Background

1. The Terrorism Reinsurance Scheme (the scheme) was established in 2003 initially as an interim measure to operate while terrorism insurance cover was unavailable in the private market following the terrorist events of 11 September 2001. The scheme was established under the Terrorism Insurance Act 2003 (TI Act) and is managed by the Australian Reinsurance Pool Corporation (ARPC), a public financial corporation within the Treasury portfolio.

2. The scheme has a total funding capacity of $13.4 billion (2017–18) and provides cover for eligible terrorism losses involving commercial property, associated business interruption losses and public liability. Through the scheme, insurance companies can reinsure the risk of terrorism losses by paying premiums to ARPC. Insurers are required to initially meet any claims in accordance with the terms and conditions of individual policies, with claims against the scheme met once an individual insurance company’s threshold has been reached.

3. The scheme is activated when the responsible Minister, after consulting the Attorney-General, announces that an event is a ‘declared terrorist incident’ under the TI Act. Since 2003, there has been one declared terrorist incident — the Lindt Café siege in December 2014. This resulted in claims being made by policy holders against their insurance companies, but no claims were paid out from the scheme as insurers were able to cover the costs from their individual insurance company thresholds.

Rationale for undertaking the audit

4. The Terrorism Reinsurance Scheme has been in place for 15 years and as at 30 June 2018 had a large claims funding capacity of $13.4 billion (including a $10 billion Commonwealth guarantee), funded through $169.6 million in annual premiums paid by the commercial insurance sector. The scheme is designed to ensure that Australia has the necessary cover to mitigate the risk of significant loss and negative impact on the economy in the event of a terrorist attack impacting commercial property.

Audit objective and criteria

5. The objective of the audit was to assess the effectiveness of ARPC’s management of the Terrorism Reinsurance Scheme by addressing two criteria:

• Are there processes in place that support the effective administration of the scheme?
• Do governance arrangements enable the effective oversight and management of the scheme?

6. The audit scope included:

• policy approval and policy management processes, claims management processes and supporting policy and process documents;
• governance arrangements, including of the Board and supporting committees, and risk management;
• stakeholder engagement activities; and
• monitoring and review of scheme performance, including the Department of the Treasury’s (Treasury) assessment of economy in providing the scheme.

Conclusion

7. ARPC is effective in managing the Terrorism Reinsurance Scheme.

8. ARPC has effective processes for reviewing and collecting premiums, as well as assessing whether the scheme’s participation requirements are being met. Suitable processes for assessing and paying claims have also been established, although these have not been implemented in practice as no claims have been paid against the scheme to date.

9. ARPC’s governance arrangements enable effective oversight and management of the scheme. Since the commencement of the scheme, mandated triennial reviews have confirmed the need for the scheme to continue. ARPC provides effective annual reporting of its performance. The ARPC Board is effective in overseeing the scheme, ARPC has a suitable organisational structure in place to support the operation of the scheme, and has appropriate arrangements for engaging and communicating with stakeholders.

Supporting findings

10. Premiums are set by the Minister and determined by postcode according to population density, and ARPC reviews the postcodes periodically. ARPC can price the risk by estimating the losses of a terrorist attack impacting Australian commercial property through specialist modelling that it has developed by partnering with experts in the field. Understanding the potential financial impact of a terrorist attack informs ARPC’s purchase of its own reinsurance (retrocession) to share the risk across the private insurance industry and reduce the Australian Government’s exposure. Treasury is responsible for setting the payments to Government required from ARPC however the level of payments is a significant proportion of ARPC’s annual premium revenue.

11. ARPC has a process to accept policy applications, effective processes to reconcile premiums due and paid, and a suitable debt management process. ARPC also has an effective process in place to review whether insurers are compliant with the requirements of the scheme and are paying the correct premiums.

12. ARPC has a suitable process for assessing claims made by insurers in the event of a declared terrorist incident. The process is logical and linear and is tested at regular intervals. Arrangements for paying approved claims have appropriate control points to manage risk and are consistent with ARPC’s payment practices. As ARPC has yet to pay claims under the scheme, the effectiveness of the claims process in practice remains to be seen.

13. There are regular reviews and reports on the scheme. There is a legislative requirement for the scheme to be formally reviewed every three years by Treasury, and all required recommendations were implemented by ARPC. Since the commencement of the scheme, these triennial reviews have confirmed the need for the scheme to continue. ARPC reports annually on its performance measures, however, those measures could be enhanced to fully meet the Department of Finance’s appropriateness criteria for performance information, particularly for ARPC’s strategic projects measure.

14. The ARPC Board is effective in overseeing the scheme, but could improve in two areas. The Terrorism Insurance Act 2003 requires the Board to inform the Minister of any conflicts of interest a member may have to due to outside employment, and this was not done when a potential conflict arose (noting that management of the conflict was handled correctly by the Board). The Board Charter requires the Board to assess its performance annually, however, reviews were undertaken most recently in 2012, 2013 and 2016 and a review is underway for 2019.

15. ARPC has a suitable organisational structure in place to support the operation of the scheme. Core functions to manage the scheme are undertaken by ARPC staff, and specialist advice on matters such as legal issues or the purchase of retrocession reinsurance is procured when required.

16. ARPC has effective communications activities and products that promote the scheme and inform industry of emerging trends, and ARPC regularly engages with stakeholders through various forums.

Recommendations

Summary of entity responses

17. The proposed report was provided to ARPC and Treasury who provided responses which are included at Appendix 1, and a summary of the responses is set out below.

ARPC

18. The scheme stakeholders will be pleased that ANAO concluded ARPC is effective in managing the Terrorism Reinsurance Scheme. This finding reflects ARPC’s vision to be an effective provider of terrorism risk insurance that facilitates private participation, supports national resilience and reduces losses arising from catastrophic events caused by terrorism. It also reflects the commitment of ARPC to constantly strive to improve outcomes and meet the objectives of the scheme.

19. ARPC agrees with the suggested area for improvement which is to enhance the corporate plan by strengthening the performance measure on strategic projects and implementing a performance measure for stakeholder engagement and communications.

20. ARPC notes the recommendation to the Treasury that it review the options available to rebuild ARPC’s capital following any terrorism event leading to significant claims on the scheme, with a view to minimising the need for premium increases. ARPC will support the Treasury in this review.

Treasury

21. The Treasury welcomes the ANAO’s report. It provides reassurance to the Government on ARPC’s performance, governance and preparedness to handle claims.

Background

1.1 Following the terrorist attacks in the United States on 11 September 2001, cover for terrorism¹ risk was progressively withdrawn by insurance companies across the world. The economic impact of the commercial loss was felt globally but in the United States alone, insured property losses totalled approximately $USD26 billion (in 2017 dollar value), one of the largest insurance losses in history.²

1.2 Insurers and reinsurers subsequently decided to reduce their exposure to terrorism, or stop covering the risk altogether. The large pool of assets uninsured for terrorism risk led to global uncertainty that could have had adverse economic impacts, including delayed commencement of investment projects and altered portfolio management decisions.

1.3 In response, the Australian Government announced in May 2002 that it would act to protect the Australian economy from the negative effects of the withdrawal of terrorism insurance cover. In particular:

… the Government was concerned that forcing property owners to assume their own risk for terrorism would lead to a reduction in financing and investment in the Australian property sector, including a substantial reduction in commercial building activity.³

1.4 As a result, the Terrorism Insurance Act 2003 (the TI Act) was established to address market failure and ensure terrorism insurance coverage for commercial property, associated business interruption losses and public liability claims.

1.5 The TI Act sets out the following:

• principles for the provision of insurance for terrorism risks — establishment of the Terrorism Reinsurance Scheme (the scheme);
• establishment, functions and powers of the Australian Reinsurance Pool Corporation (ARPC); and
• other requirements such as regular reviews of the Act and Ministerial Directions.

