[Insert image here

to match your presentation – contact Meg in BD to obtain images]

Governance & Legal Risk Management12 July 2016

Michael Gorton AM

Principal

[

The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.

Disclaimer

2

3

NOT FOR PROFIT

GOVERNANCE & LEGAL RISK

MANAGEMENT

> Liability> Entity> Individuals> Vicarious Liability

> Accountability> Delegation> Reporting

> Risk Management> Legal Risk> Financial Risk> Business Risk

> Compliance

Governance & Management

4

Governance Structures

5

C O M M IT T E E S O F F IC E R S

B O A R D O F M A N A G E M E N T

O W N E R S

> Vision/Mission> Strategy – Strategic Plan> Review/monitor Business Plan> Appoint and monitor CEO (and operations)> Share Stakeholder Engagement> Review and monitor Risk Framework and

Plan

Role of the Board

6

> Manage the business> Accept delegations> Responsible for staff> Implement Strategic Plan and Business Plan> Share Stakeholder Engagement> Manage risks> Report to the Board

Role of CEO (Management)

7

> Internal / External> Short term / Long term> Strategic / Micromanaging

What type of Board are you?

8

> Personal negligence> Vicarious liability – authorised to act on behalf of

(agent)> Indirect (vicarious liability)

> Employees

> Agents (some contractors may be “agents”)

> Agency

> Real authority

> Ostensible authority> Authorised> “Branded”

Liability

9

> Directors Liability> Negligence/duty of care

> Exercise due care and diligence (“Business Test”) – in good faith/for a proper purpose / informed / rationally believe in the best interests of the company

> Cannot be inactive

> Must read, question, understand

> Cannot just rely on management/auditors/lawyers (Centro)

Liability continued

10

> Directors Liability> Responsible for statements/misstatements (James

Hardie)

> Shadow directors/officers (James Hardie)

> Not gain from improper use of position

> Not gain from improper use of information

> Conflict of interest

> Insolvent Trading

Liability continued

11

> Common Law> Actual> Perceived> Declare/notice> Do not vote if any direct or indirect benefit

> Corporations Act (s.191-194)> Material personal interest> Declare/notice> Do not vote> Must not be present while matter considered

Conflict of Interest

12

> Directors> Corporate manslaughter and other crimes –

authorised, personal involvement> O H & S> Environmental law

> Insurance> Public liability> Professional indemnity> D & O

(Ensure coverage for all people and all risks)

Liability continued

13

> Levels of delegation

> Systems of Accountability and Reporting Regimes

> Risk Register/Risk Management Framework

> Policies> Quality of care and service> Safety (including emergency)> Legal risks

> Education and Training

> Notice Requirements/Compliance Checklist/ Sign-off

> Incident Monitoring/Complaint Handling

> Audit

Key Governance Issues

14

> Charter> Role and responsibilities of Board

> Role and responsibilities of CEO

> Decision making process

> Setting “expectations”

> Decision making checklist> Proposal clear?

> In the company’s interest

> Fit with strategic plan/business plan?

> Pros & cons considered

> Affect on legal/financial risk?

Governance

15

> Code of Conduct (behaviour/conflict/etc)> Board Process

> Meetings> Minutes/Papers/Reports> Committees> Time for strategy> Link to compliance/risk management

Governance continued

16

> Avoiding Liability> Good care and service

> Protocols, policies and procedures

> Risk Management systems

> Checklist and reporting

> COMMUNICATION!!

> Complaint handling procedures – timely, sensitive, communicative

> NOTES AND RECORDS

> Insurance

Legal Risk

17

18

QUESTIONS

CONTACT

Michael W Gorton AMPrincipal

Russell Kennedy LawyersLevel 12, 469 LaTrobe Street, Melbourne

Tel: (03) 9609 1625Email: mgorton@rk.com.au

Not For Profit Legal Risk Management

19

Level 12, 469 La Trobe Street, Melbourne, VIC 3000 P: +61 3 9609 1555Level 8, 28 University Avenue, Canberra, ACT 2601 P: +61 2 6171 9900

Liability limited by a scheme approved under Professional Standards Legislation

Not For Profit Risk ManagementJuly 2016

Michal Jozwik

22

10 Principles for Good Governance We believe the following ten principles provide a useful starting point for NFP boards when considering what constitutes good governance in an organisation’s particular circumstances:

1. Roles and Responsibilities2. Board Composition3. Purpose and Strategy 4. Risk – Recognition and Management5. Organisational performance6. Board Effectiveness7. Integrity and Accountability8. Organisation Building9. Culture and Ethics10. Engagement

Risk – Recognition and Management

23

“By putting in place an appropriate system of risk oversight and internal controls, boards can help increase the likelihood that their organisation will deliver on its purpose.”

