Risk Management Strategy
2012 - 2014
Mission:
To support and develop a sustainable, thriving and resilient
community through leadership and partnerships
NOTE: This Document should be read in conjunction with the Indigo Shire Council Risk Management Policy
Author: Jo Riley – Manager Governance & Risk
Review period: 2 Years
Approved:
TABLE OF CONTENTS
TABLE OF CONTENTS ... 2
SECTION 1: INTRODUCTION ... 3
1.1 PURPOSE... 3
SECTION 2: FRAMEWORK FOR MANAGING RISK... 4
2.1 INTERNATIONAL STANDARD FOR RISK MANAGEMENT PRINCIPLES... 5
2.2 APPROACH TO RISK MANAGEMENT... 6
2.3 ORGANISATIONAL CONTEXT... 6
2.4 ORGANISATIONAL CULTURE... 8
SECTION 3: OBJECTIVES – RISK MANAGEMENT & THE COUNCIL PLAN ... 9
SECTION 4: ROLES AND RESPONSIBILITIES ... 11
SECTION 5: RISK MANAGEMENT PLANNING ... 12
5.1 STRATEGIES FOR ADDRESSING RISK... 13
SECTION 6: RISK MANAGEMENT TOOLS... 14
6.1 RISK MANAGEMENT ACTIONS... 14
APPENDICES
1. DEFINITIONS
2. RISK MANAGEMENT PROCESS
3. RISK MATRIX – CONSEQUENCES AND LIKELIHOOD SCALES
4. ROLES AND RESPONSIBILITIES
SECTION 1: INTRODUCTION
This Strategy has been developed in support of the Indigo Shire Council’s (“the Council”) Risk Management Policy with the intention of improving and enhancing existing risk management practices throughout the organisation.
Indigo Shire Council is committed to ensuring that Risk Management is an important element and integral part of the wide range of activities undertaken by and on behalf of Council in a complex Local Government environment. Therefore, Council has developed a Risk Management Framework to assist Council in achieving its goals and objectives including those set out in the Council Plan.
This Framework is based on principles that are the current industry best practice and is strongly influenced by the international standard for Risk Management: AS/NZS ISO 31000:2009.
This Strategy is to be employed by all Councillors, staff members, contractors, committees and volunteers engaged in Council business and assists in defining the responsibilities and accountabilities of individuals and committees involved in the Risk Management process.
1.1 Purpose
The purpose of this document is to align effective risk management practices across Council within a common framework that can be clearly understood and applied by everyone engaged in Council business.
The Risk Management Strategy assists the organisation to prevent and/or minimise the adverse effects of risks associated with its operation and to capitalise on any positive opportunities. The consideration of Risk Management should be applied at all stages of an activity, function or project and is an integral part of the overall risk management process. The implementation of a Risk Management Strategy for Indigo Shire Council will create some key opportunities which are outlined in Section 2.1.
SECTION 2: FRAMEWORK FOR MANAGING RISK
The Risk Management Framework is the structure within Indigo Shire Council that supports the risk management practice, reporting, responsibilities and accountabilities at all management levels.
The success of Indigo Shire Council’s Risk Management Framework will depend on the effectiveness of the foundations and processes that embed it throughout the organisation. The Framework will assist in communicating risk information, promoting greater awareness and will lead to improved co-ordination of risk management processes. It will guide Council on how we will identify, evaluate, prioritise and treat risks, with a view to maximising opportunities and avoiding, reducing, sharing or eliminating threats. It also identifies how Risk Management will be monitored and reported.
The Risk Management Framework comprises the following elements:
• Risk Management Policy
• Risk Management Principles
• Risk Management Objectives
• Organisational Structure and Operating Environment
• Risk Criteria
• Risk Management Process
• Communications / Reporting
• Roles and Responsibilities
[Figure: the framework cycle from the Standard – Mandate and commitment; Framework for managing risk; Implementation of risk management process; Monitoring and review of the framework; Continual improvement of the framework.]
2.1 International Standard for Risk Management Principles
AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines (“the Standard”) is internationally recognised and is considered best practice for compliance. The Standard sets out eleven principles which need to be applied for risk management to be effective. All elements of the Framework are based upon these principles and provide an understanding of managing risks at all levels of the organisation:
Risk management:
1. Creates and protects value
Risk Management contributes to the achievement of objectives and improvement of performance in areas such as human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
2. Is an integral part of all organisational processes
Risk Management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.
3. Is part of decision making
Risk Management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action.
4. Explicitly addresses uncertainty
Risk Management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
5. Is systematic, structured and timely
A systematic, timely and structured approach to Risk Management contributes to efficiency and to consistent, comparable and reliable results.
6. Is based on the best available information
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used and the possibility of divergence among experts.
7. Is tailored; aligned to the organisation’s context and risk profile
Risk Management is aligned with the organisation’s external and internal context and risk profile.
8. Takes human and cultural factors into account
Risk Management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation’s objectives.
9. Is transparent and inclusive
Appropriate and timely involvement of stakeholders, and in particular, decision makers at all levels of the organisation, ensures that Risk Management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
10. Is dynamic, iterative and responsive to change
Risk Management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
11. Facilitates continual improvement of the organisation
Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.
To achieve this, Indigo Shire Council will aim to:
• embed risk management into the organisation through the integration of risk management processes;
• create and maintain a high level of consultation, awareness and ownership by stakeholders;
• recognise and align risk management with the organisation’s external and internal context and risk profile; and
• continually monitor and review risk management to ensure we recognise and respond to changes affecting our risk management processes.
