Corporate Services Risk Management Policy


RISK MANAGEMENT POLICY

Adopted 18 March 2013

Incorporating Annual Review (2014)

Incorporating Annual Review (2015)

RISK MANAGEMENT POLICY 2013

Contents

1.0 INTRODUCTION

2.0 CONTEXT

3.0 POLICY STATEMENT

4.0 OBJECTIVES

5.0 DEFINITIONS

6.0 APPLICATION

6.1 Council

6.2 The Audit Committee

6.3 Chief Executive Officer

6.4 The Executive Management Team (EMT)

6.5 General Managers

6.6 Managers

6.7 Coordinators

6.8 Risk Management Unit

6.9 Employees and Temporary Staff

6.10 Contractors

7.0 REFERENCES and SOURCE

8.0 THE RISK MANAGEMENT PROCESS

8.1 The Continuum of Assessment and Review

8.2 Communication and Consultation

8.3 Establishing the Context

8.4 Identification of Risks

8.5 Assessment

8.6 Risk Appetite

8.7 Treatment

8.8 Implementation

8.9 Performance Measuring

8.10 Monitoring and Review

8.11 Records

9.0 REVIEW

10.0 ATTACHMENTS

Attachment 1 – Risk Consequence Criteria

Attachment 2 – Risk Controls Criteria

Attachment 3 – Risk Likelihood Criteria

Attachment 4 – Risk Matrix

Attachment 5 – Risk Rating Definitions

Attachment 6 – Definition of Risk Status

Adopted by Council on 18 March 2013

1.0 INTRODUCTION

The management of risk is recognised as an integral part of good management practice.

Effective risk management supports informed decision making and encourages the identification of opportunities for continuous improvement. Risk Management is no longer accepted as only a process of good operating standards but rather, as a critical element of sound governance across an organisation.

Council, through its management accountability systems, internal audit programs, Audit Committee, risk assessment processes, occupational health & safety systems and various other policies and procedures, has a strong commitment to the principles of risk identification, risk assessment and risk minimisation or elimination.

This Policy and procedure formalises and details Council’s approach to organisational risk management and provides a framework for the ongoing conduct of risk identification, assessment and minimisation practices across the organisation.

The principles supporting this Policy are based on the International Standard for Risk Management, AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

2.0 CONTEXT

The context within which this Policy is written is one of ongoing strong governance and leadership. Since its formation in 1994, the City of Stonnington has continuously delivered to its ratepayers and residents stability in government and excellence in services and facilities against a backdrop of growing prosperity. The City of Stonnington is a Council within the meaning of the Local Government Act 1989 and has been given the authority and guidance to raise revenue from rates and charges, to adopt its own budget independent of other governments or agencies, and to adopt its own local laws to regulate its district.

The determinations and considerations made in this Policy have been based on the legislated framework within which the Council exists and operates. It is based on this context that the risk appetite of Council has been declared.

Stonnington has achieved a significant place within Local Government in Victoria as a stable and high performing Council. It guards its reputation conscientiously and invests significant resources to maintain and improve it. This achievement is to be seen against the backdrop of a business which performs and delivers scores of diverse functions, any of which has the potential to impact negatively on this reputation with its residents, visitors and the State Government.

As a consequence, Council’s Risk Appetite is variable and commensurate with the risk being assessed. However, Council’s appetite for risks involving corruption, fraud, theft, or personal harm or injury is zero. To accommodate this, Council has established a program of continuous development and review of policies, procedures, organisational structures and systems that are all designed to mitigate the likelihood and consequence of risk.


3.0 POLICY STATEMENT

CITY OF STONNINGTON

RISK MANAGEMENT POLICY STATEMENT

The City of Stonnington is actively committed to the management of risk and to reducing its exposure in all facets of its business. It endeavours to ensure that all necessary practices and procedures are effective and fully implemented to control any risks, and thereby to provide employees and the community with services, facilities and an environment which are sound, safe and inviting.

By this commitment to Risk Management, the City of Stonnington aims to:-

a) Provide safe, quality facilities and environment for all stakeholders;

b) Ensure there is an open and objective rationale for managing risk;

c) Ensure that risk forms an integral part of all decision-making;

d) Maintain appropriate budgetary levels to enable the effective management of risks related to Council’s physical assets;

e) Provide appropriate training and information to all employees and contractors on risk management and risk reduction techniques;

f) Ensure all employees are accountable for their actions, including compliance with policies and procedures; and

g) Work in partnership with the community, employees and contractors to identify, minimize or eliminate potential and future risks.

