Talented and capable

a female worker looking on while a male worker points to a computer screen

The EPA wants its people to be purpose-led, passionate and highly capable. To this end we consult our staff and invest in their development, as well as working to attract new people who share our aspirations.

We show the many ways people can make a difference through a career with the EPA (see adjacent stories). We also support people who are at the beginning of their working lives through structured graduate and intern programs and development pathways.

Staff say they value technical and professional training, a diversity of work, and the chance to work in teams, to learn from others and help solve problems. ‘We build staff capability in many ways,’ says EPA’s Director Capability and Talent, Erin Torsello. ‘We have a lot of training programs, both online and in-person; talent development and performance management; internal expressions of interest processes; and leadership development.’

decorativeWe offered more than 20 core courses and over 200 staff took part in face-to-face training

In 2021–22 staff development included corporate compliance and systems, wellbeing, health and safety, technical training, professional development and investigations. We offered more than 20 core courses. Over 200 staff took part in face-to-face training, with many more taking technical and professional development courses online. We also ran sessions to support staff wellbeing; covering sleep, diet, movement, ergonomics and resilience.

Public access to government information

Members of the public, the media, business and other organisations have the right to access government information under the Government Information (Public Access) Act 2009 (GIPA Act), unless releasing this information is against the public interest. This includes information that is not usually available to the public.

Under sections 7(3) and 125 of the GIPA Act and clause 8 of the Government Information (Public Access) Regulation 2018, the EPA has annual reporting obligations relating to:

  • the review of its proactive release of information to the public
  • its response to formal applications for access to information.

Proactive release program

The EPA program for the proactive release of information requires each of the agency’s branches to examine information that has been informally released or formally requested under the GIPA Act. This is as well as information held that may interest the public and can be made available for public use.

In 2021–22, information proactively released on the EPA website included:

  • a report on the NSW EPA’s review of Snowy Hydro Limited’s Cloud Seeding Program 2020 Annual Compliance Report
  • an air monitoring program to provide local air quality information during construction of the Warringah Freeway upgrade and Western Harbour Tunnel project, including links to view regular update on air quality data
  • information on legacy lead in soils in Wollongong, including a copy of the report Literature review of the levels of lead and other heavy metals in soil and roof dust in Wollongong and measures to manage any associated health risks prepared by the University of Queensland, dated 29 June 2020; and a copy of the Port Kembla surface soil testing report
  • information in relation to Minchinbury odours, including regular updates on monitoring results
  • information in relation to the clean-up of the oily wastewater overflow at Kurnell in April 2022, including actions taken by the EPA and sampling results
  • information in relation to the approved methods for the sampling and analysis of air, water and noise in NSW, including implementation and transitional arrangements, response tosubmissions and summary of changes.

Access applications received in 2021–22

This year the EPA received 108 valid applications for access to information. Most applications were made by members of the public.

We finalised 111 applications, including some received in the previous year. Some applications will be decided (and reported on) in 2022–23.

More than one decision can be made in relation to an access application. For the 111 applications we finalised this year, we made 122 decisions. Those decisions are on the table following.



Access granted in full




Access granted in part




Access refused in full




Information not held




Information already available




Refuse to deal with application




Refuse to confirm or deny whether information was held




Application withdrawn




For full details of the applications and outcomes, in accordance with statutory reporting requirements under clause8 of the GIPA Regulation, see Appendix E: Statistical information on access application.

Avoiding risky business

Managing risk is an important part of an organisation’s resilience. This work may not be visible but it positions us as well as possible to deal with disruptions.

Planning for business continuity

In 2021–22 the EPA’s Governance, Risk and Planning Branch focused on setting up a risk framework roadmap, which includes the policy and plan for business continuity. We ran a crisis-management exercise, which was like a ‘dress rehearsal’ for how we’d respond to a major disruption to our operations. ‘The exercise was a valuable way for us to build our organisational resilience and explore how business disruptions could impact the EPA. It also helped us validate our new procedures, identify gaps and test our response in a crisis scenario,’ says our Manager Risk and Governance, Joseph Budnik.

