
RISK MANAGEMENT PLAN

Adopted May 2007


Last Revised October 2012

CONTENTS
SECTION TOPIC

1 SCOPE
2 APPLICATION OF RISK MANAGEMENT
3 DEFINITIONS
4 OBJECTIVES
5 RISK MANAGEMENT PROCESS
6 ROLES & ACCOUNTABILITIES
7 RISK ASSESSMENTS
8 RISK REGISTRATION, TREATMENT and REPORTING
9 REVIEW STRUCTURE
10 ASSOCIATED COUNCIL POLICIES and DOCUMENTS
Appendix 1 Risk Matrix and Risk Level Action indicators
Appendix 2 Indicative Measures of Consequence and Likelihood
Appendix 3 Fraud Prevention Strategy
Appendix 4 Generic Risk Register / Risk Assessment Template
Appendix 5 Generic Risk Treatment Schedule & Action Plan
Appendix 6 Risk Management Framework
Appendix 7 Flowchart of Integrated Risk Strategy
Appendix 8 Risk Management of Council Open Space

1. SCOPE
This policy applies to all areas of Council’s operations, and covers risk of financial
loss, injury to employees and/or members of the public, damage to equipment and
property, and loss of reputation.

2. APPLICATION OF RISK MANAGEMENT


The risk management process will apply to the following areas:
a) strategic, operational and business planning processes, including policy
development and project management;
b) asset management and resource planning;
c) management of ethics, fraud, security and probity issues;
d) business interruption and continuity management;
e) management of significant change issues – eg. organisational and technological
changes;
f) public risk and general liability risks;
g) workplace health and safety risks;
h) environmental management;
i) purchasing and contract management;
j) financial management and sustainability.

3. DEFINITIONS
Residual risk
The remaining level of risk after risk treatment measures have been taken into
account.
Risk
The chance of something happening that will have an impact upon objectives. It is
measured in terms of consequences and likelihood.
Risk acceptance
An informed decision to accept the consequences and the likelihood of a particular
risk.
Risk analysis
A systematic use of available information to determine how often specified events
may occur and the magnitude of their consequences.
Risk assessment
The overall process of risk analysis and risk evaluation.
Risk control
That part of risk management which involves the implementation of policies, protocols,
standards, procedures and physical changes to eliminate or minimise adverse risks.
Risk evaluation
The process used to determine risk management priorities by comparing the level of
risk against predetermined standards, target risk levels or other criteria.
Risk identification
The process of determining what can happen, why and how.
Risk management
The culture, processes and structures that are directed towards the effective
management of potential opportunities and adverse effects.
Risk management process
The systematic application of management policies, procedures and practices to the
tasks of establishing the context, identifying, analysing, evaluating, treating,
monitoring and communicating risk.
Risk treatment
Selection and implementation of appropriate options for dealing with risk.

4. OBJECTIVES:
The objectives of Council’s risk management action plan are to promote an integrated
risk management strategy and processes throughout Council. This integrated
process is illustrated in the flow chart attached as Appendix 7.
The integrated strategy will:
a) formalise and enhance existing risk management practices within Council;
b) demonstrate compliance with relevant legislation and regulatory requirements;
c) integrate the management of risk across key Council functions and areas of
responsibility;
d) raise the profile of risk management at all levels of Council, including elected
members;
e) reduce the cost of risk, including injury, cost of insurance premiums, damage
and loss to Council and the community;
f) develop and retain a risk register to facilitate the understanding of Council’s
risks;
g) demonstrate and promote good corporate governance;
h) improve community confidence and trust;
i) achieve a proactive approach to risk management, and
j) assist in ensuring Council’s financial sustainability.

5. RISK MANAGEMENT PROCESS


The main elements of the risk management process are the following:

5.1 Establish the Context


Establish the strategic, organizational and risk management context in which the rest of
the process will take place. Criteria against which risk will be evaluated should be
established and the structure of the analysis defined.

5.2 Identify Risks


Identify what, why and how things can arise as the basis for further analysis.