In line with the Standard, the process of embedding risk management and increasing involvement and ownership by stakeholders will be implemented through awareness and communication of the Strategy.
2.2 Approach to Risk Management
Senior Management Commitment
The Chief Executive Officer, General Managers and Senior Managers of the Indigo Shire Council are committed to the pro-active management of all risks in a systematic way in order to enhance our operation as “one organisation” rather than as a group of individual entities. The risk management process makes a significant contribution towards establishing the priorities in the allocation of resources. Managers at all levels are accountable and responsible for the management of risk within their areas of control.
Corporate Governance
Every organisation is governed by a set of rules and principles, which enable its effective and transparent operation. Transparency in decision making, accuracy in reporting and adequacy in compliance are all essential elements of good governance. The three pillars of governance are:
• Risk Management: which identifies and assesses threats and opportunities confronting the organisation's attempts to achieve its business objectives and defines effective response strategies.
• Compliance: which identifies regulatory and statutory obligations and defines organisational obligations.
• Audit: which ensures the critical response strategies and processes are being implemented effectively and are delivering the benefits for which they are designed.
Sound risk management not only contributes to good governance, it also provides protection in the event of adverse outcomes. Provided risks have been managed in accordance with the Council's guidelines, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence.
2.3 Organisational Context
Local Government is a complex, multi business enterprise that has constant conflicts in allocating limited resources to build and maintain infrastructure and deliver community programs. The Framework is an important tool to assist in making consistent decisions in a strategic, operational and project context. For the Framework to work, both internal and external factors must be considered as they will influence the way in which objectives are set and priorities are determined.
The political, social, economic, legal and physical environments are important in the day-to-day operation of Council. It is essential that the internal and external environment within which the activity is conducted be adequately understood if the subsequent steps of the process are to have a meaningful context.
Managers need to identify their role in contributing to the Council’s wider goals, objectives, values, policies and strategies when making decisions about risk. These assist with defining the criteria by which it is decided whether a risk is tolerable or not, and form the basis of controls and management options.
Key questions in establishing the context:
• What are the Council's strengths and weaknesses?
• What are the major outcomes expected?
• What are the major threats and opportunities presented?
• What are the significant factors in the Council's internal and external environment?
• What is the policy, program, process or activity to which the risk management process is being applied?
• What problems were identified in previous reviews?
• What risk criteria should be established?
• Who are the stakeholders?
Defining our Internal Environment
To understand the internal environment we need to consider the organisational structure, key/core processes, resources available, their capacity and their relationship and interdependency.
As Council manages activities that are community based, risks need to be addressed with potentially non-economic outcomes.
Internal factors which may affect Council’s management of risk include strategic plans and policies, organisational processes and procedures, systems and technology, the management of corporate records and availability of evidence, budget allocation, staff culture, and internal relationships.
These internal and external factors will affect the organisation's risk appetite, that is, the level of risk the organisation is willing to retain or pursue, and the setting of the risk criteria and policy. Understanding risk appetite helps to determine what level of risk is acceptable or unacceptable, and the level of additional controls and risk treatment required.
Indigo Shire Council has a low to medium appetite for risks related to service delivery, finance, health and safety, environment, reputation and legal/regulatory, where effective controls are in place. Where the level of risk is high or extreme, additional controls are required to reduce the level of risk. Where the level of risk cannot be reduced below a rating of high, close monitoring of risk controls is required to ensure that controls continue to be effective.
Defining our External Environment
External factors include community expectations, state government policy and personnel, federal and state legislation, carbon economy, funding, and reputation and relationship management.
2.4 Organisational Culture
One of the most crucial elements of a successfully integrated Risk Management Framework is having a culture that promotes and facilitates its proactive use.
Risk Management is a corporate priority and as such, all staff are required to actively participate in the risk management process, as outlined in individual position descriptions. The Performance Development Process provides for risk management related indicators being reviewed on a quarterly basis.
Actions arising from the treatment action plans for specific risks may be used as performance measures for individual or business performance plans.
[Figure: risk context diagram.]
External Context: Economic conditions; Ratepayer issues; Political conditions; Growth of Shire; Funding; Other agencies; Perception of ratepayers; Reputation; Councillor performance; Contractual; Feasibility; Economic.
Internal Context: Culture; Governance Structure; Staff Structure; Strategies & Policies; Systems; Budget; Skilled resources; Processes; Support services; Compliance; Staff performance; Project Management Skills; Contract Management.
Strategic Risks
These are the risks associated with long-term Council or Department objectives.
Operational Risks
These are the risks associated with the normal business functions and objectives of Council Departments.
Project Risks
These are risks associated with specific projects or undertakings made by Council.
Any project will go through a lifecycle incorporating conception, planning, scoping, contracting, design, construction, testing/commissioning, handover and operation. Project risks exist at every stage, and they need to be identified and managed.
SECTION 3: OBJECTIVES – RISK MANAGEMENT & THE COUNCIL PLAN
Scope of Risk Management objectives
Risk management addresses a very broad range of potential exposure to risks across the entire operations of the Council which include core activities as outlined below:
Council Plan Objectives
Indigo Shire Council’s key strategic document, the Council Plan 2011 - 2014, identifies Council’s commitment to the management of risk. This is evident in the following strategic objectives:-
Objective / Strategy / Action
1.1 Provide Good Governance (p10)
  Strategy: Build a workplace culture that is committed to the Health & Safety of employees and contractors
  Action: Continue to incorporate OH&S policies and procedures into normal business as usual practice via training, education and internal communications.
