
Report to PERFORMANCE, AUDIT & RISK ... - gdc.govt.nz

Oct 06, 2020


Page 1 of 3 A468610

14/130

Subject: Risk Management Policy

Prepared by: Barry Vryenhoek (Chief Financial & Information Officer)

Meeting Date: 22 May 2014

Report to PERFORMANCE, AUDIT & RISK Committee for decision

SUMMARY

The public rely on Council to provide essential services in an efficient and effective manner. While providing these services, Council assumes significant risks. In addition, Council activities must fall within Local Government rules and regulations, and compliance is essential. As a result, a formal approach to risk management is needed.

Initially we must acquire an ongoing overall understanding of the level of risk embedded within our processes and activities at the Council. With this understanding we can create uniform risk criteria and evaluation metrics to help us manage and mitigate this risk. Gisborne District Council (GDC) is committed to supporting the effective and consistent application of risk management at all levels of Council activity. This committee has delegated authority to monitor risk within the Council, both of a financial and a non-financial nature, and recommend policies for the mitigation of risk. Monitoring includes, but is not limited to:

1. Overall Risk Management –

review whether staff has in place a current, comprehensive and effective risk management framework and associated procedures for effective identification and management of the Council’s significant risks;

consider whether appropriate action is being taken to mitigate Council’s significant risks.

2. External Audit –

at the start of each audit, confirm the terms of the engagement, including the nature and scope of the audit, timetable and fees, with the external auditor;

receive the external audit report(s) and review action to be taken by management on significant issues and audit recommendations raised within;

conduct a members only session (i.e. without any management present) with external audit to discuss any matters that the auditors wish to bring to the Subcommittee’s attention and/or any issues of independence.

3. Internal Audit –

review and approve the internal audit coverage and annual work plans, ensuring these plans are based on the Council’s risk profile;

review the adequacy of management’s implementation of internal audit recommendations;

review the internal audit charter to ensure appropriate organisational structures, authority, access, independence, resourcing and reporting arrangements are in place.

4. Compliance –

Ensure compliance with Council’s legal responsibilities – review the effectiveness of the system for monitoring the Council’s compliance with governance legislation and regulations.

The GDC risk management framework, processes and practices will be designed with the aim for a consistent approach to risk management, clear accountability and responsibility for risk management, and effective communication, monitoring and reporting of risks and risk management activities. The GDC risk management framework will be rolled out over a 6-month period, to align with current Council activity such as annual and long term planning processes. During this time, risk management practices will be constantly evaluated and amended to ensure best fit with Council activity and to ensure that all legal and regulatory compliance requirements are met. Two documents will define, and help us manage and implement risk management at the Council:

1) A Risk Management Policy that promotes and supports risk management as an integral part of GDC internal control and corporate governance;

2) The Risk Management Guidelines that provides a practical set of processes and procedures to manage and mitigate risks associated with Council services and outcomes.

The Risk Management Policy is a foundation policy document from which operational practices will be established. It is a statement of the overall intention and direction we will take towards managing risk.

RECOMMENDATIONS

That the Committee

1. receives the report

2. adopts the Risk Management Policy

Barry Vryenhoek
Chief Financial & Information Officer

Keywords: Risk management, risk management framework, policy


1. BACKGROUND

Gisborne District Council covers the largest land area in the North Island with 8,360 square kilometres. It has a total asset base of approximately $1.9 billion and historically it has experienced significant challenges due to its isolation and the nature of its geography. The public rely on council to provide essential services in an efficient and effective manner. While providing these services, Council assumes significant risk. In addition, council activities must fall within Local Government rules, regulations and compliance requirements. Therefore a formal approach to risk management is needed.

2. DISCUSSION and OPTIONS

3. SIGNIFICANCE

The decision to adopt Council’s Risk Management Policy, and Guidelines & Framework is not a significant decision per Council’s Significance Policy.

4. COMMUNITY OUTCOMES

Prosperous and Safe Tairawhiti.

5. STRATEGIC CHALLENGES

The Council’s Risk Management Policy, and Guidelines & Framework contribute to the achievement of GDC Strategic Challenge 8: Risk Management.

6. POLICY

Not applicable.

7. LEVELS OF SERVICE

There are no levels of service impacts.

8. FINANCIAL

The development of the foundation documents arising from the Risk Management Framework and Policy will be resourced by hiring a 2-year fixed term Risk Management & Procurement Business Analyst. The implementation of the requirements laid out in these documents will place an additional workload on managers and other staff with risk management accountabilities. These extra requirements will need to be monitored and if necessary and appropriate additional resources will need to be made available.

9. LEGAL

There are no legal implications associated with this decision.

10. CONSULTATION

This decision does not require special consultation approval under the Consultation Policy.

11. OTHER CONSIDERATIONS

12. APPENDICES

Appendix 1: GDC Risk Management Policy

Appendix 2: GDC Risk Management Framework & Guidelines

A473809 Risk Management Policy Page 1 of 4

Risk Management Policy

Policy References Policy Number:

Objective Reference: 473809

Policy Owners: Chief Finance and Information Officer & Deputy Chief Executive

Date Adopted: 22 May 2014

Review Due: Jun 2015

Associated Document: Risk Management Guidelines Manual

1. Introduction

Gisborne District Council covers the largest land area in the North Island with 8,360 square kilometres. It has a total asset base of approximately $1.9 billion and historically it has experienced significant challenges due to its isolation and the nature of its geography. The public rely on council to provide essential services in an efficient and effective manner. While providing these services, Council assumes significant risk. In addition, council activities must fall within Local Government rules, regulations and compliance requirements. Therefore a formal approach to risk management is needed.

