Applying the Three Lines of Defence Model to Project Risk Management 2 Table of Contents

Project Risk Management Applying the Three Lines of Defence Model to Project Risk Management 2 Table of Contents

Introduction 4 Enterprise Risk Management 6 Project Risk Management 8 Bridging the Gap – Applying Three Lines of Defence to Project Risk Management 9 Guiding Principles in Applying the Three Lines of Defence 13

A Closer Look at Project Risk Reviews 19

3 Introduction It is no longer change, but disruption that is the norm

Change = projects = risk start–ups and felt by business leaders – they at the rate of 20-40%, with a further 35-55% A clear sign that the Australian economy are driving significant change across all described as ‘challenged’2. is experiencing disruption is the rate that industries and organisations. Much of that A recent report from Gartner highlights the gap is growing between businesses change is implemented through programs that 32% of Information, Communication with increasing revenues and those with and projects of work. The challenge for most and Technology (ICT) projects do not declining revenues.1 Businesses are organisations is that the track record for complete on budget and have an average facing more intense pressures to respond project success is patchy at best. Projects budget variance of 19%3. While the to changing customer demands and are synonymous with change, and change, average figures are concerning, there are new market entrants. Policy makers are by its very nature is risky. Often quoted also the catastrophic failures, which cost reshaping their agendas. The forces of reports from Standish over a 20 year period exponentially more than was originally disruption are not just driven by have consistently reported project failures intended, not counting the reputational cost.

1 Building the Lucky Country #2: Short fuse, big bang?, Deloitte Touche Tohmatsu, 2012 2 Standish Group, Chaos Reports 1994-2015 3 Gartner, 2014 ‘IT Key Metrics Data 2015: Key Applications Measures: Project Measures’

4 Financial exposure to project risk is typically unquantified and growing

The extent of exposure to financial risk from project failure receives surprisingly little attention, particularly for ICT projects. For a start, there is scant reporting or statistics on the cumulative spend for organisations in any one year on projects. In 2015 the Victorian Auditor-General was highly critical in a report on Government’s accountability for ICT projects expenditure, stating:

‘It seems incongruous that there are financial reporting directions requiring agencies to report on their consultancy and government advertising spend and yet there is none for ICT, which costs government significantly more…I urge the Department of Premier and Cabinet, as the agency now responsible for the leadership of ICT use in the Victorian Government, to task agencies and entities across all sectors to better account for the significant expenditure of taxpayers funds for ICT projects.’ 4

Typically, organisations spend anywhere The current state of project risk between 10% and 40% of their annual management Purpose of this budgets on ICT projects. This represents There are various ways organisations a significant financial exposure for any manage project risks to keep their projects document organisation, particularly when considering on track. In large organisations, this is the high rate of failures and budget typically managed through a combination The purpose of this document variances. Despite this, the application of of the following roles/groups: is to outline a point of view and project risk management measures is still guiding principles on how to • Project management teams inadequate both in quality and consistency cohesively manage project risks. • Project Boards / Steering Committee as well as the linkage of project risk to By applying risk, controls and • Business-as-usual and end user the enterprise risk frameworks. In an assurance principles through the stakeholders environment where the mechanism to Three Lines of Defence model, • Project Management Office (PMO) implement change is by way of complex we explore the roles of project • Portfolio office projects, adequate management of these management teams, risk functions • Enterprise risk management specialists project risks is critical. and assurance functions in project • Compliance officers risk management. • Quality inspectors • Internal auditors.

Smaller organisations primarily manage project risk through the project management team with support from a project management or portfolio office. However, Gartner reports that only 28% of organisations they surveyed had risk assessment processes in place for their ICT development projects5.

4 Victorian Auditor General 2015, ‘Digital Dashboard: Status Review of ICT Projects and Initiatives’ 5 Gartner, 2014 ‘IT Key Metrics Data 2015: Key Applications Measures: Project Measures’

5 Enterprise Risk Management Increasingly, effective enterprise risk management utilises a ‘three lines of defence’ model

The three lines of defence in effective risk management and control The Three Lines of Defence model was created following the Global Financial Crisis to provide a cohesive and coordinated approach to risk and assurance by organising essential roles and duties into three levels or ‘lines of defence’. The model (Figure 1) has become a generally accepted industry framework for managing enterprise risk at the strategic, tactical and operational levels and sets out how risks can be managed effectively6. It is appropriate for any organisation regardless of size or complexity.

