Your governance and risk survival guide to the new financial year

The new financial year is fast approaching, and with it come changes and milestones across key governance and risk management issues.

Following last month’s federal election and change in government there will be more change to come as 2022 progresses. In the meantime, here’s our guide to what’s ahead for the governance and risk professional on the following issues:

  • A net zero climate change roadmap for Australia
  • The introduction of a national ICAC
  • Modernising the Corporations Act and Treasury portfolio laws
  • Digital Transformation falls to finance
  • Critical infrastructure laws
  • Exceptions to Director Identification requirements.

A clear net zero roadmap for Australia

The newly elected Labor government has announced plans for a new super department focusing on climate, energy and the environment in a bid to meet community and economic pressure to normalise net zero targets and reduce real-world emissions.

The new portfolio will be charged with delivering the Government’s “job-creating climate change and energy agenda and give Australia’s environment the protection it deserves”.

Public concern over climate change was a clear factor in the election of Australia’s new Labor government, with Prime Minister Anthony Albanese doubling down on his commitment to implement real change, determined to establish Australia as a renewable energy superpower.

Following Labor’s win, the new government is determined to stick to the climate policies it took to the election and will be held accountable by the teal independents and Greens MPs – all of whom campaigned heavily for stronger climate action.

Labor’s Powering Australia plan pledges to reduce national greenhouse gas emissions by 43% by 2030, based on 2005 levels, and is more ambitious than the previous government’s 2050 net zero target.

The new administrative arrangements will come into effect on July 1, 2022.

The introduction of a national ICAC

Labor’s pledge to formulate legislation for a national anti-corruption commission by the end of 2022 is shaping up as the first big test for the new government.

Prime Minister Anthony Albanese has promised a national ICAC would be given "the scope to look at what they see fit" free from interference from outside influences.

Under the arrangement, Labor has outlined seven design principles for a federal ICAC it says will have “broad jurisdiction to investigate Commonwealth ministers, public servants, statutory office holders, government agencies, parliamentarians, and personal staff of politicians” for “serious and systemic corruption”.

It would be able to hold public hearings, examine public tip-offs, investigate MPs and ministers, act retrospectively, and make findings of corruption.

The deadline for establishing the independent commission is the end of 2022.

Modernising the Corporations Act and Treasury portfolio laws

The Corporations Amendment (Meetings and Documents) Act 2022 (Cth) (Act) was passed on February 22, 2022.

What began as a suite of temporary relief measures introduced in response to the COVID-19 pandemic, allowing companies to hold hybrid meetings (a mix of online and in-person gatherings for shareholders), is now a set of permanent changes to the Corporations Act 2001.

Companies can now continue to use technology to validly execute documents, hold meetings and distribute meeting materials on a permanent basis.

New laws for signing and executing documents came into effect from February 23, 2022, while changes to meetings and sending documents have applied since April 1, 2022.

The Act includes a 12-month opt-in review of annual general meetings to enable a proper assessment of the benefits of using technology to engage with members. The Act will be reviewed after February 23, 2024.

Digital transformation falls to finance

In an important shift for public sector reform, the Department of Finance has been given responsibility for data policy, including the Digital Transformation Agency and deregulation.

The move brings the $10 billion annual digital transformation agenda together with public sector reform, under new Finance Minister Katy Gallagher who has oversight of the Australian Public Service.

The shift of the data policy function to Finance is expected to accelerate the delivery of key digital platforms, ending the duplication of technologies across the Australian Public Service.

Also on the work list are plans to finally launch the much-awaited new myGov app and website, a portal designed to give citizens a “single front door” to federal government services.

Central to the service is the establishment of a working digital identity system that verifies people’s identity so that services can be joined together and customised to individuals’ needs around key life events and scenarios such as an emergency response.

Draft legislation to operationalise what is known as the Trusted Digital Identity Framework (TDIF) is awaiting whoever is going to be the new minister in charge of digital transformation.

The new agency will commence responsibilities on July 1, 2022.

Director identification numbers

More than 400,000 directors had applied for a digital identification number by April this year. Under the new Federal Digital Business plan a range of changes introduced between 2021 and 2024 promised to modernise Australia’s business registers.

The sweeping changes would oversee companies, business names and financial services licences, starting with the establishment of the Australian Business Registry Services (ABRS), which combines the existing Australian Business Register (ABR) and more than 30 other Australian Securities and Investments Commission (ASIC) registers.

The ABRS is tasked with issuing director identification numbers (Director IDs) to help verify the identity of a person claiming to be a director and prevent instances of identity fraud or illegal phoenixing activity.

Director IDs became compulsory for all company directors from April 5, 2022 and once obtained will remain associated with that director forever to prevent falsification of identity.

The only exception is for directors appointed before November 1, 2021 who have not accepted any new appointments since that date; they have until November 30, 2022 to apply for a Director ID.

Critical infrastructure laws

Following increasing concerns over rising cyber breaches, ransomware attacks and foreign interference, amendments to the existing Security of Critical Infrastructure (SOCI) Act were passed in December 2021 and March 2022.

These major changes expand the nation’s security of critical infrastructure laws to cover more sectors and asset classes.

The laws are no longer limited to the traditional sectors of electricity, gas, ports and water but now include financial services, banks and markets, supermarkets, data storage or processing, communications, education and transport.

While not all sectors or asset classes have had the new obligations ‘switched on’ just yet, some will come into effect later this year with non-compulsory ‘grace periods’ that will have significant implications for the way cyber security teams conduct investigations and report on cyber incidents.

The most pressing change applies to organisations gathering asset information to identify if they are the owner, operator or direct interest holder of a critical infrastructure asset. An asset audit should be undertaken so that critical infrastructure assets are properly identified and reporting obligations are met. This change is not compulsory until October 8, 2022.

The second update is for organisations to ensure existing cyber incident response plans include a process to swiftly identify a cyber incident and assess the level of impact on critical infrastructure assets.

Owners or operators of critical infrastructure assets who become aware of a cyber security incident that has had a significant impact on an asset (materially disrupting the availability of essential goods or services provided by the asset) must report the incident within 12 hours.

All other cyber security incidents must be reported within 72 hours. Changes to incident reporting timeframes come into effect from July 8, 2022.

The Australian Signals Directorate (ASD) must be notified of cyber security incidents and non-compliance carries civil penalties.