2. Policy Scope

The Risk Management Policy applies to all employees, Councillors, voluntary workers and contractors who provide advice or services to the community, or who are involved with the management of the assets, resources, services or the environment of Gisborne District Council.

3. Objective

This Policy confirms the commitment of the Council to good corporate governance through risk management. It defines the broad accountabilities and structures the Council will maintain in order to manage risk. The intent is to ensure that sound risk management practices are incorporated into Council’s planning and decision making processes and are aligned with the AS/NZ Standard ISO31000:2009 Risk Management Standard which is the best practice standard used by Local Government.

4. Policy Principles

The Risk Management Policy is a statement of the overall intention and direction GDC will take toward managing risk. The policy is to be used in conjunction with the Risk Management Framework & Guidelines. The purpose of the Framework is to provide a set of guidelines that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the Gisborne District Council.

Risk is defined as the effect of uncertainty on objectives and may have a positive or negative impact and is measured in terms of consequence levels of risk.

Risk assessment is the process used to determine risk management priorities by evaluating and comparing the level of risk against predetermined acceptable levels of risk.

Risk management is the logical and systematic process of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risks associated with any activity, function or process in a way that will enable GDC to minimise losses and maximise opportunities. It is effective if it reliably protects Council’s strategic objectives and goals, and it is efficient if it does this at the lowest sustainable long-term cost. Risk management within GDC is based on the following principles:

a) Risk is part of running any organisation and GDC recognises the need to proactively identify and manage its risks.

b) GDC aims to achieve its strategic objectives by managing risk appropriately across the organisation.

c) GDC will continue to develop a “risk aware culture” where risk management is embedded in our decision making and operational processes and adds value to the work we do.

d) GDC is committed to implementation of a comprehensive risk management framework, which addresses four fundamental activities:

Governance and management responsibilities;

Risk identification, analysis and assessment;

Risk control/treatment;

Monitoring and reporting on GDC risks and risk management processes and performance

e) We will apply good risk management practices that are consistent with the current Standards New Zealand’s Guidelines for Risk Management in NZ.

f) This Policy is transparent and inclusive and applies to all GDC activities, elected members and employees.

g)

5. Roles & Responsibilities

The following aspects and accountabilities of risk management within GDC will be implemented to ensure effective policy and risk practices implementation:

Responsibility / Aspect of Risk Management

Council

Approval of governance policy(s)

Approval of risk management policy statement

Approval of risk tolerance appetite

Ensure strategic risks are identified, assessed, monitored and reported on annually.

Ensure departmental risks are reported on quarterly to the appropriate Council Committees.

Chief Executive

Effective management of strategic, operational and project risks (accountable to the Council)

Ensure risk management system is established, implemented and maintained in accordance with this Policy

Chief Financial & Information

Accountable for the oversight of the processes for the identification and assessment of risk, reviewing the outcomes of risk management processes and for advising the Council as necessary

Ensure risk management is fully implemented at GDC

Risk Manager

The designated person responsible for the co-ordination and overall implementation of risk management at Gisborne District Council

Ensure the Risk Management Framework is reviewed and updated annually.

Provide a timely, relevant reporting system for communicating with Council as well as staff

Implement risk management at GDC

Leadership Team

Identify operational risks

Manage and monitor activities within the team’s control and report to the Chief Executive

Report quarterly to the appropriate Council Committee on the progress of risk management action plans for which team members are responsible

Staff

Participate continuously in the process

Carry out action plans and reporting

Staff, suppliers, contractors, delegated committees

Follow Council policies, codes, procedures and rules

Role of Elected Members as the Governing Board

Council has a fundamental role to play in the management of risk. Its role is to:

a) Set the tone and influence the culture of risk management within GDC. This includes:

determining whether the GDC is ‘risk taking’ or ‘risk averse’ as a whole or on any relevant individual issue;

determining what types of risk are acceptable and which are not;

b) Determine the appropriate level of exposure for GDC;

c) Approve major (strategic) decisions affecting the GDC’s risk profile or exposure;

d) Monitor the management of significant risks to reduce the likelihood of adverse outcomes;

e) Satisfy itself that the less significant risks are being actively managed, with the appropriate controls in place and working effectively.

Role of Senior Management

The key roles of senior management (led by the CEO) are to:

a) Implement policies on risk management and internal control;

b) Identify and evaluate the significant risks faced by the GDC for consideration by the Council;

c) Provide adequate information in a timely manner to the Council and its committees/sub committees on the status of risks and controls;

d) Have an open and receptive approach to solving risk problems;

e) Apply conservative and prudent recognition and disclosure of financial and non-financial risk;

f) Encourage good risk management practices amongst staff members via relevant managers.

6. Policy Procedures

GDC will undertake assessment of risks throughout the organisation, using a standard methodology that is consistent with the Australian/New Zealand Standard ISO 31000. This standard methodology is to include:

establishment of a context for the assessment to occur in;

identification of the risks;

analysis of the identified risks;

evaluation of the identified risks;

treatment of the identified risks;

monitoring, review and reporting of the identified risks.

