Governance framework

ARPC’s governance framework is set out in the Terrorism Insurance Act 2003 (TI Act) and ARPC’s status as a corporate Commonwealth entity for the purposes of the PGPA Act and the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). ARPC is established as a body corporate under the TI Act (section 12) and comprises a Chair and between four and six other members (referred to as the Board). Board members are appointed on a part-time basis by the Minister. During the reporting period, the Minister was the Hon. Michael Sukkar MP. The role and functions of ARPC are set out in the TI Act and include:

1. to provide insurance cover for eligible terrorism losses (whether by entering into contracts or by other means)
2. any other functions that are prescribed by the regulations.

The Board appoints the Chief Executive who is responsible for managing the affairs of the Corporation, subject to directions of, and in accordance with the delegations and policies determined by the Board. The Minister may give written directions in relation to the performance of ARPC’s functions and the exercise of its powers. The Minister gave one written direction in FY2020-21. All Ministerial Directions are published on ARPC’s website. The Board is the accountable authority for the purposes of the PGPA Act. As required by the PGPA Act (section 45), ARPC has an audit committee (the Audit and Compliance Committee) which was constituted by four Board members to 4 October 2020 and subsequently three members after Ms Karen Payne’s term as a Board member expired. Under the PGPA Act (section 22), the Minister for Finance may make an order (a Government Policy Order) specifying that a policy of the Australian Government is to apply in relation to one or more corporate Commonwealth entities. During the reporting period, there were no Government Policy Orders (GPOs) applicable to ARPC. ARPC prepares a Corporate Plan on a rolling four-year basis, in accordance with the PGPA Act (section 35) and provides it to the Minister and the Minster for Finance as well as publishing it on the website. The Corporate Plan details strategic priorities and planned key activities which are reported in the annual report. The TI Act requires there to be a review undertaken every three years for the need of the Act to continue in operation. The next review will be undertaken by The Treasury in FY 2021-22. The Board and ARPC’s leadership team are committed to maintaining best practice corporate governance standards that are fit-for-purpose for ARPC’s operations. ARPC continues to monitor governance trends in the public and private sectors. Back to top

Board

During 2020-21, the Board comprised a Chair and between four and six other (non-executive) members. The term of appointment of one Board member expired on 4 October 2020. On 30 June 2021, the term of three Board members ceased. Effective 1 July 2021, Elaine Collins was appointed for a further term and Jan van der Schalk was appointed to the Board. Julie-Anne Schafer was also appointed to the Board on 14 September 2021. ARPC would like to thank Karen Payne, Janet Torney and John Peberdy whose terms ceased during the financial year. The Board’s role is to govern ARPC and includes setting the strategic direction and financial objectives and monitoring their implementation as set out in the Corporate Plan. The Board has a mix of skills and experience across diverse fields including insurance, finance, investment, actuarial, strategy, across the public and private sectors. The names and details of ARPC Board members who held office during 2020-21 are outlined below.

Board members

BEc PGDip Professional Accounting FAICD Terms: 1 July 2017 – 30 June 2020 1 July 2020 – 30 June 2023 Ian Carson was reappointed Chair of the Board on 23 April 2020. Ian is Executive Chair at Tanarra Restructuring Partners. Previously Ian was Chairman of Markets at PwC and prior to this was Chair of PPB Advisory, a professional advisory firm, of which he was a founding partner. Ian is co-founder of SecondBite, a for- purpose organisation which rescues nutritious food that would otherwise go to landfill. Ian is President of The Victorian Arts Centre Trust and Trustee of The Melbourne Cricket Ground. In 2017, Ian was awarded an Order of Australia for his work in Food Rescue and Business. In 2018, together with his wife Simone, he was appointed ‘Melbournian of the Year’.