Figure 1: Three lines of defence

Enterprise Risk

1st line of defence Business Units Day to day risk • Functions that own and manage risks directly. Responsible for management and control corrective actions to address process and control deficiencies.

2nd line of defence Risk and Compliance Functions that oversee risk • Functions that develop and maintain risk management policies and methodologies, identify and monitor new and emerging risks and enforce the enterprise risk management model • Limited independence • Reports primarily to management. Project Board

Board of Directors 3rd line of defence Internal Audit Executive Management Independent assurance • Functions that provide independent assurance that risk management is working effectively • Greater independence • Reports to governing body.

6Internal Institute of Auditors, 2013. The three lines of defence in effective Risk Management and Control, IIA.

6 Roles and responsibilities of Executive •• External auditors, regulators, and other When coordinated effectively, external Management, Board and Regulators external bodies reside outside the auditors, regulators, and other groups Across the three lines of defence, Executive organisation’s structure, but they have outside the organisation can be considered Management and the Board of Directors an important role in the organisation’s as additional lines of defence, providing play a key role in risk governance. From an overall governance and control structure. assurance to the organisation’s enterprise risk perspective: This is particularly the case in regulated shareholders, including the governing body •• The Board of Directors sets and industries, such as financial services and senior management. However, monitors the organisation’s risk appetite, or insurance. because the scopes and objectives of these reviews vary depending on the intention processes, risk model and reporting Regulators sometimes set requirements and audience, the risk information they framework intended to strengthen the controls in an gather is generally less extensive than what •• Executive Management translates the organisation. On other occasions, they is addressed by an organisation’s internal organisation’s risk appetite and strategy, perform an independent and objective three lines of defence. processes, risk model and reporting function to assess the whole or some part framework into operations of the first, second, or third line of defence with regard to those requirements.

7 Project Risk Management

There are a number of project methods and frameworks adopted by organisations, each of which considers project risk management. For the purposes of this document, we use one of the most prevalent methods, PRINCE2®

PRINCE2®, risk management and Figure 2: PRINCE2® Project Management Team Structure9 project assurance

PRINCE2®, a project and program User Project Board Supplier methodology developed by the UK’s Office groups groups of Government Commerce, has become Senior User Executive Senior Supplier an international standard for project User Supplier management. PRINCE2® recommends representative representative (area 1) (area 1) project risk management to be systematic and include the ‘proactive identification, Supplier User User project Business project Supplier project representative assessment and control of risks that representative assurance assurance assurance (area 2) might affect the delivery of the project’s (area 2) objectives’7. It sees program and project assurance as integral to mitigating project Legend risks. Program and project assurance is the Within the project management team Lines of authority responsibility of the Project Board, but can From the customer Project Assurance responsibility be delegated. PRINCE2® advocates three Lines of support/advice types of assurance: user, business and From the supplier supplier. ‘Project assurance is not just an independent check. Personnel involved in project assurance are also responsible for supporting the Project Manager, by giving advice and guidance’8.

7,8,9 Managing Successful Programs (MSP) MSP with Prince2, 2009

8 Bridging the Gap – Applying Three Lines of Defence to Project Risk Management

This section outlines the principles and considerations for applying the three lines of defence in project risk management

An organisation can benefit when the Three Lines of Defence model is applied to project risk management by: •• Having a cohesive and proactive approach to identify, assess, mitigate, report, monitor and manage project risks •• Having a holistic and consistent approach to project risk management across the organisation •• Providing appropriate coverage and identifying ‘blind spots’ which may not be identified •• Clarifying roles in each line of defence, from project management, control functions (e.g. enterprise project management offices (ePMOs)), internal audit and external providers.

9 Applying the three lines of defence to There are some occasions where the first The second line of defence provides project risk management line of defence may be facilitated by a subject matter expertise through a As the first line of defence, the project PMO (or Project Support Office). This PMO facilitation or support role to assist the management team ensures that project may include risk coordinators residing first line in project risk management. The risks are identified, analysed, owned and within the project. In this scenario, project specific functions will vary by organisation, managed appropriately. Risk owners are management remains responsible for industry, size and risk of the project, but accountable for ensuring that corrective ensuring that projects risks are managed typical functions in this second line of actions are implemented to address appropriately, with the PMO proactively defence are outlined in Table 1. project process and control deficiencies. facilitating the risk management process. Project management ensures that project risk management activities are consistent with the project’s goals and objectives.