“Risk is another board responsibility, no matter how big or small the NFP. Organisations should establish a sound system of determining risk appetite, oversight, recognition, management, treatment and control.”

24

Why is Risk Management Important?

Protect assets

Protect People

Cost efficiency

Improve planning

Reduced exposure

Regulatory compliance

And many others…

Common benefits of risk management:

25

Why is Risk Management Important?

We want to think about…

The future (proactive attitude)

Common language

Creating opportunities

Building a Risk Register

26

In theory as this is a simple process. All that is needed is to capture:The risks;Causes of risk;Rating;Controls;Further actions; andTreatments.

How to do it?

27

Employ a risk manager?

Hold a workshop?

Engage the team?

OH&S

IT systems

Service delivery

Economic changes

Changes in funding

Social changes

Legal & compliance

changes

OH&S

IT systems

Service delivery

Economic changes

Changes in funding

Social changes

Legal & compliance

changesOH&S

IT systems

Service delivery

Economic changes

Changes in funding

Social changes

Legal & compliance

changes

How to do it – Start with your objectives

28

Don’t start in heavy detail

Stra

tegi

c O

bjec

tives Loss of Contracts

Loss of Key Relationships

Market Place Competition

Major Asset Failure

OH&S

IT systems

Service delivery

Economic changes

Changes in funding

Social changes

Legal & compliance

changes

Bring it up and look top down – Strategic risks

Gaining Comfort

29

Now that we have a risk register, how do we know it works

Payroll Accounts Payable

Accounts Receivable

Human Resources

Procurement

Donations OH&SAccreditation &

Regulatory compliance

Capital Planning

Privacy

Digital engagement

NDIS & Consumer

Directed CareCommunity Engagement Agency Staff

Volunteer Recruitment & Training

…… and many more.

Risk Assurance Mapping

30

What assurance activities are in place?

Comfort that risks are being managed as required?

Prior Internal Audits

Assurance & Monitoring Activities

External/Financial Audit Coverage

Accreditation Activities

Management Monitoring Activities

Internal Quality Program

Strategic Risks

Internal Audit Plan

Risk & Control Map

How Internal Audit can help

31

Structure, Support & Training

Control Environment

Strong

Strong

Poor

Poor

Basic Developing Established Advanced Leading

Subjective Assessment of Process Maturity

Overall Subjective Assessment of Core Process Elements

8Overall we have assessed that there is a Medium risk exposure in relation

to payroll.;

Basic Developing Established Advanced Leading

Subjective Assessment of Process MaturityFocus on compliance?

Focus on process effectiveness and efficiency?

Align internal audit activities with your Risk Management Framework.

Recommendations rated against your risk appetite

Internal Audit & Risk Integration

32

Process Risks

Fraud

Error

MediumProcess Impact

CommitteeMonitoring

Associated Risks or Opportunity (can be

one or multiple)

Impact that this recommendation is

expected to have on the relevant process

Suggested level of monitoring of

implementation

Data Mining and Analysis

-

5

10

15

20

25

30

35

-

500

1,000

1,500

2,000

2,500

3,000

3,500

201107 201108 201109 201110 201111 201112 201201 201202 201203 201204 201205 201206

Num

ber o

f Exc

eptio

ns

Hour

s

Period

Unusually High HoursVariation to Median Hours Worked

Number of Exceptions

0

50

100

150

200

250

Within 1stPayment Cycle

Within 2ndPayment Cycle

Within 3rdPayment Cycle

Within 4thPayment Cycle

Within 5thPayment Cycle

Within 6thPayment Cycle

After 6th PaymentCycle

Termination Payments

Payment After Termination Date Number of Payments Percentage (%) Net Payment

($)Percentage

(%)

Within 1st Payment Cycle 235 55% 257,443 38%

Within 2nd Payment Cycle 159 37% 400,396 58%

Within 3rd Payment Cycle 14 3% 11,694 2%

Within 4th Payment Cycle 6 1% 2,342 0%

Within 5th Payment Cycle 1 0% 348 0%

Within 6th Payment Cycle 3 1% 1,998 0%

After 6th Payment Cycle 7 2% 10,736 2%

Total 425 100% 684,957 100%

Depth

Risk Mitigation

Data mining and analysis is a powerful technique which greatly increases the coverage of audit focused activities and is used with the following objectives in mind:

Highlight potential business process risks;

Provide added insight into the nature of activities undertaken within the business process and various trends; and

Assist in the detection of inappropriate organisational practices.

33

Wrap up

34

Started with risk management and covered Being future focused Creating a common language Gaining comfort How Internal Audit can help

35

Questions & Answers

36

Thank you!