Managing risks to achieving EPA objectives

In 2021–22 the EPA embedded the Risk Management Policy, the Risk Management Framework and Operating Procedures and a new EPA strategic risk register into its operations.

Risk coordinators started presenting a ‘deep dive’ analysis of a selected risk to each meeting of the Audit and Risk Committee.

Throughout the year, the EPA consistently applied its assurance framework. This framework provides transparency for the EPA Chair and Board, the Chief Executive Officer (CEO) and the Executive about whether the organisation’s regulatory work is achieving its committed outputs and outcomes.

The assurance framework:

  • includes a review process that lets us identify and mitigate risks to service delivery
  • allows us to capture and regulate best practice
  • supports the continuous improvement of EPA practice and risk management.

Climate-change risks to EPA operations

This year the EPA prepared its first Climate Change Impacts, Risks and Adaptation Statement. As its name indicates, the statement sets out the economic, financial and physical impacts, risks and opportunities of climate change on our operations. It is consistent with the framework established by the Task Force on Climate-related FinancialDisclosures.

We’ll integrate climate-change risk into our existing risk management framework. We’ll also do regular ‘horizon scanning’ to identify external drivers of change and macro-trends across different fields, including climate change, that can create risks or opportunities and influence the EPA’s regulatory response.

The Environment Legislation Amendment Act 2022 strengthens the EPA’s independence

The Act makes administrative changes to the governance of the EPA, including formalising the separation of the Chair and CEO roles.

The Act provides that the CEO, rather than the Chair, is to manage and control the affairs of the EPA, subject to policies and decisions of the Board and directions of the Minister under the Protection of the Environment Administration Act 1991 (POEA Act). The Chair of the EPA is now called the Chair of the Board.

In terms of the Board, the Act provides that the functions of the Board include determining policies and plans relating to organisational governance and risk management.

Audit and Risk Committee

The EPA’s Audit and Risk Committee (ARC) is the EPA Board’s only subcommittee and reports directly to the Chair. The committee has been established in accordance with the NSW Treasury’s Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08). This independent committee has no executive powers.

The committee provides assurance to the Board that the EPA has effective and efficient systems, polices and processes to manage risk. It does this by monitoring, reviewing and providing advice about the EPA’s governance processes and risk management and control frameworks.

Refer to the Audit and Risk Attestation Statement on the following page for a list of the ARC members.

In 2021–22 ARC meetings were held in July, September and November of 2021, and in April and May 2022.

In fulfilling their duties, the EPA’s Chief Financial Officer, Chief Risk Officer and Chief Audit Executive have independent access to the committee and the Board. This approach increases assurance for the Board that the EPA is managing its risks appropriately while discharging its regulatory, financial and audit responsibilities.

The CEO completes an internal audit and risk management attestation statement that indicates all Treasury requirements have been met. This begins on the next page.

Cyber security

The EPA has assessed its cyber security risks, which are discussed at Executive and Board level during quarterly risk review and assessment processes. Cyber security is provided through DPE corporate cluster services. Incident response protocols are tested annually.

The Cyber Security Attestation Statement for 2021–22 is reproduced in Appendix G.


Internal Audit and Risk Management Attestation Statement
2021-2022 Financial Year

I, Carmen Dwyer, Acting Chief Executive Officer and Accountable Authority of the Environment Protection Agency (EPA), am of the opinion that the EPA has internal audit and risk management processes in operation that are, excluding any exemptions or transitional arrangements described below, compliant with the seven (7) Core Requirements set out in the Internal Audit and Risk Management Policy for the General Government Sector, specifically:

Core Requirements  Compliant,
or In Transition
 Risk Management Framework   
1.1  The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the Agency.   Compliant
 1.2 The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the Agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.  Compliant
 Internal Audit Function  
 2.1 The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose   Compliant
 2.2 The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for the Professional Practice of Internal Auditing  Compliant
  2.3 The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the 'model charter' Compliant

