From Tiffany’s desk
As we come to the end of the year, I would like to thank all Fund Members for all we have achieved in 2018.
We had an exciting 20th birthday year, including our conference, themed Building a positive risk culture. A big thank you to all Fund Members who attended.
More than 220 people heard presentations on a diverse range of topics and issues that are impacting on or will impact on the work we do.
The presentations by keynote speakers Kate Hughes, Chief Audit and Risk Officer at RMIT; Joe Buffone, from the Department of Home Affairs; and Mark Tattersall, from the Department of Foreign Affairs, were inspiring and really emphasised how important risk management is.
The conference capped off a busy 20th year for Comcover. As well as delivering our usual program of services and continuing to provide comprehensive cover to Fund Members, this year Comcover also successfully ran the awards for excellence in risk management, implemented a legal service provider forum series, and extended our educational offering to include all four risk management education pathways.
We are building on the success of our risk awards by making them an annual event from now on, so please chat to us about opportunities for your entity to be involved.
The education program will start again in February so log into the Comcover Learning Centre and register for any of the courses.
You will also find the three new online learning programs I announced at the conference (see the New eLearning courses article in this issue).
Introduction to Comcover provides an overview of common risk and insurance terms and concepts. Liaising with Comcover is an induction program for all contacts and provides anyone new to Comcover with an overview of Comcover’s role, functions and services. Even if you have been in your job for some time, it would be worthwhile completing that program and the additional course, Managing indemnity risk. In addition to the new eLearning courses, Comcover is sponsoring the launch of an insurance practitioners’ forum to connect our primary insurance contacts.
We also aim to refresh the format of Comcover Connect to make it a truly online resource for you. Keep an eye out for communication about this early in the new year.
2019 is already looking like a busy year.
I hope you enjoy your end-of-year break. Have a safe and happy festive season.
Tiffany Karlsson
Assistant Secretary, Risk and Claims Branch
Department of Finance
P: (02) 6215 2593
Pre-planning pays off
The advantages of pre-event planning and creating sound disaster recovery plans paid off for the Australian Taxation Office (ATO) when it faced real disasters.
Brendan Jones, Director of ATO’s Business Continuity Team, outlined five key principles for good disaster recovery planning to the Comcover conference and demonstrated how ATO’s planning was actioned when three disasters occurred – Cyclone Debbie in Queensland in 2017; a major flood in the Penrith, NSW, ATO office in 2015; and a storage area network outage in 2016.
Mr Jones’s key principles to develop disaster recovery plans for effective recovery from significant disruptions are:
- Having effective teams with clear command-and-control structures
- Leveraging on existing business-as-usual (BAU) teams
- Prioritising
- Testing the plan
- Post-incident reviews.
Mr Jones told Comcover Connect disaster recovery plans required an effective business continuity management team to develop, implement and manage the plan; a crisis/continuity management team (CMT); and executive endorsement.
‘You can get through disasters if the teams know the business, its priorities, and have effective crisis leaders. Without a clear command-and-control structure, everyone will be trying to run the ship,’ he said.
Using existing BAU teams, for example IT incident management, building management, security, and communications, avoided ‘reinventing the wheel’. Each can be responsible for restoring areas that are their responsibility, with the disaster recovery team integrating them, being the liaison point, and ‘bringing all the threads together’.
Mr Jones said prioritising ensured recovery efforts focused on what was of critical importance. ‘Consider what will bring the most pain, affect customer satisfaction, or cost the business money,’ he said. ‘Not everything is critical.’
Testing was essential. ‘A plan can’t gather dust in a corner. You need simulations and exercises to test its validity.’
Post-incident reviews enabled the teams to learn lessons and update the plan.
Each of Mr Jones’s three case studies demonstrated successful implementation of the five principles.
When Cyclone Debbie approached Queensland in 2017, ATO had experienced a ‘practice run’ with the 2011 Queensland floods in which multiple ATO offices were temporarily closed and some staff members’ homes inundated.
Before Debbie struck the coast, the Townsville ATO office was proactively closed and subsequently three other south-east Queensland offices closed for half a day, affecting more than 3,000 staff.
ATO’s CMT was activated. The team contacted staff via text and used BAU response teams to ensure offices were safe and secure and IT powered down.