Warren Roberts

Chief Executive Officer

4.0 OBJECTIVES

The objectives of the Risk Management Policy are to:

• define risk in the context of Council;

• articulate Council’s commitment to risk management;

• provide broad guidance to Council’s General Managers, Managers and Coordinators, to enable them to fulfil their Risk Management responsibilities;

• introduce the fundamental principles and measures of risk;

• promote and support risk management and hazard identification practices throughout the organisation;

• recognise that successful risk management relies on input from all employees; and

• protect Council’s corporate image.


5.0 DEFINITIONS

For the purpose of this Policy, the following definitions will apply.

Commercial Risk: Risk such as a failed contract or business relationship.

Compliance Risk: Risk of failing to meet statutory obligations.

Consequence: The impact on an organisation should an event occur. For details refer to Attachment 1.

Contractor: An independent entity that agrees to furnish a certain number or quantity of goods, material, equipment, personnel, and/or services that meet or exceed stated requirements or specifications, at a mutually agreed upon price and within a specified timeframe.

Co-ordinators: All fourth level managers. Usually in charge of a Service Unit.

Employee: Includes all permanent and temporary employees of Council within the meaning of the Industrial Relations Act 1996 and includes the Chief Executive Officer.

Executive Management Team: Comprises the Chief Executive Officer and General Managers.

Financial & Systems Risk: Risk posed to Council’s financial systems and controls, such as fraud.

General Manager: All second level managers. Usually in charge of a Division.

Hazard: A source of potential harm or a situation with a potential to cause injury, damage or loss.

Likelihood: The probability of an event occurring. For details refer to Attachment 3.

Managers: All third level managers. Usually in charge of a Department.

Monitor: To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change.

Operational Risk: Risk which occurs in, hampers or affects an individual Division, Department, Service Unit or area of an organisation.

Risk: The chance of an event occurring that will have an adverse effect on business objectives. It is measured in terms of consequences and likelihood. The consequent liability is usually measured in financial terms, but may involve bodily injury, financial loss or property damage.

Risk Analysis: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

Risk Appetite: The amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Risk Appetite is best described as an organisation’s pursuit of risk or its willingness to take risks as opposed to avoiding them.

Risk Assessment: The overall process of risk analysis and risk evaluation.

Risk Control: That part of risk treatment which involves the implementation of policies, standards, procedures and physical changes to a thing, work process or system of work to eliminate or minimise the impact of the risk.

Risk Evaluation: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk Identification: The process of determining what can happen, why and how.

Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk Management process: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.

Risk Minimisation: A selective application of appropriate control measures, techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both.

Risk Rating: The level of severity applied to a risk based upon its impact on the organisation. Refer to Attachment 5.

Risk Tolerance: The level of risk that Council is prepared to accept before action is deemed necessary to reduce it; it represents a balance between the potential benefits of calculated risk and the threats that it inevitably brings.

Risk to Public: Those risks that are created by the activities, actions or inactions of Council in the delivery of services or works in the public space that may result in bodily harm or damage to property.

Strategic Risk: Risk which will affect or hamper, across the organisation, its ability to operate or deliver its policy, strategy or services.

Technical Risk: Risk such as failed equipment and managing assets.


6.0 APPLICATION

This Policy applies equally to all employees and contractors.

Employees and contractors all have joint responsibility for ensuring risk management is a key part of their approach to the delivery of the Council’s functions, operations and services.

6.1 Council will provide:-

• Guidance and governance to support significant and/or high profile elements of the risk management spectrum; and

• The support and basis upon which the Risk Management framework can be established and developed, including listing Risk Management as an element of the Council Plan.

6.2 The Audit Committee will provide:-

• Guidance and quality advice on existing Council processes and alternatives to managing risks; and

• Advice and guidance on effective industry standards for managing risks associated with Council business.

6.3 The Chief Executive Officer is responsible for:-

• Providing direction and advice on the management of risks within Council and ensuring that appropriate treatment measures are in place to mitigate Council’s exposure;

• Promoting a culture of risk management and ensuring that a strategic, comprehensive and systematic risk management program operates throughout Council;

• Ensuring that the Council’s organisational vision and values (relative to risk) are aligned and synchronised with its strategic direction and culture;

• Making the case to the elected Council for budgetary consideration of additional risk initiatives;

• Ensuring that the risk management program is intrinsic to everything Council undertakes and is incorporated in the messages given to the organisation;

• Ensuring that Council’s commitments support the risk management program;

• Discussing and supporting the risk management program with Councillors; and

• Considering the information and implications contained in the regular report provided to the Executive on matters of risk that have been either reported to Council or are considered to be strategic risks for Council, including insurance claim management.


6.4 The Executive Management Team (EMT) will provide:-

• Comment and feedback regarding the elements of risk as they apply to their specific areas of responsibility; and

• Quality advice to the CEO on the elements of risk they consider to be an exposure to Council business.