BEc (Hons) FAICD FASFA Terms: 1 July 2015 – 30 June 2018 1 July 2018 – 30 June 2021 Chair, Audit and Compliance Committee Janet Torney was appointed a Member of the Board on 1 July 2015 up until 30 June 2021, when she completed her term. She was Chair of the Audit and Compliance Committee from 5 October 2017 to 30 June 2021. Janet is a non-executive director with strong expertise in strategy, governance, risk and change management and investments. She is Chair of Whitehelm Capital, Chair of Perpetual Super and Chair of Club Plus Super. In the not-for-profit sector, Janet is Chair of Girl Guides Australia and a Director of the Australian Cricketers’ Association. Janet’s career spans more than 30 years in the financial services sector – superannuation, investments, infrastructure, banking and insurance, in the engineering sector – manufacturing and consulting, and in the member-focussed sector – notably sport and female related. Janet is a Fellow of the Australian Institute of Company Directors and a Fellow of the Association of Superannuation Funds of Australia.

BSc(Hons)MEcFIAAFAICD Terms: 1 July 2015 – 30 June 2018 1 July 2018 – 30 June 2021 1 July 2021 – 30 June 2024 Member, Audit and Compliance Commitee Elaine Collins was appointed a Member of the Board on 1 July 2015 and is a member of the Audit and Compliance Committee. She is a non-executive director and actuary, with a career spanning 25 years in the insurance industry in Australia, New Zealand, Hong Kong and Singapore. She served in senior roles with KPMG and as a Partner of Deloitte, carrying out Appointed Actuary roles for more than ten years, with key expertise in strategic risk management, policy formulation and capital efficiency. Elaine holds non-executive Director roles with general insurer Zurich Insurance Australia Ltd (and Chair of its Risk, Compliance and Audit Committee), lenders mortgage insurer ANZLMI (and a member of its Audit and Risk Committees) and health insurer rt health. She also holds an academic role as a Professor of Practice with the Business School at the University of New South Wales. Elaine is a Fellow of the Actuaries Institute, a Fellow of the Australian Institute of Company Directors and a member of the Actuaries Institute’s Professional Standards Committee.

ANZIIF (Snr Assoc) CIP GAICD Terms: 1 July 2015 – 30 June 2018 1 July 2015 – 30 June 2021 John Peberdy was appointed a Member of the Board on 1 July 2015 and completed his term on 30 June 2021. John has a proven track record as a strategic senior executive, having delivered improved business outcomes, in Australia and New Zealand, within Ansvar Insurance, a market leader in the care, community, faith and education insurance sector. John has extensive experience delivering on business growth and profitability, initiating and driving change and optimising daily operations through effective leadership of a strong executive team. His expertise includes strategy and planning, business management, leadership and people management, risk management and general insurance. John has served on a broad range of boards in the financial services sector, including bodies, government authorities and public companies.

BCom FCA GAICD Terms: 5 October 2016 – 4 October 2019 23 April 2020 – 22 April 2023 Member, Audit and Compliance Committee Ms Robin Low was reappointed a Member of the Board on 23 April 2020 and is a member of the Audit and Compliance Committee. From 1 July 2021, Robin will be Chair of the Audit, Risk and Compliance Committee. Robin is a non-executive director. She is on the boards of four ASX listed companies: Appen Limited, AUB Group Limited, IPH Limited and Marley Spoon. She is also on the boards of three not for profit companies: Guide Dogs NSW/ACT, Primary Ethics and Public Education Foundation. She is a past deputy chairman of the Auditing and Assurance Standards Board. Robin is a chartered accountant, with over 25 years’ experience with PricewaterhouseCoopers, including more than 17 years as an assurance partner specialising in financial services, particularly insurance.

