Risk Management Framework 2015

Responsible Directorate: Corporate Services
Authorised by: Council
Date of adoption: 27 July 2015
Review date: May 2018
Revocation/sunset date: Nil
Policy type: Council

Risk Management Framework 2015 Page 1 of 38

Table of contents

Terminology ...... 5
Section One: Risk Management Framework Overview ...... 7
1.1 Introduction ...... 7
1.2 Risk Management Drivers ...... 7
1.3 Risk Management Standard ...... 9
1.4 Risk Management Principles ...... 9
1.5 Risk Management Mandate and Commitment ...... 10
1.6 Risk Management Framework Objectives ...... 10
1.7 Risk Management Integrated Design ...... 11
Section Two: Risk Management Framework Key Elements ...... 12
2.1 Risk Culture ...... 12
2.2 Risk Governance and Accountability ...... 12
2.3 Risk Management Resources and Planning ...... 16
2.4 Risk Management Process ...... 17
2.5 Risk Assurance ...... 17
2.6 Interagency Risk Management ...... 18
Section Three: Key Guidelines and Risk Tools ...... 18
3.1 Training and Education ...... 21
3.2 Monitor, Review and Improvement ...... 21
3.3 Risk Review and Register ...... 21
3.4 Risk Appetite ...... 21
3.5 Risk Likelihood Ratings ...... 22
3.6 Consequence Rating ...... 24
3.8 Calculate Risk Ratings ...... 25
3.9 Risk Reporting ...... 26
Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators ...... 29
Attachment 2: Risk Management Framework Action Plan 2014-16 ...... 29
Attachment 3: Strategic Risks ...... 29
Attachment 4: Risk Attestation Wording Template ...... 29

Terminology

Risk management process: definitions

Consequence: The outcome of an event affecting organisational objectives.
Control: The measure that is modifying a risk.
Establishing the context: Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria.
Event: The occurrence or change of a particular set of circumstances.
External context: The external environment in which the organisation seeks to achieve its objectives.
Internal context: The internal environment in which the organisation seeks to achieve its objectives.
Likelihood: The chance of a risk event occurring.
Monitoring: Continual checking, critically observing or determining status in order to identify change from the performance level required or expected.
Operational Risk: Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community.
Residual risk: The risk remaining after risk treatment.
Risk: The effect of uncertainty on objectives. An effect is a deviation from the expected and can be either positive or negative.
Risk analysis: The process to comprehend the nature of risk and to determine the level of risk.
Risk assessment: The overall process of risk identification, risk analysis and risk evaluation.
Risk attitude: The organisation’s approach to assessing and eventually pursuing, retaining, taking or turning away from risk.
Risk criteria: The terms of reference against which the significance of a risk is evaluated.
Risk evaluation: The process of comparing the results of a risk analysis with the risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.
Risk identification: The process of finding, recognising and describing risks.
Risk management: The coordinated activities to direct and control an organisation with requirements to manage risk.
Risk management framework: The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk management plan: The scheme within the risk management framework that specifies the approach, the management components and the resources that are to be applied to the management of risk.
Risk management policy: The statement of overall intention and direction of an organisation related to risk management.
Risk management process: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk owner: The person or entity with the accountability and authority to manage a risk.
Risk profile: The description of any set of risks.
Risk source: An element that, either alone or in combination, has the intrinsic potential to give rise to a risk.
Risk treatment: The process to modify risk.
Stakeholder: A person or organisation that can affect, be affected by or perceive themselves to be affected by a decision or activity.
Strategic Risk: Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan.

Reference: ISO 31000:2009 Risk management—Principles and guidelines, pp. 4–7

Section One: Risk Management Framework Overview

1.1 Introduction

This Risk Management Framework aims to support an integrated and effective approach to risk management, incorporating and representing the organisation-wide approach to risk management.
This Framework provides guidance on the arrangements for designing, implementing, monitoring and continually improving risk management, and outlines the drivers, principles, objectives and risk process. The Risk Management Plan is the work plan that is incorporated into the Risk Management Framework and specifies the approach, the risk management components and the resources that are to be applied, reflecting an integrated risk management approach.

Section 1 provides an outline of the risk management principles and how they apply to the organisation, the drivers of risk management, mandate and commitment, and objectives, and summarises the design of the integrated Risk Management Framework.

Section 2 provides an overview and description of the Risk Management Framework features.

Section 3 provides the risk assessment process, guidelines and tools to support enterprise risk management practices and decision making.

This Risk Management Framework has been developed with input and review from the Executive Leadership Team, the Audit Committee and the Business Enterprise Risk Committee, and was adopted by Council.

1.2 Risk Management Drivers

Risk management is integral to good governance and good management. In the Local Government context:

Key legislation drivers include:
- Local Government Act 1989
- Equal Opportunity Act 2010
- Planning and Environment Act 1987
- Public Health and Wellbeing Act 2008
- Occupational Health and Safety Act 2004
- Protected Disclosure Act 2012
- Charter of Human Rights & Responsibilities Act 2006
- Ombudsman Act 1973
- Privacy & Data Protection Act 2014

Key good governance drivers require Council and the administration to work towards:
- Accountability, by reporting, explaining and being answerable for the consequences of decisions it has made on behalf of the community it represents.
- Transparency, by providing avenues for people to follow and understand the decision making process.
- Following the rule of law, by ensuring decisions are consistent with relevant legislation or common law and are within the powers of council.
- Responsiveness, by servicing the needs of the entire community while balancing competing interests in a timely, appropriate and responsive manner.
- Equity and inclusion, whereby members of the community feel their interests have been considered by Council in the decision-making process.
- Participation, whereby community members have the opportunity to participate in the process of decision making.

