping Fund Members to:
- gain greater efficiencies through standardised risk management language and approaches;
- share experiences and good practice;
- determine and establish appropriate risk management frameworks and systems;
- review and refine existing risk management frameworks and systems; and
- respond efficiently and comprehensively to changes in government risk management policies and requirements.
Because Fund Members’ requirements differ greatly, Deloitte prepares tailored packages of
support and advice according to entities’ needs. For example, they include programs to:
- integrate risk into strategic planning;
- establish informed and useful expressions of risk appetite;
- build and foster a risk mature culture;
- better define risk management roles and responsibilities; and
- define or implement outcome-focused risk management technologies.
Tools to enhance learning and collaboration
Comcover can provide Commonwealth entities with access to systems and tools to help them
deliver their risk management programs.
They include the Riskflo collaboration platform and Protecht-ERM, an enterprise governance, risk and compliance management system designed for Fund Members at any stage of risk management maturity.
Riskflo provides an online, real-time cooperative environment that can be used to facilitate
workshops on risk management topics. Workshop participants, including subject matter experts,
managers and other stakeholders, are connected through internet-enabled devices.
The workshops are hosted by a facilitator with the system capturing risk data. The system
undertakes real-time analytics and can provide permanent records for reporting, future
reference, scenario analysis and audit.
Protecht-ERM automates and streamlines the process of documenting and reporting an entity’s risk and compliance information. It can provide detailed stakeholder reporting, including incidents and events.
Riskflo and Protecht-ERM can be accessed through Comcover’s suite of risk management services.
To learn more about how to access Comcover’s risk management services, email
comcover@comcover.com.au or call 1800 651 540 (option 4).
Disclaimer: Comcover Connect contains articles for general information only. No responsibility is accepted
for errors, omissions or possibly misleading statements nor for any action taken because of any material in
this publication.