6.5 General Managers are responsible within their Divisions for:-

• Management of strategic risks that are directly related to their Division;

• Maintaining the overall responsibility for the effective management of all types of risks related to this Policy within their Division;

• Ensuring that Council’s assets and operations, together with liability risks and hazards, are adequately protected through appropriate risk budgeting, internal audit processes, loss control programs and the development and application of complementary practices and procedures;

• Developing and fostering working relationships with other agencies with whom Council has a shared risk;

• Ensuring that assistance is provided to support the provision of requested information in relation to an insurance claim or a risk management issue, in a timely manner;

• Advising of any risk management matter that should be referred for consideration for incorporation into forthcoming budgets;

• Ensuring that employees within their Division are adequately trained in the identification, assessment and procedures available for the minimisation of risk;

• Ensuring that performance measures are determined, to track progress in implementing risk treatment plans; and

• Acknowledging that the management of risk is an integral part of service delivery.

6.6 Managers are responsible within their Departments for:-

• Management of risks that are directly related to their Department;

• Ensuring that Council’s assets and operations, together with liability risks and hazards within their areas of responsibility, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary practices and procedures;

• Managing relationships with other agencies on shared risk issues;

• Arranging for advice and assistance to be provided, including the provision of requested information, in relation to an insurance claim or a risk management issue, in a timely manner;

• Ensuring that Council responds immediately to the investigation of any report of a hazard or incident received from a resident, employee, contractor or visitor;

• Implementing risk control measures to mitigate exposure;

• Advising their Divisional Manager of any risk management matter that should be considered for incorporation into forthcoming budgets;

• Ensuring that their employees and contractors within their Department are trained, updated and undertake their duties in accordance with Council’s risk management and other related policies and procedures;

• Ensuring Council’s Risk Management Unit is advised immediately of any potential insurance claims and ensuring appropriate incident investigation has taken place;

• Reporting to their Divisional Manager on a regular basis on risk management issues including budget, programs, measures and incidents; and

• Acknowledging that the management of risk is an integral part of service delivery.

6.7 Coordinators are responsible within their Service Unit or area of responsibility for:-

• Management of risks that are directly related to their Unit;

• Ensuring that Council’s assets and operations, together with liability risks and hazards, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary policies and procedures;

• Ensuring that their employees and contractors within their Unit are trained, updated and undertake their duties in accordance with Council’s risk management and other related policies and procedures;

• Providing and arranging assistance and requested information in relation to an insurance claim or a risk management issue, in a timely manner;

• Ensuring that Council responds immediately to the investigation of any report of a hazard or incident received from a resident, employee, contractor or visitor;

• Implementing risk control measures to mitigate exposure;

• Advising their Departmental Manager of any risk management matter that should be considered for incorporation into forthcoming budgets;

• Ensuring Council’s Risk Management Unit is advised immediately of any potential insurance claims; and

• Acknowledging that the management of risk is an integral part of service delivery.

6.8 The Risk Management Unit is responsible for supporting all Council Business Units in properly managing risk within their units, and for monitoring compliance with the risk management policy and processes.

The Risk Management Unit shall support the corporate risk initiatives by:-

• Ensuring that Council’s assets and operations, together with liability risks and hazards to the public, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary policies and procedures;

• Reporting on high and extreme risks with existing control measures and recommendations for further mitigation;

• Documenting the Council risk management program through the compilation and regular update of the Council risk management strategy;

• Providing a platform to host Council’s Operational Risk Register, which provides for the recording and management of these risks by Divisions, Departments and Service Units;

• Providing a platform to host and record Council’s Strategic Risks;

• Ensuring that risk management platforms are functional, and providing advice and guidance to users;

• Assisting in the planning, monitoring and review of risk assessments for Council assets and activities;

• Ensuring that complementary policies and practices are implemented, periodically reviewed and, where required, updated;

• Providing regular reporting through the Manager Risk Management and Contracts Compliance to the Executive, the Audit Committee and Council on risk management issues, statistics and strategies, including insurance claim management;

• Providing advice and educational material on industry trends and legal developments; and

• Placing and managing Council’s insurance portfolio, ensuring that adequate insurance coverage exists for all classes of insurable risk.

The Risk Management Unit provides guidance and advice on risk exposure issues as required by all Council Divisions and service areas. The risk owners (General Managers, Managers and Coordinators) are responsible for managing the risks of their areas and should seek assistance from the Risk Management Unit as soon as an exposure or an emerging risk becomes known or suspected.