1.6 Terrorism insurance pools exist in 23 other countries including France, Germany, Russia, Spain, the United Kingdom and the United States. Many of these terrorism schemes are public sector schemes, including public-private partnerships backed by a government guarantee.

1.7 The TI Act was initially established as a temporary measure and is subject to reviews at least every three years, to determine whether it needs to continue in order to address gaps in terrorism coverage in the commercial insurance market.

Australian Reinsurance Pool Corporation

1.8 The scheme is administered by ARPC, which is a corporate Commonwealth entity⁴ under the Public Governance, Performance and Accountability Act 2013 and a public financial corporation.⁵

1.9 ARPC’s key role is to provide reinsurance cover to the insurance industry on the same basis as that provided by commercial reinsurers.⁶ ARPC’s vision is ‘To be an effective provider of terrorism risk insurance that facilitates private participation, supports national resilience and reduces losses arising from catastrophic events caused by terrorism’. This vision was the original focus of the scheme and remains unchanged today.

1.10 ARPC reports against four key performance indicators:

• providing reinsurance for eligible terrorism losses;
• encouraging private sector participation through retrocession;
• compensating the Government; and
• maintaining financial sustainability and organisational resilience.

1.11 Part 3 of the TI Act establishes the ARPC Board which is appointed by the Minister⁷ and consists of a Chair and at least four members, with a maximum of six. In 2017–18 the ARPC Board comprised the Chair and six directors, who were all non-executive members. Under its Charter, the Board can hold as many meetings as necessary for the efficient performance of its functions, but it usually meets around six times each financial year.

1.12 ARPC does not engage staff under the Public Service Act 1997 however it chooses to align with the Australian Public Service (APS) classification structure for its 22 staff, based in Sydney. More detail on the ARPC structure and staff roles is in Chapter 3.

1.13 ARPC is not funded by direct appropriation. It is self-funded through its operations — the payment of premiums by insurance companies and investments. In 2017–18 ARPC’s total premium revenue was $169.6 million and its net assets were approximately $426 million.

1.14 The ARPC’s Investment Policy (May 2018) sets out the principles for investing ARPC’s funds. The approach is conservative and focuses on liquid investments such as cash and fixed term deposits which can be readily accessed in the event that claims need to be paid quickly. The Board has overall responsibility for setting and approving the strategy, and the ARPC executive is responsible for implementation of the strategy and management of investments.

1.15 The 2014 National Commission of Audit, which was established to examine the scope and efficiency of the Australian Government, recommended that seven agencies be abolished, including ARPC. The report stated: ‘With continued recovery in terrorism insurance markets, there is scope for a gradual Commonwealth exit over the coming years’.⁸ This recommendation has not been taken up by the Government and both the 2015 and 2018 reviews of the scheme recommended that it continue.

The Terrorism Reinsurance Scheme

1.16 Reinsurance is where an insurance company purchases its own insurance to protect itself in case a major event occurs and the insurer is required to meet a large cost of claims. Reinsurance is about sharing the risk across a number of insurance companies.

Coverage of the scheme

1.17 The scheme commenced on 1 July 2003 and covers the following losses arising from a terrorist attack:

• commercial properties or infrastructure privately owned by the insured — for example, physical assets such as buildings, tangible contents, power plants, farms, private rail, mixed used properties (combination of residential and commercial) and high value residential properties valued over $50 million;
• interruptions to business — loss arising from the damage to or inability to utilise commercial properties affected by a terrorist attack and covered by the scheme; and
• public liability — an example is if a damaged property that is insured under the scheme causes damage to a neighbouring ineligible property, the owners of that ineligible property could bring action against the owners of the insured property for damage due to the terrorist attack.⁹

1.18 Assets not covered by the scheme include residential properties valued under $50 million, aviation and maritime assets/infrastructure. Other exclusions relating to the scheme are nuclear events, acts of war, radiological damage, cyber attack, and property owned by the Australian and state/territory governments (however, local government property is included).

Determining premiums

1.19 The premiums charged by ARPC are set by Ministerial Direction and determined by postcode across three tiers according to population density (see Table 1.1).

Table 1.1: Postcode tier rates

Source: https://arpc.gov.au/our-customers/postcodes/

1.20 The postcode tier rates are applied to the insurers’ total gross written premiums¹⁰ excluding any fire services levy, stamp duty and goods and services tax. In order to apply the correct tier rates, insurers undertake the calculation at an individual policy level, that is, the location/postcode of each insured asset, and then aggregates this information as a total and reports it to ARPC once a quarter.

1.21 Periodic reviews of the postcode tiers have resulted in affected insurers in those postcodes experiencing an increase in their premiums when a postcode is moved to a higher tier. Since the commencement of the scheme, there have been three Ministerial Directions updating the postcode tiers — 2015, 2017 and 2019.

1.22 Since the inception of the scheme, there has been one change in the overall premium percentages across the three tiers, resulting in increased premiums for all participating insurers from 1 April 2016 (discussed further at paragraph 2.27).

Participation in the scheme

1.23 Participation in the scheme is optional and insurers can decide to cover the risk of terrorism damage themselves or purchase reinsurance from the private insurance market. The majority (99 per cent) of insurers that provide commercial property insurance in Australia choose to reinsure with ARPC. In 2017–18, there were 235 insurers that purchased reinsurance from ARPC, covering over 800,000 eligible properties with a combined total value insured of approximately $3.7 trillion.

1.24 Insurers that do not cover losses due to terrorism are eligible to participate in the scheme. The insurers’ policies are required to contain an exclusion clause, such as: ‘This Policy does not cover any damage, loss or liability caused by, or arising from any Act of Terrorism’. If an insurer includes terrorism risk, then its policies would not have an exclusion clause and the insurer would provide cover in the event of a terrorist incident causing commercial property loss.

1.25 Under section 6 of the TI Act, if the Minister declares that a terrorist incident has occurred, this renders terrorism exclusion clauses in eligible insurance policies invalid. It is important to note that the announcement of an event being a ‘declared terrorist incident’ is specifically for the purposes of the TI Act and allows eligible insurers to submit claims to ARPC. Other events may be considered terrorist attacks, but the consequences of the attacks do not impact commercial property in terms of damage and therefore do not require access to the scheme.

1.26 Since the commencement of the scheme, there has been one declared terrorist incident — the Lindt Café siege in Sydney on 15–16 December 2014. This resulted in claims being made by policy holders against their insurers, but as the amount of claims was below the insurers’ retentions¹¹, no claims were paid from the scheme.

1.27 Following the announcement of a declared terrorist incident, the scheme will provide cover, in excess of the insurer’s retentions, to those insurance companies that have a reinsurance agreement with ARPC and have paid their premiums.

1.28 The scheme’s financial arrangements are set out in Table 1.2.

Table 1.2: Scheme funding model

Note a: Industrial special risks insurance is an insurance that covers medium to large enterprises against financial losses they might incur because of loss or damage of their physical assets.

Note b: The reduction percentage is declared by the Minister if the total payments following a declared terrorist incident would be more than $10 billion. Discussed further at Chapter 2, paragraph 2.23.

Source: ANAO analysis.

Retrocession insurance

1.29 ARPC purchases its own reinsurance, which is known as retrocession reinsurance. Under the TI Act and the Explanatory Memorandum, the aim of this is to encourage the re-emergence of the commercial market to provide terrorism insurance coverage in Australia and to distribute ARPC’s risk.¹² ARPC negotiates and places an annual retrocession program with major global reinsurers, aiming for value-for-money while encouraging maximum global insurer participation.

Rationale for undertaking the audit

1.30 The Terrorism Reinsurance Scheme has been in place for 15 years and as at 30 June 2018 had a large claims funding capacity of $13.4 billion (including a $10 billion Commonwealth guarantee), funded through $169.6 million in annual premiums paid by the commercial insurance sector. The scheme is designed to ensure that Australia has the necessary cover to mitigate the risk of significant loss and negative impact on the economy in the event of a terrorist attack impacting commercial property.