Key external assurance drivers include:

Auditor-General: The Auditor-General is an independent officer of the Victorian Parliament, appointed to examine the management of resources within the public sector on behalf of Parliament and Victorians. The Victorian Auditor-General’s Office audits public entities who receive government funding. There are two types of audits, financial and performance.
(a) Financial: A financial audit provides assurance that the financial statements of an entity present fairly the financial position, cash flows and results of operations for the year, in accordance with relevant financial reporting frameworks and standards.
(b) Performance: A performance audit assesses whether an agency is meeting its aims effectively, using its resources economically and efficiently, and complying with legislation.

Ombudsman Victoria: The Ombudsman is accountable to Parliament, rather than the government of the day, and can only be dismissed by Parliament. The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff. Complaints can be made to the Ombudsman by any member of the public, and these may need to be investigated or responded to by Council.
Key internal drivers include:
- Values (integrity, collaboration, accountability, innovation and respect)
- Staff and Councillors Code of Conduct
- Audit Committee
- Internal audit program
- Business Enterprise Risk Committee (BERC)
- Frameworks (staff capability, accountability, planning)

[Figure: City of Boroondara Enterprise Risk Management Framework diagram, relating Legislation, Governance, Assurance, Frameworks, Standards and Service delivery to Our regulations, Our mandate, Our structure, Our values, Our people and Our services.]

1.3 Risk Management Standard

The risk management approach is aligned to AS/NZS 31000:2009 Risk management - Principles and guidelines (the Standard). This practice is driven by a set of principles and is supported by a risk management governance framework and a risk process methodology.

[Figure: AS/NZS 31000:2009 risk management diagram.]

1.4 Risk Management Principles

The risk management principles which guide our risk management approach have been aligned to the Principles outlined in the Standard. They are:

1. Risk Management creates and protects value by contributing to the achievement of objectives and improving performance.
2. Risk Management is an integral part of all organisational processes, not a stand-alone activity.
3. Risk Management is part of decision making by helping decision makers make informed choices and prioritise actions.
4. Risk Management explicitly addresses uncertainty by taking into account the nature of that uncertainty and how it can be addressed.
5. Risk Management is systematic, structured and timely, and contributes to efficiency and consistency.
6. Risk Management is based on the best available information.
7. Risk Management is tailored and aligned with the organisation’s external and internal context and risk profile.
8. Risk Management takes human and cultural factors into account by recognising people’s capabilities and perceptions that can facilitate or hinder achievement of the organisation’s objectives.
9. Risk Management is transparent and inclusive, and involves stakeholders and decision makers in ensuring risk management remains relevant and up-to-date.
10. Risk Management is dynamic, iterative and responsive to change.
11. Risk Management facilitates continual improvement and enhancement of the organisation by developing and implementing strategies to improve risk maturity.

1.5 Risk Management Mandate and Commitment

Management, employees, volunteers and contractors are all responsible for the successful management of risk. The risk management function resides with the Corporate Services Directorate, Commercial and Property Services Department.

1.6 Risk Management Framework Objectives

The key objectives of the Risk Management Framework are to:
- Respond to the objectives of the Council Plan.
- Embed a commitment to the Risk Management Framework.
- Document accountability for the management and reporting of risks.
- Support a consistent risk management practice aligned to the Standard.

The focus for risk management maturity includes:
- Increasing the competency levels of staff in the management of risk.
- Developing a culture where risk assessment and management is a part of everyday practice.
- Providing accessible resources and information to staff.
- Continuing to embed risk management through the integration of techniques and processes within current systems and practices.
- Financing the recurrent insurable risk in the most efficient way.
- Improving the scope and type of management information available for the monitoring and review of risks.
- Training for staff.
- Management review and reporting.

An integrated Risk Management Framework has evolved and is built around six key elements. These elements are summarised in Section 1.7.
1.7 Risk Management Integrated Design

Building an integrated and effective Risk Management Framework takes commitment and resources. Our Framework is built around the elements identified as risk: culture, governance and accountability, resources and planning, process, assurance and interagency. A brief description of the six elements is outlined below:

(a) Risk Culture: Risk culture is a sub-set of the organisation’s culture. The risk management behaviour of the people within Council can be described as ‘the way things are done’.
(b) Risk Governance and Accountability: Governance and accountability is the approach taken for making decisions about risk and for developing, supporting and embedding the risk framework.
(c) Risk Management Resources and Planning: Resources are the allocation of human and financial resources to oversee risk and planning. Planning is the thinking and organising of activities that are required to implement an integrated Risk Management Framework.
(d) Risk Management Process: Refers to the process around managing all risks, including strategic, operational and emerging risks. This involves identifying, assessing and monitoring risks through Riskware, our software system.
(e) Risk Assurance: Risk assurance is making sure the internal controls are adequately supporting the management of risk and compliance with regulations.
(f) Interagency Risk Management: These are the risks which apply to Council and can affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council’s organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies.
Section Two: Risk Management Framework Key Elements

The purpose of this section of the Risk Management Framework is to provide an overview of the Framework’s six key elements and how they apply to Council.

2.1 Risk Culture

Our organisational culture is the behaviours, values and beliefs that are shared by the people within the organisation. Risk culture is fundamental to supporting governance, stakeholder confidence, trust and compliance with relevant legal and regulatory requirements, improving the control environment, operational effectiveness and efficiency, and the identification of opportunities and threats. Risk is implied within legislation, governance, service delivery, policy, planning, priority setting and risk criteria tools. The management of risk is the responsibility of all staff and this requirement is included in all position descriptions. Engagement surveys can be conducted which will inform us about our culture. Key risk performance indicators are measures which support our transparent approach to maturing risk management. The risk management performance indicators which we are working towards are provided as Attachment 1.