This standard methodology will be applied across the organisation and within Council groups, and is to be used to assess the consequences and likelihood of each risk. The objective of each risk assessment is to establish a prioritised list of risks for further analysis. Guidelines on how these processes will be implemented are outlined in the GDC Risk Management Guidelines.

7. Critical Success Factors

Critical success factors will be reviewed annually and reported on to the Performance, Audit & Risk Committee in July each year. The Council will know it has a successful risk management culture by the measurement of the following factors:

a) Everyone in Council knows their risk management responsibilities

b) The Council’s image and reputation are protected and maintained

c) Risk management is an integral part of the Leadership Team’s focus

d) Risk management across Council is continuously reviewed and improved

e) Internal and external stakeholders are confident that the Council manages risk within acceptable levels

f) The Council is identified as a good example of risk management during change

g) Council ethics and values are demonstrated, upheld and maintained.

___________________________________________ Authorised by Chief Executive (signature)


A474039 DRAFT - GDC Risk Management Framework & Guidelines - 1 -

DRAFT GISBORNE DISTRICT COUNCIL

Risk Management Framework & Guidelines

Owner: GDC Risk Manager

Last Review: May 2014 in process

Next Review: May 2015

1. PURPOSE

The purpose of this document is to provide a set of guidelines that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the Gisborne District Council. The Council’s risk management policy, framework and procedures contribute to the achievement of GDC Strategic Challenge 8: Risk Management.

1.1. INTRODUCTION

Gisborne District Council covers the largest land area in the North Island with 8,360 square kilometres. It has a total asset base of approximately $1.9 billion and historically it has experienced significant challenges due to its isolation and the nature of its geography. The public rely on council to provide essential services in an efficient and effective manner. While providing these services, Council assumes significant risk. In addition, council activities must fall within Local Government rules, regulations and compliance requirements. Therefore a formal approach to risk management is needed.

Risk is one of life’s uncertainties for local authorities. It is the threat that an event or action will adversely affect the Council’s ability to achieve its objectives and execute its strategies successfully. The risks faced by the Council are constantly changing, along with the changes in our society, our environment and our economy. The most serious risks are those that are not recognised or understood and that can result in nasty surprises.

But risk is not all about the bad. Risk is also about managing our opportunities – knowing when to take advantage of an emerging opportunity or trend, and when to exercise more caution. It helps us prioritise our work, evaluate innovative ideas and opportunities, protect our staff and our communities, and prepare us to respond to and recover from any adverse events when they happen.

Risk management provides a source of information that enables better decision making, greater openness and transparency, and better outcomes in terms of efficiency and effectiveness. As the old adage says, prevention is better than cure – and it is also less costly!

The aim of the Risk Management Framework & Procedure Manual is to provide management and staff with clear processes that enable you to identify, assess, manage and report risks; along with the appropriate tools, templates and resources to support you in the management of your risk.

It is important that everyone has a clear understanding of the risks that are prevalent in their own area of work, understand and agree on an owner for each risk, and understand and apply the practices and mitigation strategies to manage them.

This Framework provides a practical approach to help you better manage and minimise the risks associated with your work, and any projects that you undertake.

1.2. VISION, CRITICAL SUCCESS FACTORS AND BENEFITS OF RISK MANAGEMENT

VISION

Gisborne District Council aims to be a risk aware Council that manages and mitigates its risks and opportunities effectively. The Council uses risk management to help ensure the achievement of its objectives, to prioritise and manage its work, to make effective and timely decisions, and to take advantage of opportunities.

CRITICAL SUCCESS FACTORS

The Council will know it has a successful risk management culture by the measurement of the following factors:

Everyone in Council knows their risk management responsibilities

The Council’s image and reputation are protected and maintained

Risk management is an integral part of the Leadership Team’s focus

Risk management across Council is continuously reviewed and improved

Internal and external stakeholders are confident that the Council manages risk within acceptable levels

The Council is identified as a good example of risk management during change

Council ethics and values are demonstrated, upheld and maintained.

Effective risk managers will be able to deliver:

an appropriate balance between risk and control

more effective decision making that incorporates risk assessment

better use of limited resources by using risk management to inform prioritisation of work/resources

greater innovation through identification and assessment of opportunity

BENEFITS OF RISK MANAGEMENT

Effective and well managed risk has a number of benefits for the Council. These include, but are not limited to:

prioritisation of work through better focus on what needs to be done (and what doesn’t need to be done) to meet the Council’s objectives

supporting optimised decision making

contributing to the achievement of better outcomes

better management of change programmes

controlled insurance costs

better quality services

supporting optimisation of performance and service delivery

enhanced ability to support action taken

protection of reputation

successful evaluation and implementation of innovative ideas and proposals

better utilisation of resources

happier staff

fewer complaints

more satisfied citizens

1.3. GUIDING PRINCIPLES FOR EFFECTIVE RISK MANAGEMENT

Effective risk management focuses not only on threats, but also on opportunities for the Council. A threat and an opportunity can arise jointly from a common risk driver, such as legislative or governance changes, or they can be quite separate. The following principles set the foundation for the model, framework, policy, procedures and systems that support risk management at the Council.

The Council’s Chief Executive and Leadership Team accept responsibility for implementing good risk management practice.

The identification and management of risk is linked to the Council’s achievement of strategic, tactical, operational and project objectives

The Council’s risk management programme will help maintain the integrity of its services through a sound system of internal total quality assurance control that supports the achievement of its objectives and required outcomes.

The Council safeguards its assets, people, finances and property.

