Risk Management Policy

1.0 Purpose

Policy Objectives

To provide a consistent process to enhance efficient operations, effective processes and successful strategies that increase the likelihood of achieving the best outcomes for the district and the Council by:

  • Ensuring risk-based information is available to support good decision-making
  • Providing assurance that risks are being appropriately addressed and managed, and
  • Ensuring compliance with applicable legislation and regulation.

2.0 Background

Principles

The Council’s approach to risk management is consistent with the Joint Australian New Zealand International Standard Risk Management – Principles and Guidelines (AS/NZS ISO 31000:2009). That Standard provides the following principles of risk management:

  • Risk management creates and protects value
  • Risk management is an integral part of all organisational processes
  • Risk management is a part of decision making
  • Risk management explicitly addresses uncertainty
  • Risk management is systematic, structured and timely
  • Risk management is based on the best available information
  • Risk management is tailored
  • Risk management takes human and cultural factors into account
  • Risk management is transparent and inclusive
  • Risk management is dynamic, iterative and responsive to change
  • Risk management facilitates continual improvement of the organisation

Objectives

Risks are defined in relation to relevant objectives.

At the highest level, Council’s objectives are expressed through its Vision of:

  • Fantastic sustainable lifestyle second to none
  • Thriving and innovative economy where opportunities abound
  • Strong and enviable reputation and identity
  • Inspiring, people-focused leadership

In addition, the Council’s Community Outcomes are:

  • High quality infrastructure to meet community and business needs
  • Smart, diversified economic success and growth supported and enabled
  • Communities that are safe, vibrant and growing
  • People enjoying a high quality of life
  • A strong identity forged and promoted
  • A valued, healthy and accessible environment

Risks

Risks can be positive or negative.

Risks can also be ‘risks to Council’ or ‘risks to the district’.

Positive risks, or opportunity risks, should be embraced, in a cost-effective manner, to the extent that they help Council or the district to meet its objectives.

Negative risks should be managed in a cost-effective manner so that they do not detract from Council or the district meeting its objectives.

In tabular form these concepts can be shown as follows:

  • District risks, negative risk (quadrant 3): Understanding risks for the district and assessing Council’s role in managing those risks
  • District risks, positive risk (quadrant 4): Understanding opportunities for the district and assessing Council’s role in developing those opportunities
  • Council risks, negative risk (quadrant 1): Understanding and managing risks for Council and its immediate stakeholders
  • Council risks, positive risk (quadrant 2): Understanding and exploiting opportunities for Council

Council’s initial approach will be to focus on quadrant 1 while remaining aware of the responsibilities and possibilities under quadrants 2, 3 and 4.

Council is establishing a comprehensive formal risk management framework that principally focuses on quadrant 1 risks. This approach will be reviewed in time.

3.0 Key Definitions

Control is a process, policy, device, practice or other action that reduces the likelihood of a risk event occurring or reduces the potential consequence of that risk event before the risk event occurs.

Council means the entity known as the Timaru District Council and includes the governing body and the organisation.

Governing body means the mayor and councillors.

Mitigation is a process, policy, device, practice or other action that is intended to reduce the consequence of a risk event after the risk event has occurred.

Organisation means the operations, processes and staff of Timaru District Council led by the Chief Executive.

Residual risk is the risk remaining after risk treatment. (AS/NZS ISO 31000:2009)

Risk is the effect of uncertainty on objectives. (AS/NZS ISO 31000:2009)

Committee responsible for risk means the Audit and Risk Subcommittee, or a subsequent Committee of Council established with similar roles, responsibilities and powers.

Risk event is an occurrence or a change in a particular set of circumstances that gives rise to, or modifies, a risk.

Risk management is the coordinated activities to direct and control an organisation with regard to risk. (AS/NZS ISO 31000:2009)

Risk management framework is the combined suite of tools and processes, including this policy and supporting procedures, by which Council manages risk.

Risk management plan is a schedule that records risks and the controls, mitigations, risk treatments, and accountabilities associated with those risks.

Risk register is the same as a ‘risk management plan’.

Risk treatment is the process to modify risk. (AS/NZS ISO 31000:2009)

4.0 Policy

Commitment to risk management

Council recognises that early and systematic identification, analysis and assessment of risks and the development of plans for controlling and mitigating risk are necessary to achieve its desired objectives. As such, Council is committed to identifying, analysing, assessing and appropriately managing the risks to its objectives.

Risk management is the responsibility of everyone.

Council encourages intelligent and informed risk-taking and risk-acceptance in pursuit of its objectives.

It is the Policy of Timaru District Council to ensure that risks that it is exposed to are either avoided or, if it is not possible to avoid those risks, controlled to an acceptable level.

Identification of risks

All staff members are empowered, and expected, to identify and communicate risks. Identified risks will be recorded in a risk management plan.