5.3 Analyse Risks


Determine the existing controls and analyse risks in terms of consequence and likelihood
in the context of those controls. The analysis should consider the range of potential
consequences and how likely those consequences are to occur. Consequence and
likelihood may be combined to produce an estimated level of risk.

5.4 Evaluate Risks


Compare estimated levels of risk against the pre-established criteria. This enables risks to
be ranked so as to identify management priorities. If the levels of risk established are low,
then risks may fall into an acceptable category and treatment may not be required.

5.5 Treat Risks


Accept and monitor low-priority risks. For other risks, develop and implement a specific
management plan which includes consideration of funding and introduces strategies to
ensure new risks are not introduced.

5.6 Monitor and Review


Monitor and review the performance of the risk management system and changes which
might affect the performance.

5.7 Communicate and Consult


Communicate and consult with internal and external stakeholders as appropriate at each
stage of the risk management process and concerning the process as a whole.

6. ROLES & ACCOUNTABILITIES

6.1 All Employees Generally


All staff have responsibilities for managing the risks in their activities and workplace
and are accountable through their individual work plans and within Council’s
Management Plan.
It is recognised that all Council staff are fully involved and best informed as to the
risks associated with their designated activities. All employees are required to
cooperate and be actively involved in the development and implementation of the
risk management program. This collaborative approach will ensure a quality system
delivering measurable outcomes.

6.2 General Manager


The General Manager is responsible for ensuring that a risk management system is
established, implemented and maintained in accordance with this policy, and for the
assignment of responsibilities in relation to risk management.

6.3 Deputy General Manager – Civil & Corporate


The Deputy General Manager – Civil & Corporate, being the Risk Manager, is
responsible for oversight of the risk management process and compliance with the Risk
Management Plan; for support of Management and their staff in implementing risk
management initiatives; for establishment of a Risk Register; for facilitating the
provision of training and education of Council employees; and status reporting to
senior staff in regards to risk profile and mitigation strategies.

6.4 Deputy General Manager – Environmental & Economic

The Deputy General Manager – Environmental & Economic is responsible for
facilitating and resourcing to enable that Group’s compliance with the Risk
Management Plan, measuring performance of staff against strategies in Council’s
Management Plan and KPIs in individual work plans.

6.5 Managers, Coordinators and Supervisors


Managers, Coordinators and Supervisors are responsible for the implementation of
the Risk Management Policy and Risk Management Plan within their respective
areas of responsibility. This includes the identification, assessment, recording and
reviewing of risks, establishment of controls through systems and processes and the
assignment and completion of risk control actions.
Managers will report to their Deputy General Manager on the status of the
implementation of their respective Risk Management Plan at their regular Manager’s
Meetings and refer matters to DGM when additional resourcing is required on an as
needs basis.
Where relevant, the achievement of risk management objectives should be included
in the performance agreements of Managers as KPIs.
6.6 Risk Management Committee
Council shall form a Risk Management Committee to:
(a) provide a holistic and strategic approach to risk management throughout
Council,
(b) identify areas of risk to Council’s operations and practices, prioritise those risks
and determine strategies for managing them,
(c) establish a risk management culture throughout Council,
(d) review Council’s insurances and its external incident management,
(e) work in conjunction with both Council’s Internal Audit Committee and the
Northern Rivers Risk Management Working Group, and
(f) ensure the effective auditing of Council’s risk management practices.
The membership of the Committee shall consist of:
• General Manager
• Deputy General Manager – Environmental & Economic
• Deputy General Manager – Civil & Corporate
• Manager Corporate Governance
• Manager Assets
• Manager Human Resources
• Manager Operations
• Manager Finance and Supply
• Manager Environment and Open Spaces
The Committee shall be responsible for:
(a) overseeing the development of a risk management culture in Council through
communication, information dissemination, workshops and training,
(b) overseeing the review and implementation of the Risk Management Policy and
this Plan in accordance with the framework set out in Appendix 6,
(c) overseeing the establishment of a Risk Register for Council,
(d) prioritising the risks identified in the Risk Register and developing a priority list,
(f) overseeing the development and updating of Council’s Business Continuity
Plan,
(g) reviewing the benchmarking of Council’s performance in risk management,
(h) reviewing Council’s insurances and its external incident management, and
(i) keeping the Executive and Council informed of changes in risk management.
The Committee shall meet four times in each calendar year.
7. RISK ASSESSMENTS
Council is committed to identifying and either eliminating or managing its risks.
All managers have a responsibility to involve their staff within this process.
General areas of risk, and specific hazards within these areas, for which risk
assessments are to be conducted and documented, have been identified and are
listed in Council’s Risk Register.