6.9 Employees and Temporary Staff are responsible for:-

• Reporting any risk, potential risk or incident to their Team Leader/Coordinator immediately it is brought to their attention;

• Ensuring that they conduct their daily duties in a manner that does not expose Council to loss or risk, and that these duties are conducted in accordance with the relevant policies, procedures and legislative requirements;

• Assisting in the investigation of any incident that may have occurred as a result of a risk or hazard and in which they were involved or of which they have knowledge;

• Acting in a pro-active manner to control and prevent risk, injury or harm to the Council or any person;

• Reporting, either through a corporate recording system or to their Supervisor, any notification of a hazard or incident received from a resident, employee or visitor, in order to allow Council to respond immediately;

• Managing risk (including OHS risk) and participating in risk management and OHS processes by encouraging all individuals to take responsibility for managing risks associated with their official duties. This is to be achieved through the observance of Council Policy, following the lawful direction of their Supervisors and ensuring they carry out their tasks properly and safely, utilising the correct equipment for the task; and

• Acknowledging that they all have a part to play in managing risk.

6.10 Contractors are responsible for:-

• Ensuring that Council’s assets and operations, together with liability risks and hazards to the public, are adequately protected through appropriate loss control programs and measures, and adherence to Council’s various complementary policies and procedures;

• Responding immediately to the investigation of any report of a hazard or incident received from an employee, resident or visitor;

• Maintaining appropriate and adequate insurances as required under their contract; and

• Ensuring that they conduct their daily duties in a manner that does not expose Council to loss or risk and that these duties are performed in accordance with the relevant policies, procedures and legislative requirements.

7.0 REFERENCES and SOURCE

The references and sources for the content of this Policy have been derived from the following documents:

1. International Standard – AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines

2. Council’s Occupational Health & Safety Policy and Manual

3. Occupational Health and Safety Act 2004 (Vic)

4. Managing Risk Across the Public Sector 2004

5. Implementation of Government Risk Control Framework 2013

6. Delivering Assurance on Risk Management ISO 31000:2009 (HB158/2010)

7. Risk Assessment Techniques (HB89/2012)

8. Fraud Prevention Strategies in Local Government 2012


8.0 THE RISK MANAGEMENT PROCESS


8.1 The Continuum of Assessment and Review

For the Risk Management process to be successful and effective within Council, it must be:

• an integral part of management;

• embedded in the culture and practices; and

• tailored to the processes of the organisation.

The process comprises a number of logical and distinct steps which are necessary not only to establish the specifics of the risk but also to bring it into the continuum of control and review.

The steps are detailed in the flow chart below.

[Flow chart: Establish the context → Identify risks → Analyse risks → Evaluate risks → Treat risks]

* Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines


To apply the assessment and review continuum in a City of Stonnington context, the following flow chart details the process.

[Flow chart: City of Stonnington risk assessment and review cycle]

Cycle commences:

• Regular Departmental Managers/Coordinators meetings to discuss operational risks.

• Regular Divisional Managers/Departmental Managers meetings to discuss operational risks.

• Divisions advise Risk Management of exposure. Risk Management analyse, evaluate, provide treatment advice and record the risk in the Risk Register.

• All risks are monitored, reviewed and reassessed as required (special focus on High and Extreme risks).

• The Risk Management Unit operates ongoing training and awareness workshops.

• Monthly Risk Management reports to the Executive regarding High and Extreme Risks.

• Quarterly, the Risk Management Coordinator revises the Risk Management Strategy, Action Plan and Strategic Audit Plan.

• Quarterly, the Audit Committee reviews the Risk Management issues presented in the Risk Management report.

• Half yearly, Council reviews Risk Management issues presented in a Risk Management Report.

• Annually, the Risk Management Policy is reviewed and updated.

Cycle recommences.

Key (flow chart colour coding): Identifying Risk; Analysis & Treatment; Monitor & Review; Training & Awareness; Reporting.


8.2 Communication and Consultation

Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process.

Risk ownership is integral to successful risk management; therefore the creation and review of every risk is to involve the areas or key individuals who will manage and control that risk exposure to Council throughout its life cycle. Relevant people will be involved in the consultation process, and contribution to the various aspects of the process will be encouraged and acknowledged.

8.3 Establishing the Context

The establishment of the context (or frame of reference) is an integral element of the risk management process, as it establishes and defines the various environments in which risk is to be considered, assessed and managed.

Context should be considered at the following levels:

• External context – the external environment in which the organisation seeks to achieve its objectives;

• Internal context – the internal environment in which the organisation seeks to achieve its objectives;

• Context of the risk management process – the objectives, strategies, scope and parameters of the process should be established; and

• Defining the risk criteria – the organisation should define the criteria to be used to evaluate the significance of risk.

8.4 Identification of Risks

The effective identification of the risk exposures to which Council may be subjected is a foundation element in establishing the basis of effective mitigation, control and review.