PSM, GAICD Term: 23 April 2020 – 22 April 2023 Maria Fernandez has a distinguished career in the Australian Public Service. From 2015 to 2019, she was Deputy Secretary, Intelligence and Capability with the Department of Home Affairs. Before that, Maria was the first female head of an Australian intelligence agency as the Director (CEO) of the Australian Geospatial Intelligence Organisation. Maria’s experience also includes being Deputy Director of the Australian Signals Directorate, and Chief of Staff to the Minister for Defence and the Minister for Education. Maria provides strategic advisory and intendent assurance services to several public sector organisations, including the Department of Defence, Australian Space Agency, Geoscience Australia and the Bureau of Meteorology. In 2017 Maria was awarded a Public Service Medal for outstanding public service in advancing Australia’s interests. Maria is a Graduate of the Australian Institute of Company Directors and a graduate of the Harvard Business School Advanced Management Program.

BCom MCom LLB CA CTA GAICD Term: 5 October 2017 – 4 October 2020 Member, Audit and Compliance Committee Karen Payne was appointed a Member of the Board on 5 October 2017 and completed her term on 4 October 2020. Karen was appointed as the Inspector-General of Taxation and Taxation Ombudsman on 6 May 2019 for a term of five years. She was previously a part-time Member of the Board of Taxation and CEO of the Board of Taxation and prior to this, a partner with Minter Ellison Lawyers. Karen has more than 20 years’ experience as a specialist taxation advisor, specialising in the financial services sector. She is a solicitor admitted in NSW and the High Court of Australia, chartered accountant and chartered tax adviser. Karen is a member of the Australian Institute of Company Directors, the Tax Institute and Chartered Accountants in Australia and New Zealand.

Board meetings

The Board convened eight meetings during the 2020-21 financial year, comprising four meetings for general business, two out-of-session meetings and two strategic planning workshops. The table below lists the number of meetings attended by each member during the reporting period.

Number of meetings attended by each member of the Board in 2020-21

Board remuneration

Remuneration for Board members in 2020-21 was determined by the Remuneration Tribunal (Remuneration and Allowances for Holders of Part-time Public Office) Determination 2020 and the Remuneration Tribunal (Official Travel) Determination 2019. The base fee covers all activities undertaken by Board members in performing their duties, including part day meetings less than 5 hours, travel, committee work, teleconferences and representational activities. The Board has been assigned travel tier 1.

Board member annual fees and meeting fees

Audit and compliance committee

Established in accordance with the PGPA Act (section 45), the Audit and Compliance Committee (Committee) supports the Board overseeing the administration and governance of ARPC. Under the PGPA Rule (section 17), the Committee must consist of at least three appropriately qualified and skilled members. In the reporting period, the Committee had four members until 4 October 2020 and subsequently three members after Ms Karen Payne’s term as a Board member ceased. The functions of the Committee are set out in its Charter and include reviewing the appropriateness of ARPC’s:

• financial reporting
• performance reporting
• system of risk oversight and management, and
• system of internal controls.

The Committee performs these functions in addition to monitoring ARPC’s compliance with statutory obligations, overseeing the work of the internal and external auditors and ARPC’s governance framework. The Committee also provides a general forum for communication between members, ARPC’s senior executive team and the internal and external auditors. During the reporting period, the Committee reviewed all reports received from ARPC’s internal auditors, PwC and EY, and external auditors, the Australian National Audit Office (ANAO). The Committee monitored the implementation of internal audit recommendations and undertook an approach to market for internal audit services where EY was appointed internal auditors from October 2020. It also reviewed the financial statements to assist the Board with its declarations under subsections 41(2) and 42(2) of the PGPA Act 2013 with respect to ARPC’s accounts and records and annual financial statements. During 2020-21, four Committee meetings were held. The Committee members attended the number of meetings outlined in the table below.

Meetings attended by each member of the Audit and Compliance Committee in 2020-21

The Board changed the name of the Committee in late June 2021 to the Audit, Risk and Compliance Committee.

Organisational and Governance Structures

The chart below sets out the organisational framework of ARPC.