Risk management forms part of the Council culture, where all employees accept responsibility for managing risk. Risk controls are embedded in ongoing operations and are recognised as being part of business as usual. Every staff member is a risk manager.

Staff members hold themselves accountable for compliance with legislation, policy, procedures, guidelines and processes

The Council and its staff recognise that:

o Managing risk is not onerous

o Managing risk adds value

o Managing risks means there are no surprises.

The Council adequately and appropriately deals with risks and issues as they occur through a transparent and effective risk management process that ensures legal compliance and aligns with good business practice.

The Council uses the risk management framework to help identify opportunities and promote innovation and integration.

The Risk Management process supports optimal decision making and continuous improvement by incorporating risk assessment into the decision making process.

Effective risk management helps decision makers to be:

o united in what is decided

o more assured and confident in what priorities are set

o aware of the effect of their decisions, and

o prepared when any risks or opportunities are realised.

These principles are intended to support a Council culture that is innovative and understands the importance of managing risks effectively. Effective risk management helps to ensure that the Council is resilient to foreseeable and unexpected events.

2. THE APPROACH

GDC supports a framework that supports understanding and practical application of risk management, and moves away from a compliance environment in which the output is a risk register that is monitored for adherence to a rigid set of rules. The new approach encourages a focus on the process we would expect to see in place around the identification, mitigation and management of risks across Council and within each Department. It is expected that this would be demonstrated through:

a clear understanding by each Department of the risks they are managing

integration of risk management principles into all business strategies, activities and management systems

flexible and effective risk management processes being applied that monitor and manage the changing risk environment

inclusion of risk management throughout the development and implementation of any business plan, policy, programme or project.


2.1. RISK MANAGEMENT FRAMEWORK

The Council has developed a Risk Management Framework that is based on the international standard for risk management: ISO 31000. A copy of this standard is available at EDRMS: A373671. The diagram below demonstrates the relationship between the principles, framework and process as set out in ISO 31000.

The ISO 31000 framework helps to manage risks effectively by applying the risk management processes in an inter-related and cohesive manner. The framework ensures that information about risk, gathered through the risk management process, is adequately reported and used as a basis for decision making at all levels through the Council. The rest of this document provides more detailed information on each component of the Framework as it applies to GDC.

MANDATE AND COMMITMENT

The Leadership Team (LT) at GDC is committed to supporting the effective and consistent application of risk management at all levels of Council activity. The LT engages with risk management practices as a part of strategic planning and performance management and supports the application of risk management at all levels throughout Council.

DESIGN OF THE FRAMEWORK FOR MANAGING RISKS

The Council has a complex and varied environment, and the application of risk management at various levels and within different groups requires a framework that is flexible, practical and easy to use.


There are already a number of risk management practices in existence across Council that are effective and meet the needs of a particular group or function. The Council wide framework needs to be able to incorporate these risk management models, while still ensuring that risk information can be collated and reported effectively as required. To achieve this, the risk management framework will provide consistency and guidelines at a policy and process level, while allowing flexibility and adaptability of tools and risk management practices to suit individual industry and group needs. The aim of the framework is to ensure:

consistency in approach to risk management across Council

clear accountability and responsibility for risk management, and

effective communication, monitoring and reporting of risks and risk management strategies/activity.

RISK APPETITE

A key challenge for management under this framework is to determine how much risk the Council is prepared to and does accept as it strives to achieve value for its communities, stakeholders and staff. The appropriate level will depend on the nature of the work undertaken and the objectives pursued. By defining our risk appetite, we balance our operations between uncontrolled innovation and excessive caution. Once established, it serves to guide people on the level of risk permitted and encourage consistency of approach across the GDC. We will assess our risk by determining the probability of occurrence combined with the resulting impacts.

IMPLEMENTING RISK MANAGEMENT

Implementation will vary from year-to-year as the GDC culture becomes more “risk aware”. Initially, these guidelines will be rolled out over a 6-month period, to align with current Council activity such as Annual and Long Term planning processes. During this time, risk management practices will be evaluated and amended to ensure best fit with Council activity and to ensure that all legal and regulatory compliance requirements are met. In particular, risk management practices will be incorporated into Council decision making processes to assist with prioritisation and effective decision outcomes.


2.2. LEVELS OF RISK

Risk management can be applied at many levels. The cube below demonstrates the slicing and dicing of different levels and cross-levels that apply through Council. Risk applies at all levels and across all aspects.


Descriptions

| Council Risk Level | Risk Description |
|---|---|
| Council | Risks that apply at a corporate level across the wider Council environment (such as the impact of a natural disaster) |
| Department | Risks that apply to a specific Department of Council (such as risks to the water supply) |
| Team | Risks that apply to a specific team or function within Council (such as building consent applications) |
| Individual | Risks that apply to an individual in the course of their job (such as health and safety) |
| Community/ Council Outcomes | External risks to Council high level objectives that align with and support the Council vision set out in the Ten Year Plan, arising from unexpected adverse changes in the macro-environment with respect to: the economy (business cycle); the political landscape; law and regulation; technology; social mores; and the actions of competitors [1]. These risks are also primarily associated with the Council corporate planning (such as the Ten Year Plan and Annual Plan processes) |
| Strategies and Policies | |
| Operational Plans | Risks related to the effective and efficient use of resources. "The risk of loss resulting from inadequate or failed internal processes, people and systems". (Basel II) |
| Project | These risks are specific to a particular project, over and above the already identified risks in the Council register. |
| Performance Management | Risks relating to managing Council, Department, Team and Individual performance in relation to the delivery of Council and Community Outcomes |
| Financials | Risks to financial management of Council, including compliance with legal and audit requirements |
| Information and Communication | Risks to Council in relation to the way in which information and communication is managed both internally and externally |
| Monitoring and Reporting | Risks to effective monitoring and reporting of Council activities |

