
Compliance and Risk Management Framework

Version 1, October 2020

Compliance and Risk Management Framework

This Framework relates to: Risk Management Policy Document No: 6154088

Framework applies: All sites

Target audience: All Staff

Description: The Compliance and Risk Management Framework is designed to assist Councillors, employees and contractors of Logan City Council (Council) to achieve our strategic and operational goals and objectives with respect to Compliance and Risk Management. This framework articulates the requirement for Council to establish risk management practices in accordance with ISO 31000:2018 and AS/NZS 19600:2015.

Subject: Compliance and Risk Management

Keywords: Current Risk, Frequency, Hazard, Initial Risk Rating, Loss, Probability, Risk, Risk Analysis, Risk assessment, Risk identification, Risk evaluation, Compliance, Breach, Noncompliance

Related Legislation (including OHS legislation), Australian Standards, QLD Policy or Circular, other Documents, Professional Guidelines, Codes of Practice or Ethics:

ISO 31000:2018, Risk Management Guidelines

AS/ISO 19600:2015 Compliance Management Guidelines

Doc ID No: 5979417 Code of Conduct for Staff

Doc ID No: 5992416 - Workplace and Safety

Doc ID No: 13324550 – Audit and Risk Committee Policy

Work Health and Safety Act 2011

Work Health and Safety Regulations 2011

Local Government Act 2009

Local Government Regulation 2012

Child Protection Act 1999

Privacy Act 1988 (Cth)

Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth)

Environmental Protection Act 1994

Business Continuity Institute Good Practice Guidelines 2018

Other state and federal legislation as applicable

Director responsible for Framework: Director, Organisational Services

Manager for Framework implementation: Administration and Corporate Governance Managers

Framework Contact Person: Corporate Governance Manager

Framework Review Due Date: 2 years from date of adoption or date of last review.

Document Control

File: 1186813-1

Document Id: 14119488

Version Number: 1.0
Description of Change: Creation
Author / Branch: Corporate Governance
Date: October 2020

DM 14119488 Compliance and Risk Management Framework Page 2

Table of Contents

1 INTRODUCTION
1.1 Structure of this Framework
2 OBJECTIVES
3 ROLES AND RESPONSIBILITIES
3.1 Council
3.2 Audit and Risk Committee
3.3 Chief Executive Officer
3.4 Executive Leadership Team
3.5 Administration and Corporate Governance Managers
3.6 Managers
3.7 Employees and Contractors
4 COMMUNICATION
4.1 Internal stakeholders
4.2 External stakeholders
4.3 Reporting
4.4 Management Review
5 RISK MANAGEMENT
5.1 Architecture of the risk management framework
5.2 Overall process
5.3 Risk Rating
5.4 Risk escalation
5.5 Risk treatment
5.6 Accountability
5.7 Integration into organisational processes
5.8 Resources
5.9 Reporting
5.10 Monitoring and review of the framework
6 COMPLIANCE MANAGEMENT
6.1 Compliance Register
6.2 Legislative Changes
6.3 Compliance Breach Management
6.4 Reporting to the Audit and Risk Committee and ELT
6.5 Key Performance Indicators
6.6 Compliance audits
6.7 Change Management
APPENDIX 1: RISK TREATMENT PLAN TEMPLATE
APPENDIX 2: NOTIFIABLE BREACH REQUIREMENTS
APPENDIX 3: RISK TOOLS

1 Introduction

The function of this Compliance and Risk Management Framework (CRMF) is to provide Logan City Council (LCC) Councillors, employees and contractors with guidance on how to apply consistent and comprehensive risk management and how to manage Council’s compliance obligations. This document supports Council’s Risk Management and Compliance Policies.

It identifies key activities needed for an effective risk management approach and provides information on how to identify, analyse, assess and treat risks. The risk management process contained in this framework aligns with ISO 31000:2018 Risk Management Guidelines.

The Compliance elements of this framework outline Council’s approach to managing its compliance obligations in accordance with the requirements of AS/ISO 19600:2015 Compliance Management Systems.

1.1 Structure of this Framework

This CRMF recognises the common features and requirements of risk management and compliance in supporting good governance. Accordingly, this document uses a common approach to risk and compliance in most areas, apart from Section 5 Risk Management and Section 6 Compliance Management, which address risk and compliance separately.

2 Objectives

Compliance and Risk Management are the responsibility of all Councillors, employees and contractors, with specific risk responsibilities being allocated to different groups and levels within the organisation.

Compliance and Risk Management will support Council in being able to meet our values and deliver upon our objectives, via a consistent and comprehensive process. It will:

Increase the likelihood of us achieving our strategic and business objectives;

Encourage a high standard of integrity and accountability at all levels of the organisation;

Support more effective decision making through better understanding of risk exposures;

Create an environment that enables us to deliver timely services and meet performance objectives in an efficient and cost effective manner;

Safeguard our assets – human, property and reputation; and

Meet compliance and governance requirements.