Organisational chart

In addition to the statutory framework, ARPC’s corporate governance framework is underpinned by the Board Charter (https://arpc.gov.au/wp-content/blogs.dir/3/files/2021/09/Board-Charter_Sept-2021-Final-Approved-21-Sept-2021.pdf), the Audit and Compliance Committee Charter (https://arpc.gov.au/wp-content/blogs.dir/3/files/2021/09/Audit-Risk-and-Compliance-Committee-Charter_Approved_21-September-2021.pdf) and a suite of policies and procedures that include risk management, financial management, privacy, fraud control, conflict of interest, public interest disclosure, security management and business continuity planning.

Board oversight of risk

The PGPA Act (section 16) provides that the Board ‘has a duty to establish and maintain systems relating to risk and control.’ The Board did this during the reporting period by having oversight of the Risk Management Policy and reviewing risk and tolerance levels, performance reports, risk strategies and controls at every meeting. In addition, each year the Board holds a strategic workshop which includes consideration of current and emerging risks ARPC may face, together with opportunities, and its Risk Appetite and Tolerance Statement (RATS). ARPC uses a risk matrix to estimate the likelihood and severity of its risks. These risks are assessed every six months and updated for continued relevance. New principal and emerging risks are also identified and evaluated at the six-monthly risk and control self-assessments or whenever change occurs. ARPC’s control environment continues to be refined to address emerging risks and the changing environment. Processes implemented to manage risk include:

1. Maintaining a Business Continuity Policy and Procedure. Employees access and test an alternative site up to three times per year. The site could be used if ARPC was unable to operate out of its Sydney CBD office. In addition, all employees are provided with the necessary tools to work remotely if required.
2. Implementing a range of IT security measures including alignment with the Essential Eight Maturity Model.
3. Having a deed of indemnity with each Board Member. In 2020-21, ARPC maintained and paid premiums for insurance covering members and senior executives against legal costs and other expenses that may be incurred in the performance of their duties. In compliance with the PGPA Rule (section 23), ARPC does not insure any ARPC officials against liabilities relating to breach of duty under the PGPA Act. The amount paid for Directors’ and Officers’ Indemnity Insurance in 2020-21 was $38,950 ($46,684 in 2019-20).
4. Upon commencement, all ARPC employees and Board members are required to sign a confidentiality agreement which outlines their obligations relating to confidential information.

Risk culture

A positive risk culture enables us to better administer our pool. ARPC believes a positive risk culture is a working environment where risks are considered and managed proactively and appropriately as part of day-to-day work. This type of risk culture enables transparency and open discussion about uncertainties and opportunities, encourages employees to raise issues or concerns, and provides processes to facilitate escalation of concerns to appropriate levels to support a proportionate response. Through the organisation’s risk management practices, ARPC aims to further improve enhance our risk culture to behave in a way that reflects our values. ARPC has developed the following statements to continue enhancing our positive risk culture:

• Our leaders understand and demonstrate good risk behaviours.
• We lead by example taking ownership and responsibility where required.
• We maintain a robust and clear control environment to manage risks.
• We are accountable for risk management and understand our roles.
• We speak up and feel confident to raise issues.
• We encourage the simplification of information and transparency of communication.
• We recognise the importance of attracting and engaging the right talent.

To further support ARPCs risk culture maturity journey, ARPC’s management developed a Risk Culture Maturity Framework.

Overview of risk culture enablers

Key components and activities of the risk culture enablers

Overview of ARPC’s Risk Culture Maturity Framework

Our risk management framework

The Board has oversight of ARPC’s corporate governance arrangements and is responsible for monitoring ARPC’s Risk Management function under the PGPA Act. The Board is responsible for setting ARPC’s risk appetite and reviews the RATS annually. Administration of the risk framework, including review of risks and controls and identification of emerging risks lies with management. Oversight and reporting of Risk Management is provided by the Enterprise Risk and Crisis Response team to the Board each quarter, through the Risk Report. ARPC’s five strategic priorities provide the basis for the risk framework below, with each risk tolerance statement in the RATS relating to a strategic priority. Underlying the framework are the risk and control registers, which outline financial and non financial risks facing ARPC, as well as the controls and mitigating strategies in place to mitigate these risks. The Key Risk Indicator (KRI) Report is used to measure ARPC’s risk exposure and outlines 12 key risk indicators mapped to risks in the risk register. In addition, the risk management framework is supported by risk and control self-assessments held every six months and regular risk review meetings held with senior management, as well as compliance testing performed over key processes at ARPC. ARPC has an enterprise incident management framework that provides a framework for the identification, reporting, investigating and remediation of incidents and breaches. ARPC has a risk system which is used to host the risk register, controls, obligations, perform assessments and manage enterprise incidents end to end. The tool acts as the single source of truth.