‘Because we had done lots of simulations and conducted post-incident reviews with prior cyclones, there were a lot of prior learnings,’ Mr Jones told Comcover Connect.
The disaster recovery plan implementation was successful. ‘There were a few "nitty-gritty" things, for example, not everyone got the text messages. It’s never an exact science.’
In 2015, a water tank on the ninth floor of ATO’s Penrith office leaked, sending megalitres of water cascading into the floors below. Fire stairs, lobbies, offices, and a computer room were flooded. The building was closed for three days and about 1,000 staff unable to attend work.
The CMT activated its communications plan to ensure staff were advised; and worked with BAU response teams to ensure the site was closed and secure. IT equipment was powered down and subsequently cleaned, powered up and restarted.
Critical staff and processes were relocated to ATO’s Parramatta site. A full post-incident review was conducted. The effort was rewarded with a 2016 award for Recovery of the Year from the Australasian Business Continuity Institute (ABCI).
In December 2016, ATO lost core IT services for three to four days when its outsourced storage area network (SAN) failed and the backup would not power up.
Less time-critical services were unavailable for 10 to 14 days and there were significant impacts for taxpayers, tax agents, businesses, software providers, the superannuation industry, and all ATO staff.
Mr Jones said the senior CMT had met just five days before the outage for a major cyber-attack simulation, so the team was familiar with its roles and responsibilities.
‘A tried-and-tested business continuity management team provided effective support throughout the entire outage, leveraging on an existing close working relationship with the IT incident management team,’ he said.
A clear understanding of ATO’s organisational priorities enabled IT to focus restoration efforts on the right systems and effectively prioritise the recovery. Critical online services were restored first and the SAN was rebuilt from back-ups with no data lost.
Mr Jones said post-incident reviews, internal and external, identified ‘a list of things to improve’.
‘Nothing tests you like a real incident,’ he said. ‘Had we not had the five disaster recovery plan principles in place, we would have been "dead in the water" for a much longer time.’
Mr Jones has run ATO’s business continuity program since 2011, chairs the Australian Public Service Business Continuity Management Community of Practice, and is a member of the ABCI’s 2020 think tank.
Applying business interruption cover after disasters
After Brendan’s presentation at the Comcover conference, Robert Edwards, Assistant Director, Department of Finance, and Comcover Relationship Manager, outlined the scope of business interruption cover available under the Comcover Statement of Cover.
He said key principles for effective recovery from business interruptions included:
- Factors to consider when Fund Members assess business interruption costs and set appropriate sums insured
- What business interruption covers and what is excluded
- The nature of the initial and other advice Fund Members need to provide to Comcover to manage business interruption claims
- Factors Fund Members should review and consider after events and monitor post loss.
A key point Robert stressed was ensuring Fund Members’ insurance and risk contacts worked closely with their business continuity teams to test the financial adequacy of cover sought.
If you have questions about property and business interruption cover, contact your Relationship Manager on 1800 651 540 (option 3).
Events calendar 2019
February
- Risk Management Benchmarking Survey opens – 4 February
- Comcover Seminar Series – Salary for super purposes and allowances – Ashurst – 13 February. Register for the Comcover Seminar Series through the Comcover Learning Centre.
- Business Continuity Community of Practice – 14 February, then every second Thursday of the month during 2019. Email Brendan Jones – BCMHelpdesk@ato.gov.au
March
- Risk Management Benchmarking Survey closes – 15 March
- Dates for Comcover’s 2019 education program workshops are being finalised. More information about the Generalist, Specialist and Executive pathway workshops will be on the Comcover Learning Centre early in 2019.
CRO role ‘an alchemist’
Kate Hughes is not your average chief risk officer and she’s the first to admit it.
She doesn’t even think the title chief risk officer (CRO) reflects her daily work. ‘My job is to help our executive team make decisions with risks in mind,’ she told Comcover Connect in advance of her presentation to the 2018 Comcover conference.
Ms Hughes, Chief Audit and Risk Officer for RMIT University in Melbourne, has enterprise-wide responsibility for risk management, compliance, policy and internal audit. Before joining RMIT in February, she was CRO for Telstra.