In adopting a CRMF, Council has the following objectives:

Provide a consistent, systematic approach to the early identification and management of risks within an acceptable level;

Make available accurate and concise risk information that informs decision making, including business direction;

Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level;

Monitor and review risk and compliance levels to ensure that risk exposure remains acceptable; and

Ensure that the required compliance is maintained and is able to be demonstrated.

3 Roles and Responsibilities

Set out below is Council’s Compliance and Risk Management structure. This illustrates that compliance and risk management are not the sole responsibility of one individual but are supported at all levels in the organisation.

Council
Compliance: Provides strategic oversight and review; approves Policy.
Risk Management: Provides strategic oversight and review; approves Policy.

Audit and Risk Committee
Compliance: Monitors and reviews Council on the standard of its compliance and corporate governance.
Risk Management: Reviews risk management performance; endorses risk management strategy.

CEO
Compliance: Drives compliance culture and is responsible to Council for the management of compliance obligations.
Risk Management: Drives risk management culture and is responsible to Council for the management of risk.

Directors
Compliance: Responsible to the CEO for the compliance obligations within their directorate. Leading by example and demonstrating their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to the CEO for the risk management within their directorate. Demonstrate support for the risk management culture. Identify, assess and manage risks.

Managers
Compliance: Responsible to their Director for the compliance obligations within their branch. Leading by example and demonstrating their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to their Director for the risk management within their branch. Demonstrate support for the risk management culture. Identify, assess and manage risks relevant to their Branch.

Program Leaders
Compliance: Identify and manage operational level compliance obligations.
Risk Management: Identify, assess and manage operational risks relevant to their Program.

Staff
Compliance: Conscientiously seek to comply with relevant obligations in the course of their duties.
Risk Management: Ensure risks are being identified, assessed and controlled.

Table 3-1: Compliance and Risk Management Responsibilities

3.1 Council

Council is accountable for compliance and risk management, which includes providing direction and support on the CRMF. Council reviews, amends and approves the CRMF biennially. Council has delegated responsibility for the CRMF to the Chief Executive Officer (CEO). This is to ensure a robust CRMF and effective compliance and risk management processes are maintained. Delegated components include appropriate policies, procedures and systems which meet the requirements of International Standards ISO 31000:2018 and ISO 19600:2015.

The following activities are undertaken as Council responsibilities:

Establishing Compliance and Risk Management Policies;

Ensuring that risks are adequately considered when setting Council’s objectives;

Understanding the risks facing the organisation in pursuit of its objectives;

Ensuring that adequate systems and controls are in place and operating to manage compliance and risks (this will be achieved through ongoing review of the CRMF system and documented controls, including an annual review);

Monitoring the effectiveness of those systems and controls;

Reviewing, assessing and approving the level of risk appetite and tolerance;

Monitoring compliance with legal and regulatory duties and obligations, e.g. via a Compliance Register and regular audits, as well as other relevant best practice standards;

Ensuring maintenance of an effective framework of compliance, risk management and internal controls through oversight and recommendations; and

Ensuring adequate resourcing is available to reduce risk and address identified risks.

3.2 Audit and Risk Committee

The Audit and Risk Committee is an advisory committee of the Council which provides advice in respect to:

Monitoring and reviewing Council’s compliance with its obligation to establish and maintain an internal control structure and systems of risk management;

Monitoring and reviewing of the establishment and implementation of CRMF;

Advising Council on matters of compliance and risk management;

Ensuring that adequate procedures are in place to effectively communicate information about risks and their management; and

Reviewing the effectiveness of the CRMF in identifying and managing risks and controlling internal processes.

3.3 Chief Executive Officer

The Chief Executive Officer has accountability for managing Council’s compliance and risk, and for implementing the CRMF by ensuring the following:

Adequate resources are allocated to maintain an effective CRMF;

Regular reviews of the CRMF are undertaken to ensure risk management systems are adequate and fit for purpose;

Leadership and commitment to the management of compliance and risk at Council is demonstrated; and

Appropriate and timely remedial action is taken in response to risk issues and events.


3.4 Executive Leadership Team

The management of compliance and risk is an integral part of Council’s operations and not an add-on activity. The role of Executive Leadership Team (ELT) members includes:

Implement and maintain the CRMF;

Foster an environment in which adopting effective compliance and risk management is encouraged;

Build and maintain a proactive compliance and risk management culture within Council;

Design, operate and monitor a system of internal controls appropriate for the needs of Council, its directorates and functions;

Assign and embed control and compliance responsibilities;

Be responsible for identification of material risks (strategic), risk assessment, risk controls and determining the consequence and likelihood of residual risks; (N.B. To assist with this process Council has developed risk registers to capture information relating to risks, their consequences and controls);

Maintain an adequate system of risk management which assists in mitigating risks, ensures early detection of risk management issues and ensures that corrective action is taken; and

Take prompt action to mitigate risk exposure.