8. RISK REGISTRATION, TREATMENT AND REPORTING


The Risk Management Committee shall oversee the establishment of an electronic
Risk Register for Council on which all risk areas within Council shall be listed, together
with details of whether or not they are being, or have been, addressed.

The risk areas so identified shall be prioritised and assessed as resources permit.

The Register shall list all areas of risk that are yet to be addressed and shall be
updated annually by the Risk Management Committee.

Relevant staff will be trained to use the necessary tools to undertake risk
assessments. These tools may include:
• Risk assessment process
• Risk assessment template
• RiskeMAP and/or other risk registers
The risk assessment process is defined in the form of a detailed flowchart which
includes the following:
• Identify the item to be assessed
• Establish the consultation group
• Identify the hazard/risks and existing controls
• Undertake risk rating
• Identify if required, additional controls/actions
• Sign off or acceptance by DGM.
• Allocate action/controls and schedule review period
• Review assessment

Risk assessments should be conducted utilising the templates in Appendix 4 and
Appendix 5 and the Matrix in Appendix 1, with the information transposed into
RiskeMAP where appropriate.

9. REVIEW STRUCTURE
The Committee shall review the Risk Management Policy and this Plan annually and
recommend to the Executive any changes to it.
The respective risk assessments will be reviewed in accordance with the scheduled
review identified for each assessment. This review will vary from six months to a
maximum of 3 years depending on the level of risk.
Unplanned reviews may be triggered by incident, new technology,
legislation/regulation changes, and variation in resources or community use/demand.
All reviews will take into account hazard and incident reports, complaints and any
other information affecting the risk.

10. ASSOCIATED COUNCIL POLICIES AND DOCUMENTS


Clarence Valley Council Delivery Program and Operational Plan
Fraud Control Policy
Risk Register
OH&S Policy
Hazard/Incident Reports
Business Continuity Plan
OH&S Protocols
Safe Work Method Statements
Asset Management Policy
Asset Management Strategy
Individual Asset Management Plans

Appendix 1 Risk Definition and Classification


Risk Analysis Matrix

| Likelihood \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Extreme | Extreme |
| Likely | Medium | Medium | High | High | Extreme |
| Possible | Low | Medium | High | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Medium | Medium | High |

Adapted from Australian Standard on Risk Management AS/NZS 4360:2004

Risk Level Action

| Risk Level | Action Required |
|---|---|
| Extreme Risk | Develop specific Management Plan for immediate implementation to address extreme risks. Allocate actions and budget for implementation within one month. Report immediately to Senior Management; regular internal reporting required. |
| High Risk | Develop and implement a specific Management Plan for high risks. Allocate actions and budget to minimise risk; monitor implementation. Report to Senior Management within one month; regular internal reporting required. |
| Medium Risk | Develop and implement a specific Management Plan for medium risks. Allocate actions and budget to minimise risk where existing controls deemed inadequate; monitor implementation. Report to Senior Management within the quarter; Management to consider additional controls; report within the quarter. |
| Low Risk | Accept and Monitor low-priority risks. Manage via routine procedures where possible; Monitor via normal internal reporting mechanisms. |
Appendix 2 Indicative Measures of Consequence and Likelihood
The measures of consequence and the measures of likelihood can be used to assist in determination of Council’s risk appetite. The measures are indicative
only.

