1.0 Purpose
Policy Objectives
To provide a consistent process to enhance efficient operations, effective processes and successful strategies that increase the likelihood of achieving the best outcomes for the district and the Council by:
- Ensuring risk-based information is available to support good decision-making
- Providing assurance that risks are being appropriately addressed and managed, and
- Ensuring compliance with applicable legislation and regulation.
2.0 Background
Principles
The Council’s approach to risk management is consistent with the Joint Australian New Zealand International Standard Risk Management – Principles and Guidelines (AS/NZS ISO 31000:2009). That Standard provides the following principles of risk management:
- Risk management creates and protects value
- Risk management is an integral part of all organisational processes
- Risk management is a part of decision making
- Risk management explicitly addresses uncertainty
- Risk management is systematic, structured and timely
- Risk management is based on the best available information
- Risk management is tailored
- Risk management takes human and cultural factors into account
- Risk management is transparent and inclusive
- Risk management is dynamic, iterative and responsive to change
- Risk management facilitates continual improvement of the organisation
Objectives
Risks are defined in relation to relevant objectives.
At the highest level, Council’s objectives are expressed through its Vision of:
- Fantastic sustainable lifestyle second to none
- Thriving and innovative economy where opportunities abound
- Strong and enviable reputation and identity
- Inspiring, people-focused leadership
In addition, the Council’s Community Outcomes are:
- High quality infrastructure to meet community and business needs
- Smart, diversified economic success and growth supported and enabled
- Communities that are safe, vibrant and growing
- People enjoying a high quality of life
- A strong identity forged and promoted
- A valued, healthy and accessible environment
Risks
Risks can be positive or negative.
Risks can also be ‘risks to Council’ or ‘risks to the district’.
Positive risks, or opportunity risks, should be embraced, in a cost-effective manner, to the extent that they help Council or the district to meet its objectives.
Negative risks should be managed in a cost-effective manner so that they do not detract from Council or the district meeting its objectives.
In tabular form these concepts can be shown as follows:
| | Negative risk | Positive risk |
---|---|---|
District risks | 3 Understanding risks for the district and assessing Council’s role in managing those risks | 4 Understanding opportunities for the district and assessing Council’s role in developing those opportunities |
Council risks | 1 Understanding and managing risks for Council and its immediate stakeholders | 2 Understanding and exploiting opportunities for Council |
Council’s initial approach will be to focus on quadrant 1 while remaining aware of the responsibilities and possibilities under quadrants 2, 3 and 4.
Council is establishing a comprehensive formal risk management framework that principally focuses on quadrant 1 risks. This approach will be reviewed in time.
3.0 Key Definitions
Control is a process, policy, device, practice or other action that reduces the likelihood of a risk event occurring or reduces the potential consequence of that risk event before the risk event occurs.
Council means the entity known as the Timaru District Council and includes the governing body and the organisation.
Governing body means the mayor and councillors.
Mitigation is a process, policy, device, practice or other action that is intended to reduce the consequence of a risk event after the risk event has occurred.
Organisation means the operations, processes and staff of Timaru District Council led by the Chief Executive.
Residual risk is the risk remaining after risk treatment. (AS/NZS ISO 31000:2009)
Risk is the effect of uncertainty on objectives. (AS/NZS ISO 31000:2009)
Committee responsible for risk means the Audit and Risk Subcommittee, or a subsequent Committee of Council established with similar roles, responsibilities and powers.
Risk event is an occurrence or a change in a particular set of circumstances that gives rise to, or modifies, a risk.
Risk management is the coordinated activities to direct and control an organisation with regard to risk. (AS/NZS ISO 31000:2009)
Risk management framework is the combined suite of tools and processes, including this policy and supporting procedures, by which Council manages risk.
Risk management plan is a schedule that records risks and the controls, mitigations, risk treatments, and accountabilities associated with those risks.
Risk register is the same as a ‘risk management plan’.
Risk treatment is the process to modify risk. (AS/NZS ISO 31000:2009)
4.0 Policy
Commitment to risk management
Council recognises that early and systematic identification, analysis and assessment of risks and the development of plans for controlling and mitigating risk are necessary to achieve its desired objectives.
As such, Council is committed to identifying, analysing, assessing and appropriately managing the risks to its objectives.
Risk management is the responsibility of everyone.
Council encourages intelligent and informed risk-taking and risk-acceptance in pursuit of its objectives.
It is the Policy of Timaru District Council to ensure that risks that it is exposed to are either avoided or, if it is not possible to avoid those risks, controlled to an acceptable level.
Identification of risks
All staff members are empowered, and expected, to identify and communicate risks. Identified risks will be recorded in a risk management plan.
Where, for whatever reason, direct reporting lines are not able to be used to communicate identified risks, alternative methods will be made available. These will include, but not be restricted to, direct notification to Group Managers or the Chief Executive.