[1] http://www.risk.net/public/showPage.html?page=468529


2.3. CATEGORIES OF RISK

Risk Categories are a way of “slicing and dicing” risks to align to particular types of risk such as political, reputation, compliance, or financial. Risks can be categorised under one or more categories at one time. For example, a risk may have financial, legal and environmental impacts and therefore would be linked to all three categories. The Council has identified 11 categories of risk as defined below.

- Strategic: Risks to Council high level objectives arising from unexpected adverse changes in the external environment.
- Political: Risks associated with the impact of the political environment (internationally, nationally or locally) on Council activity.
- Leadership and Governance: Risks related to the tone set by the leadership team as it relates to internal policies and procedures, integrity, values, competence, and leadership’s philosophy and operating style. Failure or inefficiency in core governance processes leading to poor decision making. Can lead to non-compliance, breakdown in organisational culture, and poor organisation wide performance.
- Operational: Risks related to the effective and efficient use of resources. "The risk of loss resulting from inadequate or failed internal plans, processes, and systems from internal or external events". (Basel II)
- Stakeholder Management (including impact on Reputation): The risks associated with engagement, communication and consultation with our stakeholders. This includes risks around identifying, establishing and maintaining the right relationships with both internal and external stakeholders. This includes risks associated with the delivery of services, including the quality of service provided, or the manner in which a product is delivered, customer interaction and after-sales service. Risks related to the threat to the reputation of the Council due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the Council.
- Human Resources: Staff capability and/ or capacity risks including risks to ability of Council to recruit and/or retain staff, health and safety risks, and risks to personnel security.
- Financial: Risks associated with the financial management of Council, including funding and fraud.
- Environmental: Risk of Council activity resulting in potential or actual negative environmental or ecological impacts, regardless of whether these are reversible or irreversible in nature.
- Asset: Risks related to the planning, funding, design, production, contract management, maintenance and equipment of Council assets (infrastructure and operational). Includes risks associated with contract management.
- Legal and Compliance: Risk of non-compliance with relevant Acts and regulations. This includes legislation, regulations, standards, codes of practice and contractual requirements. Also extends to compliance with additional ‘rules’ such as policies, procedures or expectations, which may be set by contracts, customers or the social environment.
- Technology/ Information Management: Risks include the implementation, management, security, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time (IT Disaster Recovery).

3. RISK ASSESSMENT AND RATING OF RISKS

The purpose of effectively assessing and rating risks is to establish an understanding of the level of risk and its nature. This information then provides input into the decision on whether risks need to be treated, and – if so – to determine the most appropriate and cost effective risk treatment. Risk assessment involves consideration of the source of risk, its positive and negative consequences and the likelihood that those consequences may occur. Risk rates are determined by combining the likelihood and the consequence ratings. The extent of the consequences, should the event occur, and the likelihood of the event occurring, are assessed in the context of the Council and its surrounding environment, including political and social. For more information about analysis and evaluation of risk, including discussion on qualitative and quantitative analysis, please contact the Risk Management Coordinator. The following tables set out the agreed criteria for assessing risk across the Council.


