
Council Meeting Agenda 27/07/15

3 Risk Management Framework

Abstract

Council’s Risk Management Framework (‘the Framework’) was adopted by Council in 2012. The Framework provides structure and guidance to Council’s risk management activities and outlines the components that provide the foundations and organisational arrangements for designing, implementing, monitoring and reviewing risk management throughout Council’s operations. In November 2014, an Internal Audit review provided a number of recommendations to review, enhance and update the Framework. Following that report, a consultant was engaged to assist with the review and update of the Framework. The revised Framework (Attachment 1) reflects all recommendations from the November 2014 Internal Audit review and includes amendments to ensure the Framework:

- incorporates governance requirements for the risk register and the role of the Business Enterprise Risk Committee (BERC).
- includes explicit links to Council’s planning processes.
- aligns with AS/NZS 31000:2009 by including the application of the risk management principles, and incorporating emerging risk and project risk.
- includes a risk management action plan.
- maps all departments’ specialised risk management functions to determine how they are linked and to incorporate their risk assessment tools into the Framework.

The proposed revised Framework was reviewed by the Audit Committee at its May 2015 meeting. Some minor enhancements were suggested and the committee supported the presentation of the revised Framework to Council for formal consideration and adoption.

Officers' recommendation

That Council resolve to adopt the revised Risk Management Framework (as annexed to the minutes).

Document information

City of Boroondara Risk Management Framework Page 1 of 39

Responsible director: Marilyn Kearney, Corporate Services

1. Purpose

To seek Council approval of the revised Risk Management Framework document (Attachment 1).

2. Policy implications and relevance to council plan

Council’s 2015-16 Annual Plan contains the Strategic Objectives of providing “financial management processes in accordance with professional standards and legislative requirements” and “we will provide risk management processes in accordance with the relevant Australian Standards and legislative requirements.”

3. Background

Council’s Risk Management Framework was adopted by Council in 2012. In November 2014, an Internal Audit review provided a number of recommendations to review, enhance and update the Framework. Following that report, a consultant was engaged to assist with the review and update of the Framework. The revised Framework (Attachment 1) reflects all recommendations from the November 2014 Internal Audit review.

4. Outline of key issues/options

The November 2014 Internal Audit review recommended that the Framework be reviewed to:

- incorporate governance requirements for the risk register and the role of the Business Enterprise Risk Committee (BERC).
- include explicit links to Council’s planning processes.
- align with AS/NZS 31000:2009 by including the application of the risk management principles, and incorporating emerging risk and project risk.
- include a risk management action plan.
- map all departments’ specialised risk management functions to determine how they are linked and to incorporate their risk assessment tools into the Framework (for example business continuity, emergency management, crisis management, project management, contract management, insurance, IT disaster recovery, stakeholder management, fraud control, climate adaptation, OH&S, compliance and event management).

The revised Framework addresses the recommendations made in the Internal Audit report.

5. Consultation/communication

The proposed revised Framework was reviewed and discussed at the May 2015 Audit Committee meeting. The committee provided a small number of suggestions for improvement to the draft document and was supportive of the document being presented to Council for consideration and adoption.


6. Financial and resource implications

No direct financial or resource implications. Planned initiatives contained within the proposed Framework are funded from departmental operating budgets.

7. Governance issues

Officers involved in the preparation of this report have no conflict of interest. The list of prescribed human rights contained in the Victorian Charter of Human Rights and Responsibilities has been reviewed in accordance with Council's Human Rights Compatibility Assessment Tool and it is considered that the proposed actions contained in this report present no breaches of, or infringements upon, those prescribed rights.

8. Social and environmental issues

No direct impacts arise from consideration of this policy.

9. Conclusion

The revised Framework reflects recommendations made in the November 2014 Internal Audit Report and provides guidance and structure to Council’s risk management practices. The Framework highlights the role played by all Council departments in risk management and reinforces the importance of a risk focussed approach to management of Council’s activities.

Manager: Chris Hurley, Commercial and Property Services
Report officer: Sasha Allan, Team Leader Risk Management


Risk Management Framework 2015 Page 1 of 36

Risk Management Framework

2015

Draft

Responsible Directorate: Corporate Services
Authorised by: Council
Date of adoption: July 2015
Review date: May 2018
Revocation/sunset date: Nil
Policy type: Council


Table of contents

Terminology ............................................................................................................. 5

Section One: Risk Management Framework Overview ....................................... 7

1.1 Introduction ................................................................................................................ 7

1.2 Risk Management Drivers ......................................................................................... 7

1.3 Risk Management Standard ...................................................................................... 9

1.4 Risk Management Principles ..................................................................................... 9

1.5 Risk Management Mandate and Commitment ........................................................... 9

1.6 Risk Management Framework Objectives ............................................................... 10

1.7 Risk Management Integrated Design....................................................................... 11

Section Two: Risk Management Framework Key Elements ............................. 12

2.1 Risk Culture ............................................................................................................. 12

2.2 Risk Governance and Accountability ....................................................................... 12

2.3 Risk Management Resources and Planning ............................................................ 16

2.4 Risk Management Process ...................................................................................... 17

2.5 Risk Assurance ........................................................................................................ 17

2.6 Interagency Risk Management ................................................................................ 18

Section Three: Key Guidelines and Risk Tools.................................................. 18

3.1 Training and Education ............................................................................................ 21

3.2 Monitor, Review and Improvement .......................................................................... 21

3.3 Risk Review and Register ........................................................................................ 21

3.4 Risk Appetite ........................................................................................................... 21

3.5 Risk Likelihood Ratings ........................................................................................... 22

3.6 Consequence Rating ............................................................................................... 24

3.8 Calculate Risk Ratings ............................................................................................. 25

3.9 Risk Reporting ......................................................................................................... 26

Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators.................................................................................................. 28

Attachment 2: Risk Management Framework Action Plan 2014-16 ................................ 28

Attachment 3: Strategic Risks ......................................................................................... 28

Attachment 4: Risk Attestation Wording Template .......................................................... 28


Terminology

Risk management process: definitions

Consequence: The outcome of an event affecting organisational objectives.

Control: The measure that is modifying a risk.

Establishing the context: Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria.

Event: The occurrence or change of a particular set of circumstances.

External context: The external environment in which the organisation seeks to achieve its objectives.

Internal context: The internal environment in which the organisation seeks to achieve its objectives.

Likelihood: The chance of a risk event occurring.

Monitoring: Continual checking, critically observing or determining status in order to identify change from the performance level required or expected.

Operational Risk: Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community.

Residual risk: The risk remaining after risk treatment.

Risk: The effect of uncertainty on objectives. An effect is a deviation from the expected and can be either positive or negative.

Risk analysis: The process to comprehend the nature of risk and to determine the level of risk.

Risk assessment: The overall process of risk identification, risk analysis and risk evaluation.

Risk attitude: The organisation’s approach to assessing and eventually pursuing, retaining, taking or turning away from risk.

Risk criteria: The terms of reference against which the significance of a risk is evaluated.

Risk evaluation: The process of comparing the results of a risk analysis with the risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.

Risk identification: The process of finding, recognising and describing risks.

Risk management: The coordinated activities to direct and control an organisation with requirements to manage risk.


Risk management framework: The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Risk management plan: The scheme within the risk management framework that specifies the approach, the management components and the resources that are to be applied to the management of risk.

Risk management policy: The statement of overall intention and direction of an organisation related to risk management.

Risk management process: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk owner: The person or entity with the accountability and authority to manage a risk.

Risk profile: The description of any set of risks.

Risk source: An element that, either alone or in combination, has the intrinsic potential to give rise to a risk.

Risk treatment: The process to modify risk.

Stakeholder: A person or organisation that can affect, be affected by or perceive themselves to be affected by a decision or activity.

Strategic Risk: Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan.

Reference: ISO 31000:2009 Risk management—Principles and guidelines, pp. 4–7


Section One: Risk Management Framework Overview

1.1 Introduction

This Risk Management Framework aims to support an integrated and effective approach to risk management incorporating and representing the organisation-wide approach to risk management.

This Framework provides guidance on the arrangements for designing, implementing, monitoring and continually improving risk management, and outlines the drivers, principles, objectives and risk process.

The Risk Management Plan is the work plan that is incorporated into the Risk Management Framework and specifies the approach, the risk management components and resources that are to be applied reflecting an integrated risk management approach.

Section 1 provides an outline of the risk management principles and how they apply to the organisation, the drivers of risk management, mandate and commitment, objectives, and summarises the design of the integrated Risk Management Framework.

Section 2 provides an overview and description of the Risk Management Framework features.

Section 3 provides the risk assessment process, guidelines and tools to support enterprise risk management practices and decision making.

This Risk Management Framework has been developed with input and review from the Executive Leadership Team, the Audit Committee and the Business Enterprise Risk Committee, and was adopted by Council.

1.2 Risk Management Drivers

Risk management is integral to good governance and good management. In the Local Government context:

Key legislation drivers include:

- Local Government Act 1989
- Equal Opportunity Act 2010
- Planning and Environment Act 1987
- Public Health and Wellbeing Act 2008
- Occupational Health and Safety Act 2004
- Protected Disclosure Act 2012
- Charter of Human Rights & Responsibilities Act 2006
- Ombudsman Act 1973
- Privacy & Data Protection Act 2014

Key good governance drivers require Council and the administration to work towards:

- Accountability by reporting, explaining and being answerable for the consequences of decisions it has made on behalf of the community it represents.
- Transparency by providing avenues for people to follow and understand the decision making process.
- Following the rule of law by ensuring decisions are consistent with relevant legislation or common law and are within the powers of council.
- Responsiveness by servicing the needs of the entire community while balancing competing interests in a timely, appropriate and responsive manner.
- Equity and inclusion whereby members of the community feel their interests have been considered by Council in the decision-making process.
- Participation whereby community members have the opportunity to participate in the process of decision making.


Key external assurance drivers include:

Auditor-General: The Auditor-General is an independent officer of the Victorian Parliament, appointed to examine the management of resources within the public sector on behalf of Parliament and Victorians. The Victorian Auditor General’s Office audits public entities who receive government funding. There are two types of audits, financial and performance.

(a) Financial: A financial audit provides assurance that the financial statements of an entity present fairly the financial position, cash flows and results of operations for the year, in accordance with relevant financial reporting frameworks and standards.

(b) Performance: A performance audit assesses whether an agency is meeting its aims effectively, using its resources economically and efficiently, and complying with legislation.

Ombudsman Victoria: The Ombudsman is accountable to Parliament, rather than the government of the day, and can only be dismissed by Parliament. The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff. Complaints can be made to the Ombudsman by any member of the public which may need to be investigated or responded to by Council.

Key internal drivers include:

- Values (Integrity, collaboration, accountability, innovation and respect)
- Staff and Councillors Code of Conduct
- Audit Committee
- Internal audit program
- Business Enterprise Risk Committee (BERC)
- Frameworks (staff capability, accountability, planning)
- Standards
- Service delivery

[Figure: City of Boroondara Enterprise Risk Management Framework. Labels: Our regulation, Our mandate, Our people, Our values, Our services, Our structure; Legislation, Governance, Assurance, Frameworks, Standards, Service.]


1.3 Risk Management Standard

The risk management approach is aligned to the AS/NZS 31000:2009 Risk management-Principles and guidelines (the Standard). This practice is driven by a set of principles and is supported by a risk management governance framework and a risk process methodology.

AS/NZ 31000:2009

1.4 Risk Management Principles

The risk management principles which guide our risk management approach have been aligned to the Principles outlined in the Standard. They are:

1. Risk Management creates and protects value by contributing to the achievement of objectives and improving performance.

2. Risk Management is an integral part of organisational processes: it is not a stand-alone activity but is part of all organisational processes.

3. Risk Management is part of decision making by helping decision makers make informed choices and prioritise actions.

4. Risk Management explicitly addresses uncertainty by taking into account the nature of that uncertainty and how it can be addressed.

5. Risk Management is systematic, structured & timely and contributes to efficiency and consistency.

6. Risk Management is based on the best available information.

7. Risk Management is tailored and aligned with the organisation’s external and internal context and risk profile.

8. Risk Management takes human and cultural factors into account by recognising people’s capabilities and perceptions that can facilitate or hinder achievement of the organisation’s objectives.

9. Risk Management is transparent and inclusive and involves stakeholders and decision makers in ensuring risk management remains relevant and up-to-date.

10. Risk Management is dynamic, iterative and responsive to change.

11. Risk Management facilitates continual improvement and enhancement of the organisation by developing and implementing strategies to improve risk maturity.

1.5 Risk Management Mandate and Commitment

Management, employees, volunteers and contractors are all responsible for the successful management of risk. The risk management function resides with the Corporate Services Directorate, Commercial and Property Services Department.


1.6 Risk Management Framework Objectives

The key objectives of the Risk Management Framework are to:

- Respond to the objectives of the Council Plan.
- Embed a commitment to the Risk Management Framework.
- Document accountability for the management and reporting of risks.
- Support a consistent risk management practice aligned to the Standard.

The focus for risk management maturity includes:

- Increasing the competency levels of staff in the management of risk.
- Developing a culture where risk assessment and management is a part of everyday practice.
- Providing accessible resources and information to staff.
- Continuing to embed risk management through the integration of techniques and processes within current systems and practices.
- Financing the recurrent insurable risk in the most efficient way.
- Improving the scope and type of management information available for the monitoring and review of risks.
- Training for staff.
- Management review and reporting.

An integrated Risk Management Framework has evolved and is built around six key elements. These elements are summarised in Section 1.7.


1.7 Risk Management Integrated Design

Building an integrated and effective Risk Management Framework takes commitment and resources. Our Framework is built around the elements identified as risk: culture, governance and accountability, resources and planning, process, assurance and interagency. A brief description of the six elements is outlined below:

(a) Risk Culture: Risk culture is a sub-set of the organisation’s culture. The risk management behaviour of the people within Council can be described as ‘the way things are done’.

(b) Risk Governance and Accountability: Governance and Accountability is the approach taken for making decisions about risk and developing, supporting, and embedding the risk framework.

(c) Risk Management Resources and Planning: Resources is the allocation of human and financial resources to oversee risk and planning. It is the thinking and organising of activities that are required to implement an integrated Risk Management Framework.

(d) Risk Management Process: Refers to the process around managing all risks, including strategic, operational and emerging risks. This involves identifying, assessing and monitoring risks through Riskware, our software system.

(e) Risk Assurance: Risk assurance is making sure the internal controls are adequately supporting the management of risk and compliance with regulations.

(f) Interagency Risk Management: These are the risks which apply to Council and can affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council’s organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies.


Section Two: Risk Management Framework Key Elements

The purpose of this section of the Risk Management Framework is to provide an overview of the Framework’s six key elements and how they apply to Council.

2.1 Risk Culture

Our organisational culture is the behaviours, values and beliefs that are shared by the people within the organisation. Risk culture is fundamental to supporting governance, stakeholder confidence, trust and compliance with relevant legal and regulatory requirements for improving the control environment, the operational effectiveness and efficiency and the identification of opportunities and threats.

Risk is implied within legislation, governance, service delivery, policy, planning, priority setting and risk criteria tools. The management of risk is the responsibility of all staff and this requirement is included in all position descriptions. Engagement surveys can be conducted which will inform us about our culture.

Key risk performance indicators are measures which support our transparent approach to maturing risk management. The risk management performance indicators which we are working towards are provided as Attachment 1.

2.2 Risk Governance and Accountability

Our risk management accountability framework is aligned to our existing accountability requirements and summarised in Table 1.


Table 1: Risk Management Accountability Structure

Role: Council

Responsibilities: Council’s responsibilities are to:

o Adopt a Risk Management Policy that complies with the requirements of AS/NZS ISO 31000:2009 and review and amend the Policy in a timely manner and/or as required.

o Adopt the Risk Management Framework for the Council.

o Be satisfied that risks are identified, managed and controlled appropriately to achieve Council’s Strategic Objectives.

o Appoint and resource the Audit Committee.

o Provide adequate budgetary provision for the financing of risk management including approved risk mitigation activities.

o Review Council’s risk appetite.

Role: Chief Executive Officer

Responsibilities: The Chief Executive Officer is accountable for the implementation and maintenance of risk management policies and processes across the organisation. The CEO is responsible for ensuring that strategic risks are regularly reviewed. The Chief Executive Officer is responsible for raising awareness and leading the culture of managing risk responsibly across the organisation.

Role: Executive Leadership Team (ELT)

Responsibilities:

o Promote and champion a strong risk management culture by linking and embedding risk management, and maintaining organisational risk focus across Council.

o Manage and monitor the strategic risks.

o Ensure that an effective risk control environment is implemented and maintained.

o Ensure that risks are considered and integrated into corporate and business planning processes.

o Participate in the review and updating of the organisation’s strategic risk profiles.

o Ensure that accountabilities for managing risks are clearly defined.

Role: Managers

Responsibilities: Managers are accountable for implementing the risk management practices in their area of responsibility. This includes:

o ensuring that risks are identified, managed, reviewed and updated regularly;

o ensuring that assets and operations, together with liability risk to the community, are adequately protected through treatment plans and measures; and

o providing risk management related information as requested by their Directorate.

Managers are responsible for raising awareness and leading the culture of managing risk responsibly across the organisation by ensuring that risk management policies, procedures, standards, guidelines and risk management treatment plans are implemented in everyday business practice.

Role: Team Leaders and Coordinators

Responsibilities:

o Advising of any risk management matter that should be included in forthcoming budgets.

o Raising awareness and leading the culture of managing risk responsibly across the organisation by assisting with the implementation of risk management policies, procedures, standards, guidelines and risk treatment plans.


Role: Internal Auditor

Responsibilities: The internal auditor reviews operational and strategic risks annually as part of the development of the Three Year Strategic Internal Audit Plan. The Risk Management Framework directs the focus of audit resources to ensure higher level risks are reviewed. Risk controls and treatment plans are considered as part of each internal audit review. The Internal Auditor liaises with the Risk Management Team to share information and knowledge.

Role: Risk Management Team

Responsibilities: The Risk Management Team is responsible for overseeing the development, facilitation and implementation of a risk management culture and framework, including training and awareness across the organisation. The team also provides advice to the organisation and is responsible for strategic overview.


Role: All staff

Responsibilities: All staff are responsible for applying risk management practices in their business activities. This involves:

o Systematically identifying, analysing, evaluating and treating risks.

o Maintaining awareness of current and potential risks that relate to areas of responsibility.

o Ensuring that risk management practices and treatments are regularly reviewed and monitored.

o Ensuring that risk management reporting is appropriately undertaken.

o Advising Managers of any risk issues believed to require attention, such as property exposures for potential loss or damage and community risk.

Role: Business Enterprise Risk Committee (BERC)

Responsibilities: The purpose of the BERC is to monitor Council’s approach to risk management as outlined in the scope and to provide advice and recommendations to the Executive Leadership Team.

Scope:

o To oversee the strategic direction of the Risk Management Framework in relation to non-OH&S-related risk management issues.

o To make recommendations in relation to risk policies and procedures.

o To review recommendations of JMAPP reports and MAV risk reviews/audits and identify appropriate actions.

o To monitor performance in the completion of new risk control plans and review of existing risk control plans.

o To monitor strategies for reducing risk in identified areas.

o To monitor and ensure the accuracy of the strategic risk register.

o To monitor and report to ELT regarding the implementation of the Risk Management Framework.

o To monitor Council’s insurance portfolio and identify any potential exposures.

o To provide advice to management on the resolution of the organisation’s high risk issues as identified.

o To assist in the resolution of issues referred to the Committee for consideration.

o To monitor Business Continuity Planning programs across Council.

Role: Audit Committee

Responsibilities: On behalf of Council, the purpose of the Audit Committee is to oversee that Council carries out its responsibilities for accountable financial management, good corporate governance, fostering an ethical environment and maintaining a system of internal control and risk management. The Committee has been constituted to monitor and report on the systems and activities of Council in ensuring:

o Reliable financial reporting and management information.

o High standards of corporate governance.

o Appropriate application of accounting policies.

o Compliance with applicable laws and regulations.

o Effective monitoring and control of all identified risks.

o Effective and efficient internal and external audit functions.

o Measures to provide early warning of any issues affecting the organisation’s financial well-being.

o The level and effectiveness of appropriate Crisis Management, Business Continuity and Disaster Recovery planning.

o Maintenance and fostering of an ethical environment.


2.3 Risk Management Resources and Planning

Risk management resources and planning are embedded within existing processes and operates on a number of levels. A summary of our integrated approach to resources and planning is outlined below:

Responsibility for risk management is outlined in our Risk Management Accountability Structure (Refer to Table 1).

Risk management resources are embedded within all Departments across all functions. Leadership for specialist risk areas is overseen by Departmental Managers. For example:

o responsibility for overseeing business continuity management, insurance, the fraud control plan, procurement, and internal audit resides with Commercial and Property Services;

o responsibility for overseeing business planning and finance accounting systems resides with Finance and Corporate Planning;

o responsibility for overseeing the Occupational Health and Safety program resides with People, Culture and Development;

o responsibility for overseeing risk matters relating to stakeholder engagement programs resides with Communications and Engagement;

o responsibility for overseeing the Code of Conduct resides with Governance;

o responsibility for overseeing climate adaptation risks resides with Environment and Sustainable Living;

o responsibility for Emergency Management procedures resides with Infrastructure Services and Health Aged and Disability Services (HAADS);

o responsibility for major project risks resides with Projects and Strategy; and

o responsibility for IT disaster recovery risks resides with Information Technology.

[Diagram: Risk Management at the centre, linked to the departments that oversee specialist risk areas: People, Culture & Development (OH&S risks); Governance (compliance and code of conduct); Communications and Engagement (stakeholder engagement risks and social media risks); Environment and Sustainable Living (climate adaptation risks); Projects and Strategy (project risks); Commercial and Property Services (fraud risks); Information Technology (IT disaster recovery risks); Infrastructure Services and HAADS (Emergency Management Procedures).]


Our approach to enterprise risk management is aligned to our strategic and business planning frameworks. Strategic risks are overseen by BERC and operational risks are identified and monitored as part of our annual business planning cycle.

Our risk register is enabled by a licensed enterprise risk information system (Riskware). Our maturity and performance can be measured against our integrated risk management performance indicators. Our continual improvement program is outlined in the risk management action plan. The risk management action plan requirements are reviewed annually. The risk management action plan is provided as Attachment 3.

2.4 Risk Management Process

Risk is the effect of uncertainty on objectives. The risk management process takes into account risk from a number of perspectives: strategic, operational and emerging.

Strategic risk

Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan. Strategic risks should be few in number and are the critical risks for the organisation and considered in the same time horizon as the Council Plan. The Council Plan 2013-17 describes the vision and strategic objectives of the elected Council based on the following key themes:

Strong and engaged communities; Sustainable environment; Enhanced amenity; Quality facilities and assets; and responsible management

The strategic risks are annually reviewed by BERC and ELT. A summary of the strategic risks are provided as Attachment 3.

Operational risk

Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community. These risks are linked to the strategic risk profile. The Annual Plan details the actions that will be undertaken in support of the Council Plan objectives. It details how the strategic objectives will be delivered. Each Department is required to undertake a risk assessment in accordance with this Framework to determine the risks in meeting its delegated statutory obligations and stated objectives. This process is incorporated into the business planning process.

Emerging risk

Emerging risks are newly developing or changing risks and are therefore, by their nature, difficult to identify and evaluate. Characteristics of emerging risks commonly include a high level of uncertainty, a lack of consensus, difficulty in communicating them, difficulty in assigning ownership, and the fact that they are often systemic or business practice issues. The BERC has a standing agenda item to review emerging risks as part of its quarterly meeting cycle. As required, emerging risks will be escalated to ELT for discussion.

2.5 Risk Assurance

The risk management validation and assurance program operates on a number of levels from management reviews to internal and external reviews.

Management reviews: These reviews are initiated by management to inform and to provide advice to management about the organisation.


Audit services: The internal audit program is overseen by the Commercial & Property Services Department. The internal audit plan is developed with consideration to the strategic and operational business risk profile. The internal audit program is designed as a rolling three year plan based on risk against which Internal Audit is to prepare audit reports for the Audit Committee's consideration. These audit reports are to also include, where applicable, management responses, accountabilities and timelines for corrective actions. This plan shall detail the nature and timing of reports to be presented to the Audit Committee and to Council and will reflect the priorities and functions of the Audit Committee as detailed in their Charter.

External reviews: These reviews are conducted by an agency external to Council. Typically the agencies which currently conduct independent reviews are the Victorian Auditor General’s Office and Ombudsman Victoria. A brief overview of the role of their offices is provided below.

Victorian Auditor General’s Office: The Auditor-General is an independent officer of the Victorian Parliament, appointed under legislation to examine, on behalf of Parliament and the Victorian taxpayers, the management of resources within the public sector. The independence of the Auditor-General is enshrined in Victoria’s Constitution Act 1975. This aims to ensure that findings that arise from financial statements and performance audits are communicated to Parliament. The Audit Act 1994 is the main legislation governing the powers and functions of the Auditor-General. The Council is subject to financial and performance audit reviews. The Commercial & Property Services Department is the conduit between Council and the Victorian Auditor-General’s Office.

Ombudsman Victoria reviews: The Ombudsman is an officer of the Victorian Parliament and has the power to investigate decisions, actions and conduct of Victorian government departments and statutory bodies and employees of local government (councils). The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff.

Cultural Survey: People, Culture and Development conduct biennial whole-of-staff engagement surveys that will be utilised to measure and test staff’s perception of Council’s risk management culture. The results are reported to the Executive Leadership Team and, where appropriate, incorporated into an action plan.

Attestation requirements: A risk attestation process has been established requiring Managers and Directors to attest that critical risks are reviewed annually and internal control systems are robust. The risk attestation process is consistent with State Government and public companies. The Directors and Managers will attest to the CEO that their risk management approach is aligned to the Risk Management Framework and an internal control system is in place that enables Managers and Directors to understand, manage and satisfactorily control risk exposures. The risk attestation statement is provided as Attachment 4.

2.6 Interagency Risk Management

Interagency risks are the risks which apply to Council and can affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council’s organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies. Where interagency risks have been identified, there are appropriate consultation and communication channels to relevant agencies.

Section Three: Key Guidelines and Risk Tools

The process of risk management involves risk identification, risk analysis, evaluation of risk treatment options and implementation of the appropriate treatment options. There are a number of steps within this process. The basic risk management process methodology follows the AS/NZS ISO 31000:2009 risk management approach as per the diagram below:


A key output from the risk management process is the risk assessment. The risk management process must incorporate a defined methodology for completing a risk assessment.

The table below outlines the risk process:


Communication and Consultation (applies across all steps)

Step 1: Establish the Context
o Organisation’s objectives
o Set scope for risk criteria

Step 2: Identify Risks
o What can happen? When, where? How and why?

Step 3: Analyse Risks
o Identify existing controls
o Determine level of risk

Step 4: Evaluate Risks
o Compare against criteria
o Set priorities

Step 5: Treat Risks
o Identify options
o Assess options
o Develop treatment plans
o Assess the cost implications

Step 6: Monitor and Review
o Inspections, reports, evaluations
o Audit


3.1 Training and Education

Risk management training and awareness is recognised as an important requirement for all staff, and a training schedule has been developed. The sessions are designed to increase the knowledge and awareness of staff and management in a number of risk management topics including general risk management, liability, fraud awareness, environment, events and Business Continuity. In addition to formal training, the Risk Management Team act as specialist advisors to staff. This includes help with identifying and assessing risk exposures and with the steps in developing, implementing and monitoring sustainable control measures.

3.2 Monitor, Review and Improvement

A continual process of monitor, review and improvement of all components of the Risk Management Framework is required to ensure an effective and up-to-date Framework. Monitoring the Framework involves inspections, reports, self-assessments or audits to assess whether objectives of the Framework components are being achieved. Reviewing the Framework involves assessing whether various components of the Framework still match the risk profile. This assessment may involve the review of policies, strategies and processes.

3.3 Risk Review and Register

Risks are identified and mitigated at all levels of the organisation using a top down and bottom up assessment process. The Risk Register is a database that allows Managers and Directors to register and monitor risks associated with business operations. Coordinators and Team Leaders have the delegated responsibility to review and monitor risks as determined by their Manager. These risks may be linked to various plans or projects/council works or events.

Risks need to be regularly reviewed according to their risk rating. The review dates for the different levels of risk are listed below; the review date for each risk needs to be realistic and linked to those accountable.

The appropriate review schedule is shown below.

Level of risk    Review
Low              Yearly
Medium           Half yearly
High             Quarterly
Extreme          Monthly

3.4 Risk Appetite

Risk appetite refers to the risk exposures that are or are not tolerated. The consequence table and risk matrix below determine how the risk is rated. The rating then determines the tolerance level of that risk. This is referred to as risk appetite. The table below outlines the risk tolerance level and risk escalation expectations and reporting requirements.


The residual rating for a particular risk is based on its potential impact and the likelihood of the risk event given the quality of the control process designed to reduce the likelihood and impact.

After the risk rating has been determined, the business area must assess what treatment, if any, will be applied to those risks. Each treatment plan must be assessed to determine if the cost of implementing the plan outweighs the derived benefit. However, there will be situations where, due to legal or social reasons, cost will not be a factor in the treatment plan; this will usually be the case when there is a rare or severe risk.

Risk matrix legend:

Extreme - Needs Active Management: A risk treatment plan must be established and implemented.

High - Needs Regular Monitoring: A treatment process should be adopted, primarily focused on paying close attention to the maintenance of excellent/good controls.

Moderate - Needs Periodic Monitoring: A treatment process should be adopted, primarily focused on monitoring risks in conjunction with a review of existing control procedures.

Low - No Major Concerns: Significant management effort should not be directed towards the risk in this section of the risk matrix.

Risk matrix (likelihood by consequence):

Likelihood       Negligible  Minor     Moderate  Major     Catastrophic
Almost Certain   Moderate    High      High      Extreme   Extreme
Likely           Moderate    Moderate  High      High      Extreme
Possible         Low         Moderate  High      High      High
Unlikely         Low         Low       Moderate  Moderate  High
Rare             Low         Low       Moderate  Moderate  High

3.5 Risk Likelihood Ratings

Some events happen once in a lifetime. Others can happen almost every day. Analysing risks requires an assessment of the frequency of occurrence. The following table provides broad descriptions used to support likelihood ratings. The occurrence should be considered, initially, without reference to known management/mitigating practices.


Likelihood Rating Definition table

Rating           Definition                                                                              Anticipated frequency
ALMOST CERTAIN   Event is expected to occur in most circumstances. Event is imminent for a specific item. In the order of 100 times a year
LIKELY           Event will probably occur in most circumstances.                                        In the order of 10 times per year
POSSIBLE         Event might occur at some time.                                                         Annually
UNLIKELY         Event could occur at some time.                                                         Once in every 10 years
RARE             Event may occur only in exceptional circumstances.                                      Once in 100 years

Source: AS/NZS ISO 31000:2009


3.6 Consequence Rating

Consequences can be described in a number of ways and determine an organisation's risk appetite. Each consequence can be rated in terms of its severity from minor to catastrophic. The following table provides descriptions for levels of consequence.

Consequence rating definition table (columns: Description; Injury (staff or public); Financial loss; Environmental impact; Reputation; Legislation & regulations; Strategic)

CATASTROPHIC
o Injury (staff or public): Death/s
o Financial loss: Significant financial loss (e.g. > $5 million)
o Environmental impact: Toxic release off site with long-term effects; substantial / long-term damage to flora / fauna, soil / water
o Reputation: Very high customer sensitivity and irreparable damage to Council name; national/international media coverage
o Legislation & regulations: Total failure to meet relevant legislation and regulations leading to dismissal of Council
o Strategic: Selection of a strategic direction that negatively impacts on the future of Council

MAJOR
o Injury (staff or public): Serious injury to one or more persons resulting in a permanent disability
o Financial loss: Major financial loss (e.g. > $1M - $5M)
o Environmental impact: Off-site release with no long-term effects; limited damage to flora / fauna, soil / water
o Reputation: Significant customer sensitivity and damage to Council name; statewide media coverage
o Legislation & regulations: Failure to meet relevant legislation and regulations resulting in material fines, penalties and restrictions on Council operations due to regulatory non-compliance; senior employees charged for breaches/fraud
o Strategic: Selection of a strategic direction which requires significant resources, both monitoring and time, to correct, impacting a part of Council

MODERATE
o Injury (staff or public): Injury requiring hospitalisation of one or more persons
o Financial loss: High financial loss (e.g. > $50,000 - $1M)
o Environmental impact: On-site release contained with outside assistance; no damage to flora / fauna and short-term effects on soil, water and air
o Reputation: Moderate customer sensitivity and damage to Council name impacting noticeably on business activities; significant local community coverage
o Legislation & regulations: Activity does not meet all of the requirements of relevant Australian Standards, exposing Council to possible litigation risks
o Strategic: Selection of a strategic direction which impacts on smaller parts of Council and will require considerable resources to correct

MINOR
o Injury (staff or public): Minor injury requiring first aid only
o Financial loss: Medium financial loss (e.g. > $10,000 - $50,000)
o Environmental impact: On-site release contained immediately
o Reputation: Minimal customer sensitivity and damage to Council name; limited local community coverage
o Legislation & regulations: Activity does not follow relevant established Industry / Victorian / Australian guidelines
o Strategic: Minimal impact on strategic / operational objectives

INSIGNIFICANT
o Injury (staff or public): Injury requiring no medical treatment
o Financial loss: Low financial loss (e.g. < $10,000)
o Environmental impact: Minor leak, non-contaminating
o Reputation: No impact on reputation of Council; no media coverage
o Legislation & regulations: No regulatory impact
o Strategic: Consequences are dealt with by routine operations


3.8 Calculate Risk Ratings

Risk Rating Process

The process for calculating a risk rating is:

1. Identify the appropriate consequence rating (refer to the Consequence Definition Table).

2. Identify the appropriate likelihood rating (refer to the Likelihood Definition Table).

3. Ascertain the risk rating by cross-referencing the consequence and likelihood ratings (refer to the Risk Matrix).

The table below identifies the definition and outcomes for the risk ratings. These outcomes are to be considered when developing Risk Control Plans.


RISK RATING OUTCOMES TABLE

EXTREME (E)

Extreme risk is unacceptable. Comprehensive consideration by ELT required to ensure that the risk remaining is consistent with corporate objectives and risk appetite. If not, detailed research and planning is required to mitigate risk.

HIGH (H)

Attention required to assess the acceptability of remaining risk or required mitigation measures. Management need to ensure that necessary mitigation actions are carried out and the risk does not increase by actively monitoring any changes to the control environment, consequence and likelihood.

MODERATE (M)

Management/team leaders to ensure that the control environment, consequence and likelihood does not substantially change. Consider the implementation of any additional cost effective controls.

LOW (L)

Manage by routine procedures and be mindful of changes to the nature of risks. Consider the implementation of any cost effective internal controls.
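As an added illustration, not part of the Framework or of Council's Riskware system, the rating process above and the review schedule of Section 3.3 are encoded below as a small Python tool that rates each entry of a constructed sample register and lists the reviews that are overdue on a given date. It assumes that the schedule's "Medium" level is the matrix's "Moderate", and that "Insignificant" in the consequence table and "Negligible" in the matrix name the same level.

```python
"""Risk rating and review scheduling per the Framework's matrix and schedule.

Added example, not Council's system. The matrix, the likelihood and
consequence levels and the review frequencies are transcribed from the
Framework; the register entries are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LIKELIHOODS = ["Almost Certain", "Likely", "Possible", "Unlikely", "Rare"]
# The consequence definition table calls the lowest level "Insignificant";
# the matrix labels the same column "Negligible" (assumed to be one level).
CONSEQUENCES = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]
CONSEQUENCE_ALIASES = {"Insignificant": "Negligible"}

# Rows follow LIKELIHOODS, columns follow CONSEQUENCES (risk matrix, 3.4).
RISK_MATRIX = {
    "Almost Certain": ["Moderate", "High", "High", "Extreme", "Extreme"],
    "Likely":         ["Moderate", "Moderate", "High", "High", "Extreme"],
    "Possible":       ["Low", "Moderate", "High", "High", "High"],
    "Unlikely":       ["Low", "Low", "Moderate", "Moderate", "High"],
    "Rare":           ["Low", "Low", "Moderate", "Moderate", "High"],
}

# Review schedule from 3.3 (yearly / half yearly / quarterly / monthly).
# The schedule says "Medium" where the matrix says "Moderate"; assumed equal.
REVIEW_INTERVAL_DAYS = {"Low": 365, "Moderate": 182, "High": 91, "Extreme": 30}

# Risk rating outcomes (3.8) condensed to the accountable level.
RATING_OUTCOME = {
    "Extreme": "Unacceptable; comprehensive consideration by ELT required",
    "High": "Management to carry out mitigation and actively monitor",
    "Moderate": "Management/team leaders to monitor; consider cost-effective controls",
    "Low": "Manage by routine procedures",
}


def rate_risk(likelihood: str, consequence: str) -> str:
    """Steps 1-3 of 3.8: cross-reference the consequence and likelihood ratings."""
    consequence = CONSEQUENCE_ALIASES.get(consequence, consequence)
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence rating: {consequence!r}")
    return RISK_MATRIX[likelihood][CONSEQUENCES.index(consequence)]


def next_review(last_review: date, rating: str) -> date:
    """Review due date implied by the 3.3 schedule for the given rating."""
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[rating])


@dataclass
class RiskEntry:
    risk_id: str
    title: str
    likelihood: str
    consequence: str
    last_review: date

    @property
    def rating(self) -> str:
        return rate_risk(self.likelihood, self.consequence)


def overdue_reviews(register, today):
    """Return (risk_id, rating, days_overdue) for entries past their review date,
    most overdue first: the input for the quarterly 'due for review' report in 3.9.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    overdue = []
    for entry in register:
        due = next_review(entry.last_review, entry.rating)
        if due < today:
            overdue.append((entry.risk_id, entry.rating, (today - due).days))
    return sorted(overdue, key=lambda item: item[2], reverse=True)


# Constructed sample register (hypothetical risks, not Council data).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Loss of IT disaster recovery capability", "Unlikely", "Catastrophic", date(2015, 3, 1)),
    RiskEntry("R-02", "Fraud in procurement", "Possible", "Major", date(2015, 6, 15)),
    RiskEntry("R-03", "Minor first-aid injuries at events", "Almost Certain", "Insignificant", date(2015, 1, 10)),
    RiskEntry("R-04", "Flooding of depot", "Rare", "Moderate", date(2014, 10, 1)),
]

if __name__ == "__main__":
    meeting_date = "2015-07-27"  # date of the Council meeting on the page
    for entry in SAMPLE_REGISTER:
        print(entry.risk_id, entry.rating, "-", RATING_OUTCOME[entry.rating],
              "- next review", next_review(entry.last_review, entry.rating))
    for risk_id, rating, days in overdue_reviews(SAMPLE_REGISTER, meeting_date):
        print(f"OVERDUE {risk_id} ({rating}): {days} days past review date")
```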

3.9 Risk Reporting

There is a structured approach to risk reporting. The matrix below details which information will be reported throughout the organisation, together with the reporting frequency. The Risk Management Team is responsible for reporting to Senior Management on all risks that are due for review and on current risk trends. Managers and Directors are responsible for reporting on risks that are due for review in each quarter. Reporting will be on a rotational basis, dependent on the risk rating schedule in the table at 3.3.

Risk Management Team - summary of risk information (recipient: reporting frequency)

Strategic risks: Audit Committee - yearly; Executive Group - quarterly, dependent on risk rating; Director - quarterly; Department Manager - quarterly.

Operational risks: Audit Committee - only extreme risks to be reported, yearly; Executive Group - half-yearly; Director - quarterly; Department Manager - quarterly.

Risk trends: Audit Committee - yearly; Executive Group - half-yearly; Director - half-yearly; Department Manager - quarterly.


Managers and Directors - summary of risk information (recipient: reporting frequency)

Strategic risks: Audit Committee - yearly; Executive Group - quarterly; Director - quarterly.

Operational risks: Audit Committee - only extreme risks to be reported, yearly; Executive Group - half-yearly; Director - quarterly.

A summary of the risk reporting parameters includes the following:

Strategic risks – All strategic risks as required by their risk ratings in the risk register, specifically the risk control/treatment plans for each of these risks. Status updates on the implementation of risk control/treatment plans provide important information on the implementation of risk mitigation strategies.

Operational risks – the extreme risks as per the residual risk ratings in the risk register. Risk owners will provide treatment plans for the mitigation of these risks.

Risk trends – Trend analysis to assist in identifying emerging risks and risks of increasing frequency, which may be indicative of systematic flaws in risk control strategies.

Date approved:

Accountable officer:

Chris Hurley, Manager Commercial and Property Services

Responsible officer:

Sasha Allan, Team Leader Risk Management

Endorsed by: Marilyn Kearney, Director Corporate Services

Approved by: Chief Executive Officer

Next review: May 2018


Attachments

Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators

Attachment 2: Risk Management Framework Action Plan 2014-16

Attachment 3: Strategic Risks

Attachment 4: Risk Attestation Wording Template


Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators

Over the next three years, the City of Boroondara is working towards maturing its Enterprise Risk Management Framework to a risk maturity level of "integrated".

Note: Descriptions shown in bold indicate that Council has established measurements for them.

Integrated

City of Boroondara Risk Maturity Performance Indicators

Dimensions: Culture; Governance & Accountability; Resources & Planning; Process; Assurance; Inter-Agency.

Management are committed to risk management.

Risk governance is aligned to the organisation's governance and accountability framework.

There are the human resources to support risk management system and processes.

There are processes to ensure communication and consultation with internal and external stakeholder groups takes place during each activity of the risk management process.

The internal validation and assurance activities are aligned to the risk profile.

There is a process in place to manage inter-organisational and interagency risks.

Employees’ contributions to risk management are valued.

There is an endorsed risk management policy accessible to all staff.

Tools and templates are used to support risk management processes and assessments.

Risk appetite and tolerances have been agreed and are clearly understood.

Practices and values are linked to risk management.

ELT and Audit Advisory Committee regularly receive, consider and discuss risk management reports.

The external and internal context to be considered by staff is clearly defined.

There is a process to support risk management attestation.

Risk rating criteria are clearly defined, risks are consistently documented, and the effectiveness of existing controls is used to determine the estimated level of risk.


There is a robust process for ensuring legal and regulatory compliance requirements are met.

Risks are consistently identified by staff with the required knowledge and skills, using an agreed risk register format.

Roles and responsibilities for risk management are clearly defined at all levels of the organisation.

There is a process in place to respond to incidents, near misses, hazards and complaints.

Risks are assessed to determine tolerability & priorities for risk treatment.

Treatment plans are prepared, implemented and monitored.


Integrated Risk Management Framework: Sample Measurements

Dimensions: Culture; Governance & Accountability; Resources & Planning; Process; Assurance; Interagency.

Risk management included in job descriptions. Risk management is linked to values and the Code of Conduct. Risk management is included in recognition and reward programs. All staff are aware of the organisation's approach to risk management, and the risk management format has been documented.

RMF documented, approved and accessible to staff. Risk reports distributed and reviewed. Evidence exists to support attestation.

Organisation-wide approach to the legal and regulatory compliance framework documented and accessible to staff. Risk roles and responsibilities documented. Risk meeting agendas and minutes recorded and maintained.

Organisation-wide risk policy.

Risk management capabilities and training provided.

Risk management skills gap addressed. Organisation-wide risk tools and templates are used. Organisation-wide risk management plans documented, approved and accessible to all staff. Risk information system available and accessible to nominated staff. User software training made available to nominated staff.

Risk management guidelines. Organisation-wide risk appetite and tolerance has been documented, approved and made available to all staff. Documented evidence that risk management forms part of the strategic and operational objectives, specifically taking into account risks which may impact the organisation. Defined risk criteria are available and consistently applied. The risk methodology is endorsed and available to all staff.

Risks have been linked to agreed categories which have been documented and reviewed. System in place for near misses. Risk escalation process established, clear and complied with.

There is a clear, documented link between the validation and assurance program

The validation and assurance program incorporates data analytics such as dashboard reporting and measurements against targets. Assurance mapping.

Attestation plan documented and approved.

Relationships have been developed and are understood, to identify and manage inter-organisational and inter-agency risks that impact the organisation.

An approach to the evaluation and treatment of interagency risk is documented in the risk management policy, plan and/or framework.


Attachment 2: Risk Management Framework Action Plan 2014-16

City of Boroondara Risk Management Framework Action Plan 2014-2016 (Feature; Action; Timeline; Measure)

A - Culture

A-1: Develop a structure which more formally engages staff through discussion forums and create opportunities for staff to share information about risk management practice.
Timeline: December (14)
Measure: Risk management incorporated into business planning cycle.

A-2: The second stage will begin in March 2015, where follow-up department team meetings will be held to discuss the outcomes of the business planning day and to further discuss risk.
Timeline: March (15)
Measure: Operational risks are linked to business planning objectives.

A-3: Run face-to-face sessions across departments and in work teams to provide staff with an opportunity to explore a number of ways to articulate risk. Risk will be considered the effect of uncertainty on objectives.
Timeline: March (15)
Measure: Number of sessions run; agendas from department meetings noting risk discussions.

A-4: Develop risk appetite statements after the strategic risk profile has been revised and endorsed.
Timeline: May (15)
Measure: Risk appetite statement developed and endorsed by ELT.

B - Governance and Accountability

B-1: A BERC meeting schedule will be developed to ensure meetings occur frequently. This will include a program of work which identifies clear purposes and required outcomes for each meeting.
Timeline: February (15) - ongoing
Measure: Operational risks are linked to business planning objectives.

B-2: Incorporate the risk register governance requirements into the Risk Management Framework, as well as a risk management action plan, and clearly outline the risk management focus for the next 12–24 months.
Timeline: May (15)
Measure: Risk Management Framework Action Plan developed and monitored.


B-3: Strengthen the alignment of its Framework with AS/NZS 31000:2009 by including:
- the application of the risk management principles;
- risk maturity statement;
- risk appetite statements;
- a risk tolerance statement; and
- incorporating emerging risk and project risk management into the risk process model, in addition to strategic and operational risk.
Timeline: December (15)
Measure: RMF and Action Plan revised and updated.

B-4: Develop the risk management action plan and incorporate the action plan into the Framework.
Timeline: February (15)
Measure: The Risk Framework Action Plan developed and reviewed annually.

B-5: Identify and map all departments' specialised risk management functions to determine how they are linked and to incorporate their risk assessment tools into the Framework (for example, business continuity, emergency management, crisis management, project management, contract management, insurance, IT disaster recovery, stakeholder management, fraud control, climate adaptation, OH&S, compliance and event management).
Timeline: May (15)
Measure: Descriptions of specialist functions will be incorporated into the Risk Management Framework.

B-6: Map the risk register to workflow.
Timeline: March (15)
Measure: Risk register is configured and mapped to workflow.

C - Resources and Planning

C-1: Finalise and implement the e-learning risk management module.
Timeline: June (15)
Measure: Risk management module incorporated into Council's induction program.

C-2: Incorporate operational risk identification and assessment into its annual planning process. Operational risks are explicitly linked to business objectives.
Timeline: December (14)
Measure: Department operational risk profile incorporated into business planning process.

C-3: Finalise the process for reviewing the strategic risk profile and incorporate the risk review process into the RMF.
Timeline: December (14)
Measure: Strategic risk profile revised and endorsed.

C-4: Identify the risk register user group and provide training to users.
Timeline: December (14)
Measure: Risk register user group identified and trained.


D - Process

D-1: Change the risk rating on the risk management information system from residual risk rating to target risk rating.
Timeline: March (15)
Measure: Risk and target risk requirements incorporated into the risk assessment guidelines.

D-2: Further develop the risk treatment plans to include the following:
- the reasons for selection of the treatment options;
- expected benefits to be gained;
- those who are accountable for approving the plan;
- those responsible for implementing the plan;
- the proposed actions;
- resource requirements including contingencies;
- performance measures and contingencies;
- reporting and monitoring requirements;
- timing and schedules.
Timeline: November (14); revised time June (15)
Measure: Treatment plans incorporated into the risk register on Risk Ware.

D-3: Review and strengthen the consequence ratings so impact can be measured.
Timeline: November (14)
Measure: Consequence rating tables reviewed.

E - Assurance

E-1: Develop a quality assurance review schedule so that operational risk registers are periodically reviewed on a rolling basis. To drive performance, the focus of this review should be endorsed annually by BERC.
Timeline: March (15)
Measure: Periodic review of departments' operational risk registers is undertaken and reported.

E-2: Council should consider introducing a risk attestation process requiring directors and managers to attest that they are focused on, or currently managing, the critical risks listed on the department risk register.
Timeline: November (14)
Measure: Annual risk attestation process developed.

F - Interagency

F-1: Department operational risk profile incorporated into business planning process.
Timeline: June (16)
Measure: Interagency risk management approach developed, endorsed and adopted.


Attachment 3: Strategic Risks

City of Boroondara - Strategic Risks

Columns: Risk Description; Control Rating; Likelihood; Consequence; Risk Rating; Risk Owner.

Adverse impact of legislative and/or policy change on Council's capacity to comply or deliver services: Control rating Fair; Likelihood Likely; Consequence Major; Risk rating High; Owner CEO.

Inadequate management of built assets to meet desired service levels: Control rating Good; Likelihood Possible; Consequence Major; Risk rating High; Owner DEI.

Breakdown of relationships between Councillors and organisation: Control rating Good; Likelihood Possible; Consequence Major; Risk rating High; Owner CEO.

Failure to maintain and protect the amenity and liveability of the natural environment: Control rating Good; Likelihood Possible; Consequence Major; Risk rating High; Owner DEI.

Failure to protect amenity and liveability of the built environment: Control rating Good; Likelihood Possible; Consequence Major; Risk rating High; Owner DCP.

Failure to plan, deliver and facilitate Council services that meet the social needs of the community: Control rating Good; Likelihood Possible; Consequence Major; Risk rating High; Owner DCD.

Failure to identify, plan and respond to impacts of climate change on Council in relation to flooding, storm and heat: Control rating Fair; Likelihood Possible; Consequence Moderate; Risk rating High; Owner DEI.

Inability to recruit and retain workforce to deliver appropriate and innovative services: Control rating Good; Likelihood Possible; Consequence Minor; Risk rating Moderate; Owner Manager PCD.

Failure of information technology systems performance and security: Control rating Good; Likelihood Possible; Consequence Minor; Risk rating Moderate; Owner Manager IT.

Failure to maintain financial sustainability: Control rating Excellent; Likelihood Unlikely; Consequence Major; Risk rating Moderate; Owner CFO.

Failure to maintain a safe work environment: Control rating Good; Likelihood Unlikely; Consequence Major; Risk rating Moderate; Owner DCS.

Failure of Council to adequately advocate and lead on issues reducing community wellbeing as identified in Council adopted Policies and Strategies: Control rating Good; Likelihood Unlikely; Consequence Moderate; Risk rating Moderate; Owner EMCE.

Failure to maintain an effective organisational culture: Control rating Excellent; Likelihood Unlikely; Consequence Moderate; Risk rating Moderate; Owner DCS.

Failure to plan for future technology needs for interaction with the community: Control rating Good; Likelihood Unlikely; Consequence Moderate; Risk rating Moderate; Owner Innovation Leader.


Attachment 4: Risk Attestation Wording Template

Manager to Director

I, [Accountable Officer] certify that the [name of department] has risk management processes in place consistent with Council’s adopted Risk Management Framework 2015 and an internal control system is in place that enables the executive to understand, manage and satisfactorily control critical risk exposures and has been critically reviewed within the last 12 months.

Director to CEO

I, [Accountable Officer] certify that my Managers have attested that risk management processes are in place which are consistent with Council’s adopted Risk Management Framework 2015 and an internal control system enables the executive to understand, manage and satisfactorily control critical risk exposures which has been critically reviewed within the last 12 months.