Audit approach

Audit objective, criteria and scope

1.31 The objective of the audit was to assess the effectiveness of ARPC’s management of the scheme by addressing two criteria:

• Are there processes in place that support the effective administration of the scheme?
• Do governance arrangements enable the effective oversight and management of the scheme?

1.32 The audit scope included:

• policy approval and policy management processes, claims management processes and supporting policy and process documents;
• governance arrangements, including of the Board and supporting Committees, and risk management;
• stakeholder engagement activities; and
• monitoring and review of scheme performance, including the Department of the Treasury’s (Treasury) assessment of economy in providing the scheme.

Audit methodology

1.33 The audit methodology included:

• reviewing the processes that ARPC undertakes to administer the scheme, in particular the claims management process and its supporting systems and documentation;
• reviewing the legislation, budget papers, corporate plans, annual reports, review reports, meeting minutes and general publications such as bulletins etc;
• assessing the Board’s role and the Executive team’s role in overseeing the scheme;
• discussions with ARPC and Treasury.

1.34 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $224,000.

1.35 The team members for this audit were Renina Boyd, Sonya Carter, Nathaniel Loorham and Michelle Page.

What is the process for determining risk, managing capital and setting annual reinsurance premiums?

2.1 The actual likelihood of a terrorist attack is difficult to accurately assess. Insurance risks generally include two elements — losses are accidental and predictable. Terrorism risk differs in terms of the first element because it is driven by deliberate human action and the motives behind an attack vary widely and are generally political or personal in nature.

2.2 Predicting the possibility of a terrorist attack occurring in Australia is dependent upon the activities of Australia’s counter intelligence agencies. The National Terrorism Threat Advisory System classifies the likelihood of a terrorist attack occurring in Australia and is overseen by the Home Affairs portfolio.

2.3 The Terrorism Insurance Act Review 2018 stated: ‘Whilst the ARPC has developed significant capacity to model the potential losses that could occur in a range of scenarios, estimating the probability of such an event occurring remains inherently problematic’.¹³ ARPC is able to model the possible consequences of a terrorist attack causing damage to commercial property in Australia, and then estimate the loss. This modelling can assist in pricing terrorism risk.

Loss estimate modelling

2.4 Loss estimate modelling informs ARPC’s advice to the Minister on whether an actual event should be a declared terrorist incident (DTI). In addition, ARPC can advise the Minister of the likely costs to the scheme in the event of a DTI. This estimate can in turn inform the calculation of an appropriate reduction percentage (discussed further at paragraph 2.23).

2.5 The key elements of ARPC’s loss estimate modelling are:

• building loss estimation models;
• analysing metropolitan and rural areas in terms of population density changes;
• utilising the expertise of other government agencies; and
• taking advantage of new technologies such as geospatial modelling.

2.6 ARPC utilises two dimensional and three dimensional blast (bomb) and plume (chemical and biological) modelling to assess the total capacity required by the scheme to cover probable maximum losses in Australia’s major capital cities.

Two dimensional modelling

2.7 In 2007 ARPC engaged Macquarie University’s Natural Hazards Research Centre, Risk Frontiers, to develop a two dimensional model to assist ARPC to evaluate its financial exposure to bomb blasts. The two dimensional model is a map-based tool that calculates quick estimates of insured losses due to blast impacts. This model uses location and device size to calculate potential losses. It is particularly useful to give ARPC an immediate loss estimate when very little is known about the details of a blast.

Three dimensional modelling

2.8 Developed since 2009 in collaboration with Geoscience Australia and the Attorney-General’s Department, the three dimensional model incorporates both blast and plume capability, and gives a more precise estimate of loss. ARPC’s three dimensional blast model is intended to accurately analyse pressure waves and the resulting damage to commercial property from blasts in all Tier A postcodes. The blast model includes the most dense central business district areas of Sydney, Melbourne, Brisbane, Adelaide and Perth, with multi-location analysis conducted in those cities to review expected losses from different sized blasts. ARPC uses its insurers’ total sum insured in the three-dimensional model to estimate the loss.

2.9 ARPC, in collaboration with Geoscience Australia, also uses a three dimensional plume model to analyse exposure and potential damage from the release of a biological or chemical agent in the Sydney and Melbourne central business districts. This capability draws on the expertise of several government agencies including Geoscience Australia, the Bureau of Meteorology, Defence Science and Technology Group (in the Department of Defence) and the Australian Federal Police, as well as external consultants. ARPC regularly analyses various plume scenarios and extended this in 2017–18 to include mobile drone delivery systems of selected agents in Sydney and Melbourne.

Geospatial modelling

2.10 In 2017–18 ARPC engaged Risk Frontiers to design and build a geospatial blast model to estimate the damage to commercial property from a blast event that could occur at any Australian mainland location. It is an extension of the two dimensional model on a national scale using real-time satellite imagery, and will improve coverage for regional areas. The geospatial model is being developed during 2019.

2.11 Geoscience Australia forms an integral part of ARPC’s blast and plume analytical capability. ARPC entered a new three-year maintenance and development contract with Geoscience Australia for 2018–21 to keep the models current, and extend the modelling into some new geographical areas.

2.12 Geoscience Australia also prepares modelling reports so ARPC can confirm the scheme capacity is adequate. These reports are provided as part of ARPC’s DTI test exercises (discussed at paragraph 2.60), as well as at regular intervals to provide indications of probable maximum losses in the largest capital cities.

2.13 The results of the modelling are shared with ARPC’s reinsurance brokers who use the information to inform retrocessionaires¹⁴ of ARPC’s ability to estimate losses. By providing this modelling, ARPC is able to negotiate better value-for-money premium rates as the retrocessionaires are provided with some visibility of what the estimated financial impact of a blast attack would be.

2.14 In addition to the loss estimate modelling, there are two other key elements of the scheme which aim to minimise the risk of having to access the Commonwealth guarantee and the risk of exceeding the level of funding the guarantee provides. These are ARPC’s retrocession program and the reduction percentage, discussed below.

Retrocession program

2.15 The Terrorism Insurance Act Review 2006 recommended when ARPC’s pool of funds reached $300 million it should either build the pool further, or purchase reinsurance for the scheme or undertake a combination of the two. The first retrocession contracts commenced on 31 December 2008.

2.16 The benefits of purchasing retrocession reinsurance are to:

• increase the scheme’s capacity;
• protect the Australian Government from financial risk (that is, the risk of having to access the guarantee); and
• encourage the commercial insurance market to offer terrorism reinsurance and share the risk across reinsurers.

2.17 The use of a retrocession program transfers risk from the Australian Government to the private sector. The greater the retrocession purchased by ARPC, the lower the likelihood that the Commonwealth guarantee will need to be called upon. By increasing the scheme capacity, retrocession also reduces the likelihood of the Minister having to announce a reduction percentage (see paragraph 2.23).

2.18 ARPC has a number of requirements for its retrocession program, for example: ARPC should purchase at least $2.5 billion in cover; and should aim to have at least 15 retrocessionaires.¹⁵ The requirements for the retrocession program are informed by the ARPC Board risk appetite and tolerance statement, measures set in the ARPC Corporate Plan, and the reinsurance placement strategy that is approved annually by the Board.

2.19 ARPC’s retrocession program runs for one year from January to December. ARPC engages a reinsurance broker to assist in purchasing retrocession, administering the contracts, payment of premiums on behalf of ARPC and in the event of a DTI, managing claims with retrocessionaires. The use of a broker is a practical approach due to the complexity of the risk, the large number of participants geographically dispersed across the globe, and the specialist and large scale nature of the retrocession program.

2.20 The retrocession program is underpinned by ARPC’s:

• Retrocession Policy;
• Retrocession Placement and Administration Procedure; and
• Retrocession Signing Guideline.