2.2 Risk Governance and Accountability

Our risk management accountability framework is aligned to our existing accountability requirements and summarised in Table 1.

Table 1: Risk Management Accountability Structure

Role: Council
Council’s responsibilities are to:
- Adopt a Risk Management Policy that complies with the requirements of AS/NZS ISO 31000:2009 and review and amend the Policy in a timely manner and/or as required.
- Adopt the Risk Management Framework for the Council.
- Be satisfied that risks are identified, managed and controlled appropriately to achieve Council’s Strategic Objectives.
- Appoint and resource the Audit Committee.
- Provide adequate budgetary provision for the financing of risk management, including approved risk mitigation activities.
- Review Council’s risk appetite.

Role: Chief Executive Officer
- The Chief Executive Officer is accountable for the implementation and maintenance of risk management policies and processes across the organisation.
- The CEO is responsible for ensuring that strategic risks are regularly reviewed.
- The Chief Executive Officer is responsible for raising awareness and leading the culture of managing risk responsibly across the organisation.

Role: Executive Leadership Team (ELT)
- Promote and champion a strong risk management culture by linking and embedding risk management, and maintaining organisational risk focus across Council.
- Manage and monitor the strategic risks.
- Ensure that an effective risk control environment is implemented and maintained.
- Ensure that risks are considered and integrated into corporate and business planning processes.
- Participate in the review and updating of the organisation’s strategic risk profiles.
- Ensure that accountabilities for managing risks are clearly defined.

Role: Managers
- Managers are accountable for implementing the risk management practices in their area of responsibility. This includes ensuring that risks are identified, managed, reviewed and updated regularly.
- Ensure that assets and operations, together with liability risk to the community, are adequately protected through treatment plans and measures.
- Provide risk management related information as requested by their Directorate.
- Managers are responsible for raising awareness and leading the culture of managing risk responsibly across the organisation by ensuring that risk management policies, procedures, standards, guidelines and risk management treatment plans are implemented in everyday business practice.
- Advise of any risk management matter that should be included in forthcoming budgets.

Role: Team Leaders and Coordinators
- Team Leaders and Coordinators are responsible for raising awareness and leading the culture of managing risk responsibly across the organisation by assisting with the implementation of risk management policies, procedures, standards, guidelines and risk treatment plans.

Role: Internal Auditor
- The internal auditor reviews operational and strategic risks annually as part of the development of the Three Year Strategic Internal Audit Plan. The Risk Management Framework directs the focus of audit resources to ensure higher level risks are reviewed.
- Risk controls and treatment plans are considered as part of each internal audit review.
- The Internal Auditor liaises with the Risk Management Team to share information and knowledge.

Role: Risk Management Team
- The Risk Management Team is responsible for overseeing the development, facilitation and implementation of a risk management culture and framework, including training and awareness across the organisation.
- They also provide advice to the organisation and are responsible for strategic overview.

Role: All staff
All staff are responsible for applying risk management practices in their business activities. This involves:
- Systematically identifying, analysing, evaluating and treating risks.
- Maintaining awareness of current and potential risks that relate to areas of responsibility.
- Regularly reviewing and monitoring risk management practices and treatments.
- Undertaking risk management reporting appropriately.
- Advising Managers of any risk issues believed to require attention, such as property exposures for potential loss or damage and community risk.

Role: Business Enterprise Risk Committee (BERC)
The purpose of the BERC is to monitor Council’s approach to risk management as outlined in the scope and to provide advice and recommendations to the Executive Leadership Team.
Scope:
- To oversee the strategic direction of the Risk Management Framework in relation to non-OH&S-related risk management issues.
- Make recommendations in relation to risk policies and procedures.
- To review recommendations of JMAPP reports and MAV risk reviews/audits and identify appropriate actions.
- To monitor performance in the completion of new risk control plans and review of existing risk control plans.
- To monitor strategies for reducing risk in identified areas.
- To monitor and ensure the accuracy of the strategic risk register.
- Monitor and report to ELT regarding the implementation of the Risk Management Framework.
- Monitor Council’s insurance portfolio and identify any potential exposures.
- Provide advice to management on the resolution of the organisation's high risk issues as identified.
- Assist in the resolution of issues referred to the Committee for consideration.
- Monitor Business Continuity Planning programs across Council.

Role: Audit Committee
On behalf of Council, the purpose of the Audit Committee is to oversee that Council carries out its responsibilities for accountable financial management, good corporate governance, fostering an ethical environment and maintaining a system of internal control and risk management. They have been constituted to monitor and report on the systems and activities of Council in ensuring:
- Reliable financial reporting and management information.
- High standards of corporate governance.
- Appropriate application of accounting policies.
- Compliance with applicable laws and regulations.
- Effective monitoring and control of all identified risks.
- Effective and efficient internal and external audit functions.
- Measures to provide early warning of any issues affecting the organisation's financial well-being.
- The level and effectiveness of appropriate Crisis Management, Business Continuity and Disaster Recovery planning.
- Maintenance and fostering of an ethical environment.
2.3 Risk Management Resources and Planning

Risk management resources and planning are embedded within existing processes and operate on a number of levels. A summary of our integrated approach to resources and planning is outlined below:

- Responsibility for risk management is outlined in our Risk Management Accountability Structure (refer to Table 1).
- Risk management resources are embedded within all Departments across all functions.
- Leadership for specialist related risk areas is overseen by Departmental Managers. For example:
  o responsibility for overseeing business continuity management, insurance, the fraud control plan, procurement, and internal audit resides with Commercial and Property Services;
  o responsibility for overseeing business planning and finance accounting systems resides with Finance and Corporate Planning;
  o responsibility for overseeing the Occupational Health and Safety program resides with People, Culture and Development;
  o responsibility for overseeing risk matters relating to stakeholder engagement programs resides with Communications and Engagement;
  o responsibility for overseeing the Code of Conduct resides with Governance;
  o responsibility for overseeing climate adaptation risks resides with Environment and Sustainable Living;
  o responsibility for Emergency Management procedures resides with Infrastructure Services and Health, Aged and Disability Services (HAADS);
  o responsibility for major project risks resides with Projects and Strategy; and
  o responsibility for IT disaster recovery risks resides with Information Technology.
- Our approach to enterprise risk management is aligned to our strategic and business planning frameworks. Strategic risks are overseen by BERC and operational risks are identified and monitored as part of our annual business planning cycle.
- Our risk register is enabled by a licensed enterprise risk information system (Riskware).
- Our maturity and performance can be measured against our integrated risk management performance indicators.
- Our continual improvement program is outlined in the risk management action plan. The risk management action plan requirements are reviewed annually. The risk management action plan is provided as Attachment 3.

2.4 Risk Management Process

Risk is the effect of uncertainty on objectives. The risk management process takes into account risk from a number of perspectives: strategic, operational and emerging.

Strategic risk

Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan. Strategic risks should be few in number; they are the critical risks for the organisation and are considered in the same time horizon as the Council Plan. The Council Plan 2013-17 describes the vision and strategic objectives of the elected Council based on the following key themes:
- Strong and engaged communities;
- Sustainable environment;
- Enhanced amenity;
- Quality facilities and assets; and
- Responsible management.

The strategic risks are reviewed annually by BERC and ELT. A summary of the strategic risks is provided as Attachment 3.

Operational risk

Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community. These risks are linked to the strategic risk profile. The Annual Plan details the actions that will be undertaken in support of the Council Plan objectives; it details how the strategic objectives will be delivered. Each Department is required to undertake a risk assessment in accordance with this Framework to determine the risks in meeting its delegated statutory obligations and stated objectives. This process is incorporated into the business planning process.
Emerging risk

Emerging risks are newly developing or changing risks and are therefore, by their nature, difficult to identify and evaluate. Characteristics of emerging risks commonly include a high level of uncertainty, a lack of consensus, difficulty in communicating them, difficulty in assigning ownership, and the fact that they are often systemic or business practice issues. The BERC has a standing agenda item to review emerging risks as part of its quarterly meeting cycle. As required, emerging risks will be escalated to ELT for discussion.

2.5 Risk Assurance

The risk management validation and assurance program operates on a number of levels, from management reviews to internal and external reviews.

Management reviews: These reviews are initiated by management to inform and to provide advice to management about the organisation.

Audit services: The internal audit program is overseen by the Commercial & Property Services Department. The internal audit plan is developed with consideration to the strategic and operational business risk profile. The internal audit program is designed as a rolling three year plan based on risk, against which Internal Audit is to prepare audit reports for the Audit Committee's consideration. These audit reports are also to include, where applicable, management responses, accountabilities and timelines for corrective actions. This plan shall detail the nature and timing of reports to be presented to the Audit Committee and to Council, and will reflect the priorities and functions of the Audit Committee as detailed in their Charter.

External reviews: These reviews are conducted by an agency external to Council. Typically the agencies which currently conduct independent reviews are the Victorian Auditor-General’s Office and Ombudsman Victoria. A brief overview of the role of their offices is provided below.
Victorian Auditor-General’s Office: The Auditor-General is an independent officer of the Victorian Parliament, appointed under legislation to examine, on behalf of Parliament and the Victorian taxpayers, the management of resources within the public sector. The independence of the Auditor-General is enshrined in Victoria’s Constitution Act 1975. This aims to ensure that findings that arise from financial statement and performance audits are communicated to Parliament. The Audit Act 1994 is the main legislation governing the powers and functions of the Auditor-General. The Council is subject to financial and performance audit reviews. The Commercial & Property Services Department is the conduit between Council and the Victorian Auditor-General’s Office.

Ombudsman Victoria reviews: The Ombudsman is an officer of the Victorian Parliament and has the power to investigate decisions, actions and conduct of Victorian government departments and statutory bodies and employees of local government (councils). The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff.

Cultural Survey: People, Culture and Development conduct biennial whole-of-staff engagement surveys that will be utilised to measure and test staff’s perception of Council’s risk management culture. The results are reported to the Executive Leadership Team and, where appropriate, incorporated into an action plan.

Attestation requirements: A risk attestation process has been established requiring Managers and Directors to attest that critical risks are reviewed annually and internal control systems are robust. The risk attestation process is consistent with that of State Government and public companies.
The Directors and Managers attest to the CEO that their risk management approach is aligned to the Risk Management Framework and that an internal control system is in place which enables Managers and Directors to understand, manage and satisfactorily control risk exposures. The risk attestation statement is provided as Attachment 4.

2.6 Interagency Risk Management
Interagency risks are risks which apply to Council and can also affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council's organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies. Where interagency risks have been identified, there are appropriate consultation and communication channels to the relevant agencies.

Section Three: Key Guidelines and Risk Tools
The process of risk management involves risk identification, risk analysis, evaluation of risk treatment options and implementation of the appropriate treatment options. There are a number of steps within this process. The basic risk management process methodology follows the AS/NZS ISO 31000:2009 risk management approach, as shown in the diagram below.