3.5 Administration and Corporate Governance Managers

The Administration and Corporate Governance Managers will be responsible for the administration of the risk and compliance management systems and provide advice to others for undertaking the following administrative matters in relation to the CRMF:

Ensure the CRMF remains appropriate for Council by updating as necessary;

Arrange for risk and compliance management training, as required;

Manage risk registers to ensure that they are updated by Managers, as per this CRMF;

Report to the Executive Leadership Team and the Audit and Risk Committee on compliance and risk management; and

Arrange annual risk workshops.

3.6 Managers

All Council Managers will be required to:

Promote and actively lead a culture of compliance and risk management within the workforce;

Ensure risks are identified, assessed and controlled in accordance with the CRMF;

Actively monitor and report on risk mitigation for identified risks and new risk exposures;

Comply with the CRMF; and

Lead or participate in risk assessments as required.


3.7 Employees and Contractors

All Council employees and relevant Contractors will be required to:

Actively identify, assess, monitor and report on new risk exposures and risk mitigation for identified risks;

Comply with the CRMF;

Be aware of their compliance and risk management responsibilities under this framework to assist Council in achieving desired outcomes; and

Participate in risk assessments as required.

4 Communication

Council has a wide range of internal and external stakeholders whose requirements need to be taken into account during the compliance and risk management processes, and to whom the results of those processes should be reported.

The main objectives of the communication and stakeholder engagement processes are to:

Ensure that the interests of stakeholders are understood and considered;

Ensure the stakeholders participate appropriately in the risk identification and rating process;

Ensure that different views are appropriately considered when evaluating risks; and

Ensure agreement with and support for the compliance and risk mitigation and management processes which are to be implemented.

4.1 Internal stakeholders

Internal stakeholders include the following:

Council (elected members);

Audit and Risk Committee;

Wholly owned subsidiaries (Invest Logan, Mayors Charity Trust);

Staff; and

Contractors.

Internal stakeholders have a need for effective, consistent compliance and risk management processes to assist them in their day-to-day operations, as well as to guide Council itself in the more significant strategic decision making processes.

Sections 5 Risk Management and 6 Compliance Management of this document detail their involvement in each of the processes.

4.2 External stakeholders

Council has a wide variety of external stakeholders including:

The Logan Community;

Community groups supported by Council;

Government agencies (State and Federal);

Regulators (State and Federal);

Developers; and

Contractors.

External stakeholders, being a diverse group, have widely varied input into the compliance and risk management processes. All stakeholders, though, would seek confidence that the compliance and risk management processes result in good governance practices being adopted by Council.

4.3 Reporting

Reporting is discussed in Sections 5 Risk Management and 6 Compliance Management of this document.

4.4 Management Review

The Executive Leadership Team shall review the Compliance and Risk Management Framework biennially to ensure its continuing suitability, adequacy and effectiveness, including:

consideration of previous actions;

policy;

objectives;

resourcing;

changes;

performance measures;

non-conformance;

audit results; and

stakeholder feedback.

Outputs of management reviews include:

recommendations on policies;

objectives;

structures;

personnel;


changes to processes;

areas to be monitored;

corrective action to non-conformance;

gaps in systems; and

recognition of exemplary behaviour.


5 Risk Management

The success of risk management at Council depends on the CRMF providing the foundations and arrangements that will embed the framework throughout the organisation. The framework assists in managing risks effectively through the application of the risk management process (see Section 5.1) at varying levels within the organisation. The framework ensures that information concerning risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant levels.

5.1 Architecture of the risk management framework

Council’s risk management system comprises two levels of risk registers – strategic and operational. Each considers risks in relation to the objectives of its own organisational context. Compliance related risks are included within each level of risk register. This is illustrated in the figure titled Architecture of the risk management framework.

The Strategic Risk Register considers long term risks impacting on Council as a whole. The Strategic Risk Register is presented to the Executive Leadership Team and Audit and Risk Committee at least every quarter;

The Operational Risk Registers consider the risks associated with the day to day operational matters and generally those contained within a one year time horizon; and

Project Risk registers are developed per project as required to monitor and manage project related risks.

Risks may pass from one register to another via the escalation process which is detailed in Section 5.3.

Within Council there are other risk management practices in use. These relate to:

the assessment of Work Health and Safety (WHS) risks;

Individual risks within WHS or Project Risk Registers should be managed within their own risk systems; however, where multiple recurrences arise (which may indicate a systemic issue, or an issue of high organisational importance), these should be identified as a single risk in the Operational System, as detailed in Section 5.3.