2.21 The reinsurance broker develops a final proposal for the yearly retrocession program, which is reviewed by ARPC’s Retrocession Committee (comprising the Chief Executive, the Chief Underwriting Officer and one Board member) and submitted to the Board for approval.

2.22 In 2018, ARPC purchased $3.065 billion in retrocession reinsurance at a cost of $58.3 million across 68 retrocessionaires. In 2019, ARPC purchased $3.315 billion in retrocession reinsurance at a cost of $61.0 million noting ARPC was able to achieve a slight reduction in pricing from the 71 retrocessionaires and this offset some of the additional cost in purchasing an additional $250 million in capacity. This increased capacity in the retrocession program assists in lowering the risk of the scheme having to access the Commonwealth guarantee.

Reduction percentage

2.23 Following a terrorist incident, ARPC will undertake modelling of expected losses. If the Minister expects that the losses from a DTI are likely to exceed the $10 billion Commonwealth guarantee (in addition to ARPC’s retention and the retrocession) the Minister must declare a reduction percentage under the Terrorism Insurance Act 2003 (the TI Act).¹⁶ This effectively limits the level of cover an insurer is required to pay out to the policyholder, and the property owner will need to bear the loss. An example of how a reduction could be applied was provided by ARPC:

A DTI is announced and ARPC estimates losses to cost $20 billion. As a result, the Minister declares a reduction percentage of 31.63 per cent. This means all policyholders initially will be short paid their claim by 31.63 per cent. Eventually the total claims cost $11.5 billion and therefore the reduction percentage is reduced to zero over time, which means all policyholders ultimately receive their full claim.

2.24 As the example shows, if a reduction percentage is declared the Minister can reduce it if the number and value of claims is not as high as originally estimated, however the reduction percentage cannot be increased. It is therefore crucial that ARPC’s estimates are as informed as possible so that the scheme is robust and the Australian Government is not exposed to undue risk or financial pressure.

Determining premiums

2.25 Premiums are set by Ministerial direction through Treasury, and are determined by postcode categorised into three tiers based on population density. Insurers are charged a percentage of the premiums that they charge policyholders. Subsection 11(2) of the TI Act allows ARPC to charge premiums.

2.26 The Terrorism Insurance Act Review 2018 stated that it is difficult to assess terrorism risk on a contract-by-contract basis therefore the scheme adopts a ‘community rating’ approach to charging premiums. That is, premiums are charged at the same rates for all insurers depending on which postcode tier the insured property is located.¹⁷ This method of determining and charging premiums is set out in the TI Act. The explanatory memorandum to the Terrorism Insurance Bill 2002 states the reasons for setting premiums in this manner:

Initial calculations suggest reinsurance premium levels between two and 12 per cent (depending on risk and location, and averaging five per cent) of underlying commercial property insurance premiums would be adequate to build the pool and would not be a significant cost to smaller commercial property owners if the cost was passed on by insurers.¹⁸

2.27 In 2015 there was an overall increase in premiums¹⁹ as a result of the Review of the Terrorism Insurance Act 2015 which found that:

… the current level of premiums is not enough to provide a return on the equity held by the ARPC that will be used as the first tier of funding in the event of a claim. An increase in the premium pool is, therefore, recommended.

2.28 The 2015 review noted that the premiums charged under the scheme were materially lower than what a commercial reinsurer would charge, but ARPC still needed to generate sufficient premiums to cover its ongoing costs.²⁰ A significant component of ARPC’s costs are the payments it is required to make to the Australian Government as part of the scheme (discussed further from paragraph 2.32).

2.29 The 2015 review found that the ratios between the premiums under the tiered structure should be maintained (that is, the different percentages between tiers A, B and C) but the level of premiums be increased. Following the release of the Ministerial Direction in December 2015, ARPC applied the premium increase from 1 April 2016.

2.30 In the next triennial review (2018) the Australian Government Actuary was asked to assess whether the pricing of the scheme on insurers was appropriate. The Australian Government Actuary found that:

Overall, premiums are adequate in the current market in that they generate an adequate return on capital and support the operation of the fund. However it is impossible to determine if premiums are actuarially adequate to meet the future costs of claims. By their nature, such claims are highly uncertain and there is no statistically credible database against which to test the adequacy of premiums in this manner. Any assessment of the adequacy of premiums remains highly uncertain. It also remains dependent on the effectiveness of security forces operating in Australia.

2.31 Postcode reviews assess whether postcodes (as per the Australia Post postcode boundaries) have been appropriately allocated to a premium tier. As populations and postcode boundaries change over time, ARPC performs postcode reviews periodically so it can charge insurers the correct premium. Where necessary, following each review, ARPC makes recommendations to the Minister regarding postcode tier classifications. This most recently occurred in late 2018 where a number of postcodes went to a higher tier. When a new Ministerial Direction is issued following a postcode review, a reasonable period of time is usually provided for ARPC to inform insurers of the changes. For example, the Terrorism Insurance (Premiums) Direction 2019 was made on 22 January 2019, with postcode changes taking effect from 1 July 2019.

Payments to the Australian Government

2.32 Subsection 38(3) of the TI Act allows the Minister to direct ARPC to make the following payments to the Australian Government:

• payments designed to ensure that ARPC does not have a competitive advantage once the commercial reinsurance market has re-emerged; and
• payments in the nature of dividends.

2.33 From the commencement of the scheme, ARPC has had the backing of a Commonwealth guarantee of $10 billion and it was always the intention of the TI Act that the Government would be compensated for providing this guarantee.²¹

2.34 In the early years of the scheme’s operation, no payments were required by the Government so that ARPC could build its net assets. In 2010–11 ARPC’s net assets peaked at over $600 million. As this was deemed sufficient net assets for ARPC, payments to the government commenced in 2011–12. This followed the Australian Government Actuary’s advice that the payment of annual amounts would not materially reduce the likelihood that the scheme could fully meet the costs arising from one or more DTIs. Table 2.1 sets out the payments to the Australian Government (past and future planned payments).

2.35 The payment arrangements for 2018–19 are discussed in further detail below, including actuarial consideration of the payments from the reviews of the Terrorism Insurance Act in 2015 and 2018.

Commonwealth guarantee fee

2.36 Since 2014–15 ARPC has paid $55 million per year as an annual charge for the $10 billion Commonwealth guarantee. The Australian Government Actuary states that the guarantee effectively operates like a layer of retrocession above the $3.315 billion purchased by ARPC. The $55 million is equivalent to a rate on line²² of 0.55 per cent of the guarantee and was set to be less than what commercial reinsurers charged.²³

Capital holding fee

2.37 In addition to the Commonwealth guarantee fee, the 2015 review of the scheme also recommended the introduction of a capital holding fee as compensation for the Government allowing ARPC to retain the capital built up over time from premiums charged to the insurance industry.²⁴ The 2015 review recommended: ‘… an additional amount of $35 million per annum to reflect the Commonwealth’s support in making the ARPC reserves available for payment of claims’. Background on the amount of the fee was discussed in the 2015 review which stated:

… the cost of the ARPC to reinsure the first $360 million of losses in the private market, which would currently be funded using the capital retained by the ARPC, would be between $30 million and $70 million. A similar value of $35 million is obtained by the Australian Government Actuary based on the ARPC holding a capital pool of $500 million. Both of these calculations draw on actual premiums paid by the ARPC for retrocession.

Dividend

2.38 From 2018–19, ARPC is paying a temporary dividend of $10 million to the government as the sole shareholder of the scheme. ARPC advised that it is classified as a ‘for profit’ government-owned corporation and, as such, pays dividends.

Total payments to Government

2.39 In summary, ARPC will collect approximately $170 million in premiums in 2018–19, and will pay $100 million to the Australian Government.