Overview of ARPC’s Risk Management Framework

Overview of ARPC’s approach to Enterprise Risk Management

Managing risk and uncertainties

Section 4 of the Financial Statements describes the major risks faced by ARPC and explains how these risks are managed. In summary, ARPC’s risks comprise:

• Insurance risk
  • Underwriting risk
  • Claims risk
• Operational risk
• Capital risk
• Market risk
  • Interest rate risk
  • Pricing risk
• Credit risk
  • Investment counterparty risk
  • Receivables counterparty risk
  • Retrocession counterparty risk
• Liquidity risk

Back to top

Internal audit

ARPC’s internal audit function is overseen by the Audit and Compliance Committee. ARPC outsources its internal audit program and PwC was the internal auditor until 11 October 2020. Following a tender process, EY was appointed 12 October 2020 as the outsourced internal audit provider. During 2020-21, the five-year rolling Strategic Internal Audit Plan (SIAP), which is closely aligned to the risk register and risk appetite and tolerance statement, was approved by the Committee and the Board and included in the 2020-21 Internal Audit work plan. The new plan includes an assurance map which will assist guide future audit and compliance activities. EY works closely with the Committee, CEO and senior management to identify and analyse business risks. The Committee regularly meets with EY, its internal auditor, and independent of management periodically. Audit findings are reported to the Committee. Management actions or improvements identified through audits are agreed with management, approved by the Committee and tracked to completion on the Audit Issue Register. Internal Audit has routine discussions with External Audit to avoid any duplication of work and external audit has full access to internal audit work.

2020-21 Internal audit program

The Internal Audit Workplan for 2020-21 was successfully completed, with all management actions or improvement opportunities accepted, recorded and tracked on the Audit Issues Register. The annual program also has flexibility to accommodate Board or Management requests for ad hoc audits and management-initiated reviews. Internal audit reviews The following internal audits were completed during 2020-21 as per the SIAP:

• Business Resilience
• Fraud Risk Management
• Payroll Post Implementation

Internal audits 2020-21

Management-initiated reviews

There were three management-initiated reviews undertaken in the reporting period, one by PwC and two by EY. As they were not defined as internal audits, they did not receive a formal rating and the outcomes were provided to the Audit and Compliance Committee. Any observations or findings are considered by management and incorporated into business improvement activities. They form part of ARPC’s ongoing commitment to improving internal controls and business processes. The three management-initiated reviews related to payroll process mapping, IT security and retrocession contracts.

Fraud control

Every two years, ARPC reviews and updates the ARPC Fraud Control Policy and underlying fraud risk assessments. The Fraud Control Policy allocates responsibilities for fraud risk management and control among the Audit and Compliance Committee, the CEO, ARPC management and employees. The Policy outlines legislative and governance requirements, and is framed around key fraud control strategies:

• prevention
• detection
• response, and
• monitoring, evaluation and reporting.

The Fraud Control Policy complies with requirements under section 10 of the PGPA Rule, which provides the minimum standard for the management of risk and incidents of fraud by accountable authorities (the Board). ARPC employees were provided with training in compliance with the Fraud Control Policy and the PGPA Rule.