A key output from the risk management process is the risk assessment. The risk management process must incorporate a defined methodology for completing a risk assessment. The table below outlines the risk process.

[Diagram: AS/NZS ISO 31000:2009 risk management process]
Communication and Consultation (applies throughout all steps)
Step 1: Establish the Context: organisation's objectives; set scope for risk criteria
Step 2: Identify Risks: what can happen? When and where? How and why?
Step 3: Analyse Risks: identify existing controls; determine level of risk
Step 4: Evaluate Risks: compare against criteria; set priorities
Step 5: Treat Risks: identify options; assess options; develop treatment plans; assess the cost implications
Step 6: Monitor and Review (applies throughout all steps): inspections, reports, evaluations; audit

3.1 Training and Education
Risk management training and awareness is recognised as an important requirement for all staff, and a training schedule has been developed. The sessions are designed to increase the knowledge and awareness of staff and management in a number of risk management topics, including general risk management, liability, fraud awareness, environment, events and business continuity. In addition to formal training, the Risk Management Team acts as specialist advisors to staff. This includes help with identifying and assessing risk exposures and with the steps in developing, implementing and monitoring sustainable control measures.

3.2 Monitor, Review and Improvement
A continual process of monitoring, review and improvement of all components of the Risk Management Framework is required to ensure an effective and up-to-date Framework. Monitoring the Framework involves inspections, reports, self-assessments or audits to assess whether the objectives of the Framework components are being achieved. Reviewing the Framework involves assessing whether the various components of the Framework still match the risk profile. This assessment may involve the review of policies, strategies and processes.

3.3 Risk Review and Register
Risks are identified and mitigated at all levels of the organisation using a top-down and bottom-up assessment process. The Risk Register is a database that allows Managers and Directors to register and monitor risks associated with business operations. Coordinators and Team Leaders have delegated responsibility to review and monitor risks as determined by their Manager.
These risks may be linked to various plans, projects, council works or events. Risks must be reviewed regularly according to their risk rating. Review dates need to be realistic and linked to those accountable for the risk. The review schedule by level of risk is:

Level of risk   Review frequency
Low             Yearly
Moderate        Half-yearly
High            Quarterly
Extreme         Monthly

3.4 Risk Appetite
Risk appetite refers to the risk exposures that are, or are not, tolerated. The consequence table and risk matrix below determine how a risk is rated; the rating then determines the tolerance level of that risk, which is referred to as risk appetite. The table below outlines the risk tolerance level for each rating, together with the escalation and reporting expectations.

Extreme: Needs active management. A risk treatment plan must be established and implemented.
High: Needs regular monitoring. A treatment process should be adopted, primarily focused on paying close attention to the maintenance of excellent/good controls.
Moderate: Needs periodic monitoring. A treatment process should be adopted, primarily focused on monitoring risks in conjunction with a review of existing control procedures.
Low: No major concerns. Significant management effort should not be directed towards risks in this section of the risk matrix.

The residual rating for a particular risk is based on its potential impact and the likelihood of the risk event, given the quality of the control process designed to reduce that likelihood and impact.
Risk matrix (likelihood down the side, consequence across the top)

Likelihood       Negligible   Minor      Moderate   Major      Catastrophic
Almost Certain   Moderate     High       High       Extreme    Extreme
Likely           Moderate     Moderate   High       High       Extreme
Possible         Low          Moderate   High       High       High
Unlikely         Low          Low        Moderate   Moderate   High
Rare             Low          Low        Moderate   Moderate   High

After the risk rating has been determined, the business area must assess what treatment, if any, will be applied to the risk. Each treatment plan must be assessed to determine whether the cost of implementing the plan outweighs the benefit derived. There will, however, be situations where for legal or social reasons cost is not a factor in the treatment plan; this will usually be the case where there is a rare or severe risk.

3.5 Risk Likelihood Ratings
Some events happen once in a lifetime; others can happen almost every day. Analysing risks requires an assessment of the frequency of occurrence. The following table provides the broad descriptions used to support likelihood ratings. The occurrence should initially be considered without reference to known management or mitigating practices.

Likelihood rating definition table (source: AS/NZS ISO 31000:2009)

Rating           Definition                                                                                  Anticipated frequency
Almost Certain   Event is expected to occur in most circumstances; event is imminent for a specific item.   In the order of 100 times a year
Likely           Event will probably occur in most circumstances.                                            In the order of 10 times a year
Possible         Event might occur at some time.                                                             Annually
Unlikely         Event could occur at some time.                                                             Once in every 10 years
Rare             Event may occur only in exceptional circumstances.                                          Once in 100 years

3.6 Consequence Rating
Consequences can be described in a number of ways and inform an organisation's risk appetite. Each consequence can be rated in terms of its severity, from insignificant (labelled negligible in the risk matrix) to catastrophic. The following table provides descriptions for each level of consequence.
Consequence definition table

CATASTROPHIC
  Injury (staff or public): Death/s.
  Financial loss: Significant financial loss (e.g. > $5 million).
  Environmental impact: Toxic release off site with long-term effects; substantial / long-term damage to flora/fauna, soil/water.
  Reputation: Very high customer sensitivity and irreparable damage to Council's name; national/international media coverage.
  Legislation & regulations: Total failure to meet relevant legislation and regulations, leading to dismissal of Council.
  Strategic: Selection of a strategic direction that negatively impacts on the future of Council.