3.1. RISK CONSEQUENCE TABLE

| Category | 5 - Extreme | 4 - Major | 3 - Serious | 2 - Minor | 1 - Insignificant |
|---|---|---|---|---|---|
| Strategic | Council unable to deliver on all strategic outcomes. | Impact on the delivery of more than 3 strategic outcomes. | Impact on the total delivery of 1-2 strategic outcomes. | Impact on some aspects of one or two strategic outcomes. | No impact on strategic outcomes. |
| Political | Changes in legislation that remove the existence of Council. | Significant changes in legislation that remove core activities and functions. | Major changes in legislation that significantly alter the way that core activities and functions are delivered. | Changes in legislation that alter the way that core activities and functions are delivered. | Minor changes in legislation / regulations that have a minor impact on delivery of service. |
| Leadership and Governance | A major accident that totally incapacitates the Chief Executive and half the senior management team. Commissioner appointed. Formal inquiry. | A sudden major mishap that makes three senior managers unavailable for work for three to six months. Loss of community confidence. | Appointment of a senior manager who was not emotionally compatible or strategically aligned with subordinate staff in his/her department, or with peers anywhere in the organisation. Major public interest. Council unable to make appropriate and “good” decisions due to dysfunction and/ or lack of sufficient and appropriate information. | The very delayed appointment of a replacement manager, so that staff are left without adequate leadership direction for a considerable period. Minor public interest. Council ability to make appropriate and good decisions adversely affected by internal relationships and adequate information. | Extended periods of planned leave of several senior staff, in periods where there are no planning or implementation deadlines. Nil community or adverse comment. |
| Operational planning, processes and systems | Serious loss of operational capability/ capacity for over 4 weeks and serious disruption to service levels. | Serious loss of operational capability/ capacity for 2-4 weeks and major disruption to service levels. | Serious loss of operational capability/ capacity for over 1 week and disruption to service levels. | Loss of operational capability/ capacity in some areas and some disruption to service levels. | No loss of operational capability/ capacity or negative disruption to service levels. |
| Stakeholder Management (including reputation) | Complete breakdown of all key relationships. More than one week media coverage. Widespread reaction/ response from local, regional and national communities. Central government interest/ reaction. | Significant breakdown or negative impact on many key relationships. Up to a week media coverage. Public response is widespread. Some interest/ reaction from outside the region. | Relationships negatively affected with multiple key parties. 2-3 days media coverage. 1-2 Community groups react/ respond. | Relationships negatively affected with single/few key parties. 1 day media response. A few individual public reactions. | Relationships not negatively affected with any key parties. No media interest. No public reaction. |
| Human Resource: recruitment and retention, personnel security, and health and safety | Permanent staff turnover exceeds 30% p.a. above the norm. Loss of life or permanent severe quality of life/work limiting disability. | Permanent staff turnover 20% to 30% p.a. above the norm. Injury/ Illness with 3+ months time-off and permanent major physical impairment. | Permanent staff turnover 15% to 20% p.a. above the norm. Injury/ Illness with 2 weeks to 3 months time-off and minor permanent physical impairment. | Permanent staff turnover 10% to 15% p.a. above the norm. Injury/ Illness with less than 2 weeks time-off and minor temporary (requiring a period of physiotherapy) physical impairment. | Permanent staff turnover 0% to 10% p.a. above the norm. No health or safety impact. |
| Financial | 20% unplanned variation | 10% unplanned variation | 5% unplanned variation | 1% unplanned variation | 1% unplanned variation |
| Environment | Widespread, irreversible damage to aquatic and/ or terrestrial ecosystems. Permanent loss of one or more species. Permanent damage to a traditional Maori kaimoana gathering site. | Widespread, long-term reversible damage to aquatic and/ or terrestrial ecosystems. Significant reduction in one or more species. Long term damage to a traditional Maori kaimoana gathering site. | Localised, medium term reversible damage to aquatic and/ or terrestrial ecosystems. Moderate reduction in one or more species. Medium damage or long term cultural violation to a traditional Maori kaimoana gathering site. | Localised minor reversible damage to aquatic and/ or terrestrial ecosystems. Temporary reduction in one species. Medium damage or short term cultural violation to a traditional Maori kaimoana gathering site. | Localised short term reversible damage to aquatic and/ or terrestrial ecosystems. No noticeable species reduction. |
| Asset | Damage to assets results in total inability to deliver services for more than 4 weeks city wide. | Damage to asset results in total inability to deliver service for up to one week city wide. | Localised damage to assets results in loss of service for up to 3 days. | Localised damage results in loss of service for up to one day. | Localised damage results in loss of service for up to one hour. |
| Legal/ Compliance | Council sued for more than $10 million or greater. Council fined $1 million or greater. | Council sued for between $1 million and $10 million. Council fined between $1 million and $100K. Council fails audit due to non-compliance. | Council sued or fined for between $250,000 and $1 million. Council fined between $100k and $10k. Council is mentioned in OAG report to be non-compliant in significant areas. | Council sued for between $50,000 and $250,000. Council fined between $10k and $1k. Council noted in audit report to be non-compliant in some areas. | Council sued for less than $50,000. Council fined for less than $1k. |
| Technology/ Information Management | Unplanned loss of Technology Platform and Telephone System for more than four hours or loss of either system for more than 8 hours. | Unplanned loss of Telephone System or Technology Platform for up to four hours, or loss of both for up to 2 hours. | Unplanned loss of Telephone System or Technology Platform for up to two hours, or loss of both systems for up to one hour. | Unplanned loss of Telephone System or Technology Platform for up to one hour. | Planned loss of Telephone System or Technology Platform for up to 1 hour. |


3.2. RISK ASSESSMENT - LIKELIHOOD

| Description | Level | Definition | Probability |
|---|---|---|---|
| Almost Certain | 5 | The event is expected to occur in most circumstances | 9 out of 10 years; 90% |
| Likely | 4 | The event will probably occur in most circumstances | 7 out of 10 years; 70% |
| Moderate | 3 | The event should occur at some time | 5 out of 10 years; 50% |
| Unlikely | 2 | The event could happen very occasionally | 2-3 out of 10 years; 20-30% |
| Rare | 1 | The event may occur only in exceptional circumstances | 2 or less out of 10 years; <20% |

3.3. RISK RATING MATRIX

| Likelihood (rows) / Consequences (columns) | Insignificant (1) | Minor (2) | Serious (3) | Major (4) | Extreme (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | Medium | Medium | High | Extreme | Extreme |
| Likely (4) | Low | Medium | High | High | Extreme |
| Moderate (3) | Low | Medium | Medium | High | High |
| Unlikely (2) | Insignificant | Low | Medium | Medium | Medium |
| Rare (1) | Insignificant | Insignificant | Low | Low | Medium |


4. ROLES AND RESPONSIBILITIES

GDC is committed to ensuring that there is accountability, authority and appropriate competence for managing risk at all levels. This will include effective implementation and ongoing monitoring of risk controls.

4.1. PERFORMANCE, AUDIT & RISK COMMITTEE

The Committee has a significant role to play in ensuring the integrity and transparency of risk management and risk reporting at Council. To fulfil their role the Committee will receive quarterly reports on activity relating to the management of risks for Council.