Measures of Consequence

| Category | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Environment | Minimal environmental impact; isolated release only | Minor environmental impact; on-site release immediately controlled | Significant environmental impact; on-site release contained with assistance | Major environmental impact; release spreading off-site; contained with external assistance | Fatalities occur; extensive release off-site; requires long term remediation |
| Financial | Negligible financial loss ($10 000), no impact on program or business operation | Minor financial loss ($10000-$50000); minimal impact on program or business operation | Significant financial loss ($50000-$500 000); considerable impact on program or business operations | Major financial loss ($500 000-$1M); severe impact on program or business operation | Extensive financial loss ($1M+); loss of program or business operation |
| OHS | First aid only required | Minor medical treatment with or without potential for loss time. | Significant injury involving medical treatment or hospitalisation and loss time | Individual fatality or serious long term injury | Multiple fatalities or extensive long term injury |
| Professional Indemnity | Only ever occurs under exceptional circumstances | Conceivable but not likely to occur under normal operations; no evidence of previous incidents | Not generally expected to occur but may under specific circumstances | Will probably occur at some stage based on evidence of previous incidents | Event expected to occur most times during normal operations |
| Public Liability | First aid only required; minimal loss to organisation | Some medical treatment required; medium loss to organisation | Significant injury involving medical treatment or hospitalisation; high loss to organisation | Severe injuries or fatalities to individual; very high loss to organisation | Multiple fatalities or extensive long term injuries; worst case loss to organisation |
| Property and Infrastructure | Isolated or minimal loss; short term impact; repairable through normal operations | Minor loss with limited downtime; short term impact; mostly repairable through normal operations | Significant loss with temporary disruption of services; medium term impact on organisation | Critical loss or event requiring replacement of property or infrastructure; long term impact on organisation | Disaster with extensive loss and long term consequences; threat to viability of service or operation |
| Reputation | Isolated, internal or minimal adverse attention or complaint | Heightened local community concern or criticism | Significant public criticism with or without media attention | Serious public or media outcry, broad media attention | Extensive public outcry, potential national media attention |
| Natural Hazards | Minimal physical or environmental impact; isolated hazard only; dealt with through normal operations | Minor physical or environmental impact, hazards immediately controlled with local resources | Significant physical or environmental impact; hazards contained with assistance of external resources | Major physical or environmental impact; hazard extending off-site; external services required to manage | Extensive physical or environmental impact extending off-site; managed by external services; long term remediation required |
| Information Technology | No measurable operational impact to organisation | Minor downtime or outage in single area of organisation; addressed with local management and resources | Significant downtime or outage in multiple areas of organisation; substantial management required and local resources | Loss of critical functions across multiple areas of organisation; long term outage; extensive management required and extensive resources | Extensive and total loss of functions across organisation; disaster management required |
| Political and Governance | Isolated non-compliance or breach; minimal failure of internal controls managed by normal operations | Contained non-compliance or breach with short term significance; some impact on normal operations | Serious breach involving statutory authorities or investigation; significant failure of internal controls; adverse publicity at local level | Major breach with formal inquiry; critical failure of internal controls; widespread adverse publicity | Extensive breach involving multiple individuals; potential litigation; viability of organisation threatened |
| Industrial Relations | Isolated, internal or minimal impact on staff morale or performance; minimal loss to organisation | Contained impact on staff morale or performance of short term significance; medium loss to organisation | Significant impact on staff morale or performance of medium term significance; significant loss to organisation | Major impact on staff morale or performance with long term significance; very high loss to organisation | Extensive impact on organisational morale or performance; threat to viability of program or service |
| Contractual and Legal | Isolated non-compliance or breach; negligible financial impact | Contained non-compliance or breach with short term significance and minor financial impact | Serious breach involving statutory authority or investigation; prosecution possible with significant financial impact | Major breach with fines and litigation; long term significance and major financial impact | Extensive fines and litigation with possible class action; threat to viability of program or service. |