Compliance

In the reporting year, ARPC continued to review and improve its compliance plan and program of compliance testing. Regulatory compliance was further supported by a program of mandatory training for employees on relevant legislation and policies, routine information sessions for employees on relevant topics and a process of six-monthly attestations by all senior managers covering key legislation including the TI Act, PGPA Act, PGPA Rule, the Privacy Act 1998 and Public Interest Disclosure Act 2013. Under the TI Act (section 40), the Board may delegate all or any of its powers or functions to the CEO or any person employed under the TI Act. Delegations made by the Board are documented and reviewed at least every three years. ARPC’s annual report is prepared and provided to the Minister by 15 October each year in compliance with the PGPA Act (section 46). ARPC’s annual financial statements comply with accounting standards prescribed by the PGPA rules and are audited by the Auditor-General as soon as practicable after preparation. The financial statements can be found in Chapter 6 of this document. ARPC also prepares a Corporate Plan on a rolling four-year basis, in accordance with the PGPA Act (section 35) and provides it to the Minister and the Minster for Finance by 31 August each year. Under the PGPA Act (section 39), ARPC prepares an Annual Performance Statement to report on progress against purpose, as stated within the preceding Corporate Plan. ARPC’s Annual Performance Statement is outlined in Chapter 3 of this document.

Project management governance

ARPC’s approach to project delivery is enabled by a strong governance structure. The Executive team provides project sponsorship to support Senior Leaders in undertaking project delivery. A contemporary online project management toolset provides transparent updates on project progress and reporting in real time. ARPC’s Project Management Office is the responsibility of the Chief Operating Officer and provides regular consolidated reports to the entire organisation and mentors Senior Leaders in developing skills in this discipline. Project status reports are presented to each Board meeting and strategic projects for the upcoming year are discussed and agreed upon at the annual Board strategy sessions held in March. The Project Management Office also undertakes improvement activities to ensure the ARPC program/project methodology remains fit for purpose.

Public interest disclosure

The Public Interest Disclosure Act 2013 (PID Act) promotes integrity and accountability in the Commonwealth public sector by encouraging the disclosure of information about suspected wrongdoing. It also protects people who make disclosures and requires agencies to investigate or take other appropriate actions. In accordance with the PID Act, ARPC has a PID policy/procedure which is made available on the ARPC webpage. During the reporting period, ARPC received no public interest disclosures.

Information publication scheme statement

In accordance with the Freedom of Information Act 1982 (FOI Act) and the Information Publication Scheme (IPS), ARPC publishes a range of information on its website. In compliance with the Act and IPS, ARPC publishes its organisational structure, functions, appointments, annual reports, consultation arrangements, submissions to Parliament, routinely requested information and details of the freedom of information officer. Further details are available on ARPC’s IPS webpage at: https://arpc.gov.au/ips

Judicial and administrative decisions

In 2020-21, there were no judicial decisions or decisions of administrative tribunals that could significantly affect ARPC’s operations.

Consultation arrangements

ARPC employees regularly meet with insurers, industry bodies and other interested parties outside the Australian Government for discussions on various matters. A summary of the stakeholder engagement activity undertaken by ARPC during the reporting period can be found in ARPC’s Strategy.

Consultancies

ARPC engages consultants to provide specialist skills to assist with key projects and tasks. During 2020-21, consultants were engaged (following the appropriate procurement processes outlined in ARPC’s Procurement Policy), to assist in the following areas:

• strategic planning and stakeholder engagement facilitation
• specialist technical projects and maintenance e.g. payroll migration, essential Essential Eight protection
• research projects e.g. cyber terrorism, insurability and societal resilience
• retrocession advice
• independent review/advice on legal, and accounting issues
• employee development and training
• work health and safety, and
• organisational structure design and recruitment.

Ecologically sustainable development

ARPC continues to pursue initiatives designed to minimise waste, conserve energy and minimise water usage in the office, such as using electronic meeting papers, double-sided printing and scanning and energy efficient lighting throughout the office. ARPC’s premise has a NABERS 4.5-star energy and 4-star water rating (out of 6 stars). The table below lists the strategies used by the building owners and ARPC to assist in reducing its environmental footprint.

Environmental footprint strategies

Back to top