1.1 Provide Good Governance (p10)
  Strategy: Build a workplace culture that is committed to the Health & Safety of employees and contractors
  Action: Improve our monitoring and evaluation in the OH&S area to ensure we provide a safe and healthy work environment.
2.3 Manage and maintain to a high standard assets critical to our economic prosperity (p15)
  Strategy: Identify critical assets and prioritise actions
  Action: Maintain a prioritised Capital Works Program and ensure it is revised at least annually to check relevant priorities and cost estimates.
3.1 Optimise our financial sustainability (p19)
  Strategy: Identify the challenges, risks and opportunities for financial sustainability
  Action: Formulation of a 10-year financial plan, incorporating long term budgeting, and links to the Council Plan.
3.3 Encourage and facilitate appropriate economic growth and employment opportunities (p20)
  Strategy: Strategic assessment of the existing status and need for wider economic development across the municipality to build and nurture a more resilient Council economy
  Action: Identify business and economic development opportunities and threats that can be addressed by Council.
4.2 Provide a safe environment for our community (p23)
  Strategy: Develop an integrated Community Safety Plan
  Action: Implement the key approved priorities of the Community Safety Plan.
4.2 Provide a safe environment for our community (p23)
  Strategy: Maintain appropriate emergency management capabilities
  Action: Finalise the review and update all Emergency Management policies, plans and procedures.
4.2 Provide a safe environment for our community (p24)
  Strategy: Provide safe facilities
  Action: Strategically implement recommendations from inspections by Council's insurers.
Benchmarking Target (p31)
  Strategy: Traffic Management and Parking
  Action: Seek funding assistance to address deficiencies identified in the Link Road Safety Audit Review 2010.
Benchmarking Target (p34)
  Strategy: Recreational Facilities
  Action: Support Committees of Management and other volunteer community groups through continuation of the Asset and Community Grants Programs and regular forums/information sessions around key issues, e.g. risk management, insurance, sourcing grants.
Linkages to Council Planning and Budgeting Cycles
The Risk Management Strategy raises issues ranging from the highest strategic level of the organisation down to the detailed issues of service delivery and the caretaking of community assets.
The risk program provides an effective and transparent prioritisation tool for decision making when annual financial resource allocations are decided.
January: Mid year Budget Review and commencement of Annual Budgetary process (Qtr 2)
February: Council Plan Review; Risk Management Review; Review of the Risk Register; Potential for new initiatives associated with risk management; Annual Staff Performance Reviews
April: Quarterly Budget Review (Qtr 3); Quarterly Council Plan Review; Annual Budget Review; Commence Annual Business Plan/Council Plan preparation
June: Annual Budget adoption; Annual Business Plan/Council Plan adopted by Council
July: Annual Report preparation; Annual Financial Accounts preparation
August: Annual Report preparation based on end of financial year (Qtr 4); Annual Financial Accounts preparation
September: Annual Financial Accounts to Auditor General; Annual Report including audited Financials lodged with Minister
October: Quarterly Budget Review (Qtr 1); Quarterly Council Plan Review; Quarterly Risk Management Review
November: Annual CMP & JMAPP Insurance Audits
SECTION 4: ROLES AND RESPONSIBILITIES
Role
Successful implementation of risk management requires a consistent and systematic approach at all levels of Council. Councillors, Managers, employees and contractors are responsible for ensuring that risk management is given high priority in both strategic and day-to-day conduct of the Council and its related activities.
Responsibilities
Successful risk management requires the full support and acceptance of management and staff at all levels of Council, applied via a consistent and systematic approach in the day-to-day management of risks. The Council, management, staff and contractors are responsible for ensuring that risk management forms part of the consideration for all major projects, events or activities that are conducted by or on behalf of the Council. This is to ensure the long-term sustainability of the organisation and to continually strengthen our relationships and trust with our stakeholders.
Risk Management responsibilities have been added to all Position Descriptions within the organisation and will be added for all future roles.
As part of the Annual Review process, the General Technical Competencies within each Position Description will be reviewed with the staff member, and they will then be rated against the risk management skills required for their position.
Notwithstanding our whole of organisation approach to risk management responsibility, our Risk Management Framework has specific elements which require defined alignment of roles and responsibilities.
The specific roles associated with the Risk Management Strategy and their interdependencies are identified in Appendix 4.
SECTION 5: RISK MANAGEMENT PLANNING
The Risk Management Strategy acknowledges the limitations of Council resources to deal with risk treatments. However, identification of risks should not be limited by the knowledge that there are insufficient funds to immediately change how we currently manage all of Council’s risks.
This Risk Management Strategy approaches the understanding and identification of risks faced by Council in the broadest context. The approach to be used is to “identify risks with a mindset of abundance, but then manage risks in an environment of scarcity”.
This approach is based on the philosophy that it is better to be aware of risks (even knowing that only the most critical can be dealt with after application of a prioritisation process), than to be ignorant and surprised when a risk event occurs, and then be guilty of negligence.