Measures of Likelihood

| Category | Rare | Unlikely | Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Environment; Financial; OHS; Professional Indemnity; Public liability; Property and Infrastructure; Reputation; Natural Hazards; Information Technology; Political and Governance; Industrial relations; Contractual and Legal | Only ever occurs under exceptional circumstances | Conceivable but not likely to occur under normal operations; no evidence of previous incidents | Not generally expected to occur but may under specific circumstances | Will probably occur at some stage based on evidence of previous incidents | Event expected to occur most times during normal operations |

Appendix 3 FRAUD PREVENTION STRATEGY
INTRODUCTION

Council’s Mission Statement states:

We co-operatively plan for and achieve:

• protection of ecological systems
• positive social and community development
• cultural diversity, expression and creativity
• economic prosperity and efficient resource use
• quality human habitat and essential services and
• protection of our valuable natural and cultural heritage

through supportive, accountable and participatory decision-making management and action
that actively involves the wider community.

These values are reflected throughout Council’s Integrated Planning documents and the
concepts of economic prosperity and efficient resource use combined with accountability set
the framework for this Strategy.

Council’s Fraud Control Policy provides that Council is committed to fostering an
environment that discourages fraud and encourages fraud prevention.

Fraud prevention is concerned ultimately with the effective utilisation of resources and the
minimization of waste, mismanagement and fraud.

Council is committed to preventing fraud at its origin. Fraud flourishes in an environment
where there are insufficient controls to prevent waste, abuse and mismanagement.

Council believes that an emphasis on fraud prevention rather than fraud investigation will
lead to a reduction of these opportunities for waste, abuse and mismanagement.

To this end, Council is committed to the following strategy:

(a) visible and unambiguous decision making by Council and staff,

(b) the promotion of its fraud prevention principles in the community to ensure that there
is awareness that Council will not tolerate fraudulent acts against Council by
contractors, suppliers or members of the public,

(c) the General Manager developing and implementing fraud management strategies to
cultivate a culture of fraud prevention among staff within Council,

(d) encouraging the reporting of instances of fraud and corruption within Council,
including the adoption and dissemination of an Internal Reporting Policy, and

(e) maintaining policies that promote ethical conduct by Councillors, staff and
those who deal with Council.

Council will implement that strategy as set out in this document.



Procedures

Council will manage fraud by:

• Maintaining an effective system of internal controls and compliance with those controls

• Regularly, including through its Internal Audit Committee, undertaking fraud risk assessments and
audits to identify opportunities for fraud and implementing prevention and minimisation procedures in
day to day operations.

• Establishing formal procedures for the investigation of allegations of dishonest and/or fraudulent
behaviour.

• Reacting appropriately to situations where fraud allegations are proven to be true. This may include
taking disciplinary action, pressing criminal charges or referring to outside agencies.

• Where appropriate and as a deterrent, publicising throughout Council proven cases of fraudulent or
corrupt conduct and the disciplinary action taken.

• Ensuring all staff have a copy of Council’s Code of Conduct, are aware of their obligations to act
honestly and to report fraudulent and corrupt conduct, and are adequately trained.

• Cultivating and maintaining an environment in which dishonest conduct by staff is actively discouraged.

Recognising Fraudulent and Corrupt Conduct.

There are a number of signals which may assist staff in identifying fraud and corrupt
conduct, including:

• Unauthorised changes to systems or work practices
• Alteration of documents such as file notes, log books, timesheets, etc
• Missing documentation or a lack of record keeping
• Staff evidently living beyond their means
• Staff who do not take holidays for extended periods
• Illogical excuses given by staff for unusual actions or occurrences
• Potential conflicts of interest not declared
• Councillors attempting to direct or influence staff in the exercise of their duties
• Staff attempting to influence other staff to act contrary to Council policy or procedures or to act illegally
• Undue secrecy

Particular areas of risk for Council include:

• Conflicts of interest
• Gifts and benefits
• Storage of information
• Recruitment
• Purchasing and tendering
• Development applications
• Cash handling
• Delegations
• Timesheets
• Use of Council resources
• Stock control

Each of these risks, and the controls adopted by Council, are addressed in Council’s Risk
Register.

Reporting

Council’s Internal Reporting Policy provides a confidential means by which staff can report
fraud and corrupt conduct and secure protection from reprisal via the provisions of the
Protected Disclosures legislation.