5.2 Overall process

The process of how a risk progresses from identification through treatment and recording to Council notification is illustrated in Figure 5-1.

[Figure 5-1: Risk management process (flowchart). Boxes, in order: Matter raised as a risk; Is it a risk? (No: Normal admin. procedures; Yes: Manage at Operational Level); Risk rated at Operational Level High / Extreme; Should risk be included at the Strategic Level? (No / Yes: Manage at Strategic Level); High / Extreme; Advise Council.]

Figure 5-1: Risk management process

5.3 Risk Rating

The Risk Tools in Appendix 3: Risk Tools define the criteria to evaluate the significance of risk at Council.

Once risks have been identified, clearly defined and documented they must be rated to understand the implications of each risk and which ones need to become the focus of the risk management process. It is important to first assess the most credible level of consequence (not the worst case) and then determine the likelihood that the event will occur at that level of consequence. These should be considered in relation to the controls that are in place and their current effectiveness. As an example, the risk of asset failure from lack of maintenance should be assessed given the conditions and controls currently in place in Council with its asset management procedures and inspections, rather than in isolation with no controls.

5.4 Risk escalation

Where risks are rated on the Branch or Directorate Operational Risk Register as “high” or “extreme”, they should be elevated to the Strategic Risk Register for consideration by ELT. The ELT should consider if the risk is of sufficient significance at the strategic level to warrant inclusion in that risk register and if it is, then accept it, rate it against the objectives at the strategic level and then allocate it to a member of the ELT for mitigation, as necessary. Alternatively, the Operational group should be informed that they are to deal with the risk at their own level. As risks are mitigated, they may be “passed back” to the operational management level for routine management.

Where risks have been assessed as high or extreme at the Strategic level, the Chief Executive Officer shall notify Council.

5.5 Risk treatment

5.5.1 Preparing and implementing risk treatment plans

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:

Those who are accountable for approving the plan and those responsible for implementing the plan;

Proposed actions;

Resource requirements including contingencies;

Performance measures and constraints;

Reporting and monitoring requirements; and

Timing and schedule.

Treatment plans should be integrated with the management processes of Council and discussed with appropriate stakeholders. Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. A template for Risk Treatment Plans is included in Appendix 1: Risk Treatment Plan Template.

5.6 Accountability

Council ensures that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls by:

Allocating risk owners who have the accountability and authority to manage risks;

Including responsibility for risk management at all levels in the organisation, ensuring that Councillors, employees and contractors understand their responsibility for risk management; and

Establishing performance measurement and external and/or internal reporting and escalation processes.


5.7 Integration into organisational processes

Risk management is embedded in all of Council’s practices and processes. The risk management process is part of, and not separate from, those organisational processes. In particular, risk management is embedded within framework development, business and strategic planning and review, and change management.

Council requires that employees assess risk in accordance with Council’s risk management approach.

5.8 Resources

Council has allocated the following resources to risk management:

Audit and Risk Committee;

Chief Executive Officer;

Directors;

Managers;

Staff;

Budgets to facilitate risk assessment and management processes, including the development of the CRMF; and

Budgets to facilitate risk and compliance management training and ongoing improvements to risk management within Council.

5.9 Reporting

Reporting on risk will occur on a quarterly basis, other than where projects require more regular reporting on their specific project risk registers:

Project Managers will report to Branch Managers on specific project risk registers;

Branch Managers will report to Directors on their branch risk register;

Directors will report to ELT on their directorate risk register; and

ELT will report on the strategic risk register to Council via the Audit and Risk Committee.

5.10 Monitoring and review of the framework

In order to ensure that risk and compliance management is effective and continues to support organisational performance, Council will:

Measure and evaluate risk management performance against indicators, which are annually reviewed for appropriateness;

Biennially review whether the CRMF is still appropriate and suitable to support achieving the objectives of the organisation;

Annually report on risk and how well the CRMF is being followed; and

Annually review the effectiveness of the CRMF.


6 Compliance Management

6.1 Compliance Register

Council has developed a Compliance Register identifying areas of compliance and allocating responsibility:

The register provides all Councillors, employees and contractors with an awareness and understanding of the legislation that is relevant to their functions; and

It allocates accountability with regards to legislative compliance.

The Compliance Register contains the following information:

Name of the Act;

Corresponding Regulation;

The purpose of the Act;

Relevance to Council with reference to specific sections;

Corresponding Council policies, plans and publications, including plans that may be needed to ensure proper compliance to specific instruments;

Directorate(s) and Branch(es) impacted by the Act; and

The relevant Manager responsible for overseeing the compliance of the Act.

