LG FS Info Paper 22 - Understanding Risk Management 2015

advertisement
Financial Sustainability
Information Paper 22
Understanding Risk
Management
Revised February 2015
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
Introduction
This Information Paper is one of a series of Information Papers about Financial Sustainability and
Financial Governance in Local Government.
The series of Information Papers was originally published in 2006 to 2011 as a part of the Financial
Sustainability Program. The history of that program and a complete list of Information Papers and
other resources including a glossary of terms and abbreviations is provided on the LGA’s
“Financial Sustainability” web page: www.lga.sa.gov.au/FSP.
The entire series of Papers was revised in 2012 and again in early 2015 to take account of
legislative changes and other developments. These Papers are addressed to, and written primarily
for the benefit of Council Members and staff, but they are also available as a resource for the
general public, and students of Local Government.
Background
The 2005 Independent Inquiry into the Financial Sustainability of Local Government highlighted a
need for strengthened policy frameworks and improved financial governance in Local Government.
This information paper outlines key steps that a Council should consider when implementing a risk
management approach to its services and activities. The paper includes, at Attachment A, an
example of a risk management register.
This paper should be read in conjunction with other Financial Sustainability Information Papers at
www.lga.sa.gov.au/FSP - in particular:



Information Paper 21: Internal Financial Controls;
Information Paper 23: Financial Governance; and
Information Paper 27: Prudential Management.
Risk Management – what is it?
Risk management is the term applied to a logical and systematic method of establishing the
context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated
with any activity, function or process in a way that will enable organisations to minimise losses and
maximise opportunities.
Risk management should be based on the Australian Standard AS/NZS ISO 31 000: Risk
Management – Principles and Guidelines (“the Standard”). The Standard defines risk as “the
effect of uncertainty on objectives.” Risk management is defined as “co-ordinated activities to
direct and control an organisation with regard to risk.”
The benefits of a coordinated, systematic approach to risk management include:








the Council and its Chief Executive Officer and senior management having a clear
understanding of the key risks facing the Council;
meeting a Council’s strategic objectives;
encouraging proactive management of strategies to identify and manage risks;
promoting a positive risk management culture integrated across the Council structure;
ensuring a continuous improvement regime across the Council;
establishing an effective method for decision making and planning;
cost savings that are achieved for Council through the presence of an efficient controls
environment; and
the community having increased confidence in the Council’s operations.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/fsp
Page 2
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
The purpose of risk management is not to eliminate all risks but, rather, to reduce them to a level
acceptable to the Council in accordance with its risk tolerance limits. Risk management requires a
mature proactive approach to management and achieving a balance between the costs of
managing risks and the anticipated benefits.
Councils are encouraged to adopt and maintain robust risk management, based on the approach
outlined in this paper.
What does legislation require?
There is no legislative provision that specifically requires Councils to implement risk management.
However there are references within the Local Government Act 1999 (“the Act”) that require
Councils to adopt appropriate policies, practices and procedures that ensure their assets are
protected through sound administrative management. In addition, each Council’s Audit Committee
is responsible for „reviewing the adequacy of accounting, internal control, reporting and other
financial management systems and practices of the Council on a regular basis‟ 1 Each Council
auditor is also required to provide an opinion about the adequacy of a Council’s internal financial
controls.2
Local Government also has risk management obligations under other legislation, such as the:
 Work Health and Safety Act 2012
 Environment Protection Act 1993;
 Development Act 1993;
 South Australian Public Health Act 2011;
 Food Act 2001;
 Emergency Management Act 2004; and the
 Fire and Emergency Services Act 2005,
among others.
Sound risk management also contributes towards improving Local Government financial
sustainability and financial governance.
Risk management – the Standard
Risk management requires more than simply adopting policy. It requires embedding risk
management into every aspect of the Council’s operations, as illustrated by the diagram on page 4
of this Paper.
The risk management approach outlined in this Paper is consistent with the Standard which sets
out risk management:
1. principles;
2. framework; and
3. processes.
1
2
Section 126(4) of the Act.
Section 129(3) of the Act
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 3
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
AS/NZS ISO 31 000: 2009: RISK MANAGEMENT – PRINCIPLES AND GUIDELINES
Defining Risk Management
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/fsp
Page 4
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
1. Principles
The principles of risk management, as outlined in the Standard, are:
a)
b)
c)
d)
e)
f)
g)
h)
i)
j)
k)
Creates value
Integral part of organisational processes
Part of decision-making
Explicitly addresses uncertainty
Systematic, structured and timely
Based on the best available information
Tailored
Takes human and cultural factors into account
Transparent and inclusive
Dynjamic, iterative and responsive to change; and
Facilitates continual improvement and enhancement of the organisation.
2. The Framework
The framework for risk management creates the environment in which risk management processes
operate. As outlined in the second panel of the above diagram, there are five elements to a risk
management framework. These are:
2 (a)
Mandate and commitment
Effective risk management requires a strong and sustained commitment by the Council’s
leadership, i.e. the elected members, as well as by senior management. If the Council leadership
has endorsed a risk management framework, then staff throughout the Council organisation can
then rely upon this endorsement as they incorporate risk management processes into their day-today activities.
2 (b)
Design of a framework for managing risk
Risk management is not something that can be purchased off the shelf. A framework has to be
woven into the culture of an organisation, just as a frame is part of the construction of a building.
A framework that is designed to be effective within a commercial organisation is unlikely to be
suitable for Local Government, which has different responsibilities and needs. Risk management
needs will vary between Councils, too, according to the range of services that the Council chooses
to provide.
The factors that need to be taken into account, in designing a risk management framework include:





Understanding the organisation and its context;
Establishing a risk management policy and processes;
Determining accountability (who is responsible for what?);
Integrating risk management into organisational processes, within resources; and
Including internal and external communication and reporting mechanisms.
Councils seeking practical help with designing a risk management framework should contact the
Local Government Mutual Liability Scheme.
2 (c)
Implementation of risk management framework (including
management process)
This is the heart of risk management, and will be discussed in Section 3 below.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/fsp
the
risk
Page 5
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
2 (d)
Monitoring and review of the framework
Effective risk management requires two types of monitoring and review. The actual process of
managing risks on a day-to-day basis requires monitoring and review (see Section 3 (e) below). In
addition, at the strategic level, the entire risk management framework also requires periodic
monitoring and review. At this level, the key tasks are to:

measure a Council’s risk management performance against indicators (which
should also be periodically reviewed for appropriateness); and
 determine whether the Council needs to adjust its policies, plans, workforce training
or other factors in response to changes in the internal or external environment.
Councils seeking practical help with monitoring and reviewing their risk management framework
should contact the Local Government Mutual Liability Scheme.
2 (e)
Continual improvement of the framework
Decisions on improving the Council’s risk management framework should arise from the monitoring
and review described above. This will help to nurture the risk management culture within the
Council.
3. The risk management process
At the heart of risk management are the actual day-to-day processes of risk management, outlined
in the third panel of the diagram on page 4:
3(a) Establishing the context of risks
3 (a) (i) External context
3 (a) (ii) Internal context
3 (a) (iii) Risk management policy
3 (b) Risk Assessment
3 (b) (i) Risk identification
3 (b) (ii) Risk analysis
3 (b) (iii) Risk evaluation
3 (c) Risk Treatment
3 (d) Communication and consultation
3 (e) Monitoring and review.
Each of these items are discussed below.
3 (a)
Establishing the Context of risks
The general context in which the Council operates must be taken into account in designing the
overall risk management framework. (See section 2(b) above.) However, the context for various
Council services and projects may vary. Hence the risks may vary. Examining the context
relevant to each Council service, and each project helps to identify, analyse and evaluate risks.
3 (a) (i) External Context
The external environment in which the Council seeks to deliver a service or achieve an
objective might include, for example, cultural, social, political, legal and financial factors and
trends.
3 (a) (ii) Internal Context
The internal environment of the Council includes its strategic management plan,
governance arrangements, any relevant policies and responsibilities of key staff, etc. For
example, most Councils are well aware of what constitutes occupational health and safety
risks, and management systems have been in place for many years to ensure these are
managed and minimised.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 6
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
3 (a) (iii) A risk management policy
The Council may wish to establish a formal risk management policy, to express its values, and
the overall objectives of its risk management. Such a policy might include, for example:



an expression of the Council’s commitment to a risk management framework consistent
with the Standard; (or some other commitment);
how the Council estimates the likelihood and consequences of risks; and
the level at which risk becomes acceptable or tolerable.
A Council seeking practical help with drafting a risk management policy should contact the
Local Government Mutual Liability Scheme.
3 (b)
Risk Assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
3 (b) (i) Risk identification
The Standard defines risk identification as the process of finding, recognising and describing
risks. It is about identifying sources of risk, areas of impact, events, opportunities, failure to
innovate and their causes and potential consequences.
Risk identification needs to be undertaken on a periodic basis, and also in the context of any
proposed new service or project.3 The Council should maintain a list or register of risks, and
schedule regular reviews of the risk register.4 These reviews should take account of changes in
the Council’s services and operating environment and identify all risks that impact on the
Council’s activities, regardless of whether or not the risks are under the Council’s control.
Approaches used to identify risks may include:






Brainstorming sessions;
Review of audit findings;
Assessment of historical incident data;
Assessment of third party contracts;
Ongoing project management; and
Stakeholder needs
In order to ensure comprehensive identification of all relevant risks (where these risks lie within
the Council) and the formulation of appropriate treatment plans, risks should be grouped into
broad categories along the lines of the following:













Asset management
Business development
Compliance & Legal
Financial
Governance
Human resources
Safety & Welfare
Information services
Procurement
Project management
Strategic management
Environment
Public relations
See also Local Government Financial Sustainability Information Paper No. 27 – Prudential Management at
www.lga.sa.gov.au/FSP
4 See the risk register template at Attachment A.
3
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 7
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
3 (b) (ii) Risk analysis
Risk analysis is the process to comprehend the nature of risk and to determine the level of
risk. The analysis is based on an assessment of the:


risk likelihood (the chance of something happening ) and
risk consequence (the outcome of an event).
The following tables can be used to estimate risk likelihood and risk consequence, to
determine an overall risk rating.
RISK LIKELIHOOD
Level Descriptor
Description
Expected to occur at times of normal operations (more than once per year)
A
Almost
Certain
B
Likely
C
Possible
Not expected to occur but could under specific circumstances
D
Unlikely
E
Rare
Conceivable but not likely to occur under normal operations – no previous
occurrence
Only occurs in exceptional circumstances
Will occur at some stage based on previous incidents
RISK CONSEQUENCE
Level
Descriptor
5
Insignificant
4
Minor
3
Moderate
2
Major
1
Catastrophic
Description
Negligible Financial Loss, No Injury/First Aid only, no impact to
customers/business
Minor Financial Loss, Minor Medical attention, Minor interruption to a
service with minimal impact
Moderate Financial Loss, Significant Injury requiring medical attention,
Moderate Interruption to service delivery
Major Financial Loss, Serious Long Term Injury. Temporary disablement,
Major interruption to service delivery
Significant Financial Loss, Major Injury/disablement or death, Major
interruption to delivery of all or most services
Once the likelihood and consequence have been assessed for a particular risk the overall
inherent risk can be determined by referring to a risk priority matrix, like this one:
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 8
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
3 (b) (iii) Risk evaluation
The purpose of risk evaluation is to make decisions about which risks need treatment and
the treatment priorities. It should be obvious that risks analysed as “extreme” would
warrant correspondingly diligent risk management treatment, while risks analysed as “low”
would warrant less attention.
Not all risks will necessarily warrant any risk treatment. Some “low” risks may disregarded,
if the risk involved is regarded as tolerable, although all risks should be re-evaluated from
time to time to ascertain whether the analysis rating is still correct.
The Council is unlikely to have sufficient resources to treat all risks in an optimum manner.
Therefore it will always be necessary to evaluate and prioritise:


which risks to treat, or mitigate; and
the resources (if any) to devote to treating or mitigating each risk.
Council’s evaluation of risks must be documented. This is a safeguard for Council in the
event that its risk management may be called into question as part of a claim for
compensation (e.g. if an injured person alleges Council negligence in dealing with a risk).
The elements that may be taken into consideration when assessing controls and mitigating
factors associated with a particular risk include:








Legal requirements relevant to the risk;
Council’s risk management policy, if any (see 3(a)(iii) above);
Design of facilities;
Cost of alterations;
Communication of risk factors (e.g. warning signs)
Risk borne by parties other than the Council;
Defined responsibilities and accountabilities;
Monitoring and review procedures.
3 (c)
Risk treatment
The Standard defines Risk treatment as the process to modify risk. Therefore, risk treatment
involves selecting one or more options for modifying each risk. Accordingly, risk treatment can
involve one or more of options such as:







avoiding the risk;
pursuing the risk as an opportunity;
removing the risk source;
changing the likelihood;
changing the consequences;
sharing the risk with other parties; and/or
retaining the risk.
Appropriate treatment plans will vary with circumstances, but should be developed to be consistent
with Councils’:





strategic management plans;
long-term financial plan;
infrastructure and asset management plan;
policies (perhaps reflecting Council concerns about non-financial matters such as social or
environmental goals); and
annual budget.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 9
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
After an inherent risk has been modified, it may still exist in a different form (perhaps because the
likelihood has been changed, or the consequences have been changed). What remains is
described as the residual risk.
Good treatment plans should include the following elements:






Specific actions;
Resourcing;
Delegations;
Timing;
Definition of key performance indicators; and
Communication, feedback and control.
3 (d) Communication and Consultation
Communication and consultation are important during each step of risk management. Whether
they realise it or not, all staff members play a role in risk management. Communication is not a
one-way activity. Staff suggestions, ideas and co-operation should be sought for all stages of the
risk management process described above, especially identifying risks and proposing risk
treatments.
Communication and consultation is also necessary with external stakeholders (e.g. any
organisations partnering with Council during projects).
If all staff and external stakeholders understand the basis on which risk management decisions are
made and why particular actions are required, this will help to ensure that the Council’s risk
management is fully informed at all stages.
3 (e) Monitor and Review
A Council’s risk management is not a static policy or one-off procedure, but must be part of
ongoing business. A Council, its management team, and Audit Committee, must set aside time to
periodically review both the framework under which risks are managed (see section 2 above) and
also the process of risk management (section 3).
Regular reporting, checking or surveillance and review against key criteria will ensure that
treatment plans, if any, are achieving their aim and remain relevant. It will also serve to highlight
changes in risk analysis ratings, and identify any new risks, arising from a changed internal or
external context.
Responsibilities for monitoring and reviewing should be clearly defined, as part of the risk
management framework.
Councils should ensure that their risk management systems are supported by a structured process
to record relevant information including: risks identified, analyses and assessments, treatment
options and methodologies, decision processes and treatment performance results. Good
corporate governance dictates that this risk management information is captured and retained
throughout the risk management cycle.
An example of a basic Risk Register is included as Attachment A.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 10
LGA ‘Financial Sustainability’ Information Paper No. 22: Understanding Risk Management
– Revised February 2015
Issues for Councils
The management of risk is a fundamental component of achieving financial sustainability and
underpins Councils’ capacity and resilience in achieving all its strategic and operational objectives.
Councils should develop and adopt an organisation-wide risk management framework, and
processes, as described above, consistent with the Australian Standard AS/NZS ISO 31 000: Risk
Management – Principles and Guidelines. This would include ongoing procedures to monitor,
review and update risk management activities to maintain continuous improvement.
A Council’s Audit Committee should play a key role in ensuring that this occurs.
It is important however to emphasise that the adoption of such a framework and processes will not
lead to the elimination of risks. Rather, it will lead to the management of these risks in a
cost-effective and strategic manner that supports good governance principles.
A Council seeking practical help with any of the above should contact the Local Government
Mutual Liability Scheme.
Acknowledgements
Development of this paper has benefited from contributions by Mark Jeffreson of UHY Haines
Norton and funding from the Local Government Research and Development Scheme.
ECM 617337
LGA Financial Sustainability Program – www.lga.sa.gov.au/FSP
Page 11
Attachment A
Risk Register
Risk
ECM 617337
Risk Description
Current Controls
Likelihood
Consequence
and/or mitigating factors
Chance of
something
happening
Outcome of an
event
LGA Financial Sustainability Program – www.lga.sa.gov.au/fsp
Page 12
Level of
Risk (rated)
eg Risk Priority
Rating
Treatment Strategy/ies
Download