Risk Management PlanOct12 PDF
RISK MANAGEMENT PLAN
CONTENTS
SECTION TOPIC
1 SCOPE
2 APPLICATION OF RISK MANAGEMENT
3 DEFINITIONS
4 OBJECTIVES
5 RISK MANAGEMENT PROCESS
6 ROLES & ACCOUNTABILITIES
7 RISK ASSESSMENTS
8 RISK REGISTRATION, TREATMENT and REPORTING
9 REVIEW STRUCTURE
10 ASSOCIATED COUNCIL POLICIES and DOCUMENTS
Appendix 1 Risk Matrix and Risk Level Action indicators
Appendix 2 Indicative Measures of Consequence and Likelihood
Appendix 3 Fraud Prevention Strategy
Appendix 4 Generic Risk Register / Risk Assessment Template
Appendix 5 Generic Risk Treatment Schedule & Action Plan
Appendix 6 Risk Management Framework
Appendix 7 Flowchart of Integrated Risk Strategy
Appendix 8 Risk Management of Council Open Space
1. SCOPE
This policy applies to all areas of Council’s operations, and covers risk of financial
loss, injury to employees and/or members of the public, damage to equipment and
property, and loss of reputation.
3. DEFINITIONS
Residual risk
The remaining level of risk after risk treatment measures have been taken into
account.
Risk
The chance of something happening that will have an impact upon objectives. It is
measured in terms of consequences and likelihood.
Risk acceptance
An informed decision to accept the consequences and the likelihood of a particular
risk.
Risk analysis
A systematic use of available information to determine how often specified events
may occur and the magnitude of their consequences.
Risk assessment
The overall process of risk analysis and risk evaluation.
Risk control
That part of risk management which involves the implementation of policies, protocols,
standards, procedures and physical changes to eliminate or minimise adverse risks.
Risk evaluation
The process used to determine risk management priorities by comparing the level of
risk against predetermined standards, target risk levels or other criteria.
Risk identification
The process of determining what can happen, why and how.
Risk management
The culture, processes and structures that are directed towards the effective
management of potential opportunities and adverse effects.
Risk management process
The systematic application of management policies, procedures and practices to the
tasks of establishing the context, identifying, analysing, evaluating, treating,
monitoring and communicating risk.
Risk treatment
Selection and implementation of appropriate options for dealing with risk.
4. OBJECTIVES:
The objectives of Council’s risk management action plan are to promote an integrated
risk management strategy and processes throughout Council. This integrated
process is illustrated in the flow chart attached as Appendix 7.
The integrated strategy will:
a) formalise and enhance existing risk management practices within Council;
b) demonstrate compliance with relevant legislation and regulatory requirements;
c) integrate the management of risk across key Council functions and areas of
responsibility;
d) raise the profile of risk management at all levels of Council, including elected
members;
e) reduce the cost of risk, including injury, cost of insurance premiums, damage
and loss to Council and the community;
f) develop and retain a risk register to facilitate the understanding of Council’s
risks;
g) demonstrate and promote good corporate governance;
h) improve community confidence and trust;
i) achieve a proactive approach to risk management, and
j) assist in ensuring Council’s financial sustainability.
The Deputy General Manager – Environmental & Economic is responsible for
facilitating and resourcing to enable that Group’s compliance with the Risk
Management Plan, measuring performance of staff against strategies in Council’s
Management Plan and KPIs in individual work plans.
(b) overseeing the review and implementation of the Risk Management Policy and
this Plan in accordance with the framework set out in Appendix 6,
(c) overseeing the establishment of a Risk Register for Council,
(d) prioritising the risks identified in the Risk Register and developing a priority list,
(f) overseeing the development and updating of Council’s Business Continuity
Plan,
(g) reviewing the benchmarking of Council’s performance in risk management,
(h) reviewing Council’s insurances and its external incident management, and
(i) keeping the Executive and Council informed of changes in risk management.
The Committee shall meet four times in each calendar year.
7. RISK ASSESSMENTS
Council is committed to identifying and either eliminating or managing its risks.
All managers have a responsibility to involve their staff within this process.
General areas of risk, and specific hazards within these areas, for which risk
assessments are to be conducted and documented, have been identified and are
listed in Council’s Risk Register.
The risk areas so identified shall be prioritised and assessed as resources permit.
The Register shall list all areas of risk that are yet to be addressed and shall be
updated annually by the Risk Management Committee.
Relevant staff will be trained to use the necessary tools to undertake risk
assessments. These tools may include:
Risk assessment process
Risk assessment template
RiskeMAP and/or other risk registers
The risk assessment process is defined in the form of a detailed flowchart which
includes the following:
Identify the item to be assessed
Establish the consultation group
Identify the hazard/risks and existing controls
Undertake risk rating
9. REVIEW STRUCTURE
The Committee shall review the Risk Management Policy and this Plan annually and
recommend to the Executive any changes to it.
The respective risk assessments will be reviewed in accordance with the scheduled
review identified for each assessment. This review will vary from six months to a
maximum of 3 years depending on the level of risk.
Unplanned reviews may be triggered by incident, new technology,
legislation/regulation changes, and variation in resources or community use/demand.
All reviews will take into account hazard and incident reports, complaints and any
other information affecting the risk.
Consequences
High Risk
Develop and implement a specific Management Plan for high risks
Allocate actions and budget to minimise risk; monitor implementation
Report to Senior Management within one month; regular internal reporting required
Medium Risk
Develop and implement a specific Management Plan for medium risks
Allocate actions and budget to minimise risk where existing controls deemed inadequate; monitor implementation
Report to Senior Management within the quarter;
Management to consider additional controls; report within the quarter
Insignificant: … impact; isolated release only
Minor: … on-site release immediately controlled
Moderate: … impact; on-site release contained with assistance
Major: … release spreading off-site; contained with external assistance
Catastrophic: … release off-site; requires long term remediation