ARPC’s capital management

2.40 ARPC has a capital management policy which sets the methodology for calculating the appropriate target level of capital required in order for the scheme to meet its functions as per the TI Act, and be able to pay claims within its retention limit. Annually, ARPC calculates the capital thresholds and capital zones in the Capital Management Procedure prior to approval by the Board. ARPC’s capital thresholds for 2018 are set out in Table 2.2.

Table 2.2: ARPC capital thresholds 2018

Source: ARPC Capital Management Procedure 2018

2.41 APRC builds its capital reserves from premiums paid over time. Reserves have built up to substantial levels as there have been no claims made. As at 30 June 2018 the scheme had paid approximately $845 million to the Government, noting that $330 million of this was one-off dividends and special contributions between 2012–13 and 2017–18.

2.42 ARPC’s net assets in 2017–18 were $426 million, which was under the target capital threshold of $445 million. To assist ARPC to rebuild to its target capital level, in 2018–19 Treasury implemented the annual $10 million dividend and ceased the special distribution of $57.5 million.²⁵

2.43 In the 2018 review, the Australian Government Actuary regarded ARPC’s current capital as the ‘minimum appropriate level’ and stated that allowing the net assets to grow steadily over time towards ARPC’s maximum level would increase the resilience of the scheme.²⁶ The Actuary also recommended that Treasury consider the actions likely to be required following a material DTI to recapitalise ARPC.²⁷ In the event a DTI is announced and ARPC’s capital reserves are called on to pay claims, the Minister may increase premiums to the sector, which will rebuild ARPC’s capital reserves. However, in the context of the amount of premium revenue which has been transferred to Government over the period of the scheme, it may be appropriate for Treasury to consider recapitalisation from the budget and/or whether ARPC’s capital and payments to the Government could be adjusted. The scheme could then be strengthened in a way which would minimise the need for premium increases.

Are there effective processes for accepting policies, collecting premiums and assessing ongoing participation requirements?

Accepting policies

2.47 ARPC is not required to have a formal insurance policy approval process and instead, terrorism reinsurance cover is provided to any insurer that meets the requirements of the scheme and opts to take cover through the Reinsurance Agreement for Terrorism Risks (the agreement). Reinsurance provided by ARPC continues until the agreement is terminated by either the insurer or ARPC.

2.48 In October 2017 ARPC completed a significant update to the agreement through an insurance endorsement.²⁸ Following two rounds of stakeholder consultation and Board approval, ARPC made 16 changes to the agreement to overcome issues affecting the efficient operation of ARPC which were generally due to the agreement remaining largely unchanged since 2003. Updates included: ARPC being able to charge interest on outstanding premiums; enhanced termination rights for failure to pay premiums; and clarifying terminology that had caused some uncertainty. Three months’ notice was to be given prior to the changes taking effect, which ARPC provided to insurers in May 2017. The changes to the agreement were managed well by ARPC.

Collecting premiums

2.49 Under the agreement, insurers pay ARPC premiums on a quarterly basis.²⁹ Within 30 days of the end of each quarter (also known as the remittance date) insurers are to provide ARPC with:

• a statement setting out the total amount of premium payable to ARPC;
• payment of the premium; and
• notification that the premium has been paid.

2.50 Insurers that do not pay their premiums by the remittance date are identified through an age analysis report that ARPC produces on a weekly basis, and is reviewed by ARPC’s Chief Financial Officer each month. The report enables ARPC to identify and take action on debt in accordance with the reinsurance agreement and ARPC’s debt management policy. This policy requires ARPC to contact the insurer at 30 day intervals with escalating notices (see Table 2.3 below).

Table 2.3: ARPC debt management

Note a: Notice 3 can also provide notice of ARPC’s intent to terminate the agreement.

Source: ANAO analysis of ARPC debt management policy.

2.51 As at March 2019 there was $162,354 in outstanding premiums payable to ARPC, $26,812 of which were overdue by more than 90 days. This is a low amount relative to the $169.6 million in premiums paid to ARPC in 2017–18.³⁰

2.52 In pursuing debt, ARPC did not fully follow its process of issuing escalating notices at intervals as set out in its debt management policy. Of the six cases the audit reviewed³¹, ARPC emailed insurers notifying them of the outstanding premiums and seeking payment, however, there were some delays between premiums becoming overdue and ARPC contacting the insurers. ARPC advised that insurers with debt exceeding 90 days were based overseas, resulting in some language and business administration barriers which caused delays. Although the process was not strictly followed for the six cases reviewed, the very low levels of debt ARPC maintains and the key controls in place to monitor debt indicate that the overall process followed is suitable.

Assessing participation requirements

2.53 There are a number of fundamental requirements insurers must satisfy to take reinsurance cover with ARPC. To ensure that insurers are compliant with the requirements of the scheme, ARPC performs a rolling program of insurer reviews. ARPC’s reviews assess whether insurers:

• have processes to:
  • identify eligible insurance contracts (including a terrorism exclusion clause);
  • allocate risks to tiers;
  • calculate premiums;
  • remit premiums to ARPC;
• are submitting accurate quarterly premium reports to ARPC;
• are submitting accurate annual aggregate reports to ARPC;
• have claims processes capable of handling a DTI;
• are aware of their claims reporting obligations under the reinsurance agreement; and
• have business continuity and disaster recovery plans.

2.54 ARPC adopts a risk-based approach to its review program, aiming to review all Australian insurers, and a significant portion of Singapore and London-based insurers, once every two to three years. These insurers represent 98 per cent of ARPC’s premium income. ARPC advised that in 2019 it is refreshing the work program with a focus on improving review processes, templates and reports.

2.55 The audit analysed the insurer reviews performed by ARPC over 2017–18 and 2018–19. The reviews were fit-for-purpose in assessing insurer’s compliance with the scheme’s participation requirements and provided the opportunity to identify instances of non-compliance. Where issues were identified, ARPC made appropriate findings and recommendations, most of which were accepted by insurers.³²

Is there an effective claims management process and arrangements for paying claims?

2.56 No claims have been made against the scheme to date therefore it has not been possible to assess ARPC’s claims process in practice. However, ARPC has established a claims procedure and completed a range of work in preparation for claims to be made against the scheme.

Claims management

2.57 In April 2018 ARPC reviewed its claims procedure to make it easier to follow. This resulted in a more linear documented procedure which guides staff through the claims process step-by-step. Previous versions of the claims procedure were not formatted in this way and involved significant interpretation by ARPC staff, increasing the risk of process failure following a DTI. The re-write of the procedure also better aligned the process with ARPC’s RISe Claims system — the browser-based system used to manage claims.

2.58 The claims process consists of five main stages as shown in Figure 2.1.

Figure 2.1: Stages in ARPC’s claims process

Source: ANAO analysis of the ARPC Claims Procedure.

2.59 Each of the stages in Figure 2.1 contain appropriate controls to prevent ineligible claims being approved and paid. These were a mix of manual controls and IT controls (enforced through the RISe Claims system). Some examples of controls in the claims process are outlined in Table 2.4.

Table 2.4: Examples of claims process controls

Source: ANAO analysis.

2.60 In order to evaluate and improve its response to a DTI, ARPC conducts test events³³ twice a year.³⁴ The DTI test events are planned in accordance with a strategic risk-based test plan. The audit reviewed the DTI test events for 2017 and 2018 and found the tests provide an appropriate mechanism for ARPC to understand its performance and identify areas of weakness.

2.61 Some recent test events have focused on the claims process, providing ARPC with confidence in that process. In October and December 2017, ARPC conducted events that tested the previous version of the claims procedure, with elements of the re-written process tested during the March 2018 and November 2018 events. Each event has resulted in improvements being made to the process. Following the November 2018 event, ARPC’s internal auditors found ARPC’s response to the DTI scenario to be robust, including ‘preparation of systems and document repositories to capture and manage claim submissions’. ARPC could consider running an end-to-end test of the claims process in a future DTI test event to verify all aspects of the process, including the changes to the process discussed at paragraph 2.57.