Corresponding Council policies, plans and publications shall be reviewed by the responsible Manager to demonstrate that Council is meeting its obligations.

6.2 Legislative Changes

The requirements for managing Legislative changes shall be documented in a procedure that sets out the required processes and responsibilities for:

Receipt of change alert or equivalent;

Initial recording of legislative amendment in the Legislative register;

Assessment of the impact on Council;

Allocation of designated lead to coordinate further actions;

Update to policies / procedures / other documentation;

Development of required communication for change;

Release and distribution of communication; and

Tabling at Audit and Risk Committee.

6.3 Compliance Breach Management

A breach is defined as a non-compliance with a legislative, regulatory, standard or Council compliance obligation.

Compliance Breaches may either result from:

Breaches of Council Policies; and/or

Breaches in legislation.

6.3.1 Internal Reporting and Investigation

The Director is the representative of the CEO in their Directorate;

Breaches in compliance with any legislative, regulatory, standard or Council compliance requirement must be reported to the Corporate Governance Manager;

The Corporate Governance Manager is to report all compliance breaches with a potential consequence of ‘Major’ or ‘Catastrophic’ to the Executive Leadership Team and Audit and Risk Committee, in line with Council’s Risk Matrix (see Table 6-1 below);

A breach may also be reported by a finding in a review or audit;

A reported breach shall be risk assessed for importance and consequence to Council;

The Manager of each relevant Branch, in consultation with the Corporate Governance Manager, shall recommend treatment for restoring compliance;

All breaches shall have a Risk Treatment Plan provided by the Corporate Governance Manager and endorsed by the Director Organisational Services; and

Consultation shall occur to ensure negative effects are not produced in other areas or Departments.

Table 6-1: Compliance Breach Consequences

Consequence ratings: Negligible / Minor / Moderate / Major / Catastrophic

Politics, Leadership and Governance (Examples: compliance with legislation, directives, delegations, policies, local laws, code of conduct for staff and councillors, governance)

Negligible: Compliance with legislation, regulations, directives, policies, code of conduct, procedures etc.

Minor: A “working” relationship exists between Council and other levels of government. Non-compliance is managed internally without penalties or prosecution.

Moderate: Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution. Decision made re individual consequences.

Major: Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate). Decision made re individual suspension or termination.

Catastrophic: Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.

Reputation (Examples: media exposure, social media, political influences)

Negligible: Predominantly local publicity. Positive reputation maintained. Positive relationships with media stakeholders. Isolated social media communications.

Minor: Periodic, local, adverse publicity. Identified that service delivery may be impacted by media scrutiny. Reputation variances within the community. Positive relationships with media stakeholders maintained. May cause some social media or formal complaints (justified or unjustified).

Moderate: Increasing and broadening adverse publicity at local and state level. Service delivery may be impacted by media scrutiny. Sustained reputation variances within the community. Relationships with media stakeholders may be strained. Significant social media and/or formal complaints.

Major: Sustained, adverse publicity at local and state level. Media scrutiny impacts service delivery. Damage to reputation within the community. Publicity may lead to an audit, inquiry, or other legal proceedings. Impact of strained relationships with media stakeholders known. Mass and extended adverse social media coverage.

Catastrophic: Sustained, adverse media attention at local, state and national level. Possibility of worldwide media exposure. Media scrutiny adversely impacts service delivery. Sustained damage to reputation within the community. Ongoing exposure may lead to audit, inquiry, or legal proceedings. Irreparable damage to relationships with media stakeholders. ‘Viral’ adverse social media coverage (e.g. hashtag on Twitter).

6.3.2 External Notification

Notifiable breaches in compliance within Council are to be reported to the relevant regulatory authorities in accordance with Appendix 2: Notifiable breach requirements.

6.4 Reporting to the Audit and Risk Committee and ELT

Reporting to the Audit and Risk Committee and ELT shall include:

Compliance breaches;

Compliance levels;

Significant changes to legislation or regulation and effect to Council;

Compliance improvement activities and recommendations; and

Key performance indicators for compliance management.

6.5 Key Performance Indicators

Key Performance Indicators (KPIs) shall be established at Branch and Directorate levels and adopted by the Executive Leadership Team. The KPIs on compliance shall be communicated to the Corporate Governance Manager. Suggested KPIs include:

Relevant policies and procedures exist to detect and prevent bribery;

Annual review of Compliance Management undertaken;

Induction training includes Compliance – number of staff trained;

Breaches reported vs breaches investigated and resolved;

Internal Audits conducted; and

Internal audit Findings / Improvement Opportunities Implemented (percentage of total findings).

6.6 Compliance audits

Audits of the Compliance Management System are conducted in accordance with the Internal Audit Schedule with audit reports submitted to the Audit and Risk Committee.