As various assumptions are made during this process, it is essential to remain grounded in establishing the likelihood, consequence and realism of such a risk occurring.

Unrealistically assessed events, impacts or consequences undermine the validity and credibility of the risk management process, and its relevance to the organisation’s business rapidly declines as people disengage from the process.

The primary questions must be based on:

• The current environment in which the activity is undertaken (political, financial etc.);

• The past history or experience of the organisation;

• Any known or suspected threats;

• Recent experience of other like industries; or

• Other relevant knowledge, local or otherwise, of risk exposures that may also impact on Council.


The key elements of Council’s risk identification processes are:

• The cyclical ‘whole-of-organisation’ risk assessments undertaken by Council’s internal auditors;

• Risk assessments undertaken within individual Divisions, Departments and Units by key personnel on a regular basis, which are supported by the Risk Management Unit and form part of Council’s Risk Registers (Strategic and Operational);

• The annual liability risk assessment undertaken by Council’s Public Liability insurer; and

• Key industry information derived from various sources.

In managing organisational risk, Council will focus on the following major areas of risk exposure:

• Human Resources;

• Occupational Health & Safety;

• Legislative Compliance;

• Internal Controls;

• Contract Management;

• Insurance Liability;

• Corporate Governance;

• Information Technology;

• Asset Management;

• Security;

• Professional Advice;

• Records Management;

• Systems – Efficiency and Effectiveness;

• Financial Management;

• Reputational exposure; and

• Management Reporting.

This list is not exhaustive and will be complemented through the normal risk review processes undertaken by General Managers and Managers as part of Council’s annual budget development, as well as the service reviews undertaken as part of Council’s Best Value program. Identified risks will be recorded on the Strategic and Operational Risk Registers, managed by the Risk Management and OHS Units.

Employees and members of the public are also to be encouraged to report potential risk exposures.

8.5 Assessment

A full, accurate and objective assessment of any identified risk must be undertaken to:-

• Evaluate existing controls;

• Determine the likelihood of an incident;

• Determine the consequences of the risk;

• Establish the risk rating;

• Identify any physical hazards; and

• Develop remedial actions.

These assessments may be undertaken by Council’s Risk Management Unit, Council’s Internal Auditors, Council Managers and Coordinators, Designated Workgroups or external consultants.

Risk assessments will be undertaken using the assessment criteria and matrix shown in Attachments 1 to 5 (consequence, control and likelihood criteria, the risk matrix and the rating definitions).

An assessment of risks should be carried out three times during the life of the risk:

Stage 1 - Inherent risk (Absolute) – the risk exposure prior to management controls being put in place;

Stage 2 - Managed risk – the risk exposure with the current level of management controls; and

Stage 3 - Residual risk – when no further controls are required and the level of residual risk is tolerable.

8.6 Risk Appetite

The City of Stonnington determines its risk appetite across four distinct areas of its operations and performance, namely Cultural, Outcome, Expectation and Liability.

8.6.1 Cultural

Our cultural risk appetite defines our behaviour and the principles to be applied across Council but is not necessarily measurable or actionable. The Cultural Risk Appetite is:

a) Council has a very low tolerance for reputational risk exposure that negatively impacts on its standing or image. Steps to minimize the likelihood of adverse reputational impact should always be taken;

b) Council will promptly take action to address ratepayer/customer complaints and regulatory concerns;

c) Council will not engage in any activity that will put its long-term values or reputation at risk. The Council will meet the ratepayers’/customers’ expectations of providing efficient, considerate and cost-effective services; and

d) Council is an equal opportunity employer that employs skilled and experienced employees in positions with clearly defined roles and responsibilities.

8.6.2 Outcome

Our outcome risk appetite specifies the limits or maximum impact/outcome within Council which is considered to be reasonable and acceptable where such risk is measurable. The Outcome Risk Appetite is defined by compliance with:

a) Council’s Business and Strategic Plan;

b) Council’s annual budget; and

c) defined Divisional, Departmental and Unit Business Plans.


8.6.3 Expectation

Council's expectation risk appetite defines its tolerance for strategic and operational actions. These risks, specific to activities or known risks, are measurable and supported by mitigation controls and actions. The Expectation Risk Appetite is:

a) Council has a low tolerance for Strategic Risks. These risks are to be mitigated and controlled as far as practicable down to a low or medium risk rating;

b) Council has zero tolerance for harm or injury to its employees or visitors, and these harms will be mitigated and controlled down to a low risk;

c) Council has zero tolerance for internal/external fraud or deception activities;

d) Council has a low tolerance for operational risk. These risks will be mitigated and controlled to the point where the cost of control equals the marginal cost of the risk; and

e) Council has a low tolerance for information technology outages. There is no tolerance for outages that exceed one week.