2.62 In preparation for a DTI, ARPC also gained assurance that its RISe Claims system, which automates most of the claims process workflow, will perform as designed. In 2018 ARPC tested the end-to-end RISe Claims workflow and recent system functionality enhancements. The RISe Claims system passed all major milestones during testing, and ARPC has scheduled a further desktop review of RISe Claims for later in 2019.

Payment of claims

2.63 As no claims have been paid against the scheme, there is no historical basis for determining whether there is an effective process for paying claims. However, ARPC’s documented process for paying claims adopts a similar method to that used to pay its other accounts payable. ARPC utilises Treasury’s Financial Management Information System in a shared services arrangement for the payment of claims.

2.64 Following a DTI and in line with the claims procedure, ARPC intends to audit 80 per cent of claims by total value. Post-DTI audits will assess the accuracy of claims paid, including identifying any payments wrongfully made (for example, due to a claim failing to be correctly adjusted and quantified). To support its post-DTI audits, ARPC has developed a draft audit methodology and as at March 2019, was investigating potential IT support tools.

Are there regular reporting and reviews of the scheme?

Triennial reviews

3.1 Three yearly reviews of the Terrorism Reinsurance scheme are mandated under the Terrorism Insurance Act 2003 (the TI Act). These reviews have been undertaken since 2006, and are conducted by Treasury.

3.2 The primary function of the triennial reviews is to assess the continued need for the scheme due to market failure in terms of terrorism insurance coverage. Earlier reviews broadly assessed the effectiveness and efficiency of the scheme, and over time the reviews have focused on emerging issues. For example, the 2015 review examined whether the scheme should be extended to mixed use and high value residential buildings, and if the overall pricing of the scheme remained appropriate. The 2018 review explored emerging issues such as the risk of property damage resulting from cyber terrorism and included a report from the Australian Government Actuary.³⁵ From 2015, the reviews have also included assessments by external providers to inform Treasury’s analysis.

3.3 In 2015, the terms of reference included investigating possible alternative models of ownership for ARPC and the related costs and benefits. Based on overseas models, the options explored included private sale and a mutual structure. The 2015 review concluded that there was no compelling case for a major change in the ownership or administration structure of ARPC in the short term. It also concluded that if market conditions change, further consideration could be given to alternative options and that the appropriate next step would be to undertake a scoping study to consider the viability of those options.

3.4 Each review to date has confirmed that a market failure continues for terrorism insurance, and the need for the scheme (and ARPC) to continue to fill this gap. The triennial reviews have also included a range of recommendations since 2006, such as:

• the purchase of retrocession once the fund reached $300 million;
• increased retentions;
• the payment of dividends to the Australian Government;
• increased premiums; and
• extension of the scheme to mixed use and high value property.

3.5 As outlined at Appendix 2, the triennial review recommendations were almost all accepted and implemented. The two recommendations that were not accepted had reasonable justifications after further analysis and investigation was undertaken by ARPC and Treasury.

3.6 The next review scheduled for 2021 will again examine the need for the scheme and may address other emerging issues such as cyber terrorism.

Measuring and reporting performance

3.7 The purpose of ARPC as expressed through its vision and mission is ‘To be an effective provider of terrorism risk insurance that facilitates private participation, supports national resilience and reduces losses arising from catastrophic events caused by terrorism’.

3.8 The corporate plan is the source of an entity’s performance criteria. The corporate plan is also expected to ‘set the foundations upon which a reliable performance narrative can be built’³⁶ and having appropriate performance criteria assists an entity in meeting this expectation.

3.9 ARPC has developed four key performance indicators (KPIs) and six performance measures to cover its activities as set out in Table 3.1.

Table 3.1: ARPC’s key performance indicators and performance measures

Source: ARPC Corporate Plan 2018–22.

Assessment of appropriateness of ARPC’s KPIs and performance measures

3.10 The Department of Finance’s (Finance) Resource Management Guide No. 134 Annual Performance Statements for Commonwealth Entities notes that ‘appropriate performance information is relevant, reliable and complete’.³⁷ The audit’s assessment of ARPC’s performance criteria against these characteristics is shown in Table 3.2. The basis for this assessment is drawn from the characteristics of ‘good performance information’ defined by Finance.³⁸ It should be noted that Finance’s guidance on performance information has a best practice focus rather than prescriptive rules.

3.11 The audit assessed whether ARPC’s performance information was:

• Relevant — each measure clearly indicated who benefited from the activity, was linked to the purpose as expressed through its vision and mission, and was understandable;
• Reliable — each measure is measurable (including a benchmark or basis of targets), and free from bias;
• Complete — the package of performance measures as a whole collectively address the organisation’s purpose, and is balanced, for example, contains both quantitative and qualitative measures.

3.12 In assessing ARPC’s performance information, the audit examined the measures, assessment criteria, KPIs and the detail under those measures set out in ARPC’s corporate plan. The results of the analysis are provided in Table 3.2.

Table 3.2: ANAO’s assessment of ARPC’s performance information

Source: ANAO analysis of ARPC’s annual report and corporate plan.

3.13 Four of the six ARPC performance criteria fully met the characteristic of ‘relevant’. There would be benefit in ARPC more clearly articulating how performance measures four and five are related to its purpose.

3.14 Four of the six ARPC performance criteria fully met the characteristic of ‘reliable’. ARPC should consider: more clearly articulating the rationale for the retrocession program targets for measure three; and including a target for progress or completion of measure six and an indicator of effectiveness.

3.15 ARPC’s performance measures as a whole mostly demonstrated the characteristic of ‘complete’. The majority of ARPC’s performance measures are quantitative and mostly financial in nature, however this is appropriate given the nature of ARPC’s business. The measures are aligned to the activities in the corporate plan which provides a collective basis for assessing progress against ARPC’s purpose, however, the performance measures do not capture all of ARPC’s activities. For example, ARPC undertakes a substantial amount of stakeholder engagement and communication activities, but at this point in time does not measure and report on the overall effectiveness of those activities (discussed at paragraph 3.63).

3.16 As ARPC is currently reviewing its corporate plan, this is a timely opportunity for ARPC to assess its KPIs and performance measures to ensure they provide a holistic view of its performance.

Does the board effectively exercise its roles and responsibilities, and oversee risk?

ARPC Board administration

3.17 The ARPC Board has developed a Charter that is clearly aligned with the TI Act and sets out the Board’s obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Board charter was initially drafted and adopted in 2004, and has undergone numerous revisions since then.

3.18 Board meetings occur approximately six times each year. These are well attended with all but one of the seven Board meetings examined having full attendance. The Board makes decisions in line with its powers as outlined in the TI Act and the Board Charter. The minutes for these meetings are comprehensive and action items are tracked and closed when completed.

3.19 The audit examined the process for the past two appointments to the ARPC Board, including the Chair. ARPC conducted a robust merit-based process, including engagement of a specialist recruitment agency which undertook the assessment to select candidates to recommend to the Minister. As per section 13 of the TI Act, the Minister appointed the Board Chair and Board member position from a pool of candidates.

Conflict of interest

3.20 The ARPC Board has a conflict of interest policy for its members which includes a three stage process: avoid the potential conflict where possible; disclose the potential conflict to the Board as soon as practical; and implement controls specific to the issue to overcome the potential for the conflict to impact on ARPC’s business and reputation. Actual or potential conflicts of interest are discussed and recorded at the start of each Board meeting. Conflicts of interest can also be reported to the Chair or Board Secretary at any time.

3.21 The controls for dealing with actual or perceived conflicts of interests can include exclusion from sections of Board meetings relating to the conflict, and seeking legal advice where necessary. When a potential conflict of interest arose in 2017–18, the ARPC Board followed those measures, including seeking legal advice and acting on it.