Table 1: Second line of defence functions (examples only)

Function Responsibilities

Risk Management •• Facilitates and monitors the implementation of effective risk management practices Function or Committee by project management •• Assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organisation for all projects, or a select number of projects which are high risk or critical to an organisation’s success.

Compliance Function •• Monitors various specific risks such as non-compliance with applicable strategies, policies and regulations. In this capacity, the separate function (e.g. an ICT architecture committee, business reference groups) reports directly to the project governance forum (e.g. Steering Committee, Project Board).

Enterprise PMO •• Monitors risks and reporting issues •• Supports the Project Director or Project Manager to ensure the first line of defence is properly designed, in place and operating as intended.

10 While the second line of defence can only be pseudo-independent of the project, its proactive role can make a significant difference to a project’s likelihood for success

It is possible that specific second line •• Providing guidance, advice or subject The third line of defence expertise may be outsourced or co- matter expertise to the project in provides the organisation’s sourced by an external provider. managing its risks, however not playing executive management, Board of Directors, a role in project delivery Audit and Risk Committee and/or Project These functions have some degree •• Aggregating project risks across Board with independent assurance on of independence from the first line of the portfolio and reporting these to the effectiveness of governance, risk defence, but are management functions Executive Management and Board management, and internal controls within by nature. As management functions, of Directors a project. This includes the manner in which the first and second lines of they may intervene directly in modifying •• Identifying shifts in the organisation’s defence achieve risk management and and developing the risk management implicit risk appetite and determining control objectives. From a project risk and internal control systems. Therefore, how this will impact on project management perspective, the third line of the second line of defence serves a risk management processes and defence function can provide these groups vital purpose, but cannot offer truly methodologies independent risk assessments to governing with insight on the organisation’s •• Facilitating and monitoring bodies. The responsibilities of these effectiveness in managing project risks, implementation of effective project risk functions vary on their specific nature, but especially for projects having a major management practices by project teams can include proactively: financial, compliance or regulatory impact to ensure consistency across projects to the organisation. The scope of this •• Developing, enforcing and maintaining •• Monitoring the adequacy and assurance usually covers: project risk management frameworks effectiveness of project controls, •• Efficiency and effectiveness of •• Identifying known and emerging risks accuracy and completeness of project project management practices and issues to Executive Management, reporting, project’s compliance/alignment •• Reliability and integrity Board of Directors, Project Sponsor, with policy and strategy, and timely of reporting processes project governance forums and project remediation of deficiencies. management in the project’s ability to •• Compliance with laws, regulations, deliver successfully When managing project risk, this policies, procedures and contracts •• Supporting project risk management arms-length, proactive advisory role •• That the risk of the project has been policies and processes, defining roles can make a significant difference to a assessed, an appropriate assurance plan and responsibilities, and setting goals project’s likelihood of success and can is in place, and the plan is being delivered. for implementation. This may be part of be a cost-effective means of uplifting the It should also ensure that the business the overall risk management policy or organisation’s capability. However, there functions used within the project are framework, or part of the organisation’s is a tradeoff. The more proactive and consistent with the organisational project management methodology advisory the role, the less independent standards and policies – including contract, it can be, and the more important it is to •• Assisting management in developing procurement, communication, safety, HR coordinate with the third line of defence. processes and controls to manage management, financial management and project risks and issues asset management. •• Providing guidance and training on project risk management policies This level of assurance is typically provided and processes by an external project assurance provider or through an organisation’s internal audit function.

11 Summarising the three lines of defence for project risk In a project environment, the Project Board (or Project Steering Committee) is ultimately accountable for the governance of the project and ensures that risks are managed appropriately. It plays a critical role in ensuring that the three lines of defence are cohesively working together and managing risks to enable the project to succeed. Executive Management and the Board of Directors provide oversight over the high risk projects and the organisation’s cumulative risk profile.

Figure 3: Three lines of defence

Enterprise Risk Project Risk

1st line of defence Business Units Project Management Day to day risk • Functions that own and manage • Owns and manages project risks by management and control risks directly. implementing project controls such as plans, schedules and budgets (to name a few).