Analysis of risks
Risks will be analysed to determine potential causes, the likelihood of occurrence, and the potential consequences if they do occur.
The causes, likelihood and consequence will be recorded in a risk management plan.
In accordance with the principle that risk management is tailored, the analysis of risks will reflect the relevant objectives of the Council, organisation, group, unit or project.
For the high-level ‘corporate risk management plan’:
- The likelihood of a risk event occurring will be assessed in accordance with the Likelihood Table included as Attachment 1.
- The potential consequences if a risk event occurs will be assessed in accordance with the Consequence Table included as Attachment 2.
- The assessments of the likelihood of a risk event occurring and the potential subsequent consequences will be considered together in accordance with the Risk Matrix included as Attachment 3.
The analysis of risks at subsidiary levels will be undertaken in a manner consistent with the above but may be tailored to suit the relevant circumstances.
Evaluation of risks
Analysed risks will be evaluated against criteria to determine whether a risk is tolerable in its current state or whether further action is required.
The evaluation of risks will consider established risk tolerances for such risks, as well as any risk-specific factors.
In the first instance the evaluation of risk will include reference to the Risk Response table included as Attachment 4.
Treatment of risks
Where residual risk is considered to be too high, risk treatments will be applied to reduce the residual risk to an acceptable level.
In considering risk treatments, consideration will be given to both the costs and effort involved in the treatment and the potential benefit from the risk reduction.
Risk treatment can involve:
- Avoiding a risk by deciding not to start or continue with the activity that gives rise to the risk.
- Taking or increasing risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood of the risk occurring
- Changing the consequence if the risk occurs
- Sharing the risk with another party or parties, or
- Retaining the risk by informed decision.
Recording of risks
Risks, controls and mitigations will be recorded in a risk management plan.
A high level organisation-wide ‘corporate risk management plan’ will be maintained to record and report on risks of Council-wide significance.
Subsidiary risk management plans will be prepared as appropriate throughout the organisation. These may include, but will not be limited to:
- Group risk management plans
- Activity risk management plans (within Activity Management Plans)
- Asset risk management plans (if appropriate to be separate from Activity Management Plans)
- Specialist risk management plans (for example, health and safety)
- Project risk management plans, and
- Any other risk management plan relevant to helping Council achieve its objectives.
Reporting of risks
Identified risks, and the associated controls, mitigations and accountabilities, will be reported in accordance with the Risk Response table included as Attachment 4.
Risk management plans will be reported regularly to both the Management Team and the Committee responsible for risk.
Accountability for risks
Specific accountability for each risk, control and mitigation will be identified and recorded in a risk management plan.
Roles and responsibilities
Assigning specific responsibilities to specific roles provides clarity and strengthens the overall risk management framework.
Governance | Responsibility |
---|---|
Council | To be assured that a risk management framework is in place and that risks are being appropriately managed. |
Committee responsible for risk | Subject to the governing body’s delegated authority, the Committee responsible for risk has responsibility to: |
Management | Responsibility |
---|---|
Chief Executive | Approve the risk management framework and recommend it to the Committee responsible for risk. Lead and promote a risk aware culture across the organisation. Implement the risk management framework across the organisation. |
Management Team | Endorse the risk management framework and champion it to the organisation. Monitor effective implementation of the risk management framework across the organisation. Receive and consider risk management plans on a quarterly basis. Receive and consider other risk-related reports on an as-required basis. Provide direction on risk tolerance at a general and risk-specific level. Periodically review the risk management framework to ensure it remains appropriate. |
Group Managers | ‘Own’ risks relevant to, or arising from, their groups. Lead and promote a risk aware culture within their groups. |
Group Manager Corporate Services | Develop and maintain the risk management framework. Facilitate the population and ongoing review of the high level ‘corporate risk management plan’. Manage the interface between subsidiary risk management plans and the high level ‘corporate risk management plan’. Advise on potential risk treatments for identified risk. Consider and, where necessary, challenge the risks, controls, mitigations and accountabilities included (or not included) in risk management plans across the organisation. Support unit managers to implement the risk management framework in their divisions and teams. Lead the integration of risk management principles into other Council decision-making processes. |
Unit Managers | Develop, populate and manage the risk management plan for their unit in accordance with the risk management framework. ‘Own’ risks relevant to, or arising from, their teams. Lead and promote a risk aware culture within their units. |
Staff and Contractors | Provide support in identifying risk. As appropriate, ‘own’ risks, controls or mitigations. |
Relevant Delegations
The Chief Executive or his/her nominee has delegated authority for the implementation of this policy.
References and Relevant Legislation
Joint Australian New Zealand International Standard Risk Management – Principles and Guidelines (AS/NZS ISO 31000:2009).