In order to implement and nurture a true culture of Risk Management within Council, Risk Management will occur at several levels within the organisation, as set out below. These levels are not mutually exclusive but should feed from one level to the other:
Strategic Context
A framework for effective risk management requires integration with the strategic and organisational planning within Council. This Risk Management Framework has been established within the context of the delivery of the Council Plan, Council Strategy and policies. It is essential that the Risk Management processes at all levels in the Council are carried out in the context of these strategic directions and the respective operational plans. Risk management must be carefully planned and managed. This will ensure that the process produces worthwhile results. In order to get the best results from strategic risk management, Council will do the following:
(a) Initiate communication, consultation and participation
(b) Lead by example and empower staff
(c) Develop and improve tools and reporting
(d) Train participants
Operational Context
Risk Management Plans (RMPs) should be used for all major processes, events and activities at the operational level. It is important that all staff understand the need for completing a RMP in order to ensure the best possible chance of success for their processes or activities.
Part of the shift toward a risk management culture within the organisation is for risk management processes to be practiced as outlined in the framework.
Project or Event-based Context
Most business units, at one time or another, may have the need to complete a project or event. It is important to apply risk management processes to these projects or events in the same manner that we do operationally.
However, the main difference between the two is that the risk management tool may not necessarily be completed by a member of staff.
If a contractor is engaged for the provision of a professional service, then the staff member should ensure that, as a minimum standard, one or more of the Risk Management Tools (see Appendix 3) is applied and the results supplied prior to the works commencing. The resulting risk and opportunity management analysis should be closely scrutinised by the Project Team/Manager to ensure that as many as possible of the risks and opportunities have been identified. Any risks rated Significant, High or Extreme, and any opportunities rated Significant, High or Outstanding, should be elevated to the appropriate level of the organisation for a decision to be made as to how they should be managed.
For example:
The Council would like to construct a new Childcare facility. A builder has won the tender for the construction. The Project Manager/Team will request an analysis of the risks on the design of the building be supplied by the builder.
Assessment of risks during the construction phase of the project will then be supplied by the contractor in the form of OHS documentation.
Any RMP that is completed will be supplied to the Manager Governance and Risk and a copy filed immediately in TRIM.
5.1 Strategies for addressing Risk
Risk Treatment (or Risk Response)
Risk treatment involves identifying the most appropriate responses to reducing the risk level to a status acceptable to Council. There are a variety of response options available. Firstly, if the assessed risk level is “insignificant”, no further action may be required. A watching brief should still be maintained to ensure that the status of the risk does not alter.
The principle of effective risk management is a four tiered hierarchical approach to the management of risk that emphasises mitigation of the exposure, i.e. prevention rather than cure.
Management of risk will address the issue in the following priority order:
• Wherever possible, the risk should be eliminated.
• Where elimination is not possible, the risk should be transferred. If the risk is transferred, the external organisation to which it is transferred must hold adequate insurances, and Council must be indemnified and noted as an interested party.
• Where elimination or transfer is not possible, the risk should be reduced by undertaking a hazard analysis and risk assessment and preparing a treatment/control plan. This plan should identify the procedures, processes, policies and systems to be developed in order to reduce the risk.
• As a final resort, Council should ensure that it has adequate insurance and appropriate risk financing options for all risk exposures. Insurance should be the last resort in managing risk exposure in the organisation.
Prioritisation of Human Consequence
The Human consequence area is weighted higher than all other consequence areas at Council. This reflects the greater impact that a Human consequence will have on the organisation.
Sources of Risk
The following categories will be used during a risk assessment to identify potential organisational and business unit risk and opportunities but are not exhaustive:
Source: Leadership and Corporate Governance
  Examples: Change of key leadership personnel, strategic planning, relationships, corporate image, ethical conduct, communication, segregation of responsibilities
Source: People
  Examples: Retention / loss of key personnel, management activities and controls, succession planning, industrial relations, skills training, relationships, communication, ethics, work life balance
Source: Business Continuity
  Examples: Continuity of supply of essential goods or services, records & information management, machinery maintenance & replacement, industrial action, utilities interruption, computer breakdown, contingency planning, emergency management
Source: Business Activity
  Examples: Customer service, customer relationships, marketing & promotion, occupational injury / illness / wellbeing, physical security, property damage or loss / acquisition, environment, resources / assets management
Source: Political
  Examples: Change of government, legislative changes, community expectations, communications
Source: Natural disaster
  Examples: Flood, storms, lightning, fire
Source: Financial
  Examples: Planning & management, insurance, initiatives & new services, fraud
Source: Contractual & legal
  Examples: Contract management, professional liability, public liability, statutory compliance, errors and omissions, commercial & legal relationships
Source: Harmful actions
  Examples: Sabotage, vandalism, terrorism, arson, theft / misappropriation
Potential impact on (third column of the table, spanning the sources above): People; Council's Reputation; Business performance; Finances; Environment.
SECTION 6: RISK MANAGEMENT TOOLS
6.1 Risk Management Actions
Key objectives and associated actions underpinning Councils Risk Management function are detailed below.
[Figure: Risk Management Strategy objectives and actions.]
Objectives:
1. Training, Awareness & Communication
2. Organisational Culture
3. Policies, Procedures & Processes
4. Reporting
5. Compliance & Audits
6. Continual Improvement
Actions under Objective 1 (Training, Awareness & Communication): Staff Training Program; Communication and consultation with staff through Team Meetings; Continue to raise the profile of Risk Management with volunteers and community groups.