4.2. OTHER COUNCIL COMMITTEES

Risk management is the responsibility of all departments; as such, each group manager will report quarterly on their risks and risk management processes to the appropriate Council Committee.

4.3. THE CHIEF EXECUTIVE AND LEADERSHIP TEAM (LT)

The Chief Executive and LT will:

- review the Corporate/ Strategic risk register at regular intervals throughout the year
- understand and support implementation of the policy on risk management within their respective areas of responsibility
- ensure compliance with risk assessment procedures such as the reviews of risk registers, and the development and activity of the Internal Audit programme (refer to Section 7: Internal Audit), and
- review the policy on at least a 3-yearly basis (in line with the Ten Year Plan process) to ensure continued relevance and appropriateness.

4.4. MANAGEMENT

All managers and team leaders across GDC are required to understand and apply the risk management framework to their areas of operational responsibility. This helps to ensure that GDC’s business and community objectives are achieved. Each manager/ team leader is responsible for:

- ensuring that risk management is applied within the context of their environment
- promoting risk management in their area of responsibility, and appointing risk owners as appropriate
- taking the required action to identify, evaluate, mitigate and manage risks in their area
- maintaining and managing their sections of any risk registers that are developed as necessary
- identification and disclosure of any new risks and/ or uncertainties, and
- working with the Risk Manager in Planning and Development to ensure that risks are effectively monitored and accurately reported through the appropriate mechanisms, including Quarterly Activity Reports.


4.5. STAFF

Every staff member at GDC has a responsibility to participate in the identification, mitigation and management of risks. All staff are required to understand and apply the risk management framework to their areas of responsibility. This helps to ensure that the GDC’s business and community objectives are achieved. Each staff member is responsible for:

- participating in risk management throughout GDC, including specific roles in areas of risk (such as Health and Safety, Asset Management, Civil Defence and Emergency Management, Business Continuity)
- taking the required action to identify, evaluate, mitigate and manage risks/ opportunities, and
- working with Management to ensure that risks are effectively monitored and accurately reported.

A risk owner will be identified for each risk. Risk owners are responsible for ensuring that their risk information is kept up to date, relevant and accurate. They are responsible for reviewing the risk on a regular basis and recording any changes into the risk register. The risk owner is also responsible for ensuring that any and all mitigating action is carried out effectively.

4.6. RISK MANAGEMENT COORDINATION

A risk management implementation model will be created to support the delivery of Risk Management services to GDC as part of Phase Two of the programme. Risk management implementation will include (but is not limited to):

- providing a knowledge resource for risk management, and providing assistance and information as required
- developing GDC Risk Management to be consistent with external risk management good practice standards and guidelines
- encouraging the ongoing management of GDC’s Corporate and Strategic Risk Registers
- encouraging the link between risk management, internal audit and business continuity management
- providing advice, assistance and risk management services to all Groups on risk management related matters
- coordinating the implementation of (including training), and maintenance of, GDC’s Risk Management Framework and Tools
- preparing quarterly reports on Risk Management for LT and Council
- coordinating risk communications, training, education, activities, and initiatives across GDC to ensure consistency and transparency of risk management within GDC environment, and
- promoting risk management in relation to the preparing of Council long term and strategic plans, annual and business plans, work programmes, and projects.


5. MONITORING & REVIEWING THE RISK MANAGEMENT FRAMEWORK

The ongoing relevance and usefulness of a risk management framework is largely informed by the extent to which it is continually improved. It is therefore essential for us to monitor, review and enhance the effectiveness of the risk management framework on a regular basis. The Framework provides the structure within which all risks are managed; to ensure it remains fit for purpose, it is essential that it is reviewed annually to gain assurance as to its ongoing effectiveness and relevance.

- The annual Internal Audit programme (refer Section 7: Internal Audit) may include audit of risk management processes, systems and procedures; and audit of key/ critical risk areas.
- The Risk Management Coordinator will facilitate review of the Risk Management Framework and Guidelines on an annual basis.

6. RISK & RISK MANAGEMENT REPORTING

Successful risk management requires frequent and open communication with both internal and external stakeholders. Effective reporting contributes to good corporate governance by providing reliable and current information to Council, Leadership Team and staff regarding our risks as well as the treatment plans in place to manage these risks.

6.1. MEASURING THE EFFECTIVENESS OF RISK MANAGEMENT FOR COUNCIL

To ensure the risk management practice of all Departments is effective, comprehensive, documented and visible, a stocktake will be carried out in each Department on a regular basis. Some of the questions that each Department can ask to help gain an understanding of the effectiveness of risk management in their area are:

- What are the key business functions of this Department?
- How is risk management being led and promoted within this Department?
- How are risks being identified through business planning processes integrated into business operations?
- How do emerging risks get escalated within the Department?
- How are risks that may have an impact on the wider Council environment escalated through to Risk and Assurance and the Leadership Team?
- How are the Department’s risks evaluated, prioritised, monitored and documented?
- How are the Department’s risk mitigation strategies documented and monitored?
- How does the Department ensure that the key controls are operating effectively to manage related risks?
- Has each objective been assessed for risks to the achievement of expected outcome?

Risk and Assurance will provide a Controlled Self Assessment Tool to allow Departments to assess their own level of effectiveness in risk management, and then provide some verification where appropriate, and report results to the Leadership Team on a bi-annual basis.