8.6.4 Liability

Council's liability risk appetite defines the level of liability it is prepared to accept using internal mitigations or management processes before it seeks external support or remedies to resolve matters. Such risks are measurable and reportable.

The Liability Risk Appetite is restricted to the deductible excess stated on each insurance policy issued by each insurer, and may be adjusted as required from time to time against Council's tolerance for risk exposure.

8.7 Treatment

To control a risk, it must first be correctly and realistically evaluated to determine the best option for its removal or minimisation, with plans prepared and implemented to rectify or mitigate any problem areas.

Risk control options (which are not necessarily mutually exclusive or appropriate in all circumstances) include the following:

 Risk Avoidance – avoid the identified risk by deciding not to proceed with the activity likely to generate the risk (where this is practicable);

 Risk Transfer – reduce exposure by transferring the risk to another party, e.g. contracting to a business that has the requisite qualifications and skills;

 Reduce the likelihood of occurrence through measures such as audit compliance programs, contract conditions, preventative maintenance, engineering controls, inspections, process policies and procedures; and

 Reduce the consequences through measures such as contingency planning, disaster recovery plans, contractual arrangements, financial management controls and risk exposure minimisation plans.


8.8 Implementation

Risk Management across the Council will be implemented and managed through effective governance controls including:

 Monitoring of adherence to internal controls;

 Conducting risk assessments of Council assets and activities;

 Applying a corporate risk management strategy;

 Promoting adherence to this Policy and related Policies by all employees and contractors;

 Providing employee training opportunities on relevant risk issues;

 Providing induction training and ongoing workshop sessions;

 Making instructional information available to employees upon request;

 Providing adequate funding for risk reduction initiatives in Council's budget; and

 Undertaking an annual review of identified risks.

The Risk Management Unit is part of the Risk Management and Contract Compliance Department and is available for advice and guidance on risk and insurance matters.

8.9 Performance Measuring

Performance measures to track progress in implementing risk treatment plans within Divisions, Departments and Business Units should be established and reviewed by the relevant area Managers and reported to the Risk Management Unit annually.

The tracking process should include:

 The inherent risks;

 The existing control measures;

 Actions to be undertaken;

 Due date of the actions;

 Outcomes to be achieved;

 Responsible officer; and

 Acceptance of the residual risk.

A risk profile for each Department will be established and maintained as a live working document that provides a clear snapshot of the actual risk position and of possible or likely future risks.

The progress of implementing the treatment plans will form part of the reporting structure of the Risk Management Unit on an exception basis via the process listed in 8.10 of this Policy.


8.10 Monitoring and Review

Monitoring of risk is the responsibility of the respective General Manager, Manager and Coordinator, as an element of their overall responsibilities.

Monitoring of risk, with the support of the Risk Management Unit, will include, but not be limited to:

 the analysis of insurance claims;

 on-going risk assessment and risk minimisation as part of standard management practice;

 advice and input into contract specifications and documentation;

 advice and input into risk assessments of new Council programs;

 on-going review of existing Council programs and facilities, as required;

 reviewing documentation of inventories, hall or facility hire agreements, Committees of Management Deeds of Delegation;

 compliance with all complementary Council Policies and Procedures; and

 periodic review of Council’s complementary Policies and Procedures.

The Risk Management Unit, via the Risk Management & Contracts Compliance Department, will report as follows:

Reporting To | Items of Report | Frequency
Executive | Statistics regarding incidents, activities, training and insurance claims, and advice and analysis of risk trends. | Monthly
Executive / Audit Committee | Report on High and Extreme risks with existing control measures and recommendations for further mitigation. | Quarterly
Council | Statistics regarding incidents, activities, training and insurance claims, and analysis of risk trends. | Quarterly
Council | Report on High and Extreme risks with existing control measures and recommendations for further mitigation; status report of internal audit recommendations; statement of position regarding the Council's Risk Management program and management of High and Extreme Risks. | Bi-annual

Significant risk issues will be brought to the attention of the Chief Executive Officer and the relevant General Manager and, where required, Council.

Risk reviews formally undertaken by Council's internal auditors will be reported to Council's Audit Committee as part of its charter.


8.11 Records

Reference to the records relating to the management of Risks will be maintained in:

 the Division, Department or Unit where the risk resides;

 Council's Records Management System;

 Council's relevant Risk Register; and

 Council's insurance portfolio, where relevant.

9.0 REVIEW

This document is to be reviewed by the Risk Management Coordinator every year from date of adoption by Council, with each review to be approved via the CEO Notice Paper.

10.0 ATTACHMENTS

This Policy is supported by detailed attachments that further define graphically the methods and process of risk management.