MAJOR
  Injury (staff or public): Serious injury to one or more persons resulting in a permanent disability.
  Financial loss: Major financial loss (e.g. > $1 million to $5 million).
  Environmental impact: Off-site release with no long-term effects; limited damage to flora/fauna, soil/water.
  Reputation: Significant customer sensitivity and damage to Council's name; statewide media coverage.
  Legislation & regulations: Failure to meet relevant legislation and regulations, resulting in material fines, penalties and restrictions on Council operations due to regulatory non-compliance; senior employees charged for breaches/fraud.
  Strategic: Selection of a strategic direction which requires significant resources, both monitoring and time, to correct, impacting a part of Council.

MODERATE
  Injury (staff or public): Injury requiring hospitalisation of one or more persons.
  Financial loss: High financial loss (e.g. > $50,000 to $1 million).
  Environmental impact: On-site release contained with outside assistance; no damage to flora/fauna and short-term effects on soil, water and air.
  Reputation: Moderate customer sensitivity and damage to Council's name, impacting noticeably on business activities; significant local community coverage.
  Legislation & regulations: Activity does not meet all of the requirements of relevant Australian Standards, exposing Council to possible litigation risks.
  Strategic: Selection of a strategic direction which impacts on smaller parts of Council and will require considerable resources to correct.

MINOR
  Injury (staff or public): Minor injury requiring first aid only.
  Financial loss: Medium financial loss (e.g. > $10,000 to $50,000).
  Environmental impact: On-site release contained immediately.
  Reputation: Minimal customer sensitivity and damage to Council's name; limited local community coverage.
  Legislation & regulations: Activity does not follow relevant established industry / Victorian / Australian guidelines.
  Strategic: Minimal impact on strategic / operational objectives.

INSIGNIFICANT
  Injury (staff or public): Injury requiring no medical treatment.
  Financial loss: Low financial loss (e.g. < $10,000).
  Environmental impact: Minor leak, non-contaminating.
  Reputation: No impact on the reputation of Council; no media coverage.
  Legislation & regulations: No regulatory impact.
  Strategic: Consequences are dealt with by routine operations.

3.8 Calculate Risk Ratings
Risk rating process
The process for calculating a risk rating is:
1. Identify the appropriate consequence rating (refer to the Consequence Definition Table).
2. Identify the appropriate likelihood rating (refer to the Likelihood Definition Table).
3. Ascertain the risk rating by cross-referencing the consequence and likelihood ratings (refer to the Risk Matrix).

The table below sets out the definition and outcomes for each risk rating. These outcomes are to be considered when developing risk control plans.

Risk rating outcomes table
EXTREME (E): Extreme risk is unacceptable. Comprehensive consideration by ELT is required to ensure that the remaining risk is consistent with corporate objectives and risk appetite. If it is not, detailed research and planning is required to mitigate the risk.
HIGH (H): Attention is required to assess the acceptability of the remaining risk or the required mitigation measures. Management need to ensure that the necessary mitigation actions are carried out and that the risk does not increase, by actively monitoring any changes to the control environment, consequence and likelihood.
MODERATE (M): Management/team leaders to ensure that the control environment, consequence and likelihood do not substantially change. Consider the implementation of any additional cost-effective controls.
LOW (L): Manage by routine procedures and be mindful of changes to the nature of the risk. Consider the implementation of any cost-effective internal controls.

3.9 Risk Reporting
There is a structured approach to risk reporting. The matrices below detail which information is reported throughout the organisation, together with the reporting frequency. The Risk Management Team is responsible for reporting to senior management on all risks that are due for review and on current risk trends. Managers and Directors are responsible for reporting on risks that are due for review within each quarter. Reporting is on a rotational basis, dependent on the risk rating review schedule in the table at 3.3.

Risk Management Team: summary of risk information reported to each audience

Risk information                                  Audit Committee   Executive Group   Director      Department Manager
Strategic risks                                   Yearly            Quarterly         Quarterly     Quarterly (dependent on risk rating)
Operational risks (only extreme risks reported)   Yearly            Half-yearly       Quarterly     Quarterly
Risk trends                                       Yearly            Half-yearly       Half-yearly   Quarterly

Managers and Directors: summary of risk information reported to each audience

Risk information                                  Audit Committee   Executive Group   Director
Strategic risks                                   Yearly            Quarterly         Quarterly
Operational risks (only extreme risks reported)   Yearly            Half-yearly       Quarterly

A summary of the risk reporting parameters:
Strategic risks: all strategic risks, as required by their risk ratings in the risk register, and specifically the risk control/treatment plans for each of these risks. Status updates on the implementation of risk control/treatment plans provide important information on the implementation of risk mitigation strategies.
Operational risks: the extreme risks, as per the residual risk ratings in the risk register.
Risk owners will provide treatment plans for the mitigation of these risks.
Risk trends: trend analysis to assist in identifying emerging risks and risks of increasing frequency, which may be indicative of systematic flaws in risk control strategies.

Date approved:
Accountable officer: Chris Hurley, Manager Commercial and Property Services
Responsible officer: Sasha Allan, Team Leader Risk Management
Endorsed by: Marilyn Kearney, Director Corporate Services
Approved by: Chief Executive Officer
Next review: May 2018

Attachments
Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators
Attachment 2: Risk Management Framework Action Plan 2014-16
Attachment 3: Strategic Risks
Attachment 4: Risk Attestation Wording Template

Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators
Over the next three years, the City of Boroondara is working towards maturing its Enterprise Risk Management Framework to a risk maturity level of "integrated". Note: in the original table, bolded descriptions indicate that Council has established measurements.

Integrated: City of Boroondara risk maturity performance indicators, by element

Culture
- Management are committed to risk management.
- Employees' contributions to risk management are valued.
- Practices and values are linked to risk management.