Other actions and inputs shown in the diagram (Objectives 2 to 6): Local Government Act; Audit Recommendations; Advent Manager Compliance Software; Best Practice; Learning Outcomes; Legislative and Policy amendments; Improvements from implementation of Audit Recommendations; Sharing experiences and identifying improvement opportunities for the future; Utilising Council's values to guide and influence behaviour and decisions; Lead by example and empower staff; Gap analysis; Roles & Responsibilities; Risk Management Plan; Risk Assessments; Records Management; Insurance coverage; Organisational Risk Register; Audit Results; Audit Committee; Annual Report; Council Plan; I Spy; Indigo Informer; KPIs; CMG.
Indigo Shire Council – Risk Management Strategy TRIM Reference No. INTERNAL12/244 Page 16 of 20
Objective 1 Actions – Training, Awareness & Communication
• Develop a risk management staff training program to be implemented on an ongoing basis and to include:
  - Risk awareness in Corporate and Councillor Induction
  - Specific risk training/education relevant to position, such as training session/s (delivered internally or using an external provider) and attendance/participation in relevant risk forums/networks/workshops
  - Self-paced study through Learning Seat, whether developed internally or externally developed/sourced
  Responsibility: Manager Governance & Risk / Manager Organisational Development. Timeframe: Ongoing.
• Address the Senior Management Group and relevant staff at least annually on risk management issues.
  Responsibility: Manager Governance & Risk. Timeframe: Annually.
• Keep volunteer Committees of Management and Community Groups informed of risk issues. Develop risk management Fact Sheets for Council staff and specific groups (for instance, Special Committees, Volunteers, Sporting Groups and Seasonal Users, Event Organisers) summarising Council's approach to risk management.
  Responsibility: Manager Governance & Risk / Manager Community Planning. Timeframe: Ongoing.
• Include risk management advice in Leases, Licences and volunteer information sheets.
  Responsibility: Manager Governance & Risk / Relevant Managers. Timeframe: Ongoing.
• Inclusion of Risk Management as a discussion item within team meetings.
  Responsibility: All Senior Managers. Timeframe: Ongoing.
Objective 2 Actions – Organisational Culture
• Incorporate the explicit consideration of risk management into business planning and budgeting processes and Council decisions.
  Responsibility: All Senior Managers. Timeframe: Ongoing.
• Include Risk Management as a key entry in all relevant Council Reports and operational documents, in such a way that it adds value to the reporting framework.
  Responsibility: All Senior Managers. Timeframe: Ongoing.
• Facilitate the accurate and timely identification and management of risks with an overall aim to improve Council operations.
  Responsibility: All Senior Managers. Timeframe: Ongoing.
• Utilise Council's values to guide and influence both the behaviour and decisions of those representing the organisation, in particular keeping these values at the forefront when considering the overall objectives of any decision or function.
  Responsibility: Manager Organisational Development / All Senior Managers. Timeframe: Ongoing.
• Facilitate a process that enables identification of improvement opportunities in such a way that unauthorised actions are prevented from reoccurring and enhancements are encouraged.
  Responsibility: Manager Governance & Risk / Manager Organisational Development.
Objective 3 Actions – Policies, Procedures & Processes | Responsibility | Timeframe
Undertake gap analysis of documented procedures for each department. | Manager Governance & Risk | December 2012
Develop schedule for development of written departmental procedures. | Corporate Services Co-ordinator | March 2013
Undertake review of how risk management obligations are met within Council’s contractor management practices. | Manager Governance & Risk/Manager Organisational Development/OH&S Officer | June 2013
Develop a procedure that links the risk management roles and responsibilities with performance evaluation to ensure that inconsistencies and unauthorised actions are appropriately addressed. | Manager Organisational Development | January 2013
Development of Risk Management Plans | Manager Governance & Risk/All Senior Managers | December 2012
(1) As part of any project evaluation, a Risk Management Assessment and business analysis are to be undertaken before a final decision is made on the project scope, including any tender that may be required. (2) Include the requirement of a Risk Management Plan and Business Analysis in tender documentation for projects, contractors, architects and any other external body for works that they are responsible for. (3) Ensure all projects undergo a risk assessment before commencement of the works and that the risk treatment plan provides the project manager with a tool to continuously monitor project improvement through the implementation of the plan. Issues and risks identified through the course of the project must be assessed. | Manager Governance & Risk/Manager Project Delivery | June 2012
Post gap analysis, develop procedure and/or tools for investigation of incidents (other than those related to staff OHS incidents, which are handled separately). | Manager Project Delivery/Manager Governance & Risk | December 2012
Ensure that all procedures include steps for the capture of key records, in line with the Records Management Compliance operational framework. | Manager Governance & Risk/Corporate Services Co-ordinator | Annually
Monitor agreements, leases and contracts with third parties, ensuring that they have appropriate indemnity and insurance clauses in place to reduce Council’s liability. | Manager Governance & Risk/Corporate Services Co-ordinator | Ongoing
At the commencement of significant planned activity, a coordinated and cross-functional approach is taken to ensure that any risks that affect the activity are identified and addressed. | All Senior Managers | Commencement of activity
Development of the Business Continuity Plan includes consideration of Council’s Risk Management Strategy. | Manager Organisational Development | December 2012
Indigo Shire Council – Risk Management Strategy TRIM Reference No. INTERNAL12/244 Page 18 of 20
Refine the Organisational Risk Register so that strategic, operational and project risks are categorised. | Manager Governance & Risk | February 2013
Objective 4 Actions – Reporting | Responsibility | Timeframe
Report to the Senior Management Group and relevant key members of staff on risk management issues identified in the CMP Public Liability and Professional Liability Audit Report and the JMAPP Property Risk Management Audit. | Manager Governance & Risk | At least annually
Inclusion of risk management status updates within Council’s Annual Report and Council Plan. | Manager Governance & Risk | Annually
