
ENTERPRISE RISK MANAGEMENT

NARACOORTE LUCINDALE COUNCIL

GUIDELINES

December 2015

NLC Enterprise Risk Management Guidelines

NLC Enterprise Risk Management Guidelines, Version no. 2, December 2015 Policy document reference 104 2 of 45

Contents

INTRODUCTION ...... 3
1. Enterprise Risk Management Principles ...... 5
2. The Enterprise Risk Management Framework ...... 5
3. The Risk Management Process ...... 8
4. Establishing the context ...... 9
5. Key Stakeholders ...... 9
6. The Business Objective ...... 10
7. Key Phases and Key Processes ...... 10
8. Risk Assessment ...... 12
9. Risk Identification ...... 12
10. Risk Categories ...... 13
11. Risk Analysis ...... 14
12. Assess Consequence and Likelihood ...... 14
13. Determine Risk Level ...... 20
14. Risk Evaluation ...... 21
15. Risk Treatment ...... 22
16. General ...... 22
17. Selection of Risk Treatment Options ...... 22
18. Preparing and Implementing Continuous Improvement Plans ...... 23
19. Monitoring and Review ...... 24
20. Scanning Risk Sources ...... 25
21. Risk Monitoring and Reporting ...... 25
22. Review of the Risk Profile ...... 26
23. Emerging Risk Identification ...... 27
24. Executive Risk Reporting ...... 27
25. Review of the Risk Management Framework ...... 28
26. Reporting to the Audit Committee ...... 29
27. Communication and Consultation ...... 29
28. References ...... 30
Appendix 1 – Risk Register ...... 31
Appendix 2 – Sample Template Risk Record (optional) ...... 36
Appendix 3 – Aligning Risk Management to Strategic and Business Planning, Budgeting and Performance Management ...... 37
Appendix 4 – Definition of Terms ...... 44
Appendix 5 – Roles and Responsibilities ...... 45

NLC Enterprise Risk Management Guidelines

NLC Enterprise Risk Management Guidelines, Version no. 2, December 2015 Policy document reference 104 3 of 45

INTRODUCTION

The Naracoorte Lucindale Council (NLC, the Council) is committed to a structured and systematic approach to the management of risk across the whole organisation in accordance with current industry standards and best practice.

Enterprise Risk Management (ERM) involves the management of risks that impact (either positively or negatively) on the organisational strategies used to achieve corporate objectives.

During our normal day to day activities we face internal and external factors and influences that make it uncertain whether, when and the extent to which we will achieve or exceed our objectives. The effect this uncertainty has on our objectives is “risk”.

Each and every one of us has a responsibility for managing risk.

All our activities involve risk. We manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process we communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk.

Risks will always continue to emerge due to the increasing complexity and scope of our operations, the changing nature of our environment and our relationships with stakeholders, and the increasing need for accountability.

Risk Management is an integral part of good business practice and involves the implementation of cost effective strategies such as foreseeing opportunities and/or potentially damaging events, implementing risk treatment actions, and providing decision makers with information to effectively assess potential risks.

Enterprise Risk Management (ERM) encapsulates the extension of Risk Management from a purely business unit focus to an organisational wide operational and strategic focus. This is designed to identify the whole range and relative priority of risks that have to be managed by the organisation as a whole and allow all reasonable steps including any necessary action at Executive level to help ensure these risks are adequately managed.

When effectively implemented and maintained, the management of risk enables us to:

a) increase the likelihood of achieving objectives

b) encourage proactive management

c) be aware of the need to identify and treat risk throughout the Council

d) improve the identification of opportunities and threats

e) achieve compatible risk management practices between our own business units and between us and other organisations

f) comply with relevant legal and regulatory requirements and good practice

g) improve financial reporting

h) improve governance


i) improve stakeholder confidence and trust

j) establish a reliable basis for decision making and planning

k) improve controls

l) effectively allocate and use resources for risk treatment

m) improve operational effectiveness and efficiency

n) enhance health and safety performance as well as environmental protection

o) improve loss prevention and incident management

p) minimise losses

q) improve organisational learning

r) improve organisational resilience

The intent of these guidelines is to facilitate the implementation of the ERM policy by providing a framework that integrates the process for managing risk into our overall governance, strategy and planning, management, reporting processes, policies, values and culture, in a manner that is holistic, inclusive and consistent.

Risk Management is compulsory as part of the Enterprise Risk Management in the Naracoorte Lucindale Council policy. These guidelines are provided to assist in the implementation of this Policy and should be used as a guide only. However, the risk methodology used to manage risk must be documented. These guidelines and the policy are located on the NLC network.


1. ENTERPRISE RISK MANAGEMENT PRINCIPLES

The following Enterprise Risk Management Principles have been endorsed by the Naracoorte Lucindale Council for use throughout the council.

1. The Executive is committed to a management culture that embeds enterprise risk management in all council processes.

2. The Executive and each department will manage risk consistent with the agreed set of ERM principles and NLC ERM guidelines.

3. ERM forms part of all policy and operational decision making.

4. ERM is integral to planning and budgetary processes and is reflected in performance management agreements of senior executive staff.

5. Executive and departmental level risks are monitored, reviewed and subject to regular reporting based on the best available information.

6. ERM addresses uncertainty and at the Executive level means ‘aim for no surprises’.

7. Stakeholder relations and engagement will be risk managed in relation to any change management activity.

8. ERM processes and tools will focus on ‘ease of use’ and integration into existing activities.

2. THE ENTERPRISE RISK MANAGEMENT FRAMEWORK

The Enterprise Risk Management (ERM) Framework helps to ensure that risk is managed across the council in a holistic manner, is integrated into our culture, business practices and business plans, is inclusive of all levels of staff and is applied in a consistent manner.

ERM supports the needs of the council at both the Management level as well as the operational level. A two-tier collaborative risk model is shown in Figure 1, which involves strengthening and enhancing risk governance and management practices at both Management and operational levels.

The approach to governing the risks at the portfolio level recognises the diverse nature of the departments’ activities and risks and therefore, should be tailored to the departments’ operations.

A principles-based approach (see previous page) to managing risks within the departments will provide the required flexibility at departmental level while still enabling us to achieve a minimum required consistency of risk management across the council and enabling operations to demonstrate effectiveness of risk management activities.

Risks are escalated to Council based on consideration of the NLC-wide risk environment including stakeholder expectations, community concerns, government reputation, senior management interventions, and as identified by the Audit Committee.


Figure 1: Two Tier Collaborative Risk Model
[Figure labels: Executive Risk Governance; Operational Risk Governance; Combined Top Down/Bottom Up Approach]

The ERM framework has focus in the following areas:

Strategic or Transient Risks – risks associated with: carrying out our business objectives as articulated in high level plans; major programs/initiatives; risks that are associated with strategies that are transient or short term in nature. Risks are identified, documented (usually in a risk register), and managed using structured processes at all business unit levels (Council wide, departmental, regions, directorates and other business units). Corporate reporting systems are used to report achievement of objectives and management of identified risks. For information and guidance on reporting templates and how to create a risk register refer to Appendix 1 and 2.

Operational or Business-As-Usual Risks – this relates to the management of risks associated with day to day business or operational activities. Risks are identified, documented (usually in a risk register), and managed using structured processes at the business unit’s operational level. Existing reporting systems are used to report achievement of objectives and management of identified risks.

To support both strategic and operational risk management, we have established specific policies, procedures and guidelines to help ensure effective management of risks which include but are not limited to:

o business continuity

o volunteers

o corruption prevention

o emergency planning & response

o work health & safety

o project management

o safety and security for users of council facilities

o hire of council equipment

o building construction

o road repairs and construction

The ERM framework provides for consistent and ongoing processes for identifying, analysing, treating/responding to, monitoring and reporting on risk so that any changes in risk exposures or areas requiring immediate action are highlighted promptly so that appropriate improvement actions can be implemented.

The framework provides for the identification and assignment of risk ownership to those who have the authority and responsibility to help ensure it is managed effectively.

The following section illustrates the risk management process itself.

For information and guidance on how to integrate risk management with strategic and business planning, budgeting and performance management refer to Appendix 3.


3. THE RISK MANAGEMENT PROCESS

Enterprise Risk Management (ERM) involves the management of risks that impact on the organisational strategies used to achieve corporate objectives.

The process described in this section can be used as a methodology for conducting strategic or operational risk assessments.

Details of all risks within a business unit or initiative should be recorded in a risk register.

The ERM process that we use is based on Australian Standard AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines. This Standard provides the steps of the risk management process as shown in the diagram below. Definition of Terms relating to risk management is contained in Appendix 4. The numbers in the diagram represent the sections in this document.

Figure 2: Risk Management Process

(Adapted from AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines)



4. ESTABLISHING THE CONTEXT

The purpose of this step is to define the context and scope for the risk assessment.

This involves understanding the internal and external environment in which risks occur including strategic, operational, financial, competitive, stakeholder, social, cultural and legal aspects of your functions. This will provide the structure for the risk assessment tasks that follow.

In this step you will need to identify the business objectives and the strategies or key processes developed to achieve the business objectives.

Below are some possible environmental characteristics that may affect the risk context.

1. Short timeframe to achieve actual results
2. In-house capacity limits in resources and skills/expertise to undertake all aspects of project.
3. Interdependencies with other major initiatives.
4. Cross departmental impacts
5. Reliance on infrastructure capacity external to the organisation
6. Impact of unforeseen circumstances
7. Market trends and competition
8. Economic factors
9. Completion of capital works
10. Environmental conditions or influences
11. Community awareness and support.

5. KEY STAKEHOLDERS

Key stakeholders have a significant role in risk identification as they have a vested interest in the outcomes. They include but are not limited to the following:

1. Community
2. Business owners
3. LCLGA
4. Adjoining councils
5. Community Groups
6. Ratepayers
7. Council employees
8. Govt. – State & Fed
9. Disabled
10. Indigenous
11. Aged
12. Unions


6. THE BUSINESS OBJECTIVE

The risk process is a recognition that in striving for a specific goal or outcome there are often elements or risks associated with the achievement of those outcomes. If these risks are not considered or addressed at the time of developing business plans they can delay, frustrate or cause unexpected outcomes to arise affecting the achievement of the objectives, or there may be opportunities that are missed.

The primary purpose of this step is to gain some assurance we will be focusing on the correct risks, barriers, and opportunities in achieving our stated business objectives.

Part of the business objective step involves ensuring we are very clear about what we are trying to achieve through the program and involves ensuring the business objective addresses the following SMART criteria:

o Specific
o Measurable
o Achievable
o Relevant
o Timely

7. KEY PHASES AND KEY PROCESSES

The following key phases are essential for any initiative to be effective:

o Planning
o Implementation
o Monitoring and reporting
o Evaluation and Review

Planning – this represents any key process relied on to outline how an activity is intended to be carried out (eg policies, procedure manuals, guidelines, business cases that identify needs, strategic and business plans that set out targets, deliverables and key milestones, implementation plans etc.).

Implementation – this phase represents those key processes relied on to implement the plans from the planning phase (eg application of project management processes, application of resource allocation criteria, training, change management, accountabilities, recording of actions/decisions, meetings and actioning, matching of skills to tasks, succession planning).

Monitoring and Reporting – this phase represents those key processes relied on to monitor performance and progress against business plans which include targets, deliverables at key milestones on the activity and some reporting on the same. This monitoring and reporting might be in terms of KPI’s and other performance criteria set.

Evaluation and Review – this phase is sometimes more commonly understood as continuous improvement and relates to some form of improvement on past mistakes, what went well, or lessons learnt. It can relate to new and innovative methods and technologies being adopted to replace existing approaches.

To help you identify the type of key processes that might fall under each of the four phases the table below shows some examples.

EXAMPLES OF KEY PROCESSES

Planning:
o Governance structure
o Consultation with stakeholders
o Policies/guidelines available to staff
o Critical milestones/targets set
o Criteria for budget allocations
o Responsibilities and accountability requirements assigned

Implementation:
o Consultation on changes and decisions made
o Compliance with guidelines, business rules
o Application of project management discipline
o Allocation and matching of resources and skills
o Roll out of training
o Recording of decisions, meetings, action records, succession planning, accountability for outcomes

Monitoring & Reporting:
o Regular meetings with stakeholders/key players
o Monitoring and reporting requirements
o Capture and reporting of performance against KPI’s
o Prompt remedial action on poor performance, delays, and budgetary issues
o Reporting requirements followed up
o Analysis of data conducted

Review:
o Reviewing best practice
o Adopting new methods, technologies
o Abandoning failed strategies

These phases can be used to help identify where there might be gaps in key processes for the initiative which can point to potential sources of risk to the activity under consideration.

Once these have been worked through we can conduct a risk analysis and risk response for the initiative.


8. RISK ASSESSMENT

9. RISK IDENTIFICATION

Describing risks involves two elements namely an event (or cause) and an impact (or consequence).

The context and key processes defined above will set the boundaries for which risks will be included.

It is critical that all risks impacting on the achievement of the business objectives are identified, whether or not they are under the control of the Council.

If risks are not identified they will be excluded from analysis from this point onwards.

To identify risks for each of the key business processes identified above, ask the following questions:

What can go wrong (event or cause)?

or

What opportunities are available – how can we achieve our objectives more easily (event or cause)?

and

What does this lead to (impact or consequence)?

It is important that you consult with people who are knowledgeable about the activity being assessed. You can identify risks through individual staff interviews or by conducting focus group meetings and workshops. The latter is recommended if the activity is complex and involves staff in more than one area.

In describing risks, you should always relate the event and impact to the business objective. It helps to use terms such as “resulting in” or “due to” which link the event to the impact. An example is “Failure to meet commonwealth objective deadline, resulting in withdrawal of current funds, loss of future funds, damage to relationship with commonwealth, negative media, and damage to the Council’s reputation”. This example shows that there are a number of potential impacts due to one event. This could then lead to a number of possible risk treatment options.


10. RISK CATEGORIES

The following ten risk categories can be used to facilitate easy identification of risks. These categories are the sources of risk i.e. where the risk can arise (see also Section 3.4.1). Examples of risk themes that would be grouped in each category are also provided. Note: the list is not exhaustive, it is provided as a guide.

Service delivery: delivery, achievement, assessment & reporting of Council’s strategic objectives & outcomes; provision of quality community environments; migrant, youth and Aboriginal community outcomes; sport & recreation outcomes; provision of information & communication technologies; corporate governance; business development outcomes; communication of core activities; service delivery; rate payer needs; equity.

Corruption & Fraud: theft; misappropriation; conflicts of interest; bribery; falsification of records; favouritism in recruitment; misuse of resources including communication devices.

Human Resources: attracting & maintaining key staff; staff skills & qualifications; staff disputes.

Financial: revenue; expenditure; assets & liabilities; corporate credit cards.

Stakeholder: changes in government; community expectations; legislative changes; unions; media; staff associations & councils.

Legal & Legislative: breaches of contract; public liability; professional liability; legislative non-compliance; government & industry partnerships.

Reputation: service delivery; stakeholder, employer & customer perceptions and expectations; brand protection.

Health & Safety: community welfare/protection; staff welfare; work health & safety.

Business Continuity: technological change; natural disasters; strikes; computer breakdowns.

Security: intellectual property; privacy of information; property & equipment; data integrity.

Environment: biosecurity; bushfire; flood.


11. RISK ANALYSIS

12. ASSESS CONSEQUENCE AND LIKELIHOOD

The purpose of this step is to rank the identified risks so that resources to treat risks are allocated to those of greater priority. We will formally analyse and assess risks to our strategy, business plans, major organisational change, major projects and programs.

All risks identified at the Council and departmental level will be assessed in the residual terms using the NLC-wide risk consequence and likelihood criteria.

To evaluate the risk level, you will need to first assess the risk consequence by identifying the potential consequences of a risk event occurring. The ‘NLC-wide consequence criteria’ is used to estimate a potential impact which a risk might have on the achievement of the Council/departmental objectives (both in terms of negative consequence (threats – see Tables 1 & 2) or positive consequence (opportunities – see Tables 3 & 4). Select the appropriate table. The risk is either positive or negative – not both.

The percentage of appropriate baseline amount as indicated in the ‘Financial’ consequence category should be applied to the Council budget or a departmental budget accordingly to facilitate an appropriate calibration of the risk consequence across the Council.

The consequence is the impact or effect that the risk could have on the outputs or outcomes in the listed Risk Focus areas. The Risk Focus areas may be different than the Risk Categories used for identification of the risks (section 3.2.1.1) because they are more to do with the results of the risk eventuating rather than the source of the risk.

The risk likelihood will then be considered using the ‘NLC-wide likelihood criteria’ by determining the probability of the risk occurring with the identified consequences. Existing or planned controls should be taken into consideration when determining the risk likelihood.

The risk consequence and likelihood criteria are provided in the tables below. Additional risk consequence tables have been provided to facilitate an assessment of project/program specific risks.

NLC Enterprise Risk Management Guidelines V1.0 August 2013 Policy document referenced: C1.10 15 of 45

Consequence Table (columns: Level; Estimated Cost; Business Process & Systems; Health and Safety; Environmental; Community; Legal Compliance)

1 - Insignificant
Estimated Cost: 0 to $10,000
Business Process & Systems: Schedule slips one day. Insignificant impact on Council’s ability to achieve strategic outcomes; impact can be dealt with by routine operations.
Health and Safety: First Aid Injury. Nuisance value.
Environmental: No or very low environmental impact. Impact confined to small area.
Community: Isolated complaint. No media enquiry.
Legal Compliance: Minor technical/legal compliance issue unlikely to attract a regulatory response.

2 - Minor
Estimated Cost: >$10,000
Business Process & Systems: Schedule slips one week. Some impact on strategic initiatives but only minor aspects impacted. Overall strategic intent still achievable.
Health and Safety: Medical Treatment Injury. Restricted Work Injury.
Environmental: Low environmental impact. Rapid clean-up by site staff and/or contractors. Impact contained to area currently impacted by operations.
Community: Small numbers of sporadic complaints. Local media enquiries.
Legal Compliance: Possible fraud implications. Technical/legal compliance issue which may attract a low level administrative response from regulator. Incident requires reporting in routine reports (eg monthly).

3 - Moderate
Estimated Cost: >$50,000
Business Process & Systems: Schedule slips one month. Some key components of the strategic plan could not be achieved as a result of risk event. Additional funding / resources required to rectify.
Health and Safety: Single Lost Time Injury.
Environmental: Moderate environmental impact. Clean-up by site staff and/or contractors. Impact confined within lease boundary.
Community: Serious rate of complaints, repeated complaints from the same area (clustering). Increased local media interest.
Legal Compliance: Breach of regulation with possible prosecution and penalties. Continuing occurrences of minor breaches. Incident requires immediate (< 48 hours) notification.

4 - Major
Estimated Cost: >$100,000
Business Process & Systems: Schedule slips 3 months. Council unable to deliver on numerous key strategic initiatives without additional funding / resources. Breakdown of key activities leading to reduction in business performance ie service delays, community dissatisfaction, loss of revenue, cost delays, legislative breaches. Major review of strategic plan required.
Health and Safety: Multiple Lost Time Injuries. Admission to intensive care unit or equivalent. Serious, chronic, long term effects.
Environmental: Major environmental impact. Considerable clean-up effort required using site and external resources. Impact may extend beyond the lease boundary.
Community: Increasing rate of complaints, repeated complaints from the same area (clustering). Increased local/national media interest.
Legal Compliance: May involve fraud. Major breach of regulation resulting in investigation by regulator. Prosecution, penalties or other action likely.

5 - Critical
Estimated Cost: >$1,000,000
Business Process & Systems: Schedule slips one year. Critical business failure preventing core activities from being performed. Impact threatens not only the survival of project but Council itself. Majority of initiatives and / or key initiative within the Council’s strategic plan unattainable.
Health and Safety: Fatality(s) or permanent disability.
Environmental: Severe environmental impact. Local species destruction and likely long recovery period. Extensive clean-up involving external resources. Impact on a regional scale.
Community: High level of concern or interest from local community. National and/or international media interest.
Legal Compliance: Serious breach of regulation resulting in investigation by regulator. Operation suspended, licenses revoked.


PROJECT / PROGRAM THREATS

Table 2 – Negative Consequence Criteria (Threats) – Projects / Programs (The potential impact on the objectives and resources)

Risk Focus (overall):
Insignificant (1): No change in projects
Minor (2): Can be accommodated with existing resources
Moderate (3): Impact can be absorbed with treatment but will require additional resources to be allocated
Major (4): The program will require considerable additional resources from other areas
Critical (5): The program may not be delivered

Quality (G):
Insignificant (1): Negligible quality issues with no effect on objective
Minor (2): Objective achieved but quality diminished slightly
Moderate (3): Objective achieved but quality diminished substantially
Major (4): Substantial part of objective not met for quality reasons
Critical (5): Quality issues lead to non-achievement of objectives. Outputs/outcomes are not delivered

Time (H):
Insignificant (1): Project/Program/Service delayed by up to 5%
Minor (2): Project/Program/Service delayed > 5% to 10%
Moderate (3): Project/Program/Service delayed > 10% to 20%
Major (4): Project/Program/Service delayed > 20% to 30%
Critical (5): Delay causes objective to not be achieved

Cost (I):
Insignificant (1): Up to 1% variance to budget
Minor (2): > 1% to 5% variance to budget
Moderate (3): > 5% to 10% variance to budget
Major (4): > 10% to 15% variance to budget but not requiring Treasury approval
Critical (5): Over 15% variance to budget or requiring Treasury approval

Benefits (J):
Insignificant (1): Up to 5% not delivered
Minor (2): > 5% to 20% not delivered
Moderate (3): > 20% to 30% not delivered
Major (4): > 30% to 50% not delivered
Critical (5): > 50% not delivered


Table 3 – NLC-Wide Positive Consequence Criteria (Opportunities) (The potential impact on the objectives and resources)

Rating levels (column headings):
Insignificant (1): Negligible improvement in ability for NLC/Business unit to meet its objectives
Minor (2): Minor improvement in ability for NLC/Business unit to meet its objectives
Moderate (3): Moderate improvement in ability for NLC/Business unit to meet its objectives
Major (4): Major improvement in ability for NLC/Business unit to meet its objectives
Critical (5): Significant improvement in ability for NLC to meet its objectives

Risk Focus: Service delivery (A)
(1) Negligible improvement in Council or community/program/project/service outcomes. Changes implemented by routine operations.
(2) Minor improvement in Council or community/program/project/service outcomes. Minor improvement in efficiency or effectiveness.
(3) Moderate improvement in delivery of Council or community/program/service outcomes for identified groups. Moderate improvement in efficiency or effectiveness. Moderate improvement in utilisation of council assets. Moderate improvement in community participation & access.
(4) Major improvement in Council or community/program/service outcomes. Major improvement in ability to implement program. Major improvement in the development of essential infrastructure. Major improvement in utilisation of council assets. Major improvement in community participation & access.
(5) Significant improvement in Council or community/program/service outcomes. Significant improvement to reputation of public education or sport & recreation.

Risk Focus: Financial (B)
(1) Saving or benefit up to 1% of the appropriate baseline amount, e.g. program/project budget, annual budget or projected revenue
(2) Saving or benefit > 1% to 5% of the appropriate baseline amount (as above)
(3) Saving or benefit > 5% to 10% of the appropriate baseline amount (as above)
(4) Saving or benefit > 10% to 15% of the appropriate baseline amount (as above)
(5) Saving or benefit > 15% of the appropriate baseline amount (as above)

Risk Focus: Management Effort (C)
(1) An event, the impact of which slightly reduces the management effort required
(2) An event, the impact of which reduces the management effort required. Potential to free up resources within a department.
(3) An event, the impact of which results in a moderate reduction in the management effort required. Potential to free up resources between the departments.
(4) An event, the impact of which results in a major reduction in the management effort required. Resources can be released for other functions.
(5) An event, the impact of which significantly reduces the management effort required. Able to free up resources, reallocate responsibilities, and significantly realign functions.

Risk Focus: Health & Safety (D)
(1) Negligible effect on health and safety. Negligible effect on site security. Little effect on reputation.
(2) Minor preventative measures. Minor improvements in site security and controls. Minor improvement in reputation.
(3) Moderate improvements in prevention and control. Moderate improvements in site security. Positive improvement in reputation and community interest.
(4) Major improvements in prevention and control. Major improvements in site security. Major improvement in reputation and community/stakeholder interest.
(5) Significant improvements in prevention and control. Significant improvements in site security. Significant improvement in reputation and community/stakeholder interest.

Risk Focus: Legal / Compliance (E)
(1) Negligible improvement in compliance ability. Little effort required.
(2) Minor improvement in compliance ability. Process improvements assist with a proactive approach.
(3) Moderate improvement in compliance ability. Positive cultural change. Process improvements assist with a proactive approach.
(4) Major improvement in compliance ability. Large change in behaviours. Positive cultural change. Proactive approach.
(5) Significant improvement in compliance ability with cultural change and a proactive approach. Significant improvement in reputation and community/stakeholder interest.

Risk Focus: Reputation / External relationships (F)
(1) Modest positive publicity. Modest positive attention from minor stakeholders.
(2) Local positive publicity. Visible satisfaction from public; limited/localised media interest.
(3) Region wide positive publicity. Short term improvements; public interest in Council; positive publicity from local & regional media.
(4) Sustained region wide positive publicity. Mainstream media reports; community satisfaction; supportive comments from SELGA members; positive reinforcements from LGA.
(5) Significant recognition leading to major improvement in community and stakeholder support. Broad public interest; media event.


PROJECT / PROGRAM OPPORTUNITIES

Table 4 – Positive Consequence Criteria (Opportunities) – Projects / Programs (The potential impact on the objectives and resources)

Rating levels (column headings):
Insignificant (1): Small change in projects
Minor (2): Minor improvements in outcomes
Moderate (3): Moderate improvements in outcomes
Major (4): Major improvements in outcomes
Critical (5): Significant improvements in outcomes

Risk Focus: Quality (G)
(1) Negligible effect on objective
(2) Objective achieved. Quality starting to exceed expectations.
(3) Objective achieved. Moderate increase in outcomes. Exceeding expectations.
(4) Major increase in quality. Greatly improved outcomes. High level of stakeholder satisfaction. Exceeding expectations.
(5) Significant increase in quality. Significantly improved outcomes. High level of stakeholder satisfaction. Greatly exceeding expectations.

Risk Focus: Time (H)
(1) Project/Program/Service improved by up to 5%
(2) Project/Program/Service improved by > 5% up to 10%
(3) Project/Program/Service improved by > 10% up to 20%
(4) Project/Program/Service improved by > 20% up to 30%
(5) Project/Program/Service improved by > 30%

Risk Focus: Cost (I)
(1) Up to 1% below budget
(2) > 1% to 5% below budget
(3) > 5% to 10% below budget
(4) > 10% to 15% below budget
(5) > 15% below budget

Risk Focus: Benefits (J)
(1) Negligible increase in planned benefits
(2) Minor increase in benefits over those planned
(3) Moderate increase in benefits over those planned
(4) Major increase in benefits over those planned
(5) Significant increase in benefits over those planned


NLC-WIDE LIKELIHOOD CRITERIA

How likely is it that the Council will be exposed to this specific risk (looking at both the event (cause) and the impact (consequence)), considering factors such as:

- Anticipated frequency
- The external environment
- The procedures, tools, skills currently in place
- Staff commitment, morale, attitude
- History of previous events

The 'Description' column in the following table is to be used as a guide only. Not all initiatives will align to the time frames shown.

Level | Description | Criteria (read as either/or) | Probability
5 – Certain | Certain | The event will occur / The event occurs daily | >95–100%
4 – Likely | Likely | The event is expected to occur / The event occurs weekly/monthly | >70–95%
3 – Possible | Possible | The event will occur under some circumstances / The event occurs annually | >30–70%
2 – Unlikely | Unlikely | The event has happened elsewhere / The event occurs every 10 years | >5–30%
1 – Rare | Rare | The event may occur in exceptional circumstances / The event has rarely occurred | <5%


13. DETERMINE RISK LEVEL

Having assessed the consequence and likelihood of major risks, a risk level will be determined using the NLC-wide risk matrix. Risks which may have a larger consequence and a higher likelihood on business operations will have a higher priority rating than those with a minor consequence and lower likelihood.

Risk treatment and escalation/delegation guidelines:

Risk Level | Risk Treatment Guidelines | Risk Escalation Guidelines | NLC-Wide Risk Delegation Guidelines
Extreme | Immediate action required to actively manage risk and limit exposure | Escalate to CEO & Council | The CEO responsibility and accountability
High | Cost / benefit analysis required to assess extent to which risk should be treated; monitor to help ensure risk does not adversely change over time | Escalate to the CEO | The CEO responsibility and accountability
Medium | Constant / regular monitoring required to help ensure risk exposure is managed effectively, disruptions minimised and outcomes monitored | Escalate to the Management Team; specify risk management responsibility and accountability | Assign accountability to the Management Team
Low | Effectively manage through routine procedures and appropriate internal controls | Monitor and manage at operational management level | Monitor and manage at operational management level


14. RISK EVALUATION

The purpose of this step is to develop a prioritised list of risks requiring attention.

When the risk has been rated, the risk level needs to be compared with management’s acceptable level of risk.

If a negative risk (threat) level is at or below management’s acceptable level of risk then the risk is at an acceptable level and no additional risk treatment is required at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.

If a negative risk (threat) level is above management’s acceptable level of risk then the risk is at an unacceptable level and additional risk treatments may be required to reduce the risk to management’s acceptable level.

If a positive risk (opportunity) level is low or medium but could be increased (improved) with reasonable steps (subject to cost/benefit analysis) then it is at an unacceptable level and additional risk treatments may be required.

If a positive risk level (opportunity) is high or extreme it may be at an acceptable level so no additional risk treatment may be required (subject to cost/benefit analysis) at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
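The likelihood bands, the treatment and escalation table of section 13 and the evaluation rules of section 14, encoded as a small runnable model of a risk register entry. This is an added example, not the Council's own tooling; the consequence-by-likelihood matrix it uses is an assumed placeholder, because this section refers to the NLC-wide risk matrix without reproducing it, and the sample entries are constructed.

```python
"""Risk evaluation and escalation model (added example, not the Council's own code)."""
from dataclasses import dataclass
from enum import Enum


class Likelihood(Enum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    CERTAIN = 5


class Consequence(Enum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CRITICAL = 5


# Ordered lowest to highest so "at or below" comparisons work (section 14).
LEVELS = ["Low", "Medium", "High", "Extreme"]

# ASSUMED placeholder matrix: the guideline reads the level off "the NLC-wide risk
# matrix", which this section does not reproduce. Keyed by likelihood value; each
# list is indexed by consequence value minus one. Replace with the real matrix.
RISK_MATRIX = {
    5: ["Medium", "High", "Extreme", "Extreme", "Extreme"],
    4: ["Medium", "High", "High", "Extreme", "Extreme"],
    3: ["Low", "Medium", "High", "High", "Extreme"],
    2: ["Low", "Low", "Medium", "High", "High"],
    1: ["Low", "Low", "Low", "Medium", "High"],
}

# Risk treatment and escalation/delegation guidelines (section 13):
# level -> (treatment guideline, escalate to, who holds accountability)
ESCALATION = {
    "Extreme": ("Immediate action required to actively manage risk and limit exposure",
                "CEO & Council", "CEO"),
    "High": ("Cost / benefit analysis required; monitor so the risk does not adversely change",
             "CEO", "CEO"),
    "Medium": ("Constant / regular monitoring required", "Management Team", "Management Team"),
    "Low": ("Manage through routine procedures and appropriate internal controls",
            "Operational management", "Operational management"),
}


def likelihood_from_probability(p: float) -> Likelihood:
    """Map a probability (0..1) onto the NLC-wide likelihood bands:
    >95% Certain, >70-95% Likely, >30-70% Possible, >5-30% Unlikely, <5% Rare.
    The table leaves exactly 5% unassigned; it is treated as Rare here."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if p > 0.95:
        return Likelihood.CERTAIN
    if p > 0.70:
        return Likelihood.LIKELY
    if p > 0.30:
        return Likelihood.POSSIBLE
    if p > 0.05:
        return Likelihood.UNLIKELY
    return Likelihood.RARE


def risk_level(consequence: Consequence, likelihood: Likelihood) -> str:
    """Read the risk level off the (assumed) matrix."""
    return RISK_MATRIX[likelihood.value][consequence.value - 1]


@dataclass
class RegisterEntry:
    """The Organisational Risk Register columns needed for evaluation."""
    risk_number: int
    identified_risk: str
    consequence: Consequence
    likelihood: Likelihood
    opportunity: bool = False  # False = negative risk (threat), True = positive risk


def evaluate(entry: RegisterEntry, acceptable_level: str) -> dict:
    """Section 14 rules. Threat: at or below management's acceptable level -> monitor
    only; above it -> additional treatment. Opportunity: Low/Medium -> treat to improve
    it (subject to cost/benefit); High/Extreme -> monitor only."""
    level = risk_level(entry.consequence, entry.likelihood)
    if entry.opportunity:
        acceptable = LEVELS.index(level) >= LEVELS.index("High")
    else:
        acceptable = LEVELS.index(level) <= LEVELS.index(acceptable_level)
    next_step = ("Ongoing monitoring; review at next risk assessment" if acceptable
                 else "Additional risk treatment required (subject to cost/benefit analysis)")
    guidance, escalate_to, accountable = ESCALATION[level]
    return {"risk_number": entry.risk_number, "level": level, "acceptable": acceptable,
            "next_step": f"{next_step}. {guidance}",
            "escalate_to": escalate_to, "accountable": accountable}
```

Calling `evaluate(RegisterEntry(7, "constructed threat", Consequence.MAJOR, likelihood_from_probability(0.4)), "Medium")` rates the entry High, flags it as above the acceptable level and routes it to the CEO.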


15. RISK TREATMENT

The purpose of this step is to identify the most appropriate treatments for risks that are at an unacceptable level.

16. GENERAL

Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.

Risk treatment involves a cyclical process of:

- assessing a risk treatment
- deciding whether residual risk levels are tolerable
- if not tolerable, generating a new risk treatment
- assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Select the best options in terms of feasibility and cost effectiveness. The options can include the following:

- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Taking or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the consequences
- Changing the likelihood
- Sharing the risk with another party or parties (including contracts, insurance, and risk financing)
- Retaining the risk by informed decision.

17. SELECTION OF RISK TREATMENT OPTIONS

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.


A number of treatment options can be considered and applied either individually or in combination. The organisation can normally benefit from the adoption of a combination of treatment options.

When selecting risk treatment options, the organisation should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in the organisation or with stakeholders, these should be involved in the decision. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.

The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.

Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.

Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed. These secondary risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk. The link between the two risks should be identified and maintained.

18. PREPARING AND IMPLEMENTING CONTINUOUS IMPROVEMENT PLANS

The purpose of continuous improvement plans is to document how the chosen treatment options will be implemented.

The information provided in continuous improvement plans should include:

- the reasons for selection of treatment options, including expected benefits to be gained
- those who are accountable for approving the plan and those responsible for implementing the plan
- proposed actions
- resource requirements including contingencies
- performance measures and constraints
- reporting and monitoring requirements
- timing and schedule.

Improvement plans should be integrated with the management processes of the organisation and discussed with appropriate stakeholders.

Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after risk treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.


19. MONITORING AND REVIEW

Risk monitoring and review is an integral step in the risk management process. It enables us to proactively identify changes in the risk profile and adjust the organisational response as required. It also enables us to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies.

Risk monitoring and review is a continuous process, and it is essential that our risk priorities and risk management plans remain relevant in the changing environment we operate in.

Risk management is responsive to change. Continuous monitoring and review of the external and internal risk environment is required to help shape the context and understanding of our risk profile, changes in the risk ratings, identification of new risks, or taking risks off the radar.


20. SCANNING RISK SOURCES

Environmental scanning is an important part of the monitoring framework and involves analysis of multiple sources of risk information as depicted in Figure 3 below.

Figure 3: Sources of risk information

Environmental scanning by the Management team and the Council assists to identify new and emerging risks from the external and internal environment through:

- Analysis of Political, Economic, Social, Technological, Environmental factors, Government policies and other regulatory environment
- Interviews or meetings with the LGA, SELGA, Councillors
- Interviews or meetings with staff and stakeholders
- External reports and papers from recognised subject matter experts
- Consideration of our operations, systemic issues arising from incidents analysis, audit results and other historical risk information.

21. RISK MONITORING AND REPORTING

The Management Team monitors the risk profile and associated risk treatment strategies (as detailed in the Organisational Risk Register) using the following approaches:

- Management and Council meetings
- Lessons learned (incident management experience)
- Formal risk profile and risk appetite reviews
- Early escalation of emerging risks.

[Figure 3 (Sources of risk information), labels recovered from the diagram: Ratepayer / Stakeholder expectations; Strategic Plan; NLC Risk Profile; Business Plans; Major Projects / Key business processes; Emerging risks / uncertainty; Regulatory / reputational issues; KPIs / Operational indicators; Audit Reports]

Management Meetings

Management meetings are important forums for tracking movements on the risk profile and the implementation of key risk treatment strategies. The Management team meets on a regular basis to monitor performance against the strategic initiatives and monitor the risks. The Management Team considers risks at the following meetings:

- Weekly management meetings allow for discussion on performance matters, emerging risks and major ongoing concerns
- The department face-to-face meetings include discussion on major department risks
- Monitoring of strategy and major projects includes review of the risk profile and risk treatment activities biennially by the Management team. A Risk Escalation Report and details of overdue/partially completed risk treatment activities in relation to high and extreme risks are reviewed as part of these meetings. Refer to Appendix 2 for a Risk Escalation Report example.

22. REVIEW OF THE RISK PROFILE

The risk profile is an important source of risk information, represented by the Organisational Risk Register, which contains the most significant risks faced by the Council as a whole and includes the following:

- Strategic and operational risks
- Major departmental risks escalated to the Council via the Management team
- Risks representing strategic projects or major initiatives

Escalated risks will procedurally progress to the Audit Committee.

The Management team will undertake a High Level Overview of the most significant risks/risk areas facing the Council.

The profile is collaboratively reviewed by the Council on an annual basis. A formal annual refresh of the risk profile includes revision of the risk ratings taking into account the progress against risk treatment activities. New and emerging risks are considered for inclusion on the risk profile. A comprehensive annual review of the risk profile and risk appetite is performed by the Management team.

The profile monitoring is an integral part of monitoring business performance and is underpinned by the following:

- Prioritisation of the major strategic risks which may have impact on the Strategic Plan
- Identification and prioritisation of new or emerging risks which may have a significant impact
- Monitoring of key performance indicators of major projects and initiatives which constitute areas of significant risk.

To help ensure that the risk profile is relevant, up to date and effectively managed, the Management risk review approach addresses the following:

- Alignment of the risks to strategic priorities
- Risk magnitude
- Key treatment strategies in place to manage the risk
- Effectiveness of the current risk treatment activities
- Movements in the risk ratings
- Initiatives to address risks which are above risk appetite or to strengthen risk management processes
- Accountabilities assigned to implement the risk treatment strategies and associated due dates
- Sufficiency of resourcing requirements to implement the risk treatment strategies.

Where the risk rating increases or potential risks are identified, the Management team considers the adequacy of the current risk treatment activities. The following questions may be considered:

- Are the assumptions relating to the risk context (including environment, technology and resources) still relevant?
- Is the risk treatment activity effective in managing the risk? How can it be improved?
- Are there performance measures or indicators in place to measure key outcomes?
- Does the risk management activity comply with legal requirements and Council policies?

23. EMERGING RISK IDENTIFICATION

All staff members are responsible for ensuring new and emerging risk areas are captured, monitored and escalated appropriately through existing communication channels.

24. EXECUTIVE RISK REPORTING

Risk reporting supports the Executive discussion and decision-making on major risks and business priorities.

Risk reports are prepared by the CEO annually. The reports are focussed on high and extreme risks and highlight "hot spots" on the Risk Profile including:

- Risk description
- Reference to the strategy (target)
- Residual risk ratings
- Target risk ratings
- Movements in risk ratings
- Reference to a department (if applicable)
- Reference to a risk treatment strategy
- Accountability
- Status of risk treatment strategies (completed, partially implemented and overdue)
- Assurance activities in place to assess the management of the risk
- High level overview of the significant risks/risk areas facing the Council (including emerging negative risks and opportunities).

For major initiatives, updates are provided to management meetings. Updates should include details of overdue or partially implemented risk treatment strategies and the following information:

- Description
- Commentary
- Budget
- Accountability, and
- Due date.

The dashboard report is supported by a commentary including highlights of the annual environmental scan and analysis of systemic issues and trends arising from historic information such as incidents and internal audit findings or resource implications for additional risk treatment activities.

Progress on performance against expected outcomes for major projects by reviewing key risk performance indicators for major initiatives is reported as part of the business performance reporting. This information contributes to the monitoring of major risks associated with these projects.

Full details of the roles and responsibilities of portfolios, the Executive and the ERM Group are outlined in Appendix 5.

25. REVIEW OF THE RISK MANAGEMENT FRAMEWORK

The risk management framework is subject to review to meet the requirements of the current risk management standards (AS/NZS ISO 31000:2009). The review includes the following:

- Annual review of Council's risk profile and departmental risk profiles in conjunction with the self-assessment of the achievement of strategic objectives and progress against the strategic initiatives
- Self-assessment of the ERM Group performance in accordance with the ERM Group Charter
- An independent review of the risk management function and process every two years
- A review of departmental alignment with the risk management principles.

Significant changes to operations should prompt a review and update of the risk management framework to help ensure that it remains appropriate to support business needs.

26. REPORTING TO THE AUDIT COMMITTEE

The results of the risk management framework review are reported to the Audit Committee and the Council which will include recommendations for improvement.

27. COMMUNICATION AND CONSULTATION

Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process. Therefore, plans for communication and consultation should be developed at an early stage. These should address issues relating to the risk itself, its causes, its consequences (if known), and the measures being taken to treat it. Effective internal and external communication and consultation should take place to help ensure that stakeholders and those accountable for implementing the risk management process understand the basis on which decisions are made, and the reasons why particular actions are required.

A consultative team approach may:

- help establish the context appropriately
- help ensure that the interests of stakeholders are understood and considered
- help ensure that risks are adequately identified and defined
- bring different areas of expertise together for analysing risks
- help ensure that different views are appropriately considered when defining risk criteria and in evaluating risks
- secure endorsement and support for a treatment plan
- enhance appropriate change management during the risk management process
- develop an appropriate external and internal communication and consultation plan.

Communication and consultation with stakeholders is important as they make judgements about risk based on their perceptions of risk. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions should be identified, recorded, and taken into account in the decision making process. Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.

Communication and consultation in the Council includes business units:

- reporting untreated risks through existing corporate reporting frameworks
- communicating the results of the risk assessment to stakeholders.

28. REFERENCES

AS/NZS ISO 31000:2009, Risk management - Principles and guidelines, Standards Australia (and related standards and handbooks)

HB 89-2012, Risk management - Guidelines on risk assessment techniques, Standards Australia


APPENDIX 1 – RISK REGISTER (See also Recording Risk Information – Appendix 3 Section 8)

The purpose of a risk register is to provide a central repository or focal point of identified risks that can be monitored and reviewed on a regular basis by both internal and external stakeholders.

Risk information gained through conducting risk assessments should be documented and maintained in the register. The Executive Risk Register following is included as a guide only.

The risk assessment will provide managers with information to assist them to manage risks remaining at an unacceptable risk level.

The strategic and operational risk assessments should be updated at least annually and or at times when new and emerging risks may arise for example, the introduction of new business products, processes, systems and or services.

The creation and application of a risk register leads to improved management decision making as it helps to:

- identify managed and unmanaged risks, especially during the planning cycle
- evaluate the severity of any identified risk
- apply possible solutions to those risks through a systematic approach
- monitor and analyse the effectiveness of actions taken to mitigate the risks.

When risks are effectively managed, the confidence level in achieving goals and objectives is increased. By creating and maintaining risk registers across the Council, stakeholder engagement will increase through communication and the accountability and escalation of risks.

There is no standard list of components that should be included in the risk register.

The Council’s Organisational Risk Register (ORR) is being used here as a model. The ORR documents the following information for each risk:

1. Target or Strategic Objective –This column consists of two components: the number is a sequential number on the register and may change in relation to the risks as risks are removed, added, escalated or de-escalated. Then follows a brief description of the target or strategic objective that the risk relates to and may come directly from business plans or other higher level sources.

2. Planned Action – The action(s) required to achieve the target or strategic objective.

3. Risk Number – A unique number given to each individual risk. There may be more than one risk linked to each objective. These numbers are not necessarily sequential in the listings as the risks may be removed, added, escalated or de-escalated as time progresses.

4. Identified Risk – A brief description of each risk as it relates to the target or objective or planned action(s). This is normally described in terms of an event and an impact, i.e. something happens...resulting in...

5. Existing Treatments/Strategies – Relates to current or existing treatments, strategies or controls either in-place or planned.

6. C – Consequence Rating from Section 3.2.2 (see the following Legend). There can be multiple consequence ratings as a risk can affect multiple categories e.g. financial, reputation, compliance etc.

7. L – Likelihood (Rating) of the risk occurring with the predetermined Consequence Rating and with the risk treatments, strategies or controls either in-place or planned – from Section 3.2.2 (see the following Legend).

8. Residual Rating – The estimated risk rating based on the predetermined consequence and likelihood ratings with the current or existing treatments, strategies or controls (planned or in-place).

9. Additional Treatment Needed – If the Residual Rating is unacceptable, additional treatments or strategies or controls will be put in place to reduce the rating to an acceptable Target Risk Rating (if the Residual Risk Rating is acceptable or unchangeable this column could be empty).

10. Target Risk Rating – If the Residual Risk Rating is unacceptable, the Target Risk Rating is the acceptable rating of the risk (if the Residual Risk Rating is acceptable or unchangeable this column could be empty).

11. Executive Action Required – If the Residual Risk Rating is unacceptable or unchangeable and no Additional Treatment would be effective, then Executive Action or intervention may be required. If no specific or explicit Executive Action is required this column could be empty.

12. Executive Owner – The member of the Executive (one person) accountable for ensuring that the risk is managed as effectively as possible.

13. KPIs – The Key Performance Indicators which are a measure of how well the risk is being or could be managed.

14. Internal Audit Assurance – Internal audit activities that assess the management of the risk.

15. Other Internal Assurance – Other internal mechanisms or Council groups (steering committees etc.) who have oversight of the management of the risk or related objectives.

16. External Assurance – External bodies or organisations with a role in assuring the effective management of the risk (Audit Committee, etc.).

LEGEND for reading the Risk Register

Key to Columns C, L and Rating

C (Consequence): 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic

L (Likelihood): 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Certain

Residual or Target Risk Rating: Low, Medium (Med), High, Extreme (Extr)


HOW TO DEVELOP A RISK REGISTER

A risk register is designed to capture risk information and is a primary tool for risk monitoring, reporting and follow-up action.

The steps taken to create a risk register are outlined in the following table and are in parallel to the risk register development process shown below.

Steps in the Creation of a Risk Register

Step 1 – Risk register awareness and readiness. Comments: Initial planning by business unit manager and key staff.

Step 2 – Meet with business unit key stakeholders. Comments: Building the contextual framework.

Step 3 – Conduct business unit risk identification meetings (e.g. brainstorming). Comments: Take into consideration all points of view.

Step 4 – Stakeholder engagement with teams to develop the risk register (see next table). Comments: Populating the risk register.

Step 5 – Development of risk register entries. Comments: Coordination of risk evaluation and treatments.

Step 6 – Sign off and assigning ownership of risks. Comments: Agreement of budgets to control risks.

Step 7 – Updating risk registers. Comments: Reviewing and monitoring; the escalation and/or de-escalation process may need to be enacted.


Risk Register Development Process

Step 1 – Establishing the context
Key questions: Have the business objectives been taken into account? Has an environmental scan been conducted? Have the risk criteria been defined?
Linkages: Monitoring and review; Communication and consultation

Step 2 – Risk identification
Key questions: What do you want to achieve, what will stop it being achieved (threat), or what will help it be achieved (opportunity)? What is the potential cost in time, money and performance? How likely is it to happen? What are the impacts of each risk? What is the source of the risk? What can be done to reduce/control the risk?
Linkages: Monitoring and review; Communication and consultation

Step 3 – Risk analysis
Key questions: Are there any existing controls? Have the consequences of the risk been considered? Have the impacts been evaluated on a 'gut feel' or an evidence-based approach? Have the likelihood criteria been applied?
Linkages: Monitoring and review; Communication and consultation

Step 4 – Risk evaluation
Key questions: Have the risks been compared against the set criteria? Have the Council's risk tolerance levels been considered in accordance with legal, regulatory and other requirements? Has a decision been made to treat the risks? If yes, go to Step 5. If no, continue to monitor and review the risks.
Linkages: Monitoring and review; Communication and consultation

Step 5 – Risk treatment
Key questions: Have all treatment options been identified? Have all options been assessed? Have treatment plans been prepared and are they ready for implementation? Have residual risks been analysed and evaluated?
Linkages: Monitoring and review; Communication and consultation

Step 6 – Monitoring and review
Key questions: Have the established procedures been followed? Is there a requirement to escalate or de-escalate risks to the next level?
Linkages: Risk management plan, if held

When complete, the risk register should be brought to the attention of all employees working in the business unit in a clear and understandable manner, taking into account their level of training, knowledge and experience as well as their responsibility for managing the risks.

CONTINUOUS IMPROVEMENT

A risk register is a 'living document', not a one-off process. Accordingly, it should be regularly updated and used actively during planning and related activities. To align with Council requirements, industry standards and best practice, business units are encouraged to regularly review their risk register for accuracy and currency.


SAMPLE TEMPLATE - RISK REGISTER

Columns: Risk No | Functional Area | Potential Hazard | Risk/Event Description | Existing Controls | Consequence | Likelihood | Risk Rating | New Controls and Action Plan (3W) | Rev Likelihood | Residual Risk Level | Responsible Dept | Comments

5 | Legal | compliance | Breach of confidentiality creating legal proceedings | Insurance; policies and procedures; ombudsman; external audits | 2 - Minor | 4 - Likely | High | (blank) | (blank) | (blank) | Governance | (blank)

6 | Legal | compliance | Incomplete records leading to poor decisions and inefficiencies | Records Management system and processes; dedicated records officer | 3 - Moderate | 4 - Likely | High | (blank) | (blank) | (blank) | Corporate Services | (blank)

8 | Legal | compliance | Development occurs in an area inappropriately zoned or without appropriate building and planning conditions, adding to Council costs and loss of revenue | Development Plan processes | 4 - Major | 3 - Possible | Extreme | Consistency in decision making; workshop with real estate agents and construction industry; constant engagement with relevant parties; structure plan | (blank) | (blank) | Planning | (blank)

11 | Legal | compliance | Litigation, incomplete work or financial loss as a result of contractors working without a contract in place | Register of contracts | 4 - Major | 3 - Possible | Extreme | Establish project teams/project plans that include schedules and contractual arrangements; standard contracts across Council | (blank) | (blank) | Corporate Services | (blank)
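As an added example, not part of the Council's guidelines, the following Python script checks rows laid out like the sample register above for the consistency the column descriptions demand: the rating must follow from the C and L cells rather than be typed in by hand (item 8), an unacceptable rating must carry additional treatment or an executive decision (items 9 to 11), a treated risk must be re-rated, and every risk must have an owner (item 12). The rating matrix and the acceptance threshold are assumptions, since Section 3.2.2 is not reproduced here; the assumed matrix is chosen only so that it reproduces the three C/L combinations in the sample rows, and rows 12 and 13 in the input are constructed to exercise a mis-rated entry and a fully treated one.

```python
"""Consistency checks over risk register rows laid out like the sample template.

Added example, not part of the council's guidelines. ASSUMPTIONS:
  * MATRIX is an illustrative 5x5 likelihood x consequence matrix. The council's
    own matrix (Section 3.2.2) is not reproduced on this page; this one is chosen
    only so that it reproduces the three combinations in the sample rows
    (C2/L4 -> High, C3/L4 -> High, C4/L3 -> Extreme).
  * TREATMENT_REQUIRED is the set of ratings treated as unacceptable (register
    items 9-11); the page does not state the threshold.
"""
import re
from typing import Dict, List

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Certain"}

# ASSUMED illustrative matrix: MATRIX[likelihood][consequence] -> rating.
MATRIX: Dict[int, Dict[int, str]] = {
    1: {1: "Low", 2: "Low", 3: "Low", 4: "Medium", 5: "High"},
    2: {1: "Low", 2: "Low", 3: "Medium", 4: "High", 5: "High"},
    3: {1: "Low", 2: "Medium", 3: "High", 4: "Extreme", 5: "Extreme"},
    4: {1: "Medium", 2: "High", 3: "High", 4: "Extreme", 5: "Extreme"},
    5: {1: "Medium", 2: "High", 3: "Extreme", 4: "Extreme", 5: "Extreme"},
}
TREATMENT_REQUIRED = {"High", "Extreme"}  # assumed threshold, see module docstring

# Cells look like "2 - Minor"; PDF extraction may turn the hyphen into U+2010 or U+2013.
_CELL = re.compile(r"^\s*([1-5])\s*[-\u2010\u2013]\s*([A-Za-z]+)\s*$")


def parse_scale(cell: str, scale: Dict[int, str]) -> int:
    """Parse a legend cell such as '3 - Moderate' and check the label against the legend."""
    m = _CELL.match(cell)
    if not m:
        raise ValueError(f"unparseable rating cell {cell!r}")
    score, label = int(m.group(1)), m.group(2)
    if scale[score].lower() != label.lower():
        raise ValueError(f"score {score} is {scale[score]!r} in the legend, not {label!r}")
    return score


def rate(consequence: int, likelihood: int) -> str:
    """Look up the rating for a consequence/likelihood pair in the assumed matrix."""
    return MATRIX[likelihood][consequence]


def check_row(row: dict) -> List[str]:
    """Return the consistency findings for one register row (empty list = consistent)."""
    findings: List[str] = []
    try:
        c = parse_scale(row["consequence"], CONSEQUENCE)
        lk = parse_scale(row["likelihood"], LIKELIHOOD)
    except ValueError as err:
        return [str(err)]
    expected = rate(c, lk)
    # Item 8: the rating must follow from the C and L ratings, not be entered by hand.
    if row["risk_rating"] != expected:
        findings.append(f"rating {row['risk_rating']!r} does not match matrix ({expected!r} for C={c}, L={lk})")
    treated = bool(row.get("new_controls", "").strip())
    # Items 9-11: an unacceptable rating needs additional treatment or an executive decision.
    if expected in TREATMENT_REQUIRED and not treated:
        findings.append(f"{expected} rating with no additional treatment recorded: needs a treatment plan or executive action")
    rev = row.get("rev_likelihood", "").strip()
    if treated and not rev:
        findings.append("additional treatment recorded but revised likelihood and residual level not re-rated")
    if rev:
        try:
            rl = parse_scale(rev, LIKELIHOOD)
        except ValueError as err:
            findings.append(str(err))
        else:
            if rl > lk:
                findings.append("revised likelihood is higher than the current likelihood")
            residual = rate(c, rl)  # consequence is kept; only the likelihood is revised
            if row.get("residual_level") != residual:
                findings.append(f"residual level {row.get('residual_level')!r} does not match matrix ({residual!r})")
    # Item 12: every risk has exactly one accountable owner.
    if not row.get("responsible_dept", "").strip():
        findings.append("no responsible department/owner assigned")
    return findings


def check_register(rows: List[dict]) -> Dict[int, List[str]]:
    """Map each risk number to its findings."""
    return {row["risk_no"]: check_row(row) for row in rows}


# Constructed input: the four rows of the sample register, plus two rows made up
# here (12 and 13) to exercise a mis-rated entry and a fully treated one.
SAMPLE_ROWS = [
    dict(risk_no=5, consequence="2 - Minor", likelihood="4 - Likely", risk_rating="High",
         new_controls="", rev_likelihood="", residual_level="", responsible_dept="Governance"),
    dict(risk_no=6, consequence="3 - Moderate", likelihood="4 - Likely", risk_rating="High",
         new_controls="", rev_likelihood="", residual_level="", responsible_dept="Corporate Services"),
    dict(risk_no=8, consequence="4 - Major", likelihood="3 - Possible", risk_rating="Extreme",
         new_controls="Consistency in decision making; structure plan", rev_likelihood="",
         residual_level="", responsible_dept="Planning"),
    dict(risk_no=11, consequence="4 - Major", likelihood="3 - Possible", risk_rating="Extreme",
         new_controls="Project plans with contractual arrangements; standard contracts",
         rev_likelihood="", residual_level="", responsible_dept="Corporate Services"),
    dict(risk_no=12, consequence="2 - Minor", likelihood="2 - Unlikely", risk_rating="High",
         new_controls="", rev_likelihood="", residual_level="", responsible_dept="Governance"),
    dict(risk_no=13, consequence="4 - Major", likelihood="4 - Likely", risk_rating="Extreme",
         new_controls="Standard contracts; contract register review", rev_likelihood="2 - Unlikely",
         residual_level="High", responsible_dept="Corporate Services"),
]

if __name__ == "__main__":
    for risk_no, findings in check_register(SAMPLE_ROWS).items():
        print(risk_no, findings or ["consistent"])
```

Run against the sample rows, the script reports that risks 5 and 6 sit at a High rating with nothing in the New Controls column, and that risks 8 and 11 have additional controls recorded but no revised likelihood or residual level, which is exactly the follow-up the Residual Rating and Target Risk Rating columns exist to capture.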


APPENDIX 2 - SAMPLE TEMPLATE RISK RECORD (OPTIONAL)

Risk Number:

Target (Strategic Objective) | Planned Action (to achieve objective) | Department | Context / Assumptions

Identified Risk | Existing Treatments/Strategies | Consequence | Likelihood | Risk Rating | Director / Risk Manager | Completion Date | Budget Funding Approved / Required

Introduced Risks / Residual Risks / Risk Triggers (or indicators) | Additional Treatments Needed | Consequence | Likelihood | Residual Risk Rating | Target Risk Rating | KPIs

Executive Management Team Action Required | Due Date | Status | KPIs

NLC Enterprise Risk Management Guidelines v.1.0 August 2013 Policy document reference: C1.10 37 of 45

APPENDIX 3 - ALIGNING RISK MANAGEMENT TO STRATEGIC AND BUSINESS PLANNING, BUDGETING AND PERFORMANCE MANAGEMENT

1. RISK MANAGEMENT AT THE STRATEGIC LEVEL

Risk Management at the strategic level involves identifying circumstances and events that could have an impact (positive or negative) on the achievement of corporate objectives. Risk and strategy are linked and whenever there is a change in strategies, the risk assessment will also change.

The risk process recognises that in striving for a specific goal or outcome there are often elements of risk associated with achieving that outcome. If these risks are not considered or addressed when strategic plans are developed, they can delay or frustrate the objectives or cause unexpected outcomes that affect their achievement, or opportunities may be missed.

Strategic plans, and the risks affecting the outcomes in those plans, are not likely to remain static, because of changing priorities, new initiatives, government decisions, stakeholder issues, etc. These risks, along with the portfolio strategies, may need re-assessment whenever progress against the portfolio plan is monitored during the year.

There are two distinct stages when risk needs to be considered at the strategic level:

At the time strategic plans are first being developed and

At the time progress is being monitored and reported on against the strategic plans.

2. STRATEGIC AND BUSINESS PLANNING

Understanding how risks align with the planning processes enables us to effectively integrate risk management into our governance and management structures.

Risks are addressed as part of any planning process including the Total Asset Management (TAM) Plan, Funding Plan submissions to the Treasury, the Corporate Plan, project and program plans, and any other strategic, business or operational plan. The integration of risk management into strategic and business planning processes is a key component of the Council’s risk governance and business improvement processes.

Strategic risk management applies to the process of considering and managing the strategic risks on the Executive Risk Profile (risks included on the Executive Risk Register) which may impact the Council as a whole. However, this process can also be generally applied to all business unit levels.

Strategic risks are those that may have a direct and significant impact on the organisation’s strategic objectives. The strategic risks are given formal consideration by the Executive collectively and the departmental heads individually.

Business plan risk management applies to the process of considering and managing risks to the delivery of major projects and services. Business plan risks include strategic and operational risks. Major projects and initiatives risks generally relate to the delivery of infrastructure projects.

The starting point for embedding risk management is to link the risk identification process to the corporate strategic and business plan objectives, using risk assessment as an input to the plans. Risk and performance are managed and monitored in an integrated manner to help achieve better overall governance.


Effective risk management provides increased confidence that we can deliver the desired outcomes, manage threats to an acceptable degree and make informed decisions about opportunities. Alignment of risk management to strategic planning, budgeting and performance management can deliver a range of benefits by:

a. Improving the quality of decision making (appropriate, fast, accurate, and effective)

b. Effective execution of decisions (improved confidence, known quantity)

c. Embedding risk management within the day-to-day operation of your organisation (part of business as usual, not additional task or process burden)

d. Integrating risk management with business strategy (help ensure decisions are informed and based on sound judgment)

e. Improving planning processes by enabling the key focus to remain on core business and helping ensure continuity of service delivery

f. Reducing the likelihood of potentially costly ‘surprises’

g. Preparing for challenging events and improving overall resilience

h. Prioritising budgeted resources

i. Optimising performance through efficiencies in service delivery, major change and quality assurance initiatives and

j. Contributing to the development of a positive organisational culture of improved governance, clear purpose, roles and accountabilities for all staff.

3. BUDGETING

Risk information provides an input to the identification of the resourcing requirements and assists in the prioritisation of available resources as follows:

Risk information and estimates of resource requirements for the treatment of major risks are included in program and project proposals and considered by senior management

Risk management resource implications are included in the appropriate approved plans

The budget prioritisation process takes into account the NLC-wide and departmental risk profiles.

The risk management framework allows escalation of risks throughout the year, with any financial considerations being subject to Council decision as appropriate. However, the identification and assessment of risks will not necessarily be a trigger for additional funding. If additional funding is available, then this can be used to accommodate the additional risk treatment activities required to manage the risk. In most cases however, the reduction of the risk exposure in a particular area, will be accommodated by reprioritising the available activities, resources, funds or other investment in that area.


4. THE ALIGNMENT PROCESS

Risk management is integrated in strategic and business planning and budgeting activities as follows:

Step 1 – Review any current in-use planning policies, procedures and checklists to help ensure that content is aligned with these guidelines as well as any reference to the latest standards (e.g. risk matrix, consequence and likelihood tables). If inconsistencies exist, the appropriate action should be taken by either developing or updating risk related documentation or references to risk terminology.

Step 2 – Clearly state the strategic objective (as you would normally do in your planning process).

Step 3 – Describe the planned actions to achieve the objective.

Step 4 – Clearly state all assumptions (e.g. market size, resources required, competition, safety, etc.).

Step 5 – Identify the risks related to the objectives, planned actions and the assumptions (are the assumptions correct? what if they are not? what if the situation changes? etc.).

Step 6 – Perform a high level assessment of the risks (consequence, likelihood, risk rating).

Step 7 – Describe a high level treatment strategy for the higher rated risks (treatment options, cost/benefit analysis, decide whether to proceed).

Step 8 – Undertake a detailed assessment and plan the management of the accepted risks as per Section 3 of these guidelines.

Step 9 – Monitor the risks and the situation for changes.

Step 10 – Monitor the plan to address the changes.


5. STEPS TO INTEGRATE (EXAMPLE)

Integration of ERM into the Council’s strategic planning process (see Figure 4 below)

a. At the Management Planning Session in period 1 the broad strategy is set, providing a strategic direction for preparation of individual business plans, the management plan, and the development of future years’ budget requirements

b. Individual business streams begin drafting their business plans in period 2 to inform the management meeting (held in period 4). The following business plan risk assessment actions are carried out by the business streams:

i. Business streams articulate their objectives contributing to the overall strategy, describe the planned actions to achieve the objective, state the assumptions, and identify risks to achieving the business plan objectives

ii. Risks are identified by the business stream in the context of the business as usual (service delivery) objectives, and major projects and initiatives

iii. Risks are assessed by the business stream in accordance with the Enterprise Risk Management Guidelines

Figure 4: Integration of ERM into the NLC Strategic Planning Process

[Figure: a timeline from Period 1 to Period 4 with three lanes: Business / Strategic Planning Process, Performance Management Process, and Risk Management Process. Labelled steps in the figure: Management Planning Session to set broad strategy; Individual Business Plans; Management Strategy; Development of Budget Requirements; Approval of Funding Plan; Working Draft of Strategy Endorsed by Management; Priority Projects for Strategy Implementation; Management Meeting to Validate Strategy; Responsibility for Carriage of Objectives & Strategies Assigned; Develop KPIs to Measure Achievement of Objectives; Management Performance Agreement Incorporates Risk Management Objectives; Monitor, Review & Report Progress against the Plan; Identify risks to achieving strategic and operational objectives; Develop High Level Risk Profile; Treatment Strategies; Determine Budget Implications; Major Risks Considered in Identification of Priority Projects; Detail Action Plans to Implement Treatment Strategy; Responsibilities Assigned to Action Plans.]


iv. Treatment strategies required to manage the risks are developed

v. Budget implications (high level) are estimated for each high and extreme risk

vi. Risk treatment strategies and budget implications are documented in the risk records (refer to the Sample Risk Record template – Appendix 2)

vii. Risk treatment strategies and the budget implications are then prioritised taking into account the risk ratings

viii. Summary of high and extreme risks, treatment strategies and budget implications are documented in a prioritised order in the business plans

ix. Upon approval of the funding plan the detail action plans to implement risk treatment strategies are developed taking into account the available budget and the risk priority

x. Business plans are finalised to include detailed action plans for each risk including due dates

xi. Responsibilities are assigned after the strategy is validated in period 4

xii. Detailed action plans, due dates, associated costs and responsibilities are documented for each high and extreme risk (refer to the Sample Risk Record template – Appendix 2).

c. The management strategy is set, reflective of the strategic direction

d. Prioritised budget requirements in excess of available resources, are promoted to management for inclusion in the development of the next budget period

e. Major risks on the risk profile are considered in the identification of priority projects before a working draft of the strategy is endorsed by management in period 3.

The following risk related questions are considered during the strategy setting process:

i. What are the major assumptions behind each of the strategic objectives?

ii. What are the strategic and operational risks inherent in the strategy, and are they within our risk appetite?

iii. Can we meet the resource requirements of this strategy and its associated risks, now and in the foreseeable future?

iv. Will our values and ethics be compromised in any way by execution of this strategy?

In addition:

v. Priority projects for the strategy are refined in period 2, taking into account the requirements to manage major risks on the risk profile

vi. Existing structures, resources and risk appetite are aligned to the strategy and the risk profile.


6. AN INTEGRATED FRAMEWORK

Risk Management is an integral part of the strategic planning and budgeting processes. An integrated business planning and ERM framework should contain the following elements:

a. Evidence of communication and consultation with key stakeholders in developing strategic plans

b. Objectives should be set so that achievement of them can be measured. Tools such as “SMART” criteria (i.e. objectives should be Specific, Measurable, Achievable, Relevant and Timely) reflect good practice in this regard (see Section 3.1.3)

c. Linking of operational plans back to higher level strategic plans to help ensure they are consistent with higher level vision/mission

d. Evidence of identification and consideration of risks that impact on the achievement of strategic and operational objectives

e. Evidence of strategies designed to achieve objectives and manage the risks that could affect the achievement of those objectives

f. Evidence of responsibilities for carriage of objectives and strategies having been assigned to portfolios/areas

g. Development of Key Performance Indicators to measure achievement of objectives

h. Evidence that operational plans include identification, appropriate costings and assignment of resources to undertake them

i. Evidence of formal processes for identification of emerging risks and issues that impact plans and mechanisms for implementation of remedial action as appropriate

j. Evidence of formal processes in place to monitor, review and report progress against plans

k. Evidence that the annual report includes reporting in terms of key risks identified for the Council and management of those risks and legislative requirements

l. Policy and guidelines to support the above processes.

7. RISK MANAGEMENT AND PERFORMANCE MANAGEMENT

Risk management objectives are linked with performance management at all levels of the organisation. An appropriate risk culture is supported by ensuring that risk management objectives and overall performance objectives are aligned. This is supported in the following ways:

Management’s individual Performance Agreements incorporate risk management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk management strategies, KPIs and due dates

Identification of the people component of major business risks: leadership, knowledge, capabilities, behaviour, staff turnover, succession planning, training and development, and culture. Relevant risk management strategies are developed to address root causes of these risks.


8. RECORDING RISK INFORMATION

For each individual risk, the risk information is documented on a risk record (see sample in Appendix 2) which incorporates links to the strategic management, budgeting and performance management processes as follows:

Reference to a strategic area/objective

Risk management accountability which indicates an overall responsibility for managing a particular risk

Risk triggers - an event, activity or early warning signal or indicator likely to highlight or result in an emerging risk occurring

Key performance indicators (KPIs) for future treatment strategies which are included in the individual performance agreements

Budget required to implement the risk treatment strategies.

See also the Risk Register – Appendix 1


APPENDIX 4 – DEFINITION OF TERMS

Acceptable level of risk

The acceptable level of risk reflects the decision by management to accept the likelihood and consequences of a risk. This is also known as the organisation’s risk appetite. This is articulated in the consequence tables, the risk matrix, and the risk treatment and escalation/delegation guidelines (see Section 3.2.2).

Consequence

The outcome or impact associated with a risk occurring eg the loss, injury, disadvantage or gain.

Control

Any measure or action that changes the consequence or likelihood of a risk materialising.

Likelihood

Likelihood is the qualitative description of the probability or frequency of a risk occurring.

Operational Risks

Operational risks are those that may have a direct and significant impact on the organisation’s business as usual activities, functions, roles and/or operations.

Residual Risk Level

The level of risk calculated using likelihood and consequence criteria after treatments have been put in place.

Risk

Risk is the effect of uncertainty on objectives. The chance of something happening that will have an impact (positive or negative) on achieving the organisation’s objectives. It is measured in terms of the likelihood of occurrence and the magnitude of the consequences.

Risk Appetite

The risk appetite reflects the acceptable level of risk. This is articulated in the consequence tables, the risk matrix, the risk treatment and escalation/delegation guidelines (see Section 3.2.2) and the Executive Risk Register as the acceptable risk rating for each of the risks.

Risk Register

The documented repository of risk information gained from risk assessments.

Risk Level

The risk rating calculated using likelihood and consequence criteria after considering the existing control environment.

Risk Management

Co-ordinated activities to direct and control an organisation with regard to risk.

Stakeholders

Stakeholders are those people and organisations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity of NLC.

Strategic Risks

Strategic risks are those that may have a direct and significant impact on the organisation’s strategic objectives.


APPENDIX 5 – ROLES AND RESPONSIBILITIES

ROLE OF DIRECTORS AND DEPARTMENT MANAGERS

Consistent with the NLC Risk Management Principles, Departments will:

Identify, assess, develop and rate success indicators and treatment strategies for risks to be included in the Organisational Risk Register

Help ensure major risks align with policy, budgets, business plans and performance management arrangements

Help ensure risks and issues are escalated (on a needs basis) for management consideration when there is danger of a risk not being appropriately managed by existing strategies, treatments and resource allocation

Provide recommendations for dealing with escalated risks and issues (escalated risks and issues will procedurally progress to the Audit Committee and Council).

ROLE OF THE MANAGEMENT TEAM

Help ensure ERM is embedded in NLC budget and planning processes and appropriately monitored

Formal consideration of risk will be facilitated through biennial Management Team meetings taking place as part of the annual work program

Two of these meetings are designated for the annual and half-yearly review of risks on the Organisational Risk Register

Risk Management will be a standing item for Management Team meetings as part of issues management.

Consideration will be given to organisational risks and a risk owner designated (e.g. governance, ERM, business continuity, procurement etc.)

The designated risk owner will help ensure that cross departmental risks are effectively managed.