Financial
Insignificant: Negligible financial loss ($10 000), no impact on program or business operation
Minor: Minor financial loss ($10000-$50000); minimal impact on program or business operation
Moderate: Significant financial loss ($50000- $500 000); considerable impact on program or business operations
Major: Major financial loss ($500 000-$1M); severe impact on program or business operation
Catastrophic: Extensive financial loss ($1M+); loss of program or business operation

OHS
Insignificant: First aid only required
Minor: Minor medical treatment with or without potential for loss …
Moderate: Significant injury involving medical treatment or …
Major: Individual fatality or serious long term injury
Catastrophic: Multiple fatalities or extensive long term injury

… exceptional circumstances
… occur under normal operations; no evidence of previous incidents
… occur but may under specific circumstances
… stage based on evidence of previous incidents
… times during normal operations

Public Liability
Insignificant: First aid only required; minimal loss to organisation
Minor: Some medical treatment required; medium loss to …
Moderate: Significant injury involving medical treatment or …
Major: Severe injuries or fatalities to individual; very high loss to …
Catastrophic: Multiple fatalities or extensive long term injuries; worst case …

Insignificant: … term impact; repairable through normal operations
Minor: … downtime; short term impact; mostly repairable through normal operations
Moderate: … temporary disruption of services; medium term impact on organisation
Major: … replacement or property or infrastructure; long term impact on organisation
Catastrophic: … and long term consequences; threat to viability of service or operation
Category | Insignificant | Minor | Moderate | Major | Catastrophic

Reputation
Insignificant: Isolated, internal or minimal adverse attention or complaint
Minor: Heightened local community concern or criticism
Moderate: Significant public criticism with or without media attention
Major: Serious public or media outcry, broad media attention
Catastrophic: Extensive public outcry, potential national media attention

Natural Hazards
Insignificant: Minimal physical or environmental impact; isolated hazard only; dealt with through normal operations
Minor: Minor physical or environmental impact, hazards immediately controlled with local resources
Moderate: Significant physical or environmental impact; hazards contained with assistance of external resources
Major: Major physical or environmental impact; hazard extending off-site; external services required to manage
Catastrophic: Extensive physical or environmental impact extending off-site; managed by external services; long term remediation required