Effective and concise reporting on the management of risks has several benefits to Council:

- Provides communication and flow of information
- Brings risk management to the forefront of business
- Targeted reporting informs different levels with different objectives to answer questions, and provide a complete picture of the entire Council operations
- Assists effective decision making
- Provides a logical framework for viewing the Council
- Links risk management to value to the Community and helps the Council to better meet the needs of all its stakeholders.

Perhaps the most important application of risk reporting is the ability to link it to stakeholder value. Effective risk reporting will contribute to effective management of Council operations and rather than placing yet another burden on management, will instead provide tangible value for the management team. It provides an opportunity to harness some of the upsides of risk by exposing risks that can be exploited for the benefit of the Council. Effective risk reporting may also show where controls are excessive in parts of the Council and may be scaled back to enable those resources to be better utilised in other parts of the Council where controls may be less adequate. Effective risk reporting will also show where risks appear to be concentrated in certain parts of the Council and resources can be appropriately allocated to those areas. Risk and Assurance Services provide systems and processes for reporting on risk that enable risk management to support the achievement of Council objectives, and to bring consistency and value to risk reporting at all levels across the Council. It is important that risk reporting is not a one way street. While risk reporting is designed to enable the Leadership Team and the Council to make informed business decisions on the basis of accurate risk information, it should also be linked back to all staff at all operational levels.

It is worth remembering that what you don’t know WILL hurt you! It is expected that Managers and Risk Owners will maintain the status of their risks on the Council Risk Register so that the Leadership Team can have assurance that reports based on the Risk Register are accurate and up to date. The Chief Financial & Information Officer will report to the Leadership Team on Risk Management on a bi-annual basis. Other reports on risk management will be produced as required.

7. LINK TO OTHER QUALITY ASSURANCE PROGRAMMES

The role of risk management falls within a wider assurance model that, when applied in an integrated way, provides total quality assurance to the Leadership Team through:

- Daily business operations which develop and apply a risk and control environment,
- Oversight functions (such as Finance, HR and Risk Advisory Services) which provide strategic management, advice, policy and procedure setting, and functional oversight of quality assurance programmes, and
- external/independent audit and review which offers independent challenges to the Council’s operations.

Examples of specific activities that provide aspects of quality assurance, in addition to risk management, are:

- Activity Planning is a prime opportunity for Departments and the Council as a whole to review external and internal risks, and to ensure that plans to mitigate, manage and control risks are incorporated into the annual plans.
- Internal Audit is an important element of the internal control process. Apart from its normal programme of work, internal audit is responsible for the annual review of the effectiveness of the internal control systems within Council. Internal Audit can help to identify gaps or performance improvement opportunities related to risk mitigation controls and strategies.
- Business Continuity is the process whereby systems and procedures are put in place to ensure that, if any identified or unidentified risk eventuates, the Council is able to respond to, and recover from, the event in as short a time as possible with minimal disruption to Council services.


Appendix One: Definitions

Risk: The threat or possibility that an action or event will adversely (threat) or beneficially (opportunity) affect the Council’s ability to:

- achieve its objectives
- deliver services to the standard expected by all stakeholders
- innovate, or
- maintain the Council’s positive reputation.

Risk is measured in terms of likelihood and consequence.

Issue: The realisation of a threat or opportunity that needs to be addressed in order to protect or benefit the Council, and ensure that objectives are not adversely affected.

Risk Assessment: The overall process of risk identification and evaluation.

Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and possible adverse effects within the Council’s environment. The process will involve:

- identifying potential risks, threats and opportunities
- assessing the potential consequences for Council and the likelihood of their occurrence
- evaluating the current controls in place to manage the risk
- assessing and taking further action to treat the remaining risk,
- appointing a risk owner, and
- monitoring and reporting on the status of key risks on a regular basis.

Internal Controls: Internal controls are the processes, policies and procedures we use to govern the Council’s work, or any additional mitigating actions that are taken to deal with a particular, or potential situation.

Risk Management Processes: The systematic application of policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, communicating, treating and monitoring of risks.

Risk Mitigation: A risk mitigation action refers to actions that must be taken to lower the likelihood of the risk occurring and/ or minimise the consequence if the risk did occur. Risk can never be totally eliminated, but it can be mitigated to lessen its likelihood and/ or consequence to an acceptable level in line with Council risk appetite.

Risk Appetite: Refers to the amount of risk or exposure the Council is willing to tolerate in pursuit of achieving its objectives.


Risk Response: Involves considering the best option for managing or treating a risk. Risk responses usually fall into one of the following categories:

- Avoid: Some risks will only be treatable, or containable to acceptable levels, by terminating or avoiding the activity or activities that give rise to the risk

- Accept: The ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained. In these cases the response may be toleration.

- Share: For some risks the best response may be to transfer them. Namely, shift the responsibility or burden of loss to another party through legislation, contract, insurance or other means.

- Reduce: By far the greater number of risks will belong to this category. The purpose of treatment is not necessarily to obviate the risk, but more likely to contain the risk to an acceptable level. The actions taken to handle risk are instigated by the Risk Owner although their effects may be felt outside of the Risk Owner's area of responsibility.


Appendix Two: Other Related Documents/ Links

Standards

- AS/NZS ISO 31000:2009 (A373671)

GDC Documents

- GDC Risk Management Policy (A473809)

Other References & Tools

- http://www.vmia.vic.gov.au/Risk-Management/Guides-and-publications/Risk-Management-Guidelines.aspx