Attachments:
1. Categories of Likelihood
Almost certain | 5 | 90% or greater chance of occurring in next 12 months; Expected to occur in 9 of next 10 years; Certain to occur at least once in next 5 years; It would be unusual if this didn’t happen |
Likely | 4 | 60% to 90% chance of occurring in next 12 months; Expected to occur at least once in next 5 years; Will occur more often than not |
Possible | 3 | 25% to 60% chance of occurring in next 12 months; Expected to occur in 4 of next 10 years; Likely will occur at least once in next five years (>80% chance); Not likely, but don’t be surprised |
Unlikely | 2 | 2% to 25% chance of occurring in next 12 months; Expected to occur a maximum of once every 5 to 20 years; 50% chance of occurring in next 5 years; A surprise, but not beyond the bounds of imagination |
Rare | 1 | Up to 2% chance of occurring in next 12 months; Could occur once every 50 or more years; Less than 10% chance of occurring in next 5 years; Will only occur in exceptional circumstances |
2. Categories and Descriptors of Consequence
| | 1: Less than minor | 2: Minor | 3: Moderate | 4: Major | 5: Extreme |
---|---|---|---|---|---|
Achievement of the Vision and Community Outcomes | No impact on the Vision and Community Outcomes | Inconvenience or delay in achieving the Vision and Community Outcomes | Significant difficulty introduced to achievement of the Vision and Community Outcomes; Lost opportunity to contribute positively to one or more of the Vision and Community Outcomes | Failure to achieve a specific Community Outcome; Lost opportunity to significantly advance a specific Community Outcome | Failure to achieve multiple Community Outcomes; Lost opportunity to significantly advance multiple Community Outcomes |
Financial | Financial impact of less than $50,000 | Financial impact of between $50,000 and $250,000; Financial impact of between 1% and 2% of the Council’s total opex | Financial impact of between $250,000 and $1 million; Financial impact of between 2% and 5% of the Council’s total opex | Financial impact of between $1 million and $5 million; Financial impact of between 5% and 10% of the Council’s total opex | Financial impact of more than $5 million; Financial impact of more than 10% of the Council’s total opex |
Health and Safety (customers, staff, contractors) | Minor injury, first aid not required | First aid or minor treatment | Medical treatment required | Serious harm, for example broken bones, hospitalisation | Loss of life; multiple serious harms; permanent severe disability |
Service delivery to community | Short-term reduction in service delivery which is easily restored and does not compromise the community’s health and wellbeing | Reduced service delivery that does not compromise the community’s health and wellbeing | Key service not available to some of the community for ten hours or more; Continued service degradation for two days or more | Key service not available to a significant portion of the community for two days or more; Continued severe service degradation for one week or more | Key service not available to a large proportion of the community for one week or more; Continued severe service degradation for one month or more |
Organisational capability and capacity | Temporary problem with organisational capability resulting in no impact on external service delivery | Loss of organisational capability in some areas resulting in sub-optimal support to external delivery activities | Organisation unable to function for less than 10 hours; Serious reduction in organisational capability for one week or more | Organisation unable to function for more than 10 hours; Serious reduction in organisational capability for two weeks or more | Organisation unable to function for more than two days; Serious reduction in organisational capability for one month or more |
Reputational | Negative feedback from individuals; Short-term ‘letters to the editor’ (or online equivalent) commentary | Short-term loss of confidence among small sections of the community; Regional adverse political or media comment for one or two days; Sustained ‘letters to the editor’ (or online equivalent) commentary in usual sources | Short-term and manageable loss of community confidence; Regional adverse political or media comment for more than two days; Significant social media commentary or campaign from new sources | Loss of community confidence requiring significant time to remedy; National adverse political or media comment for more than two days; Regional adverse political or media comment for more than one week; Requirement for (televised) public explanation | Insurmountable loss of community confidence; National adverse political or media comment for more than one week; Requirement for (televised) public apology or defence; Adverse comments or questions in Parliament |
Legislative / regulatory compliance | One-off minor regulatory or legislative non-compliance with no direct impact on the community’s health or wellbeing | One-off minor regulatory or legislative non-compliance with potential impact on the community’s health or wellbeing | Complaint to the Ombudsman, Auditor-General or other statutory office; Multiple related minor non-compliances due to an underlying systemic issue; Significant breach or non-compliance resulting in regulatory scrutiny | Significant breach or non-compliance, or multiple breaches or non-compliances, resulting in regulatory action and/or restrictions on Council activities | Court proceeding or criminal action for breach or non-compliance; potential for imprisonment of elected member or staff; Judicial review on a matter of rates or other funding, or on a matter with significant financial impact |
3. Risk Matrix
4. Risk Response
Adopted by Policy and Development Committee 9 June 2015
Last updated: 24 Feb 2021