Governance & Accountability
- Risk governance is aligned to the organisation's governance and accountability framework.
- There is an endorsed risk management policy accessible to all staff.
- ELT and the Audit Advisory Committee regularly receive, consider and discuss risk management reports.
- There is a robust process for ensuring legal and regulatory compliance requirements are met.
- Roles and responsibilities for risk management are clearly defined at all levels of the organisation.

Resources & Planning
- There are the human resources to support the risk management system and processes.
- Tools and templates are used to support risk management processes and assessments.
- The external and internal context to be considered by staff is clearly defined.

Process
- There are processes to ensure communication and consultation with internal and external stakeholder groups takes place during each activity of the risk management process.
- Risk appetite and tolerances have been agreed and are clearly understood.
- Risk rating criteria are clearly defined, risks are consistently documented, and the effectiveness of existing controls is used to determine the estimated level of risk.
- Risks are consistently identified by staff with the required knowledge and skills, using an agreed risk register format.
- There is a process in place to respond to incidents, near misses, hazards and complaints.
- Risks are assessed to determine tolerability and priorities for risk treatment.
- Treatment plans are prepared, implemented and monitored.

Assurance
- The internal validation and assurance activities are aligned to the risk profile.
- There is a process to support risk management attestation.

Inter-Agency
- There is a process in place to manage inter-organisational and interagency risks.

Integrated Risk Management Framework: sample measurements

Culture
- Risk management included in job descriptions.
- Risk management is linked to values and the Code of Conduct.
- Risk management is included in recognition and reward programs.
- All staff are aware of the organisation's approach to risk management, and the risk management format has been documented.

Governance & Accountability
- RMF documented, approved and accessible to staff.
- Risk reports distributed and reviewed.
- Evidence exists to support attestation.
- Organisation-wide approach to the legal and regulatory compliance framework documented and accessible to staff.
- Risk roles and responsibilities documented.
- Risk meeting agendas and minutes recorded and maintained.

Resources & Planning
- Organisation-wide risk policy.
- Risk management guidelines.
- Risk management capabilities and training provided.
- Risk management skills gap addressed.
- Organisation-wide risk appetite and tolerance documented, approved and available to all staff.
- Organisation-wide risk tools and templates are used.
- Organisation-wide risk management plans documented, approved and accessible to all staff.
- Documented evidence that risk management forms part of the strategic and operational objectives and specifically takes into account risks which may impact the organisation.

Process
- Defined risk criteria are available and consistently applied.
- Risk information system available and accessible to nominated staff.
- User software training made available to nominated staff.
- The risk methodology is endorsed and available to all staff.
- Risks have been linked to agreed categories which have been documented and reviewed.
- System in place for near misses.
- Risk escalation process established, clear and complied with.

Assurance
- There is a clear, documented link between the validation and assurance program and the risk profile.
- The validation and assurance program incorporates data analytics such as dashboard reporting and measurements against targets.
- Assurance mapping.
- Attestation plan documented and approved.

Inter-Agency
- Relationships have been developed and are understood, to identify and manage inter-organisational and interagency risks that impact the organisation.
- An approach to the evaluation and treatment of interagency risk is documented in the risk management policy, plan and/or framework.
Attachment 2: Risk Management Framework Action Plan 2014-16
City of Boroondara Risk Management Framework Action Plan 2014-2016

A - Culture
A-1: Develop a structure which more formally engages staff through discussion forums and creates opportunities for staff to share information about risk management practice.
  Measure: Risk management incorporated into business planning cycle. Timeline: December 2014.
A-2: The second stage will begin in March 2015, when follow-up department team meetings will be held to discuss the outcomes of the business planning day and to further discuss risk.
  Measure: Operational risks are linked to business planning objectives. Timeline: March 2015.
A-3: Run face-to-face sessions across departments and in work teams to provide staff with an opportunity to explore a number of ways to articulate risk. Risk will be considered as the effect of uncertainty on objectives.
  Measure: Number of sessions run; agendas from department meetings noting risk discussions. Timeline: March 2015.
A-4: Develop risk appetite statements after the strategic risk profile has been revised and endorsed.
  Measure: Risk appetite statement developed and endorsed by ELT. Timeline: May 2015.

B - Governance and Accountability
B-1: A BERC meeting schedule will be developed to ensure meetings occur frequently. This will include a program of work which identifies clear purposes and required outcomes for each meeting.
  Measure: Operational risks are linked to business planning objectives. Timeline: February 2015, ongoing.
B-2: Incorporate the risk register governance requirements into the Risk Management Framework, together with a risk management action plan, and clearly outline the risk management focus for the next 12-24 months.
  Measure: Risk Management Framework Action Plan developed and monitored. Timeline: May 2015.
B-3: Strengthen the alignment of the Framework with AS/NZS ISO 31000:2009 by including: the application of the risk management principles; a risk maturity statement; risk appetite statements; a risk tolerance statement; and the incorporation of emerging risk and project risk management into the risk process model, in addition to strategic and operational risk.
  Measure: RMF and Action Plan revised and updated. Timeline: December 2015.
B-4: Develop the risk management action plan and incorporate it into the Framework.
  Measure: The Risk Framework Action Plan developed and reviewed annually. Timeline: February 2015.
B-5: Identify and map all departments' specialised risk management functions to determine how they are linked, and incorporate their risk assessment tools into the Framework (for example, business continuity, emergency management, crisis management, project management, contract management, insurance, IT disaster recovery, stakeholder management, fraud control, climate adaptation, OH&S, compliance and event management).
  Measure: Descriptions of specialist functions incorporated into the Risk Management Framework. Timeline: May 2015.
B-6: Map the risk register to workflow.
  Measure: Risk register is configured and mapped to workflow. Timeline: March 2015.