2nd line of defence Control Functions and Risk Risk Management, Compliance or Functions that oversee risk Management Enterprise Project Management Office • Functions that develop and (ePMO) Functions maintain risk management • Defines, enforces and maintains the policies and methodologies, standards and processes for project identify and monitor risk management new and emerging risks and • Supports the organisation in providing enforce the enterprise risk tools to manage new and emerging project management model risks, aggregating risks and monitoring the

Project Board • Limited independence effectiveness of project controls.

Board of Directors • Reports primarily to management. Executive Management

3rd line of defence Internal Audit Project Assurance Provider or Independent assurance • Functions that provide Internal Audit independent assurance that risk • Independently assesses the effectiveness management is working effectively of project risk management to provide the • Greater independence Board of Directors, Executive Management, Audit and Risk Committee and/or the • Reports to governing body. Project Board with confidence that the first and second lines of defence are operating effectively.

12 Guiding Principles in Applying the Three Lines of Defence

Applying the Three Lines of Defence model to project management is not a ‘one size fits all’ approach

The roles and responsibilities for each line of defence and who is assigned to perform each line is dependent on the organisation’s capabilities, industry, resources and the project’s risk profile, size, complexity and environment.

The following principles provide guidance on how the three lines can be used in project risk management along with a number of considerations to reflect upon.

13 necessarily get escalated to the Board or assurance function may sometimes play Principle 1 an independent person in the organisation. a role in performing second line activities. PMOs have also had little organisational Where both second line and third line Align with the organisation’s authority to intervene if a project is functions exist, reliance can often be placed capabilities, industry under-performing, or to ensure assurance on project assurance activities performed and resources recommendations are actioned. by the internal audit function or project assurance function within the ePMO to The second line of defence is where the The assignment of roles and responsibilities provide independent assurance to Executive most variation comes in. It is not for each line of defence to a function Management, the Project Board or an Audit only dependent on the organisation’s or individual are dependent on the and Risk Committee. capabilities and resources, but also on organisation’s capability, industry and the project’s risk profile, size, complexity Role of Internal Audit: Internal Audit has available resources. and environment (see Principle 2). typically focused on adherence to project The first line of defenceis typically Enterprise PMOs typically operate in management methodologies rather than provided by the project or program the second line to have oversight of reviewing the effectiveness of controls to 10 management team. It may also be project delivery and facilitate the project increase the likelihood of project success . provided by a PMO or Project Support risk management process. In larger At a minimum, Internal Audit should be Office specifically established for the project. organisations, it is frequently observed that ensuring that Executive Management and The role of business units in a project the ePMO will have second and third lines the Board of Directors are getting visibility environment should not be discounted, as responsibilities. Specifically, an assurance of high risk projects and the organisation’s their involvement will support the project function within an ePMO will operate in cumulative risk profile. A proactive in managing risks outside of the project’s the third line of defence to provide project assurance framework should be in place control, aligning with expected customer assurance expertise on higher risk projects. and have been provided by resources with outcomes and balancing the focus between the appropriate expertise and capability. The third line of defence must be customer needs and delivering in the Increasingly, Internal Audit is bolstering its independent of the project and is typically expected time, cost and quality. capability in providing project assurance by provided by an internal audit function sourcing external experts, and providing While PMOs may institute a form of or external project assurance provider. consistent and coordinated reporting the 11 governance, the results of their project In smaller organisations, the internal relevant governance forums. risk management activities do not audit function or an ePMO with a project

10,11 Huibers, S. 2015, ‘The Evolution of Project Auditing, 2015 Global Benchmark Study Results’

14 •• The third line function to perform a From a third line perspective, in addition Principle 2 greater number and different types of to the project sponsor and project board, gated reviews, targeted reviews and activities could also be reported to Consider the project’s risk health checks for higher risk programs executive management, other agencies profile, size, complexity and contexts. These checks and reviews (e.g. Treasury in Government) and the and environment may also be dependent on the level of Board or Audit and Risk Committee, control being provided in the second line. depending on the risk of the project.