Audit and Risk Committee
 3.1 The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations  Compliant
 3.2 The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the 'model charter'   Compliant

Audit and Risk Committee – Membership

The independent chair and members of the Audit and Risk Committee are:

  • Chair – Christine Hawkins AM (5 year term of appointment, commenced 11 April 2019)
  • Member – Michael Rennie (3 year term of appointment, commenced on 18 May 2020)
  • Guest – Elizabeth Wild (attended during 2021-22 as a guest and achieved prequalification
    on 22 June 2022, with a proposed 3 year term of appointment commencing on 30 July 2022)
Carmen Dwyer
Accountable Authority
A/Chief Executive Officer
Environment Protection Authority
Date 30.06.2022 
Amanda Cleary
Chief Audit Executive 

EPA internal audit

The Government Sector Audit Act 1983 requires statutory bodies to establish and maintain an effective internal audit function.

The EPA’s internal audit program is an independent and objective assurance and consulting activity that is part of the EPA’s wider integrated assurance function. Along with other assurance activities, it is designed to improve the organisation’s operations, which it does by evaluating and improving the effectiveness of risk management, control and governance processes.

The EPA conducts its own program and, where there is benefit, may also participate jointly in the internal audit programs of the Department of Planning and Environment.

The Lead Audit and Assurance heads the EPA’s internal audit function. The NSW EPA Internal Audit Charter provides the framework for internal audits and the EPA’s Audit and Assurance Forward Plan sets out the program for conducting assurance activities (including internal audit) for 2020–21. This plan is reviewed at least annually to ensure that assurance work remains fit for purpose and appropriately focused on the EPA’s risks.

The Audit and Risk Committee conducted its annual review of the EPA’s internal audit charter to ensure it continues to be consistent with the agency’s financial, risk management and governance arrangements and current best practice.

Public interest disclosures and reportable conduct

A public interest disclosure is a disclosure of alleged corrupt conduct, maladministration, serious and substantial waste of public money or a breach of the Government Information (Public Access) Act 2009 (GIPA Act). In 2021–22 no public interest disclosures were made to the EPA: see Appendix F. The EPA’s Public Interest Disclosure: Internal Reporting Policy and Procedures is available to staff on the EPA intranet.

Allegations of corrupt conduct are reported to the Independent Commission Against Corruption. In 2021–22 the EPA made five such reports.

Operational and key risk areas

The EPA maintains risk registers that detail the potential risks and their management. The table below summarises our management approach to key risk areas.


Management approach

Business continuity and disaster recovery

An incident could cause a disruption to, or loss of, EPA physical infrastructure and/or kill or injure people.

Building organisational resilience through the development and implementation of the Business Continuity Framework, which provides the leadership requirements, roles and responsibilities, team structures, workflows for each program component and processes for monitoring performance.

Putting in place security audit and management plans for EPA offices.

Putting in place emergency management systems for all offices. This includes training fire wardens in how to act in emergencies and performing periodic evacuation drills.

Putting in place an information management framework.

Periodically backing-up electronic data.

Internal controls and safeguards

If the internal control environment is inadequate, there could be a loss of funds and of communitytrust.

Providing management oversight via the Executive.

Putting in place an internal audit program and regularly reviewing its priority areas, findings and the completion of follow-up actions.

Segregating duties and internal controls, to help to prevent and detect fraud.

Participating in performance audits conducted by the NSW Audit Office.

Regularly reviewing the EPA Code of Ethics and Conduct.

Including ethics and conduct in induction training.

Putting in place an internal reporting policy and procedures for public interest disclosures.

Having in place the Managing Misconduct and Serious Misconductpolicy.


ICT services, including cybersecurity, are provided at the cluster level.

If the EPA were not able to access ICT services or the integrity of the systems were compromised, this could impact business continuity.