Use both the internal “ISpy” and external Indigo Informer newsletters to provide risk management status and initiatives updates throughout the year. | Manager Governance & Risk | Quarterly
Attendance at team meetings by the Manager Governance & Risk and/or OH&S Officer as/when required. This may be to discuss specific risk issues, or when the department’s Risk Register is being reviewed. | Manager Governance & Risk and/or OH&S Officer | As and when required
Key Performance Indicators will be developed for the Risk Management program, and measures against these used to focus on necessary improvements and/or to recognise good performance and progress. | Manager Organisational Development |
Attendance at CMG meetings to provide progress report on risk issues. | Manager Governance & Risk | Monthly
Reporting to the Audit Committee and Council on risk related issues, including those from the Risk Register, which will provide indications of system effectiveness in reducing the organisation’s risk profile over time and identify any problems or inconsistency across the organisation. | Manager Governance & Risk | Quarterly
Objective 5 Actions – Compliance & Audits | Responsibility | Timeframe
Communicate with the various Business Units to ensure that they are fully aware of the audit recommendations pertinent to their area(s) of operation. | Manager Governance & Risk/relevant Senior Managers | At least annually
Where audit recommendations cannot be addressed, prepare a draft report for CMG for review, and a final report for auditors (for next audit), detailing reason(s). | Manager Governance & Risk | Quarterly
Review and monitor Council’s risk management audits and performance measures, as well as each department’s compliance with Council’s Risk Management Policy. | Manager Governance & Risk | Ongoing
Full implementation of Council’s Advent Manager Compliance Software to ensure compliance with various obligations. | Manager Governance & Risk | December 2012
Objective 6 Actions – Continual Improvement | Responsibility | Timeframe
Arrange an independent review of Council’s insurance policies. | Manager Governance & Risk | 30 June 2013
Develop process for sharing outcomes of significant incident analyses with relevant personnel. This formal process would allow Council staff to investigate the actual cause of a given incident as well as identify any contributing factors, effectively reducing the likelihood of repeat incidents. | Manager Governance & Risk and/or OH&S Officer |
Keep abreast of industry best practice, and continually strive to improve Council’s management of risk by including findings and recommendations within Council’s risk management communications (including the risk management function’s report to Senior Management, Audit Committee & OH&S Committee where relevant). | Manager Governance & Risk and/or OH&S Officer | Ongoing
The ongoing identification of new and altered risks by: the quarterly inclusion of Risk Management as a discussion item in team/department/management meetings; reviewing external resources (such as insurance advice, court decisions, and legislation changes); considering the results of internal audits and assessments, claims investigations, and incident analysis; and confirmation of reporting mechanisms for employees to raise risk management issues to management. | Communication by Manager Governance & Risk and/or OH&S Officer |
Appendices
1. Definitions
All definitions have been taken from the AS/NZS ISO 31000 Risk Management Principles and Guidelines (International Standard). For a full list of definitions, please refer to the ISO Guide 73: Risk Management – Vocabulary document.
Terminology | Definition
Enterprise Risk Management | Includes the methods and processes used by organisations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management which typically involves identifying particular events or circumstances relevant to the organisation’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
Risk | The effect of uncertainty on objectives.
Risk Treatment (Response Strategy) | The process of developing, selecting and implementing controls. Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk; removing the source of the risk; changing the nature and magnitude of likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by choice. Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, risk reduction, risk repression and risk correction.
Risk Controls | The measure to modify risk. Controls are the result of risk treatment. Controls include any process, policy, device, practice, or other actions designed to modify risk.
Risk Appetite | The amount and type of risk an organisation is prepared to pursue or take. This is usually defined either as a formal statement or within the parameters of your Risk Appetite Table (Consequences and Likelihood Matrix).
Risk Tolerance | The organisation’s readiness to bear the risk after risk treatments in order to achieve its objectives.
Risk Register | A record of information about identified risks.
Strategic Risk | The effect of uncertainty on the strategic objectives of Council as outlined in the Council Plan.
Indigo Shire Council – Risk Management Strategy – TRIM Reference - INTERNAL12/660 Page 2 of 10
2. Risk Management Process
The Risk Management process is the “how to” element of the Risk Management Framework and is defined in the Australian / New Zealand Risk Management ISO Standard as “the systematic application of management policies, procedures and practices to the task of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk”.
The process includes the following elements:
• Communication & Consultation
• Establishing the Context
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Monitor and Review
This process will be applied consistently across Council for all risk management activities, whether they relate to strategic or business planning, policy / process development and review, or project implementation.
In each case, the risk assessment will focus on the specific objectives of the subject of the assessment.
Risk Management Process (flowchart)
Establish the context
• The internal context
• The external context
• The organisational context
• The Risk Management context
• Develop criteria
• Define the structure
Identify Risks
• What can happen?
• When and where?
• How and why?
Determine likelihood
Determine consequences
Identify existing controls
Determine risk level
Evaluate Risks
• Compare against criteria
• Set risk priorities
Accept Risk (Yes / No)
Treat Risks
• Identify treatment options
• Evaluate treatment options
• Select treatment options
• Prepare and implement treatment plans
• Analyse and evaluate residual risk
Running alongside every step of the process: Communicate and Consult; Document, Monitor and Review.
RISK CATEGORIES
Each Risk may have an impact on one or several aspects, or Categories, of Council’s operation. For each identified Risk, consideration must be given to the impact on the following Categories.