Where, for whatever reason, direct reporting lines are not able to be used to communicate identified risks, alternative methods will be made available. These will include, but not be restricted to, direct notification to Group Managers or the Chief Executive.

Analysis of risks

Risks will be analysed to determine potential causes, the likelihood of occurrence, and the potential consequences if they do occur.

The causes, likelihood and consequence will be recorded in a risk management plan.

In accordance with the principle that risk management is tailored, the analysis of risks will reflect the relevant objectives of the Council, organisation, group, unit or project.

For the high-level ‘corporate risk management plan’:

  • The likelihood of a risk event occurring will be assessed in accordance with the Likelihood Table included as Attachment 1.
  • The potential consequences if a risk event occurs will be assessed in accordance with the Consequence Table included as Attachment 2.
  • The assessments of the likelihood of a risk event occurring and the potential subsequent consequences will be considered together in accordance with the Risk Matrix included as Attachment 3.

The analysis of risks at subsidiary levels will be undertaken in a manner consistent with the above but may be tailored to suit the relevant circumstances.

Evaluation of risks

Analysed risks will be evaluated against criteria to determine whether a risk is tolerable in its current state or whether further action is required.

The evaluation of risks will consider established risk tolerances for such risks, as well as any risk-specific factors.

In the first instance the evaluation of risk will include reference to the Risk Response table included as Attachment 4.

Treatment of risks

Where residual risk is considered to be too high, risk treatments will be applied to reduce the residual risk to an acceptable level.

In considering risk treatments, consideration will be given to both the costs and effort involved in the treatment and the potential benefit from the risk reduction.

Risk treatment can involve:

  • Avoiding a risk by deciding not to start or continue with the activity that gives rise to the risk.
  • Taking or increasing risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood of the risk occurring
  • Changing the consequence if the risk occurs
  • Sharing the risk with another party or parties, or
  • Retaining the risk by informed decision.

Recording of risks

Risks, controls and mitigations will be recorded in a risk management plan.

A high level organisation-wide ‘corporate risk management plan’ will be maintained to record and report on risks of Council-wide significance.

Subsidiary risk management plans will be prepared as appropriate throughout the organisation. These may include, but will not be limited to:

  • Group risk management plans
  • Activity risk management plans (within Activity Management Plans)
  • Asset risk management plans (if appropriate to be separate from Activity Management Plans)
  • Specialist risk management plans (for example, health and safety)
  • Project risk management plans, and
  • Any other risk management plan relevant to helping Council achieve its objectives.

Reporting of risks

Identified risks, and the associated controls, mitigations and accountabilities, will be reported in accordance with the Risk Response table included as Attachment 4.

Risk management plans will be reported regularly to both the Management Team and the Committee responsible for risk.

Accountability for risks

Specific accountability for each risk, control and mitigation will be identified and recorded in a risk management plan.

Roles and responsibilities

Assigning specific responsibilities to specific roles provides clarity and strengthens the overall risk management framework.

Governance: Responsibility

Council

To be assured that a risk management framework is in place and that risks are being appropriately managed.

Committee responsible for risk

Subject to the governing body’s delegated authority, the Committee responsible for risk has responsibility to:

  • Review the risk management framework
  • Consider matters related to the quality assurance and internal controls in the organisation including by enquiry and monitoring of risk matters
  • Advise the governing body on matters of risk and provide objective advice and recommendations for the governing body’s consideration

 

Management: Responsibility

Chief Executive

Approve the risk management framework and recommend it to the Committee responsible for risk.

Lead and promote a risk aware culture across the organisation.

Implement the risk management framework across the organisation.

Management Team

Endorse the risk management framework and champion it to the organisation.

Monitor effective implementation of the risk management framework across the organisation.

Receive and consider risk management plans on a quarterly basis.

Receive and consider other risk-related reports on an as-required basis.

Provide direction on risk tolerance at a general and risk-specific level.

Periodically review the risk management framework to ensure it remains appropriate.

Group Managers

‘Own’ risks relevant to, or arising from, their groups.

Lead and promote a risk aware culture within their groups.

Group Manager Corporate Services

Develop and maintain the risk management framework.

Facilitate the population and ongoing review of the high level ‘corporate risk management plan’.

Manage the interface between subsidiary risk management plans and the high level ‘corporate risk management plan’.

Advise on potential risk treatments for identified risk.

Consider and, where necessary, challenge the risks, controls, mitigations and accountabilities included (or not included) in risk management plans across the organisation.

Support unit managers to implement the risk management framework in their divisions and teams.

Lead the integration of risk management principles into other Council decision-making processes.

Unit Managers

Develop, populate and manage the risk management plan for their unit in accordance with the risk management framework.

‘Own’ risks relevant to, or arising from, their teams.

Lead and promote a risk aware culture within their units.

Staff and Contractors

Provide support in identifying risk.

As appropriate, ‘own’ risks, controls or mitigations.

Relevant Delegations

The Chief Executive or his/her nominee has delegated authority for the implementation of this policy.