She says her RMIT role is one of an alchemist. ‘I have a helicopter view of the university that enables me to understand risks in a holistic way. I’m not blind to the past, but want to test and challenge how things are done.’
She says risk management has a brand problem and risk management professionals are partly responsible because they use the wrong language.
Ms Hughes’s tips for success in risk management include:
- Stop using jargon – ‘Most people will never read [the international risk management standard] ISO 31000.’
- Be less technical and theoretical – ‘Talk about risk as a normal part of managing a business or organisation.’
- Use language that is relatable – ‘Matrix, consequence, likelihood, controls, and treatments are not as easily understood as profit, expenditure, revenue, and reputation.’
- Don’t simplify risks to the extent no one can understand what they mean.
- But don’t complicate risk descriptions so people can’t determine how to manage them.
- The average executive is not a risk professional, they are a leader with a busy diary. Be succinct and remind them why risk management matters.
- Understand the value you bring to the conversation and leverage that.
- Think about the ‘lived experience’ of the most important risks and ensure you translate that well.
Ms Hughes said the questions to ask in risk management were ‘what’; then ‘so what’, ie, why does it matter; and ‘now what’, ie, what do we do about it. The greatest emphasis should be on the latter.
Key risks for RMIT included ensuring graduates emerged with the ability to do the roles for which they had been trained. Students had to understand what they were learning and apply it, not just learn by rote and memory, otherwise the integrity of their degree was undermined.
‘Universities are a business. They need to be sustainable into the future. My role is to think about what risks are in the way of achieving that,’ Ms Hughes said.
‘As RMIT goes global, there are new risks to manage, including geopolitical and bribery and corruption. Managing them well is not about facilitating endless risk workshops, it’s about strategic risk management. As we deliver our strategy we need to mitigate the risks of that strategy; we need to look ahead and take action in advance.’
Ms Hughes said risk management must be deeply embedded within organisations so it was considered at the inception of new ideas or partnerships and occurred ‘almost invisibly and seamlessly’.
Good risk thinking and having critical response strategies in place built resilient organisations that bounced back quickly.
Risk management’s role was to help identify things that would stand in the way of the organisation achieving its strategic objectives and work as a team to ‘help kick those things out of the way’.
Ms Hughes said true risk leaders:
- Help their organisations make better decisions by having well-timed, succinct, meaningful risk assessments that drive decision making and become part of business as usual processes
- Promote strategic alignment so risks are well understood across the enterprise and the risk appetite is clear, consistent and aligned with strategy
- Create a risk management culture in which risks are considered, understood and integral to all business conversations and processes to promote integrity in decision making
- Help their organisations build resilience and agility by developing risk processes that encourage quick recoveries.
Ms Hughes said the risk management profession had a disproportionate focus on bad things happening, so maintaining personal resilience was critical.
That was achieved through having a capable team and having your own ‘cheer leaders’, people who encouraged you and gave you the courage to get through adversity and face challenges. There was a difference between encouragement and recognition.
It was also important to ‘refill the bucket’ by spending time doing things that reminded you your skills were being used for betterment.
She encourages her teams to ‘get out into the business of your business’.
Ms Hughes’s team – covering risk management; policy and governance; education compliance; and internal audit – will help at this year’s graduation ceremony. The aim is to temporarily take their focus from their daily roles, enabling them to ‘see the bigger picture, the importance of our job’.
‘We will graduate 9,000 students into the workforce. That’s 9,000 things that went right this year,’ Ms Hughes told Comcover Connect.
Computer-generated ‘decisions’ spark new risks
At the Comcover conference, Ashurst Partners Melanie McKean and Tim Brookes presented on the potential impacts increased use of artificial intelligence (AI) may have on the ways the Commonwealth delivers services, projects and programs in the future.
In Understanding the opportunities and risks of new and emerging technology – Is artificial intelligence an increasing legal risk for the Commonwealth?, Melanie and Tim identified that, while new technologies present opportunities, they also bring risks which require identification and management. There have been new developments in how governments and organisations need to manage those risks.
In this article, Tim and Mitchell Bazzana summarise Pintarich v Deputy Commissioner of Taxation, which deals with interesting questions on AI and the grounds on which it may make legally binding decisions.