Information Technology
Insignificant: No measurable operational impact to organisation
Minor: Minor downtime or outage in single area of organisation; addressed with local management and resources
Moderate: Significant downtime or outage in multiple areas of organisation; substantial management required and local resources
Major: Loss of critical functions across multiple areas of organisation; long term outage; extensive management required and extensive resources
Catastrophic: Extensive and total loss of functions across organisation; disaster management required

Political and Governance
Insignificant: Isolated non-compliance or breach; minimal failure of internal controls managed by normal operations
Minor: Contained non-compliance or breach with short term significance; some impact on normal operations
Moderate: Serious breach involving statutory authorities or investigation; significant failure of internal controls; adverse publicity at local level
Major: Major breach with formal inquiry; critical failure of internal controls; widespread adverse publicity
Catastrophic: Extensive breach involving multiple individuals; potential litigation; viability of organisation threatened

Industrial Relations
Insignificant: Isolated, internal or minimal impact on staff morale or performance; minimal loss to organisation
Minor: Contained impact on staff morale or performance of short term significance; medium loss to organisation
Moderate: Significant impact on staff morale or performance of medium term significance; significant loss to organisation
Major: Major impact on staff morale or performance with long term significance; very high loss to organisation
Catastrophic: Extensive impact on organisational morale or performance; threat to viability of program or service

Contractual and Legal
Insignificant: Isolated non-compliance or breach; negligible financial impact
Minor: Contained non-compliance or breach with short term significance and minor financial impact
Moderate: Serious breach involving statutory authority or investigation; prosecution possible with significant financial impact
Major: Major breach with fines and litigation; long term significance and major financial impact
Catastrophic: Extensive fines and litigation with possible class action; threat to viability of program or service.
Measures of Likelihood
Appendix 3 FRAUD PREVENTION STRATEGY
INTRODUCTION
These values are reflected throughout Council’s Integrated Planning documents and the
concepts of economic prosperity and efficient resource use combined with accountability set
the framework for this Strategy.
Fraud prevention is concerned ultimately with the effective utilisation of resources and the
minimization of waste, mismanagement and fraud.
Council believes that an emphasis on fraud prevention rather than fraud investigation will
lead to a reduction of these opportunities for waste, abuse and mismanagement.
(b) the promotion of its fraud prevention principles in the community to ensure that there
is awareness that Council will not tolerate fraudulent acts against Council by
contractors, suppliers or members of the public,
(c) the General Manager developing and implementing fraud management strategies to
cultivate a culture of fraud prevention among staff within Council,
(d) encouraging the reporting of instances of fraud and corruption within Council,
including the adoption and dissemination of an Internal Reporting Policy, and
(e) maintaining policies that promote ethical conduct by Councillors, staff and
those who deal with Council.
Procedures
Maintaining an effective system of internal controls and compliance with those controls
Regularly, including through its Internal Audit Committee, undertaking fraud risk assessments and
audits to identify opportunities for fraud and implementing prevention and minimisation procedures in
day to day operations.
Establishing formal procedures for the investigation of allegations of dishonest and/or fraudulent
behaviour.
Reacting appropriately to situations where fraud allegations are proven to be true. This may include
taking disciplinary action, pressing criminal charges or referring to outside agencies.
Where appropriate and as a deterrent, publicising throughout Council proven cases of fraudulent or
corrupt conduct and the disciplinary action taken.
Ensuring all staff have a copy of Council’s Code of Conduct, are aware of their obligations to act
honestly and to report fraudulent and corrupt conduct, and are adequately trained.
Cultivating and maintaining an environment in which dishonest conduct by staff is actively discouraged.
There are a number of signals which may assist staff in identifying fraud and corrupt
conduct, including:
Conflicts of interest
Gifts and benefits
Storage of information
Recruitment
Purchasing and tendering
Development applications
Cash handling
Delegations
Timesheets
Use of Council resources
Stock control
Each of these risks, and the controls adopted by Council, are addressed in Council’s Risk
Register.
Reporting
Council’s Internal Reporting Policy provides a confidential means by which staff can report
fraud and corrupt conduct and secure protection from reprisal via the provisions of the
Protected Disclosures legislation.
IMPLEMENTATION
Culture
Policy and Strategy
Business Risk
Corporate Governance
Compliance (legislative, regulatory, community)
Internal Audit
Corporate image
risk
Ensure their staff are aware of corruption reporting mechanisms
Set the standard for ethical behaviour in the workplace
Monitor potential corruption risks
Employees
Behave ethically
Comply with Code of Conduct
Report suspected incidents of fraud and corruption
Comply with fraud and corruption prevention controls and procedures
Appendix 4 Generic Risk Register / Risk Assessment Template
Ref # | Category (eg. OHS, PL) | Hazard (Source of risk?) | Hazard / Risk Description (What can happen?) | Existing Controls (Measures already in place?) | Impact: Consequence, Likelihood | Risk Rating (As per Matrix)
Appendix 5 Generic Risk Treatment Schedule and Action Plan Template
POTENTIAL TREATMENT OPTIONS COSTS & IS THE TARGET RESPONSIBLE TIMETABLE MONITORING
BENEFITS TREATMENT TO RISK LEVEL PERSON for strategies to
RISK REFERENCE
BE implementation measure
IMPLEMENTED effectiveness
CONSEQUENCE
TARGET LEVEL
(Y / N) of Risk
LIKELIHOOD
Treatments
Appendix 6: Risk Management Framework
# Elements Comments:

CONTEXT
1 Clear framework and strategy (goals)
Comments: Senior Management Team to develop organisational goals / set context for program.
Aligned to organisational objectives
Resource allocation – including budget / cost centres
Comments: Allocate funds (dedicated operating expense) to risk management projects – including access to external ‘experts’ as required

IDENTIFY
3 Risk profiling process – broad identification of risk exposures (Enterprise RM philosophy – strategic)
Comments: Eg. undertake risk profiling sessions with all functional areas to determine at least 3 key areas for attention over next 12 months (repeat annually)
Specific risk priorities set
Comments: Risk priorities are generally those with the highest risk ranking, although other priorities may be nominated as required. Priorities should be documented in an Action Plan.
… regarding new items plant, etc)
Comments: … threats / opportunities. Should be routinely conducted according to pre-determined points in the business cycle, or for key operational functions.

5 Risk Treatment / Action Plan
Comments: Treatment / Action plans are designed to focus the organisation as to the items that are of most importance to their goals at that time. Action Plans may be developed at dept / function level or a single Action Plan can be developed for the organisation.
Training Needs Analysis / matching organisational skill set to risk mngt needs
Comments: Expand induction / intranet to reflect the expanded risk management focus – not just OHS

MONITOR
6 Compliance activities – track / manage compliance
Comments: All compliance requirements for the Council should be identified and recorded on a register. A system should exist to ensure the register is maintained over time as compliance requirements change
Statistical measures of performance
Comments: Increase the statistical and qualitative information reported up to RM Cmtee / Snr Management (key risk issues)
Documents subject to regular review
Scheduled / unscheduled reviews
[Flowchart: Risk Management Policy; Risk Management Plan; Fraud Prevention Strategy; Internal Audit Committee; Management Plan; Incident Management; Insurance; Incident Investigation]
APPENDIX 8
Step 1
Conduct a risk assessment of the area. This should:
(a) include both natural (watercourses, cliffs) and built (playgrounds, sportsfields,
amenities) environments,
(b) be undertaken utilising steps 1 to 6 in the Statewide Best Practice Manual on
Signs as Remote Supervision to determine the Facility Visitation Rate and the
Risk Rating of identified hazards, and
(c) be documented utilising Council’s standard risk assessment template.
Step 2
Determine the risk control measures required to minimise the identified risks.
Step 3
Undertake a risk/benefit analysis of the risk control measures to determine whether the cost
of implementing the measure is justified by the benefit of having it in place. In determining
the benefits, consideration should be given to the likelihood and degree of any damage or
injury that may arise from the hazard and this should be weighed against the cost of
implementing the risk control measure.
Step 4
To further mitigate any risk, all organisations (including commercial operators, schools and
clubs) using Council open space should be required to produce Certificates of Currency for
their public liability insurance.