References and Relevant Legislation

Joint Australian New Zealand International Standard Risk Management – Principles and Guidelines (AS/NZS ISO 31000:2009).

Attachments:

1. Categories of Likelihood

Almost certain (5)

90% or greater chance of occurring in next 12 months

Expected to occur in 9 of next 10 years

Certain to occur at least once in next 5 years

It would be unusual if this didn’t happen

Likely (4)

60% to 90% chance of occurring in next 12 months

Expected to occur at least once in next 5 years

Will occur more often than not

Possible (3)

25% to 60% chance of occurring in next 12 months

Expected to occur in 4 of next 10 years

Likely will occur at least once in next five years (>80% chance)

Not likely, but don’t be surprised

Unlikely (2)

2% to 25% chance of occurring in next 12 months

Expected to occur a maximum of once every 5 to 20 years

50% chance of occurring in next 5 years

A surprise, but not beyond the bounds of imagination

Rare (1)

Up to 2% chance of occurring in next 12 months

Could occur once every 50 or more years

Less than 10% chance of occurring in next 5 years

Will only occur in exceptional circumstances

2. Categories and Descriptors of Consequence

1 = Less than minor; 2 = Minor; 3 = Moderate; 4 = Major; 5 = Extreme

Achievement of the Vision and Community Outcomes

No impact on the Vision and Community Outcomes

Inconvenience or delay in achieving the Vision and Community Outcomes

Significant difficulty introduced to achievement of the Vision and Community Outcomes

Lost opportunity to contribute positively to one or more of the Vision and Community Outcomes

Failure to achieve a specific Community Outcome

Lost opportunity to significantly advance a specific Community Outcome

Failure to achieve multiple Community Outcomes

Lost opportunity to significantly advance multiple Community Outcomes

Financial

Financial impact of less than $50,000

Financial impact of between $50,000 and $250,000

Financial impact of between 1% and 2% of the Council’s total opex

Financial impact of between $250,000 and $1 million

Financial impact of between 2% and 5% of the Council’s total opex

Financial impact of between $1 million and $5 million

Financial impact of between 5% and 10% of the Council’s total opex

Financial impact of more than $5 million

Financial impact of more than 10% of the Council’s total opex

Health and Safety (customers, staff, contractors)

Minor injury, first aid not required

First aid or minor treatment

Medical treatment required

Serious harm, for example broken bones, hospitalisation

Loss of life; multiple serious harms; permanent severe disability

Service delivery to community

Short-term reduction in service delivery which is easily restored and does not compromise the community’s health and wellbeing

Reduced service delivery that does not compromise the community’s health and wellbeing

Key service not available to some of the community for ten hours or more

Continued service degradation for two days or more

Key service not available to a significant portion of the community for two days or more

Continued severe service degradation for one week or more

Key service not available to a large proportion of the community for one week or more

Continued severe service degradation for one month or more

Organisational capability and capacity

Temporary problem with organisational capability resulting in no impact on external service delivery

Loss of organisational capability in some areas resulting in sub-optimal support to external delivery activities

Organisation unable to function for less than 10 hours

Serious reduction in organisational capability for one week or more

Organisation unable to function for more than 10 hours

Serious reduction in organisational capability for two weeks or more

Organisation unable to function for more than two days

Serious reduction in organisational capability for one month or more

Reputational

Negative feedback from individuals

Short-term ‘letters to the editor’ (or online equivalent) commentary

Short-term loss of confidence among small sections of the community

Regional adverse political or media comment for one or two days

Sustained ‘letters to the editor’ (or online equivalent) commentary in usual sources

Short-term and manageable loss of community confidence

Regional adverse political or media comment for more than two days

Significant social media commentary or campaign from new sources

Loss of community confidence requiring significant time to remedy

National adverse political or media comment for more than two days

Regional adverse political or media comment for more than one week

Requirement for (televised) public explanation

Insurmountable loss of community confidence

National adverse political or media comment for more than one week

Requirement for (televised) public apology or defence

Adverse comments or questions in Parliament

Legislative / regulatory compliance

One-off minor regulatory or legislative non-compliance with no direct impact on the community’s health or wellbeing

One-off minor regulatory or legislative non-compliance with potential impact on the community’s health or wellbeing

Complaint to the Ombudsman, Auditor-General or other statutory office

Multiple related minor non-compliances due to an underlying systemic issue

Significant breach or non-compliance resulting in regulatory scrutiny

Significant breach or non-compliance, or multiple breaches or non-compliances, resulting in regulatory action and/or restrictions on Council activities

Court proceeding or criminal action for breach or non-compliance; potential for imprisonment of elected member or staff

Judicial review on a matter of rates or other funding, or on a matter with significant financial impact

3. Risk Matrix

Risk Matrix 


4. Risk Response

Risk Response Table


Adopted by Policy and Development Committee 9 June 2015