By Partner Tim Brookes and Mitchell Bazzana, Ashurst
The Full Court of the Federal Court has found a taxpayer remained liable for interest charges despite receiving a computer-generated letter from the Australian Taxation Office purportedly remitting the taxpayer’s liability. The case is Pintarich v Deputy Commissioner of Taxation [2018] FCAFC 79.
The facts
Joseph Pintarich had a tax liability which included a general interest charge (GIC) component. In December 2014, an Australian Taxation Office (ATO) delegate of the Deputy Commissioner input information into a computer-based ‘template bulk issue letter’ which generated a letter. The letter sent to Mr Pintarich from ATO purported to remit a significant portion of the GIC liability provided a lump-sum payment was made before a set date. The delegate did not review the letter’s contents before it was sent.
Despite paying the lump sum, Mr Pintarich was issued with further statements of account for the GIC. In May 2016, ATO told Mr Pintarich his request for the GIC’s full remission had been denied and only partial remission would be granted.
Mr Pintarich argued the later ‘decision’ was ultra vires, because a decision had already been communicated to him in the computer-generated letter. ATO later advised him the portion of the letter purporting to remit GIC liability had been included in error and, therefore, no decision on the application for GIC remission was made when the letter was sent. Mr Pintarich challenged that.
Majority judgment
Did the computer-generated letter amount to a ‘decision’ by ATO? The majority of the court found for there to be a ‘decision’ there needed to be both:
The primary judge’s finding that ATO had not conducted a process of deliberation to decide whether to grant the taxpayer’s application for remission of GIC liability was unchallenged. On that basis, the majority held Mr Pintarich could not rely on the computer-generated letter because it was not a ‘decision’, since there had been no related mental process of reaching a conclusion. That was so even though the letter was an objective manifestation of that conclusion. ATO was therefore not bound by the letter.
Although the majority acknowledged the outcome may seem unfair and create uncertainty about relying on communications with government agencies, they said there was a relatively small chance of a similar data entry error by ATO in future decisions.
Dissenting judgment
Justice Kerr adopted a more practical approach and argued the legal concept of what constitutes a ‘decision’ must not remain static but should comprehend that technology has fundamentally altered how decisions are made. Noting many decisions are made without any explicit mental engagement, Justice Kerr said renouncing an objective ‘decision’ for a lack of subjective mental process undermined the fundamental principles of administrative law. He said determining whether a decision was made must be fact and context specific.
Justice Kerr disagreed the scenario was unlikely to arise again, given ‘the growing interdependency of automated and human decision making’, and he was concerned about the decision’s unfairness.
Implications
The decision has clear implications for administrative law and governments’ increased reliance on document automation and artificial intelligence for decision-making processes. It illustrates the risks of taking ‘decisions’ made by automated correspondence at face value and creates uncertainty on the reliability of automated decision-making processes. That may have broader effects when relying on those technologies in administrative decision making.
Historically, automation has helped apply rules to individual cases. However, automated systems are progressively becoming primary administrative decision makers. Difficulties will arise as automation collapses decisions into rulemaking, making it nearly impossible to determine whether a decision resulted from factual errors or distorted policy. Full automation of decision making without the counterbalance of human mental processes arguably risks dismantling critical procedural safeguards.
Procedural fairness may be impaired where computer programmers change the substance of rules when translating them from complex human language into binary computer code. Even for programmers with a good understanding of statutory construction, the translation is difficult and meaning may be lost or distorted. Data input error can lead to incorrect decisions, and problems may arise in verifying a program has correctly recorded the rules. For example, individuals may be unable to meaningfully challenge automated decisions where expert testimony about a computer system’s reasoning is unavailable.
The pervasive uptake of machine-learning algorithms and automated decision-making tools by governments worldwide also highlights the likelihood of increasing numbers of coding or data-input errors. That goes against the majority’s view that this type of scenario was unlikely to occur more frequently in future.
Use of automated systems raises important questions about the measures necessary to ensure the legality of the decisions they make. Authority to use such systems is not always transparent or express. Increasingly, legislative schemes include mechanisms whereby decisions made by computer programs are deemed decisions of human decision makers, as in the Business Names Registration Act 2011 (Cth). However, it is not clear that this is being dealt with comprehensively.