6.7 Change Management

Council’s Change Management Process shall ensure that all applicable changes are planned and reviewed to identify and mitigate any unintended consequences relevant to compliance obligations.


Appendix 1: Risk Treatment Plan Template

Risk No.

Risk: Risk Owner:

Risk Rating

Consequence (C) Likelihood (L) Residual Risk Level

Causation:

TREATMENT:

Existing Controls:

New Treatments: WHAT do you intend to do (i.e. general strategy)?

Control Expected benefits Expected constraints

New Treatments: HOW do you intend to do it (i.e. specific actions)? Addresses C or L or both (tick)

RESOURCES required for implementation?

WHERE will new treatments be incorporated (e.g. business plan, operational plan, budget etc.)?

WHO is the Risk Owner (accountable officer)?

WHO will implement the new treatments?

WHEN will the new treatments be developed?

WHEN will you review new treatments for effectiveness?

HOW will you know when it’s done (i.e. what are the measurable indications that the planned new treatments have been implemented)?

Performance Indicators:

CLOSE OUT: The above treatment plan has been fully implemented

(signed) Risk Owner Date


Appendix 2: Notifiable breach requirements

Columns: Category | Legislation | Breach / Notifiable Incident | LCC Person Responsible for notifying regulator | Further Information | Existing Council Document (Policy, Procedure, Guide etc)

Category: WHS
Legislation: Work Health and Safety Act 2011 (Qld); Electrical Safety Regulation 2013 (Qld)
Breach / Notifiable Incident: Death, serious injury or serious illness of a person, or a dangerous incident; serious electrical incident or dangerous electrical event
LCC Person Responsible for notifying regulator:
Further Information: https://www.worksafe.qld.gov.au/injury-prevention-safety/incidents-and-notifications/what-is-an-incident#incident
Existing Council Document (Policy, Procedure, Guide etc):

Category: Environment
Legislation: Environmental Protection Act 1994 (Qld) s 320
Breach / Notifiable Incident: Serious environmental harm; material environmental harm
LCC Person Responsible for notifying regulator:
Further Information: https://environment.des.qld.gov.au/management/compliance-enforcement/obligations-duties
Existing Council Document (Policy, Procedure, Guide etc):

Category: Information
Legislation: Privacy Act 1988 (Cth); Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth); Information Privacy Act 2009 (Qld)
Breach / Notifiable Incident: Eligible data breach where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by LCC; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
LCC Person Responsible for notifying regulator:
Further Information: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
Existing Council Document (Policy, Procedure, Guide etc):

Category: Child Protection
Legislation: Child Protection Act 1999 (Qld) s13E(2)
Breach / Notifiable Incident: Reasonable suspicion that a child has suffered, is suffering, or is at unacceptable risk of suffering, significant harm caused by physical or sexual abuse; and may not have a parent able and willing to protect them from harm
LCC Person Responsible for notifying regulator:
Further Information: https://www.csyw.qld.gov.au/child-family/protecting-children/about-child-protection/mandatory-reporting
Existing Council Document (Policy, Procedure, Guide etc):

Category: Financial & Procurement
Legislation: Local Government Act 2009 (Qld); Local Government Regulation 2012 (Qld) s 307a
Breach / Notifiable Incident: Material loss of asset; reportable loss of asset
LCC Person Responsible for notifying regulator:
Further Information: https://www.dlgrma.qld.gov.au/local-government/accountability/fraud-management.html
Existing Council Document (Policy, Procedure, Guide etc):


Appendix 3: Risk Tools

Consequence Table (Risk Categories against consequence ratings: Negligible / Minor / Moderate / Major / Catastrophic)

Service Delivery (Examples: communication, data, technology software, hardware, records, assets, property, buildings, equipment, plant, fleet, supplies, human resources, injury prevention, workplace relations, recruitment, retention, succession, staff, contractors, volunteers, project management: scope, quality, risk management, stakeholder consultation and communication, procurement, governance)

Negligible: Minor issue with communication, information systems, technology, records, assets, facilities or infrastructure. Service interrupted briefly. No impact on external customers. Minor, localised workforce issues. All requirements of effective project management are in place.

Minor: Temporary restriction of access or disruption to essential services or critical business functions (< 1 day or < Maximum Allowable Outage). Localised workforce issues. Business Continuity Directorate Recovery Plan is reviewed. Effective project management is in place, with internal and external stakeholder consultation required.

Moderate: Restriction of access or disruption to essential services or critical business functions (< 24 hours or Maximum Allowable Outage). Multiple sites impacted by workforce issues. Business Continuity Directorate Recovery Plan is referenced. Project management is in place with multiple internal and external stakeholders consulted. Inadequate scoping may lead to partial completion of project or achievement of outcomes.