The attachments are:

 Attachment 1. Risk Consequence Criteria

 Attachment 2. Risk Controls Criteria

 Attachment 3. Risk Likelihood Criteria

 Attachment 4. Risk Matrix

 Attachment 5. Risk Ratings Definitions

 Attachment 6. Definition of Risk Status


Attachment 1 – Risk Consequence Criteria

City of Stonnington - RISK CONSEQUENCE CRITERIA

CONSEQUENCE RATING: INSIGNIFICANT
 Description: Effect is minimal
 Safety: No treatment applied
 Financial: Up to $10k financial loss (.007% of Budget)
 Environmental: No detrimental environmental effect
 Outrage & Media: Issue raised by residents and/or local press
 Regulatory: Activity does not follow established industry standards
 Business Continuity: Business disruption, but no loss of service delivery

CONSEQUENCE RATING: MINOR
 Description: Event requiring moderate levels of resources and input
 Safety: First-Aid treatment only
 Financial: >$10k - $50k financial loss (.037% of Budget)
 Environmental: Environmental discharge controlled, and of a minor nature
 Outrage & Media: Resident and/or media concern/local media coverage
 Regulatory: Activity does not follow "Best Practice"
 Business Continuity: Brief service loss

CONSEQUENCE RATING: MODERATE
 Description: Significant event with long reaching effect
 Safety: Medical treatment, ambulance, or admission to hospital of less than 2 days
 Financial: >$50k - $500k financial loss (.37% of Budget)
 Environmental: Localised environmental impact, causing community annoyance, and requiring remedial action
 Outrage & Media: Embarrassment for Council, including adverse media coverage
 Regulatory: Activity does not meet all of the requirements of the relevant Australian Standards
 Business Continuity: Productivity loss for up to 5 days

CONSEQUENCE RATING: MAJOR
 Description: Critical event
 Safety: Hospitalisation of more than 2 days, or long term injury or disability
 Financial: >$500k - $5m financial loss (3.75% of Budget)
 Environmental: Long-term detrimental environmental or social impact
 Outrage & Media: Reputation of Council severely affected in the long-term
 Regulatory: Activity does not meet all of the requirements of relevant legislation
 Business Continuity: Critical service loss for up to 1 month

CONSEQUENCE RATING: CATASTROPHIC
 Description: Disaster with potential to lead to collapse or to have a profound effect
 Safety: Single or multiple fatalities
 Financial: >$5m financial loss (>3.75% of Budget)
 Environmental: Long-term environmental or social impact on community
 Outrage & Media: Government intervention required
 Regulatory: Activity does not meet any of the requirements of relevant legislation and Regulations
 Business Continuity: Loss of service for a critical period of time

Process

1. Consider the consequence for each category, i.e. Safety, Financial, Environmental, Outrage and Media, Regulatory and Business Continuity.

2. Determine the CONSEQUENCE RATING based on the overriding definition, i.e. the "worst" (or highest) category.


Attachment 2 – Risk Controls Criteria

City of Stonnington - RISK CRITERIA

Measuring Risk: CONTROLS

Each control rating is assessed against four elements: Description (effectiveness of existing control measures), System Control/Design (affects frequency of occurrence), Contingency Plan (reduces severity of consequence of an event) and Information System (supports the action and capability for monitoring).

CONTROL RATING: TOTALLY EFFECTIVE
 Description: Significant control over the risk.
 System Control/Design: Total confidence. Excellent system with total implementation. No variance in control quality.
 Contingency Plan: Total confidence in an effective plan. Fully tested and documented.
 Information System: Well proven database, robust system, very user friendly.

CONTROL RATING: VERY EFFECTIVE
 Description: Substantial reduction in risk. Improvements are possible.
 System Control/Design: Very confident. Full system with effective implementation. Little or no variance in control quality.
 Contingency Plan: Very confident. Fully tested and documented.
 Information System: Mainly as above but improvements are possible.

CONTROL RATING: EFFECTIVE
 Description: Satisfactory risk reduction. Improvements are possible.
 System Control/Design: Quite confident. Satisfactorily implemented. Some variance in control quality.
 Contingency Plan: Just effective - open to some weaknesses. Not fully tested, quite good documentation.
 Information System: Mostly good but not yet robust. Some flaws in supporting effective risk action.

CONTROL RATING: PARTIALLY EFFECTIVE
 Description: Marginal risk reduction. Improvements should be considered.
 System Control/Design: Moderately confident. Fair implementation only. Quite a degree of variance in performance.
 Contingency Plan: Not really effective plan. Not tested - open to substantial problems.
 Information System: Fair to poor database / performance in risk reduction. Not very user friendly.