Category | Type
Strategic | Council Policy; Council Plan; Town Planning; Ownership / Title; Political
Compliance (Laws/Acts/Local Laws/Contracts) | Priority; Legal; Best Value; Business Continuity
Financial | Current Budget; Future Budget; Recurrent Costs; Loans
Operational | Available Skills and Resources; Maintenance Responsibility and Costs; Design and Construction; Liability and Insurance; Contract Management; Priority; Security; Procedures and Systems; Audit
Environmental | Sustainability; Pollution; EPA Compliance; Native Vegetation; Habitat Monitoring
Community | Public Health and Safety; Public Relations; Perception
4. Roles and Responsibilities
Role | Responsibility
Council
• Adopt a Risk Management Policy that complies with the requirements of AS/NZS ISO 31000:2009, and review and amend the Policy in a timely manner and/or as required.
• Adopt the Risk Management Framework for the Indigo Shire Council.
• Be satisfied that risks are identified, managed & controlled appropriately to achieve Council’s Strategic Objectives.
• Appoint and resource the Audit Committee.
• Provide adequate budgetary provision for the financing of risk management, including approved risk mitigation activities.
• Review Council’s risk appetite.
Audit Committee
• Review adequacy and effectiveness of the Risk Management Framework.
• Review risk management policies, procedures and guidelines.
• Review and approve allocation of audit resources in conjunction with the Indigo Shire Council’s Risk Profile.
• Receive reports regarding identified risks/mitigation and their effectiveness from Risk Management and Audit.
• Monitor changes to the Indigo Shire Council’s risk profile and highlight material changes to Council.
• Develop and maintain the Indigo Shire Council’s Fraud Prevention Policy.
• Undertake a risk assessment of the Fraud and Corruption risks in relation to Council’s operation.
• Facilitate mitigation of the risks associated with Fraud and Corruption within Council.
• Ensure investigation of incidents related to Fraud or Corruption within Council.
• Review risk management strategies.
• Monitor performance of implementing action plans arising from risk assessments, including the risk assessments undertaken by the internal audit.
Audit
• Evaluate the use and effectiveness of key response plans identified through the risk management process.
• Review the implementation and effectiveness of the Risk Management Framework.
• Ensure the audit plan takes into consideration identified strategic risks and associated response activities.
• Report to Senior Management Group and Audit Committee.
• Evaluate effectiveness of internal controls structure & financial reporting.
Chief Executive Officer
• Promote the effective management of risk across the Council’s operations.
• Ensure that Councillors are aware of risk management objectives.
• Has ultimate responsibility for managing risk across the Council.
• Responsible for the recognition and adoption of risk management as a key function of Council, and to ensure the inclusion of risk management as a priority within Council’s Strategic and Operational Plans, Annual Report, and other appropriate Council documentation.
maintenance of sound risk management practice and processes for strategic and operational risks, to reduce or prevent the adverse effects of risk.
• Demonstrating a commitment to risk management for and by all staff.
• Ensuring resources are appropriately allocated throughout the organisation to meet Council’s risk management requirements.
• Report to the Audit Committee on fraud and corruption incidents, actions taken, risks and mitigation activities.
• Monitor, appraise and guide the risk & opportunity management performance of General Managers through the Performance Agreement and Annual Review processes.
Senior Management Group
• Ensure that all staff are fully conversant with, and understand, the role of risk management within Council operations.
• Ensure that there is adequate protection of Council’s operations and assets from risk on an ongoing basis, considering appropriate budgeting, implementation of safety procedures, and loss-control programs.
• Supervise contractors to ensure that risk management policies and procedures are applied.
• In conjunction with the Risk Management Coordinator and/or the OH&S Officer, ensure that a safe and healthy workplace environment is provided and that appropriate safe work practices and control measures are implemented and maintained.
• Ensure that liability risks to the community within the Shire boundaries are effectively managed.
• Support and encourage a risk aware culture within Indigo Shire Council by endorsement and promotion of Council’s Risk Management Framework.
• Use the outcomes of the Strategic Risk Assessment to set priorities in the Strategic / Business Planning Process.
• Provide an environment to enable implementation of risk management response plans on a prioritised basis.
• Ensure that all identified risks for which they are individually responsible are appropriately managed in accordance with the guidelines, processes and tools contained in the Risk Management Framework.
• Be satisfied that all risks are appropriately identified, managed and controlled by each responsible risk owner.
• Acceptance by the Corporate Management Group and Departmental Managers of their leadership role in Risk Management and a commitment to supporting the identified priorities with appropriate resources.
• Where resources are limited, an implementation plan should be developed to ensure continuous progress towards the best outcomes.
• A commitment to the monitoring of staff progress on their assigned accountabilities for Risk Management activities.
• The level of commitment given to risk management by management will greatly influence the commitment given to risk management by staff.
• Actively contribute to the analysis of all significant incidents within jurisdiction.
• Undertake risk & opportunity assessments for all proposed projects in consultation with relevant stakeholders prior to the projects proceeding.
• Understand the principles of risk and opportunity management and their application to all aspects of Council activity.
• Ensure new team members’ inductions include all relevant policies and processes.
• Actively contribute to the analysis of significant incidents within the scope of the position.
• Undertake risk & opportunity assessments for all proposed projects in consultation with relevant stakeholders.
Risk Manager
• Promote the implementation of risk management strategies and programs designed to mitigate risks and potential losses to the Shire.