Major: Restriction of access or disruption to essential services or critical business functions (< 48 hours or Maximum Allowable Outage plus 12 hours). Temporary damage to property, assets, facilities or infrastructure. Multiple sites impacted by significant workforce issues. Master business continuity plan may be enacted. Completion/success of the project could be impacted by time or cost increases of 15% – 25%.

Catastrophic: Loss of access or disruption to essential services or critical business functions (> 1 week or Maximum Allowable Outage plus 1 week). Permanent damage to property, assets, facilities or infrastructure. Ongoing, significant workforce issues at multiple sites. Master business continuity plan enacted. Completion/success of the project adversely impacted by time or cost increases of 25% – 50%.

Finance and Legal (Examples: fraud, corruption, litigation, claims, contract management, intellectual property, operational budgets, procurement, contracts management, public liability, professional indemnity, insurance)

Negligible: Loss of or unplanned expenditure of < 1% of budget. Loss < 1K. Budget variation manageable in the short term.

Minor: Loss of or unplanned expenditure of < 5% of budget. Loss between 1K and 10K. Budget variation manageable, absorbed over current financial year.

Moderate: Loss of or unplanned expenditure of 5-10% of budget. Loss between 10K and 100K. Impact on budget beyond current financial year, but manageable within the next financial year.

Major: Loss of or unplanned expenditure of > 10-20% of budget. Loss of 100K to 500K. Impact on budget with recovery over the following 2 or 3 financial years.

Catastrophic: Loss of or unplanned expenditure of > 20% of budget. Loss of 500K or more. Impact on budget with recovery over the following 3 or more financial years.

Health and Safety (Examples: injuries and illness to staff, contractors and the public such as exposure to chemicals, vehicles, falls, and other workplace hazards)

Negligible: Report Only – Minor incidents where no injury was sustained.

Minor: Injury or illness where First Aid treatment is required (can be administered by a GP, First Aider or co-worker).

Moderate: Injury or illness requiring treatment by a medical practitioner (MTI).

Major: Injury or illness requiring treatment by a medical practitioner or hospitalisation, AND where a full work shift or more is lost (LTI). Any Notifiable Event to the WHS/ESO Regulator.

Catastrophic: Permanent disability. Long term hospitalisation. Life threatening event / Death.

Politics, Leadership and Governance (Examples: political influence, governance, management, complaints, auditing, performance, resource accountability, service level agreements, strategic and operational planning, compliance with legislation, directives, delegations, policies, local laws, code of conduct for staff and councillors, governance)

Negligible: Internal political/leadership issues. Community is unconcerned. Effective governance and decision making. Positive working relationships with other levels of government. Compliance with legislation, regulations, directives, policies, code of conduct, procedures etc.

Minor: Political or leadership issues result in community concern. Challenges identified with leadership and governance. Decision making has potential to disrupt service delivery in 1 branch. Introduction of new legislation impacts service delivery in 1 branch. A “working” relationship exists between Council and other levels of government. Non-compliance is managed internally without penalties or prosecution.

Moderate: Political or leadership/management issues result in ongoing community concern. Ongoing challenges with leadership/management. Decision making has potential to disrupt service delivery in multiple branches. Introduction of new legislation impacts service delivery of multiple Branches. Disagreement between Council and other levels of government. Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution. Decision made re individual consequences.

Major: Political or leadership/management issues result in escalation of community concerns. Instability recognised in leadership/management. Decision making causes disruption to service delivery of 1 branch. Introduction of new legislation impacts service delivery across Council. Ongoing disagreement between Council and other levels of government. Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate). Decision made re individual suspension or termination.

Catastrophic: Ongoing political or leadership/management issues result in escalation of community concern for a sustained period of time. Ongoing instability in leadership/management. Decision making causes disruption to service delivery across Council. Introduction of new legislation significantly impacts service delivery and capacity to ensure compliance across Council. Ongoing disagreement results in irreparable damage between Council and other levels of government. Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.

Community Expectation (Examples: expectations, feedback, stakeholder engagement)

Negligible: Stakeholder engagement occurs. Community expectations known. Minimal local feedback.

Minor: Active stakeholder engagement. Community expectations not fully known or understood. Divergence between policy and public opinion identified.

Moderate: Unsuccessful stakeholder engagement. Community expectations are not fully known or understood. Clear divergence between policy and public opinion.

Major: Stakeholder engagement fails. Community expectations are not known or understood. Escalating community concerns or complaints. Community campaigning may occur. Major divergence between policy and public opinion.

Catastrophic: No stakeholder engagement. Escalating, ongoing community concerns or complaints. Active community campaigning. Loss of community support. Total divergence between policy and public opinion.

Reputation (Examples: media exposure, social media, political influences)

Negligible: Predominantly local publicity. Positive reputation maintained. Positive relationships with media stakeholders. Isolated social media communications.