The level of involvement of each line of The Project Board is ultimately accountable defence depends on the project’s risk for project governance, which will include profile, size, complexity and environment. Principle 3 understanding the impacts of the risks For example, a large, complex project reported or escalated to them, and may require: Application is based on the providing strategic direction on how these •• A more proactive, frequent and efficient key stakeholders who need to risks can be mitigated. risk management and escalation process be informed and involved in for the first line •• The second line function/s to perform managing project risk targeted reviews for specific risk areas (e.g. security, fraud) which are sourced From a first, second and third line from an external party with specific perspective, the project sponsor and expertise. The scope of this role is project board are informed to provide broader, covering the project context oversight over how project risks (including governance), the project are managed. itself, and the solution being delivered. Increasingly, this external capability is being sourced through ePMOs to ensure a consistent service and appropriate skill sets are engaged12

12Huibers, S. 2015, ‘The Evolution of Project Auditing, 2015 Global Benchmark Study Results’

15 •• The costs associated with the level of Principle 4 Principle 5 involvement for project risk reviews are appropriate, justified and aligned with Document and approve Minimum impact and cost for the project’s risk profile the framework or plan to project risk reviews •• There are currently no clear guidelines undertake project risk activities on costing efforts relating to project Specifically from asecond and third risk review activities done in the second line perspective: The second line function defines, and third line. However, there is an enforces and maintains a risk management •• Project risk management activities, emerging trend that this cost can be 2% framework and/or project management especially risk reviews done on a project, of a project’s budget and is allocated to methodology to guide the first line are designed to support the project by second and third lines for a medium – function on how to manage project risks. minimising the impact on the project, risk project13 working with the project team and •• From a funding perspective, there are A project assurance plan which derives all supporting them in achieving project two main options for consideration: relevant project risk reviews for a specific success. However, the organisation whether funding for project assurance project is documented with an agreed should consider how often their is sourced from the project’s budget purpose, scope and approach. involvement will be with the project. or managed through a central funding For example, it is recommended that This ensures that each item in the plan source. There are pros and cons project reviews should start early in the has a distinct purpose and collectively for each option, but increasingly project’s planning stages, and then at addresses enterprise and project risks. organisations are mandating that it is a minimum, timed to coincide with key The responsibility for deriving an assurance funded by the project and costed into decision points and at regular points plan is dependent on the project’s risk the project’s business case. profile, size, complexity and organisation’s in the project lifecycle for longer term resources and capabilities. For a large and projects (i.e. reviews held no more than complex project, this will typically involve 6 months apart) the third line function coordinated with the first and second line functions.

13 Oakes, G. 2008, ‘Project Reviews, Assurance and Governance’

16 Consider if there is a need to integrate Principle 6 Principle 8 project risk registers with risk registers belonging to dependent projects, programs Align with project Integrated, risk-based (if the project is part of an overall program), management standards and action oriented operations and the whole enterprise. The link between project, operational and The approach for project risk management The three lines of defence work best enterprise risk registers will be important is aligned with current industry standards when they are operating in a cohesive and if a specific risk will materially impact in project management, such as PRINCE2®. integrated manner. The approaches for business-as-usual operations or the the first line (owning and managing risks), entire organisation. second line (defining methods and tools Principle 7 and supporting the first line) andthird line (project assurance) should be risk-based Consistent with risk and and action oriented. Specifically for the assurance frameworks second and third lines, project assurance plans, which derive all relevant project risk and standards reviews for a specific project, should be integrated with other project assurance The approach for project risk management plans (especially if the project is part of a is consistent with risk and assurance program) and the broader assurance plan frameworks for the organisation and the for the organisation. They should also be industry it is in. risk-based and lead to action. From a third line perspective, the approach and plan are consistent with From a governance perspective, the Internal Audit standards and frameworks, application of the three lines of defence will such as the International Professional need to be integrated or overlayed with the Practices Framework (IPPF) and Institute organisation’s governance framework of Internal Auditors (IIA) standards. and structure.

17 Example

Figure 4 shows an illustrative example of a governance structure for a medium sized, high risk project in a large organisation. In this scenario, the ePMO plays across the second and third lines, to support the first line with methodologies and tools (second line role) and working with an external project assurance provider and internal audit together to define and deliver a project assurance plan (second and third line role).