3.22 Section 16 of the TI Act includes obligations regarding conflicts of interest:

A member must not engage in any paid employment that, in the Minister’s opinion, conflicts or may conflict with the proper performance of the member’s duties.

3.23 In practice, this means that the Minister is to be informed as soon as possible of any paid employment that may conflict with, or be perceived to conflict with, a Board member’s role. While a potential conflict of interest was managed appropriately by the Board and ARPC when it arose, the final requirement of informing the Minister was not undertaken. After this issue was raised by the ANAO during the audit, ARPC subsequently advised the Minister by letter on 20 March 2019, as required by the TI Act.

Board performance reviews

3.24 The ARPC Board Charter states that the Board is to review its performance each year. Issues reviewed may include:

• its success in pursuing ARPC’s objectives;
• committee³⁹ effectiveness;
• procedural matters (including meetings frequency and detail, conduct of meetings, protocol and clarity of roles); and
• individual performance (including attendance, contribution and knowledge of briefs).

3.25 The ARPC Board has not consistently conducted yearly Board performance reviews. The Board conducted reviews from 2003 to 2009, and in 2012, 2013, and 2016; however, no reviews were conducted for the other years.

3.26 The ANAO reviewed the three most recent Board performance reviews from 2012, 2013 and 2016. The 2012 and 2013 reviews were self-assessments, and the 2012 review suggested no further action. The 2013 review found that the Board should establish closer links with Treasury and the Minister after the Federal election; establish a clear set of expectations for the new CEO; and ensure clarity around the separate roles and obligations of the Board and the executive management team. ARPC has since implemented each of these recommendations.

3.27 The externally facilitated 2016 Board assessment found the Board was an effective decision maker with a strong shared understanding of the challenges facing ARPC. It made 18 recommendations including stakeholder engagement; advising Government on crisis planning; review of the strategic plan; and building board resilience. ARPC Executive and Board agreed to eight of these recommendations, and restructured some of the recommendations to suit ARPC’s operating environment.

3.28 The Board intends to conduct a self-assessment of its effectiveness in 2019.

3.29 Although the ARPC Board has assessed its performance periodically, it should also assess the frequency of the performance reviews, for example, whether they should be undertaken annually or less regularly. The Board should then ensure its Charter reflects this and commit to undertaking the reviews.⁴⁰

Alignment with PGPA Act requirements for public sector boards

3.30 As a corporate commonwealth entity, ARPC and the ARPC Board are subject to the requirements of the PGPA Act and the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

3.31 Key requirements of the PGPA Act and PGPA Rule as they apply to the accountable authority (the ARPC Board) and an assessment of their compliance are set out in Table 3.3. The ARPC Board arrangements are all compliant with the key applicable PGPA requirements.

Table 3.3: Assessment of ARPC Board against key PGPA requirements

Source: ANAO analysis.

3.32 Although the Commonwealth Risk Management Policy is not mandatory for ARPC, its corporate plan indicates it chooses to align with this policy as a matter of better practice. The Board receives reports on risk at each meeting, including performance against the risk appetite and tolerance statement and a summary of the risk register. The Board also undertakes a yearly strategic workshop where the risk appetite and tolerance statement is reviewed and endorsed. The results inform key areas of ARPC’s management of the scheme such as capital management, investments and retrocession reinsurance purchase.

Do ARPC staff functions directly support the operation of the scheme?

Staff responsibilities

3.33 In 2017–18, ARPC maintained a core team of 22 people to undertake the business-as-usual functions to support the operation of the scheme.

3.34 ARPC initially started with seven staff when the scheme was introduced in 2003. Once the scheme started to build momentum and ARPC had more insurers and increased net assets, staffing levels increased in proportion to the scheme’s maturity. Over the past five years, staffing levels have remained stable at between 20 and 22 staff.

3.35 As set out in Figure 3.1, ARPC is led by a Chief Executive and three senior executives (who are equivalent to SES officers). Their roles are specific and there is a clear delineation of responsibilities.

Figure 3.1: ARPC’s organisational structure

Source: ARPC Annual Report 2017–18.

3.36 ARPC’s structure, staff roles and staff levels reflect the type of work that the organisation undertakes on a day-to-day basis as it provides a specific insurance product which in turn requires a level of specialist expertise. Some of the key activities undertaken on a daily basis that are essential to the operation of the scheme are: loss estimate modelling, managing the retrocession program, undertaking insurer reviews to ensure compliance, client relationship management, finance and investments, supporting the Board, communications and general administrative support such as IT and human resources.

3.37 Common corporate functions of the organisation such as payroll, the finance system, travel, IT helpdesk, protective security and hardcopy publishing are provided by Treasury.

3.38 In 2017–18 ARPC’s total staffing costs were $4.3 million which is approximately 60 per cent of ARPC’s overall operating costs for that year ($6.9 million). With net assets of $426 million and annual premium income of $169.6 million, the operating costs of ARPC are very low. This is primarily because ARPC is a ‘business to business’ operating model and deals with insurance companies which have one reinsurance agreement with ARPC to cover all of the insurer’s policies, rather than individual policies with property owners or individuals. This means that ARPC does not need to have support such as sales staff, advertising and high volume claims processing.

3.39 ARPC reviews its organisational structure as required. In 2017–18 ARPC discontinued two senior executive positions: General Manager Insurance Audit and Claims; and General Manager Governance, Risk and Compliance. The functions were split between the Chief Financial Officer and Chief Operating Officer and two new EL2 roles were created to manage functions that were considered priority areas for ARPC’s operations: insurance audit; and governance and board secretariat.

3.40 ARPC chooses to align its staffing classification with the Public Service Act 1997 because it sits within the Treasury portfolio and is an Australian Government agency. The salary structure is similar to Treasury’s.

3.41 Around 60 per cent of APRC staff have an insurance background, including the senior executives who all have extensive insurance and/or finance backgrounds.

Managing segregation of duties and fraud risk

3.42 In small organisations, there is a risk that inadequate segregation of duties could lead to a higher risk of undetected errors or fraud. The 2017–18 ANAO financial statement audit found that ARPC has ‘…endeavoured to establish and maintain segregation of duties for a number of functions, including the preparation and review of reconciliation, request and approval of expenses and investments transactions’.⁴¹

3.43 Other ways that ARPC mitigates segregation of duties risk is by ensuring that claim approvals must have dual sign-off by ARPC staff, as well as claim payments (however these are made by separate staff to the claim approvers). This dual sign-off must be provided to Treasury before payments can be made.

3.44 ARPC’s Fraud Control Policy 2018–20 sets out the measures that the organisation will take to prevent, detect and deal with fraud in accordance with section 10 of the PGPA Rule, with the aim of protecting ARPC’s finances, information, property and reputation. The Fraud Control Policy is informed by the Fraud Risk Assessment, which was undertaken in mid–2018 and covered organisational policies and procedures on: financial management, claims, assets, procurement, travel, IT, retrocession reinsurance purchasing, and staff compliance matters. Overall, the risk assessment found there were four medium risks, 16 low and 11 very low.

Surge strategy

3.45 ARPC, as part of the ARPC Claims Procedure, developed a surge staffing plan so that it is able to manage claims activity following a declared terrorist incident. The number of temporary staff to be hired under the plan corresponds with the size of the incident, with small incidents expected to be handled within existing resources. ARPC established arrangements with recruitment firms to allow for the timely filling of surge staffing positions following a large event with significant claims against the scheme.

Specialist advice

3.46 Where specialist expertise is required or projects are undertaken, ARPC will procure consultants or contractors. In 2017–18 ARPC procured assistance for:

• capital management advice;
• retrocession advice;
• legal advice;
• communications support or advice;
• some staff development and recruitment, for example, the surge strategy; and
• additional IT support where required, for example, cloud migration.

