Chapter 5, Part 1, Section 164(1) (a) and (b) of the Local Government Regulation 2012 require a local government must keep a written record stating the following:
- The risks the local government’s operations are exposed to, to the extent they are relevant to financial management;
- The control measures adopted to manage the risks.
In compliance with legislation, Council adopted a Corporate Risk Management Policy at its General Meeting on 16 September 2020 and establishment of the Corporate Risk and Audit Advisory Committee.
Importance of Risk Management
Corporate Risk Management emerges from Council’s intent to effectively and efficiently manage risks that may have an impact on the achievement of strategic priorities, operational goals and project objectives as defined in the Corporate and Operational Plans.
Effective corporate risk management will:
- Contribute to the achievement of strategic priorities as specified in Council’s Corporate Plan;
- Facilitate open and transparent communication and consultation between Council Representatives in defining aspects related to the identification, analysis, evaluation and treatment of strategic and operational risks to which Council is exposed;
- Enhance corporate governance by promoting a structured and systematic approach to Council’s corporate risk processes;
- Promote a proactive and dynamic perspective in identifying, handling and monitoring emerging new risks; and
- Facilitate continual improvement of the organisation.
Corporate Risk and Internal Audit Framework
The Corporate Risk and Internal Audit Framework provides a disciplined and structured process that integrates corporate risk management and audit activities. This process ensures the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing corporate risk.
Risk Management Process
The AS/NZS 31000:2018 Risk Management Guidelines is to be applied to all activities to ensure that corporate risks associated with Council’s strategic and operational objectives are identified and effectively integrated into all aspects of Council’s functions and operations.
Communication and Consultation
Throughout the process for managing corporate risk, communication and consultation with relevant stakeholders will take place. A consultative approach can help to appropriately establish the context, ensure the adequate identification of corporate risks, bring together expertise required for analysing and evaluating corporate risks and secure endorsement / support for treatment.
Establish the context
Establishing the context involves the articulation of Council’s external and internal environment. It also consists of the determination of the risk appetite.
Potential risks that need to be managed are identified. The sources of risk, areas of impact, events and change in circumstances, their causes and potential consequences are to be identified for the purpose of generating a comprehensive list of risks that may have a major influence in the creation of opportunities or prevent the achievement of Council’s strategic priorities, operational goals and objectives. Current and relevant information is essential in identifying risks.
Risk is analysed by determining the positive and negative consequences and the likelihood of causes and sources of risk. By combining the evaluation of likelihood and consequences, a level of risk is ascertained. The effectiveness and efficiency of existing controls to mitigate the risk are also taken into consideration.
Risk evaluation entails ascertaining the acceptability of the risk. The evaluation helps in deciding whether the risks are acceptable or not. Risks that are not acceptable will require management action and further risk treatment. Risk evaluation aims to generate a list of prioritised risks that require treatment implementation.
Risk treatment involves choosing one or more alternatives for controlling or managing risks and implementing these alternatives.
Risk Treatment Plan
A treatment plan shall be drawn for the chosen treatment option. The specific action plan, person responsible, financial resources required and target date for completion shall be indicated.
Monitor and review
Monitoring and review of the risk management process is necessary to ensure that controls are effective and efficient, the external and internal context are up to date, the risk criteria and framework are relevant.
Application of Risk Management
Council is committed to embed the risk management process into:
- Organisational culture
- Decision making processes
- Strategic Planning
- Operational Planning
- Projects, Programs and Events
- Business and Financial Processes
Risk assessment will be conducted:
- When major decisions are to be made
- When key strategies are to be developed
- As part of operational planning
- Prior to commencement and at key milestones of important projects and programs
- When existing processes are improved or upgraded
- When new processes are designed or developed