Minor: Periodic, local, adverse publicity. Identified that service delivery may be impacted by media scrutiny. Reputation variances within the community. Positive relationships with media stakeholders maintained. May cause some social media or formal complaints (justified or unjustified).

Moderate: Increasing and broadening adverse publicity at local and state level. Service delivery may be impacted by media scrutiny. Sustained reputation variances within the community. Relationships with media stakeholders may be strained. Significant social media and/or formal complaints.

Major: Sustained, adverse publicity at local and state level. Media scrutiny impacts service delivery. Damage to reputation within the community. Publicity may lead to an audit, inquiry, or other legal proceedings. Impact of strained relationships with media stakeholders known. Mass and extended adverse social media coverage.

Catastrophic: Sustained, adverse media attention at local, state and national level. Possibility of worldwide media exposure. Media scrutiny adversely impacts service delivery. Sustained damage to reputation within the community. Ongoing exposure may lead to audit, inquiry, or legal proceedings. Irreparable damage to relationships with media stakeholders. ‘Viral’ adverse social media coverage (e.g. hashtag on Twitter).

Emergency and Disaster Response (Examples: pandemic, terrorism, environmental spills, hazardous substances, evacuations, fire, flood, storms, threats, toxic releases, chemical spills)

Negligible: No emergency or disaster response required by Council.

Minor: Emergency or disaster response required by Council results in disruption to service delivery of 1 branch for < 1 week or < MAO. Review of business continuity plan recommended.

Moderate: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches for < 1 week or MAO. Reference to Master Business Continuity Plan required.

Major: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches > 1 week or MAO plus 12 hours. Master Business Continuity Plan may be enacted.

Catastrophic: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches > MAO plus 1 week. Master Business Continuity Plan enacted.

Environment (Examples: environment, bushland, parks, creeks and waterways, wildlife habitat, preservation)

Negligible: Minor breach of policy or procedures. Minor environmental damage is immediately remediated with minimal resources.

Minor: Minor localised impact; one-off situation easily remedied.

Moderate: Moderate impact on the environment; no long term or irreversible damage. May incur cautionary notice or infringement notice.

Major: Severe impact requiring remedial action and review of processes to prevent reoccurrence. Penalties and/or direction or compliance order incurred.

Catastrophic: Long-term, large-scale damage to habitat or environment. Serious / repeated breach of legislation / licence conditions. Cancellation of licence and/or prosecution.

Effectiveness of Controls Rating Description

1 Fully Effective (Prevents the risk from being realised)

2 Substantially Effective (Mostly prevents the risk from being realised)

3 Partially Effective (Sometimes prevents the risk from being realised)

4 Ineffective (Does not prevent the risk from being realised)

Likelihood Table (Likelihood: Probability; Frequency and/or Exposure; Anecdotal Examples)

Almost certain: > 95% to 100%; several times a week; most people are strongly aware of the risk occurring on several occasions.

Likely: > 70% to 95%; monthly or several times a year; several people have recollections of a similar event occurring several times over the years.

Possible: > 30% to 70%; once every 1-2 years; several people have recollections of a similar event occurring, but are not really sure where or when, and on more than one occasion.

Unlikely: > 5% to 30%; once every 2-5 years; never heard of it, but it sounds like something that we know has happened elsewhere before.

Rare: < 5%; greater than every 5 years; nobody has ever heard of it happening.

Risk Matrix (rows: Likelihood; columns: Consequence Ratings)

Likelihood        Negligible  Minor  Moderate  Major  Catastrophic
Almost certain    M7          H9     H6        E3     E1
Likely            M8          M5     H7        H4     E2
Possible          L3          M6     H8        H5     H1
Unlikely          L4          L1     M3        M1     H2
Rare              L5          L2     M4        M2     H3

Response (Risk Rating; Action Required; H&S Response and Risk Owner)

Green = Low (L: 1-5): Risk may be managed by routine operations or procedures with ongoing monitoring. Implement controls and undertake tasks.

Yellow = Medium (M: 1-8): Risk is managed by routine operations with ongoing monitoring. Implement controls and additional treatments and undertake task with approval from Task/Site Supervisor. A detailed action plan must be implemented and monitored to reduce risk rating. Approval from Branch Manager required before commencing task.

Orange = High (H: 1-9): Risk Owner authorises and approves further treatments. Escalation is required to the Director, through the Manager, for further review and approval. A detailed action plan must be implemented and monitored to reduce risk rating. Do not commence task. Escalation is required to the CEO (Branch Manager > Director > CEO) for approval.

Red = Extreme (E: 1-3): Risk Owner* authorises and approves further treatments. Escalation is required to the CEO (Manager > Director > CEO) for further review and approval. CEO may escalate to Council if required.