• Facilitate risk management programs with all Business Units within the Council.
• Facilitate the establishment and maintenance of the risk register, and provide regular reports on the risk register and the status of Council’s risk management to the Corporate Management Team, Risk Management Committee and Audit Committee.
• Develop and facilitate the maintenance of an appropriate Risk Register.
• Provide training and advice on risk management principles and processes.
• Manage the Shire’s insurance portfolio and claims procedures.
• Conduct internal audits in line with Public Liability, Property and Fidelity insurance audits to ensure a high level of compliance is maintained.
• Develop and review risk management policies and procedures as required.
• Develop, maintain and implement Council’s Risk Management Framework.
• Align the Risk Management Framework with the overall Corporate Strategy.
• Define and maintain roles and responsibilities for risk management.
• Report to the Senior Management Team and Audit Committee on the Council’s risk profile and the status of the implementation of the Risk Management Strategy.
• Based on priorities determined by the Senior Management Team, facilitate identification and assessment of risks to functions, business units and project teams, and facilitate the establishment of appropriate response action plans.
• Develop and maintain an insurance portfolio to satisfy the requirements of the identified insurable risk categories.
• In conjunction with the Manager OH&S and the Manager Operations, implement risk response / mitigation to identified 3rd Party risks.
• Organise training and awareness opportunities to provide all levels of staff with the relevant skills and knowledge required for managing risk at their level of responsibility.
• Ensure communication and awareness mechanisms are regularly utilised for the continual reinforcement to staff of the importance of risk management.
• Maintain Council’s risk management policies, procedures, documentation and templates as required to support the implementation and continuation of Council’s risk management framework.
• Promote implementation of risk management strategies and programs designed to minimise risks and potential losses to the Shire.
• Responsible for the implementation of the Risk Management Policy.
• Provide assistance and support for all risk management processes.
Organisational Development Manager
• Ensure integration of Risk & Opportunity Management with organisational processes.
• Maintain and review the Council’s Business Continuity Plan.
Project Manager
• Ensure that the Council’s Risk Management Framework is applied to the projects within their area of responsibility.
• Where the project is considered to materially influence the achievement of Council’s Corporate Objectives, ensure that a project risk assessment is undertaken and provided to the Manager Governance and Risk.
• In conjunction with the Manager Governance and Risk, undertake risk assessments related to 3rd party liability risk and implement prioritised mitigation strategies.
Staff with Site Management responsibilities
• Report and analyse incidents, damage and hazards occurring at the site.
• In conjunction with the Manager Governance and Risk and OH&S Officer, develop and manage a contingency plan for the site.
• Encourage the public to respect Council property.
• Ensure appropriate processes are in place to secure all buildings and assets.
Engineers
• Undertake risk assessments for all proposed projects in consultation with the relevant stakeholders.
• Ensure design and construction includes agreed features to minimise future risk.
Manager Assets, Manager Civil Operations, Superintendent of Works, Engineering Technical Officer – Assets, Project Engineer
• Develop and implement proactive and reactive inspection programs for Council assets within the scope of the Position Description.
Youth Development Officer, Tourism Department, Community Strengthening, Arts and Culture
• Undertake risk assessments for all proposed events in consultation with the relevant stakeholders.
• Ensure implementation includes agreed features to minimise future risk whilst allowing the organisation to take advantage of opportunities as they arise.
OH&S Officer
• Develop & facilitate implementation of a Safety Management System throughout the Indigo Shire Council.
• Ensure that the Safety Management System is based on risk management standards and is consistent with the Indigo Shire Council Risk Management Framework.
• Report to Corporate Management Group on effectiveness of the Safety Management System.
• Assist Manager Governance and Risk and Manager Operations in relation to safety related 3rd party risk assessments.
OH&S Officer and Human Resources Officer
• Organise and liaise with the Indigo Shire Council’s Workcover Insurer and coordinate claims management.
Individual Employees & Contractors
• Identify and assess risks associated with personal tasks and activities.
• Ensure personal compliance with risk management policies and procedures in performance of duties / activities.
• Ensure that any hazards identified are escalated to the relevant Line Manager.
• Perform duties in a manner that is within an acceptable level of risk to their health and safety, and that of other employees and the community.
• Comply with quality assurance procedures where applicable.
• Make loss control and prevention a priority when undertaking tasks.
• Report any hazard or incidents as detected to their Manager or the Shire Responsible Officer (for contractors).
• Be aware of the risk management philosophy and processes of Council.
• Understand and observe the Risk Opportunity Policy, Procedural Guidelines and related procedures.
• Personal responsibility for sound operational risk management practices within the work environment commensurate with their position.
• Undertake risk & opportunity assessments for all proposed projects in consultation with the relevant Manager or General Manager.
Committee members
• Understand and observe appropriate risk management processes.
• Undertake risk assessments for all proposed projects in consultation with the Manager Governance and Risk, relevant Manager or General Manager.
Volunteers
• Understand and observe the appropriate risk management processes.
• Personal responsibility for sound operational risk management practices within the work environment commensurate with their role.
• Participate in risk assessments for all proposed projects in consultation with the Manager Governance and Risk, relevant Manager or General Manager where practicable.
5. Relevant Council documentation
• Organisational Risk Register
• Risk Management Policy
• Risk Assessment Template
• Hazard, Incident and Injury Reporting Flowchart
• Hazard, Incident and Injury Procedure
• Hazard, Incident and Injury Report Form
• Incident Investigation Procedure
• Incident Investigation Form