C - Resources and Planning
C-1: Finalise and implement the e-learning risk management module.
  Measure: Risk management module incorporated into Council's induction program. Timeline: June 2015.
C-2: Incorporate operational risk identification and assessment into the annual planning process, with operational risks explicitly linked to business objectives.
  Measure: Department operational risk profile incorporated into business planning process. Timeline: December 2014.
C-3: Finalise the process for reviewing the strategic risk profile and incorporate the risk review process into the RMF.
  Measure: Strategic risk profile revised and endorsed. Timeline: December 2014.
C-4: Identify the risk register user group and provide training to users.
  Measure: Risk register user group identified and trained. Timeline: December 2014.

D - Process
D-1: Change the risk rating on the risk management information system from residual risk rating to target risk rating.
  Measure: Risk and target risk requirements incorporated into the risk assessment guidelines. Timeline: March 2015.
D-2: Further develop the risk treatment plans to include: the reasons for selection of the treatment options; the expected benefits to be gained; those accountable for approving the plan; those responsible for implementing the plan; the proposed actions; resource requirements, including contingencies; performance measures and contingencies; reporting and monitoring requirements; and timing and schedules.
  Measure: Treatment plans incorporated into the risk register on Risk Ware. Timeline: November 2014, revised to June 2015.
D-3: Review and strengthen the consequence ratings so that impact can be measured.
  Measure: Consequence rating tables reviewed. Timeline: November 2014.

E - Assurance
E-1: Develop a quality assurance review schedule so that operational risk registers are periodically reviewed on a rolling basis. To drive performance, the focus of this review should be endorsed annually by BERC.
  Measure: Periodic reviews of departments' operational risk registers undertaken and reported. Timeline: March 2015.
E-2: Council should consider introducing a risk attestation process requiring directors and managers to attest that they are focused on, or are currently managing, the critical risks listed on the department risk register.
  Measure: Annual risk attestation process developed. Timeline: November 2014.

F - Interagency
F-1: Department operational risk profile incorporated into business planning process.
  Measure: Interagency risk management approach developed, endorsed and adopted. Timeline: June 2016.
Attachment 3: Strategic Risks
City of Boroondara - Strategic Risks

1. Adverse impact of legislative and/or policy change on Council's capacity to comply or deliver services. Control rating: Fair; Likelihood: Likely; Consequence: Major; Risk rating: High; Risk owner: CEO.
2. Inadequate management of built assets to meet desired service levels. Control rating: Good; Likelihood: Possible; Consequence: Major; Risk rating: High; Risk owner: DEI.
3. Breakdown of relationships between Councillors and the organisation. Control rating: Good; Likelihood: Possible; Consequence: Major; Risk rating: High; Risk owner: CEO.
4. Failure to maintain and protect the amenity and liveability of the natural environment. Control rating: Good; Likelihood: Possible; Consequence: Major; Risk rating: High; Risk owner: DEI.
5. Failure to protect the amenity and liveability of the built environment. Control rating: Good; Likelihood: Possible; Consequence: Major; Risk rating: High; Risk owner: DCP.
6. Failure to plan, deliver and facilitate Council services that meet the social needs of the community. Control rating: Good; Likelihood: Possible; Consequence: Major; Risk rating: High; Risk owner: DCD.
7. Failure to identify, plan and respond to impacts of climate change on Council in relation to flooding, storm and heat. Control rating: Fair; Likelihood: Possible; Consequence: Moderate; Risk rating: High; Risk owner: DEI.
8. Inability to recruit and retain a workforce to deliver appropriate and innovative services. Control rating: Good; Likelihood: Possible; Consequence: Minor; Risk rating: Moderate; Risk owner: Manager PCD.
9. Failure of information technology systems performance and security. Control rating: Good; Likelihood: Possible; Consequence: Minor; Risk rating: Moderate; Risk owner: Manager IT.
10. Failure to maintain financial sustainability. Control rating: Excellent; Likelihood: Unlikely; Consequence: Major; Risk rating: Moderate; Risk owner: CFO.
11. Failure to maintain a safe work environment. Control rating: Good; Likelihood: Unlikely; Consequence: Major; Risk rating: Moderate; Risk owner: DCS.
12. Failure of Council to adequately advocate and lead on issues reducing community wellbeing, as identified in Council-adopted policies and strategies. Control rating: Good; Likelihood: Unlikely; Consequence: Moderate; Risk rating: Moderate; Risk owner: EMCE.
13. Failure to maintain an effective organisational culture. Control rating: Excellent; Likelihood: Unlikely; Consequence: Moderate; Risk rating: Moderate; Risk owner: DCS.
14. Failure to plan for future technology needs for interaction with the community. Control rating: Good; Likelihood: Unlikely; Consequence: Moderate; Risk rating: Moderate; Risk owner: Innovation Leader.

Attachment 4: Risk Attestation Wording Template

Manager to Director
I, [Accountable Officer], certify that the [name of department] has risk management processes in place consistent with Council's adopted Risk Management Framework 2015, and that an internal control system is in place which enables the executive to understand, manage and satisfactorily control critical risk exposures and which has been critically reviewed within the last 12 months.

Director to CEO
I, [Accountable Officer], certify that my Managers have attested that risk management processes are in place which are consistent with Council's adopted Risk Management Framework 2015, and that an internal control system enables the executive to understand, manage and satisfactorily control critical risk exposures and has been critically reviewed within the last 12 months.