Strategic projects

3.47 In addition to undertaking its business-as-usual activities, ARPC undertakes specific projects to support the insurance industry, inform the scheme’s evolution, or enhance the operation of the scheme, for example, the blast modelling discussed in Chapter 2. Examples of two other current strategic projects are provided in Appendix 3.

Are there effective stakeholder engagement and communications activities?

3.48 Stakeholder engagement is one of ARPC’s strategic priorities outlined in its corporate plan: ‘Engage, understand and collaborate with stakeholders’. ARPC has a Board-endorsed Communications and Media Strategy (the strategy) which covers matters such as:

• communication channels;
• ARPC’s key communications products;
• social media procedure (based on Treasury’s social media guidelines); and
• working with the media and managing communications in the event of a DTI.

3.49 The strategy also sets goals for ARPC’s communications and media activities including, for example: increasing awareness of ARPC and the scheme; confirming ARPC as a trusted expert in terrorism reinsurance and terrorism risk mitigation measures; and publishing articles to promote the scheme.

ARPC communications

3.50 ARPC produces a range of communications material and products designed to inform insurers and other stakeholders about the scheme, outlined in Table 3.4.

Table 3.4: ARPC communications material

Source: ANAO analysis of ARPC publications.

Stakeholder engagement

3.51 ARPC’s key stakeholders are shown in Figure 3.2 below.

Figure 3.2: ARPC stakeholders

Source: ANAO analysis of ARPC stakeholders.

3.52 ARPC interacts with its stakeholders in a variety of ways, depending upon the nature of the relationship. For insurers, ARPC has regular contact through phone discussions, letters and email correspondence for matters relating to their policies, DTIs, insurer reviews, updates on the scheme, and other communications such as information on research and emerging issues.

3.53 ARPC also interacts with the insurance industry and other stakeholders through:

• annual retrocession program consultations undertaken by the Chief Executive and Chief Underwriting Officer with retrocessionaires;
• the ARPC Annual Terrorism Risk Insurance Seminar (see more detail in paragraph 3.54 below);
• attendance at functions and the annual Organisation for Economic Cooperation and Development (OECD) Global Terrorism Risk Insurance Conference;
• participation and membership of International Forum for Terrorism Risk (Re)Insurance Pools (IFTRIP);
• networking functions with the ARPC Board; and
• face-to-face meetings.

3.54 The ARPC Annual Terrorism Risk Insurance Seminar is the most significant stakeholder event organised and hosted by ARPC. In November 2018 (the third annual seminar) the event focused on Australia’s counter-terrorism environment, cyber terrorism, private security guard forces in Australia and other insurance issues. Presentations were made by representatives from the Australian Security Intelligence Organisation, the Australian Strategic Policy Institute and the OECD, with nearly 90 people in attendance.

Communication with the media

3.55 ARPC has a media policy in place, with the most recent version approved by the Board in May 2018. It sets out how ARPC will manage communications with the media in business-as-usual and DTI environments, led by the Chief Executive as the key contact officer. The policy references ARPC’s Social Media Procedure which provides guidance to ARPC staff on how to appropriately manage social media platforms such as LinkedIn.

3.56 Since early 2018, ARPC has engaged a PR firm to assist ARPC to manage media and public communications in the event of a DTI. This includes media training for ARPC executive and Board members, and overseeing and evaluating the communications aspects of the DTI test exercises.

Engagement with government agencies

3.57 Meetings between ARPC and Treasury officials are held quarterly and typical topics of discussion include the triennial reviews, Board appointments and renewals, postcode reviews (for premium calculation), and updates on strategic projects. ARPC also aims to meet with the Minister twice a year.

3.58 ARPC regularly engages with other Australian Government agencies as well as state and territory governments and city councils. In 2018, ARPC met with agencies such as the Australian Government Actuary, the Department of Defence, Geoscience Australia, the Australian Prudential Regulation Authority, the Australian Security Intelligence Organisation, and the Department of Home Affairs. ARPC also engages with departments and agencies for specific purposes, for example, with Attorney-General’s Department for the development of the three dimensional blast model (see paragraph 2.8).

ARPC’s planning and monitoring of stakeholder engagement and communication

3.59 ARPC maintains an annual Stakeholder Engagement Timetable which sets out which stakeholders ARPC is planning to meet with, the contact persons, frequency of meetings, planned dates (by quarter), actual meeting dates, and which ARPC staff members attend. A summary of stakeholder meetings is submitted at every Board meeting as an attachment to the Chief Executive’s report.

3.60 ARPC monitors some of its communications products through website metrics and social media statistics. The strategy mentions the various measurements and metrics that will be used, however there is no detail as to how these will be applied to assess success or areas for improvement and the audit observed no specific reporting of results to date.

3.61 APRC also does not formally measure stakeholder engagement effectiveness. The stakeholder timetable tracks who ARPC met with and when, but not how the interactions went. The strategy states that ARPC will ask stakeholders two questions to seek feedback on ARPC’s engagement activities:

• Are you satisfied with the contact you are having with ARPC?; and
• Is there anything you think we should be doing to improve it?

3.62 ARPC is yet to commence this in a formal sense and would benefit from implementing a method to seek this feedback from as many stakeholder interactions as possible.

3.63 ARPC considers stakeholder engagement and communication to be important aspects of its management of the scheme. The ARPC Communications and Media Strategy is inclusive and sets out how ARPC will engage with stakeholders, the goals it aims to achieve and types of communications activities and products. ARPC is yet to commence formal evaluation and reporting on the effectiveness of the strategy’s stakeholder engagement and communications activities against agreed performance indicators.

Appendix 1 Entity responses

Appendix 2 Recommendations outlined in the Triennial Reviews

Note a: As part of this process, ARPC models the impact of any reallocation of postcodes to different tiers and advises the Government of its findings.

Source: ANAO analysis of ARPC documentation, including triennial reviews and board minutes.

Appendix 3 Examples of ARPC’s strategic projects

Risk mitigation handbook for business

1. In May 2018, Standards Australia accepted a proposal by ARPC to develop a Physical Protective Security Treatments for Buildings Handbook. This resource will potentially reduce the risk to the scheme by supporting Australian owners and operators of large-scale commercial buildings and infrastructure to assess the risk of terrorist attacks to their assets, and develop suitable treatment measures to protect their assets. The Handbook will reference existing standards, industry expertise and government advice/information.

2. The project was initiated by ARPC in response to its strategic priority ‘Thought leadership and stakeholder engagement’. ARPC is the ‘nominating organisation’ and ‘drafting leader’ of the handbook. It is not required to provide any financial commitment to the project but instead to support Standards Australia in the development and authoring of technical and non-technical draft content and the provision of specialist advice. ARPC’s Chief Underwriting Officer, Manager of Terrorism Risk Mitigation and the Communications Officer are the key staff working with Standards Australia on the handbook.

3. The final product will be available for purchase from Standards Australia but there will be a link to the handbook from ARPC’s website and it will be publicised through ARPC’s other communication and stakeholder engagement channels.

4. The project has also helped to inadvertently inform the cyber terrorism research project (see next item below) as Standards Australia’s project managers have been able to identify some IT stakeholders through their networks.

Insurance risk assessment of cyber terrorism in Australia research project

5. ARPC has engaged the OECD Directorate for Financial and Enterprise Affairs and the Cambridge Centre for Risk Studies to undertake a 12 month research study into the nature and cost of physical damage to commercial property (including business interruption) caused by acts of cyber terrorism.

6. The study will identify and explore current and prospective threats, likely scenarios as well as the practicalities of extending insurance coverage to include cyber terrorism in Australia. The project is managed by ARPC’s Communication Officer and the CFO is the project’s executive sponsor.

7. The final report, expected to be completed at the end of 2019, will be shared with Treasury to inform the next triennial review of the scheme and whether there is enough of an evidence base to expand the scheme to cover cyber terrorist attacks. The report may also be shared externally with stakeholders and a wider audience, if ARPC deems it appropriate.