As Justice Kerr noted, large-scale automation systems are ‘routinely relied on by ... Australian government departments for bulk decision making’. That reflects increasing budget constraints and rapid growth in the volume and complexity of legislation and the government decisions it requires. Those systems are now well established, with the Administrative Review Council publishing guidance on their use in 2004. That was the catalyst for the Commonwealth Ombudsman’s 2007 Better practice guide to automated decision making.
Where human decision makers have established processes for how and when automated decision-making tools can be used, it appears illogical to suggest human mental processes are required to make the decisions. In the Pintarich case, the High Court refused an application for leave to appeal and therefore declined the opportunity to decide those issues.
WoAG travel drives value
The Whole of Australian Government (WoAG) travel arrangements and associated policies drive enhanced value for money and service levels for official travel.
The WoAG Travel team manages deeds of standing offer for:
- travel management services
- domestic and international air travel services
- accommodation program management services
- travel and card-related services
- car rental services.
To support WoAG Travel’s objectives, the WoAG Travel team organises and hosts a WoAG Travel Exhibition every two years. Comcover and its service delivery partner International SOS participate at the WoAG Travel Exhibitions.
The event enables travel managers, travel bookers, and travellers from participating entities to familiarise themselves with details of the travel arrangements, engage directly with WoAG Travel suppliers, and learn more about products and services offered by the suppliers.
Products and services include new and existing offers available for official travel booked under the negotiated deeds of standing offer, such as additional baggage or transfers.
As a key engagement strategy, WoAG Travel supports and encourages all staff involved in official government travel to review their booking behaviours and increase their awareness of benefits available through the negotiated agreements.
The exhibition is an opportunity for entities to connect with travel-related government service providers, including Comcover, which provides cover for domestic and international travel; International SOS, which provides routine and emergency medical and security assistance to international travellers and expatriates posted overseas; and the Department of Foreign Affairs and Trade, which provides international travel risk assessment and advice.
More information about WoAG Travel arrangements is available on the Department of Finance website.
If you require assistance or guidance about the WoAG Travel arrangements, please contact the WoAG Travel team at woagtravel@finance.gov.au.
Cyber security protects government reputation
"A secure cyberspace provides trust and confidence for individuals, business and the public sector to share ideas, collaborate and innovate."1
Cyber security is important to preserve national security and the Australian Government’s reputation for how it handles data.
Management of cyber risks by selected government entities has been the focus of a new Australian National Audit Office (ANAO) audit.
ANAO’s fourth audit of entities’ management of cyber risks was developed to examine whether entities:
- have effective arrangements in place to manage cyber risks
- monitor and report against cyber security deliverables
- have a culture of cyber resilience.
Consistent with previous cyber audits, the audit found a relatively low level of maturity in managing cyber risks. It highlighted the need to strengthen cyber requirements of the Protective Security Policy Framework.
Cyber risk is not an emerging risk. It is a current risk; however, the nature of the risk is constantly evolving and changing, and so must the strategies for managing it. Cyber attacks continue to present a challenge for public and private sector organisations, and the audit includes key learnings for all entities.
The report is on ANAO’s website at: https://www.anao.gov.au/work/performance-audit/cyber-resilience-2017-18… traliangovernmententities.
Comcover can assist. If you would like guidance on managing cyber risk, please contact the Comcover Risk Management Team on 1800 651 540 (option 4) or email comcover@comcover.com.au.
New eLearning courses
Comcover provides risk education opportunities to help you better engage with risk in your day-to-day work.
Comcover’s learning programs are available free to Commonwealth officials via the Comcover Learning Centre.
To support you in understanding basic risk management concepts and Commonwealth best practice risk management strategies, three new eLearning courses are now available in the Comcover Learning Centre.
Introduction to Comcover explains Comcover and how it helps entities and their staff to manage risks through:
- the Comcover Fund, which protects against the financial impact of insurable losses
- a range of services to promote better risk management practices in the public sector, including education delivered as eLearning, face-to-face workshops and events.
Managing indemnity risk was developed to help you better understand indemnities and how to reduce the likelihood and consequences of the risks they present.