Developing a service partnership agreement with the Department of Planning and Environment (DPE) that outlines service provision and requirements.

Seeking feedback on, and conducting regular reviews of, the service partnership agreement.

Using a change-management approach to upgrading and updating ICT systems, to facilitate better outcomes and staff uptake.

Fraud and corruption risk

The EPA is updating its Fraud and Corruption Prevention Policy and Framework, which outlines the EPA’s approach to developing and maintaining controls to prevent fraud and corruption.

This year our regulatory officers and grants management team conducted training in the prevention of fraud and corruption run by the NSW Independent Commission against Corruption (ICAC), with a focus on the administration of grants and regulatory operations.

Climate-change risk

The EPA follows a systematic process for identifying and articulating our climate-related risks, based on the Climate Risk Ready NSW Guide. In accordance with the guide, we have identified our climate-related risks as:

  • physical risks caused by increasing intensity and frequency of severe (acute or chronic) weather events
  • transition risks (policy, legal, reputational) associated with transitioning to a decarbonised economy
  • liability risks (the result of either physical or transition risks) resulting from people or businesses holding the EPA responsible for not acting sufficiently on climate change and seeking compensation from the EPA for losses they may have suffered.

EPA insurance

The EPA’s insurance arrangements are provided through the Treasury Managed Fund (TMF), which is managed by the NSW Self-Insurance Corporation.

The table shows the cost of the EPA’s insurance premiums over the past five years.

Area of risk






Workers compensation






Public liability












Motor vehicles






Miscellaneous losses*












* Insurance cover includes miscellaneous losses such as employee dishonesty, personal accident and protection during overseas travel.

Workers compensation costs have varied with changes in the number of employees over the five years reported.

Consumer enquiries, reports and complaints

EPA staff regularly handle general enquiries about environmental issues, reports on pollution incidents, and feedback and complaints about our work.

The agency values these interactions with consumers and stakeholders and stipulates in its Code of Ethics and Conduct that, when interacting with the public, EPA staff will:

  • act professionally, with honesty, consistency and impartiality
  • build relationships based on mutual respect
  • provide services fairly with a focus on customer needs.

Complaints from the public sometimes relate to dissatisfaction with the EPA’s response to a specific issue or the timeliness of action on a pollution report. Others reflect the community’s expectation that the EPA is the appropriate regulatory authority when, in fact, another State agency or a local council is responsible for the issue. In these cases, the complaint is referred to the appropriate body

Controlled entities

In 2021–22 the Environment Protection Authority Staff Agency (‘EPA Staff Agency’) was the only controlled entity of the EPA. The EPA Staff Agency is a Division of the Government Service responsible to the Minister for Environment and Heritage, established under the Administrative Arrangements Order 2014, dated 29 January 2014. Under the Order, the former Office of the Environment Protection Authority became the EPA Staff Agency.

As a not-for-profit entity, the EPA Staff Agency employs staff to enable the EPA to exercise its functions. This entity is consolidated with the EPA as part of the NSW Total State Sector Accounts. The EPA Staff Agency’s objectives, operations, activities, performance targets and performance measures are included throughout this Annual Report.

Privacy management

The Privacy Management Plan outlines ways in which the EPA complies with the principles of the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002. The plan is available on the EPA website.

Passing the testing test

Our protection from pollution is only as strong as the standards that control it.

Whether it’s air, noise or water pollution, if there are holes in the testing practices, we all end up with a false sense of security.

That’s why the testing practices and standards have been set out in black and white. The EPA’s Approved Methods documents for air, water and noise pollution have been written so that the same rigour and quality control will be applied no matter what’s being tested or who’s doing thetesting.

The noise measurement and analysis document is a new one, while the air and water documents were streamlined and amended this year to update the sampling and test methods. The methods in all three documents now align with the standards used for good laboratory and field practice and need to be complied with. Developing and updating the documents was a collaborative effort involving the EPA’s expert teams across air, noise and water pollution and DPE Science, Economic and Insights.