Figure 4: Governance Structure Example

Board of Directors

Audit and Risk Executive Management Committee

Project Board Project Assurance Internal Audit Senior Responsible Provider Owner (Chair)

ePMO

Project Project Director PMO Legend Project 1st line of defence Key relationship Manager Indirect relationship 2nd line of defence (engage as required) Project Team 3rd line of defence Governance oversight across all lines of defence

18 A Closer Look at Project Risk Reviews

Increasingly, effective enterprise risk management utilises a ‘three lines of defence’ model

The three lines of defence in effective Many large organisations have a panel of •• An external assurance partner is chosen risk management and control external providers or a preferred partner. through a competitive process that From a second and third line perspective, Often, the project is given the choice of includes someone independent to the a project assurance plan defines all reviews determining who from the panel should project. The selected partner takes to be undertaken during the life of the provide these services. In determining a accountability for proactive project risk project to help manage project risk and provider, the key factors to consider should management throughout the project’s improve delivery confidence. This plan be experience, capability and relevance. lifecycle, and is committed to the should align with the original business Our recommendation is that: project’s success. case, which will drive the budget and •• The mandate for project risk scope for this activity irrespective of reviews is embedded in investment whether it is provided internal or external decision committees to the organisation. Ideally, reviews should be linked to the organisation’s risk appetite, •• Assurance plans are developed for however most organisations are only just all major programs (especially those starting to consider risk appetites in their that support the delivery of an assurance design. organisation’s strategy)

19 The three dimensions In all projects, there are three dimensions to a project that can be the subject of project risk reviews, depending on the risk:

•• Project Environment: the context that the project is operating in •• Project Delivery: how the project is being managed •• Solution: the ability of the solution to meet business requirements.

In each of these dimensions, there are areas of risk that can be an area of focus:

Table 2: Project Risk Review Dimensions

Project Environment Project Delivery Solution

•• Governance •• Business case •• Lifecycle related specialist products •• Strategic alignment •• Benefits •• Technical environment adequacy •• Process alignment •• Scope (including privacy/security) •• Positioning with other projects and •• Schedule •• Solution sustainability change initiatives •• Cost •• Business case alignment •• Business environment risk •• Project integration •• Integration with existing systems/ processes •• Stakeholder management •• Quality and Testing •• Business process controls •• Corporate culture •• Organisational change •• Business Continuity •• PMO Support. •• Human resourcing •• Target Operating Model •• Communications •• Data Migration and Management •• Procurement •• Business readiness. •• Risks and Issues •• Planning •• Contract and Vendor Management •• Deployment strategy •• Integration and Interfacing.

The assurance plan would typically contain one of the four types of reviews:

Deep Dives or Specific areas of risk to the project context, delivery or solution are assessed in detail to identify Targeted Reviews any areas to improve delivery or reduce specific areas of risk (e.g. data migration, security).

Health Checks Higher level, broad assessment of project context and delivery which is used to identify areas of program risk and opportunities to improve successful delivery.

Continuous Assurance Checkpoint review (at least monthly intervals aligned with project governance meetings) and continuous review which include a point in time project assessment, attending key governance meetings and assess risks and activities particular to the stage of the project.

Gateway Reviews Point in time assessment to support a decision-making milestone.

20 To determine the level of involvement for a project, an assurance plan should be developed in the early stages of a project. Ideally a risk workshop is conducted, involving the key project stakeholders and experts in the particular type of project to identify the major risks. These risks form the basis for the assurance plan, taking into consideration these risks, the organisational capability to deliver, govern and assure the project, governance and funding requirements both internal and external to the organisation, the program structure and the project duration.

Sample Assurance Plan

To provide a holistic assurance activity across the second and third lines of defence, the following outlines a sample assurance plan with deep dive topics determined by the outcomes of a risk workshop.

Figure 5: Sample Assurance Plan

Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Project Initiation Project Definition Project Execution Project Transition Benefits Realisation

2nd line of defence

Continuous Assurance 3rd line of defence

Legend

Deep dives/ Targeted review

Health check

Gateway Review

21 Contact Us

Sid Maharaj National Project Risk Lead Partner Tel: +61 (0) 406 568 171 [email protected]

Phil Goulstone Project Risk, Sydney Tel: +61 (0) 406 705 611 [email protected]

Alastair Banks Project Risk, Melbourne Tel: +61 (0) 414 252 138 [email protected]

Natalie Smith Project Risk, Brisbane Tel: +61 (0) 405 106 221 [email protected]

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the ‘Deloitte Network ‘) is, by means of this publication, rendering professional advice or services.

Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.

About Deloitte Australia In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit Deloitte’s website at www.deloitte.com.au. Liability limited by a scheme approved under Professional Standards Legislation. Member of Deloitte Touche Tohmatsu Limited

MCBD_HYD_11/16_53793