CONTROL RATING: INEFFECTIVE
 Description: Minimal risk reduction, if any. Improvements required.
 System Control/Design: Not confident. Only partly introduced or no attempt. Substantial variance.
 Contingency Plan: No plan at all or very inadequate preparation.
 Information System: Very poor / inadequate / nonexistent.

Process

Consider the effectiveness of current controls when determining the three levels of risk. The rating given should be based on the lowest of the control ratings applied.


Attachment 3 – Risk Likelihood Criteria

Measuring Risk: LIKELIHOOD

LIKELIHOOD RATING and CRITERIA:

RARE: Event MAY occur only in EXCEPTIONAL circumstances. There is LITTLE opportunity for the event to recur. Chance of risk occurring is 0-10%.

UNLIKELY: Event COULD occur at SOME time. There is a REASONABLE opportunity for the event to recur. Chance of risk occurring is 11-40%.

POSSIBLE: Event SHOULD occur at SOME time. There is SOME opportunity for the event to recur. Chance of risk occurring is 41-60%.

LIKELY: Event will PROBABLY occur in MOST circumstances. There is CONSIDERABLE opportunity for the event to recur. Chance of risk occurring is 61-90%.

ALMOST CERTAIN: Event is EXPECTED to occur in MOST circumstances. There is a STRONG likelihood of the event recurring. Chance of risk occurring is 91-100%.

Process

1. Determine the LIKELIHOOD RATING based on the overriding criteria definition.


Attachment 4 – Risk Matrix

Rows give the Likelihood rating; columns give the Consequence for the Organisation. Each cell shows the risk category and its score.

Likelihood     | Insignificant | Minor       | Moderate    | Major       | Catastrophic
Almost Certain | Moderate 11   | High 16     | High 20     | Extreme 23  | Extreme 25
Likely         | Moderate 7    | Moderate 13 | High 17     | High 22     | Extreme 24
Possible       | Low 4         | Moderate 8  | Moderate 15 | High 19     | High 21
Unlikely       | Low 2         | Low 5       | Moderate 9  | Moderate 14 | High 18
Rare           | Low 1         | Low 3       | Low 6       | Moderate 10 | Moderate 12

Process:

Plot the rating box for each of Absolute, Managed and Residual risk.

Attachment 5 – Risk Rating Definitions

RISK CATEGORY and Descriptor:

LOW: Manage by routine procedures and be mindful of changes to the nature of risks. Consider the implementation of any cost effective internal controls.

MODERATE: Management to ensure that the control environment, consequence and likelihood do not substantially change. Consider the implementation of any additional cost effective controls.

HIGH: Executive attention required to assess the acceptability of remaining net risk or required/planned mitigation measures. Management to ensure that necessary mitigation actions are carried out and the risk does not increase, by actively monitoring any changes to the control environment, consequence and likelihood.

EXTREME: Extreme risk is generally unacceptable. Comprehensive consideration by the Executive is required to ensure that the net risk remaining is consistent with Council's objectives and acceptance of risk. If not, detailed research and planning is required to mitigate the risk.

Process

1. Choose appropriate CONSEQUENCE RATING

2. Determine appropriate CONTROL RATING

3. Choose appropriate LIKELIHOOD RATING

4. Ascertain risk category


Attachment 6 – Definition of Risk Status

Operational: Risk which occurs in, hampers, or impacts upon an individual Division, Department, Service Unit or area of an organisation.

Strategic: Risk which will impact upon or hamper, across the organisation, its ability to operate or deliver its policy, strategy or services.

Commercial: Risk such as a failed contract or business relationship.

Technical: Risk such as failed equipment and managing assets.

Financial & Systems: Risk posed to Council's financial systems and controls, such as fraud.

Compliance: Risks to meeting regulatory obligations.

Source: Managing Risk Across the Public Sector - Good Practice Guide – Auditor General Vic 2004


Document Control

Version: 3.0
Author: Manager, Risk Management & Contracts Compliance
Owner: Risk Coordinator, Risk Management and Contracts Compliance Department
Date: 17 November 2015
QA: Business Support Officer
Review Period: Annual

Revision Details

Date | Update Details | Reviewed | QA | Approved
18 March 2013 | Adoption of Policy | Risk Coordinator | Manager, Risk Management & Contracts Compliance | Council
23 September 2014 | Annual administrative review of document and insertion of Internal Audit recommendations regarding Risk Tolerance and the roles of the Audit Committee and EMT. | Risk Coordinator | Manager, Risk Management & Contracts Compliance | Chief Executive Officer
17 November 2015 | Annual administrative review. | Risk Coordinator | Manager, Risk Management & Contracts Compliance | Chief Executive Officer