If your job requires you to design, implement, and embed risk management in your entity, Liaising with Comcover provides extensive information to help you provide risk management advice and support in your entity.
Designed for officials who are, or will become, authorised Comcover liaison personnel, the course provides opportunities to learn more about the roles of Comcover’s insurance and risk contacts and how Comcover can help influence positive outcomes through effective and efficient management of risks.
Education program 2019
Workshops
Our risk education extends to practical workshops.
Over the past two years, more than 90 per cent of workshop participants indicated they would recommend the education program to others and believed the program was valuable in further developing their risk management capabilities.
Comcover again plans to deliver Generalist, Specialist and Executive level workshops in 2019.
Dates will be released soon.
2019 Awards for Excellence
Planning is in progress to deliver the 2019 Awards for Excellence in Risk Management.
Comcover normally presents the awards every second year. However, the number of high-calibre entries in 2018 has encouraged the Secretary of the Department of Finance, Rosemary Huxtable PSM, to convert the awards into an annual event.
Start thinking about your 2019 nomination now.
Statement of Cover – travel outside country
Comcover provides overseas travel cover to Fund Members for baggage and personal effects, and medical expenses and medical emergencies.
To effect travel cover, the person travelling must satisfy the definition of a ‘traveller’ under section 5 of the Comcover Statement of Cover 2018-19. A key requirement is that the travel must be approved and funded by a Fund Member.
A Fund Member’s limit of cover is specified in the entity’s Schedule of Cover which is available in the Comcover Gateway on the Comcover Launchpad.
Baggage and personal effects
Cover for baggage and personal effects is provided for a range of circumstances, including the cost of repairing or replacing baggage and personal effects belonging to or the responsibility of a traveller that are lost, destroyed or damaged. Comcover will also cover a Fund Member for money stolen if the money belongs to or is the responsibility of a traveller on official travel.
Cover is also provided for insurable losses in response to major incidents or natural disasters where the traveller is at risk of injury or illness. That includes emergency evacuations under the terms and conditions specified in section 14 of the Statement of Cover.
Several exclusions apply to baggage and personal effects. They include that Comcover will not pay for any loss or claim unless the travel has been approved in accordance with relevant legislation and the entity’s internal policies, instructions and guidelines. The exclusions are detailed in section 14(4) of the Statement of Cover.
Medical expenses and emergencies
The Statement of Cover will respond to a range of events related to medical treatment, including injury, illness or death of a traveller. Comcover will pay compensation to a Fund Member, or a traveller directly if they are not indemnified by a Fund Member, subject to terms and conditions.
Comcover also provides cover for the cost of medical repatriations under medical supervision.
The Statement of Cover includes some exclusions. They include any claims where a traveller would be reasonably considered unfit for travel or is travelling against the advice of a medical practitioner. The exclusions are detailed in section 15(3) of the Statement of Cover.
If you have any questions about travel outside country cover, contact your Relationship Manager on 1800 651 540 (option 3).
The Statement of Cover 2018-19 and an associated Information Bulletin are available on the Department of Finance website and in the Comcover Gateway on the Comcover Launchpad.
Statement of Cover – cyber
Managing cyber security is one of the Commonwealth’s biggest challenges and continues to generate inquiries to Comcover about how the Comcover Statement of Cover responds and the extent of cover available.
At first glance, the Statement of Cover does not appear to provide cover for cyber security-related losses because there is no specific cyber security loss section. However, cover may be available for first- and third-party losses caused by cyber security incidents under the property and liability sections.
Comcover’s information sheet How the Comcover Statement of Cover responds to cyber security events details circumstances under which cover may be provided.
Depending on the circumstances of the property loss, coverage for first-party losses may be provided for things like loss or damage to a network resulting in business interruption and loss of revenue.
The Statement of Cover’s liability section may be triggered when a third party alleges a Fund Member should be held liable for losses arising from a cyber event, for example where personal information has been released.
The fact sheet also contains links to other cyber security policy and guidance material resources Fund Members may find useful.
If you have any questions about cyber security incident cover, contact your Relationship Manager on 1800 651 540 (option 3).
A full list of resources, including advice circulars, Comcover Connect newsletters, information sheets, and FAQs, is on the Department of Finance website.