FRAUD PREVENTION STRATEGY

IMPLEMENTATION

| Strategy | Action | Action date | Review date |
|---|---|---|---|
| Visible and unambiguous decision making by Council and staff | Council meetings to be conducted in accordance with the Code of Meeting Practice and the Local Government Act and Regs | | |
| | Whenever possible, Council meetings will be open to the public | | |
| | Council will provide reasons for all resolutions at Council meetings | | |
| | All staff decisions are to be documented and reasons provided | | |
| Promotion of its fraud prevention principles in the community | Statement of Business Ethics brochure prepared | | |
| | Brochure sent out to all suppliers and with all requests for tender or quote | | |
| General Manager developing and implementing fraud management strategies | An effective system of internal controls to be established and maintained via | | |
| | Internal Audit Committee (IAC), including community members, to be established | | |
| | IAC to arrange annual external audits of internal controls | | |
| Encouraging the reporting of instances of fraud and corruption within Council | Internal Reporting Policy and Procedures adopted | | |
| | Protected Disclosure Officers appointed | | |
| | Staff regularly advised of Policy and encouraged to report corrupt conduct | | |
| Maintaining policies that promote ethical conduct | Code of Conduct | | |
| | Gifts and Benefits Policy | | |
| | Fraud Control Policy | | |
| | Internal Reporting Policy | | |
| | Policy on Use of Corporate Credit Cards | | |
| | Policy on Disposal of Council Assets | | |
| | Enforcement Policy | | |

STAFF RESPONSIBILITY STRUCTURE

General Manager
• Culture
• Policy and Strategy
• Business Risk
• Corporate Governance
• Compliance (legislative, regulatory, community)
• Internal Audit
• Corporate image

DGMs and Managers
• Lead by example - be a role model for ethical conduct both in the workplace and with third parties
• Develop and implement fraud and corruption prevention strategies for their Section
• Identify and mitigate actual and potential corruption risks in their Section
• Monitor and review the effectiveness of mechanisms (including procedures) implemented to minimise and detect corruption
• Promote and encourage the reporting of corrupt conduct and ensure staff are aware of how to report such conduct and of their rights under the Internal Reporting Policy

Coordinators and Team Leaders
• Promote awareness of ethical conduct and mechanisms to prevent corruption
• Provide input to policies, procedures and instructions that relate to areas of risk
• Ensure their staff are aware of corruption reporting mechanisms
• Set the standard for ethical behaviour in the workplace
• Monitor potential corruption risks

Employees
• Behave ethically
• Comply with Code of Conduct
• Report suspected incidents of fraud and corruption
• Comply with fraud and corruption prevention controls and procedures
Appendix 4 Generic Risk Register / Risk Assessment Template

Identifying and Analysing Risks


Organisation / Department: …………………………………………………… Date of Review: ……………………………………….
Function / Activity / Planning Task: ………………………………………….. Compiled By: …………………………………………..
Next Review Date: …………………………………….

| Ref # | Category (eg. OHS, PL) | Hazard (Source of risk?) | Hazard / Risk Description (What can happen?) | Existing Controls (Measures already in place?) | Impact: Consequence | Impact: Likelihood | Risk Rating (As per Matrix) |
|---|---|---|---|---|---|---|---|
| | | | | | | | |
Appendix 5 Generic Risk Treatment Schedule and Action Plan Template

Risk Treatment Schedule and Action Plan

Date of Review ……………………………

Name of Organisation ……………………………………… Compiled by …………………………….

Function / Activity ……………………………………… Reviewed by …..…………………………

| RISK REFERENCE | POTENTIAL TREATMENT OPTIONS | COSTS & BENEFITS | IS THE TREATMENT TO BE IMPLEMENTED (Y / N) | TARGET RISK LEVEL: CONSEQUENCE | TARGET RISK LEVEL: LIKELIHOOD | TARGET RISK LEVEL: TARGET LEVEL | RESPONSIBLE PERSON | TIMETABLE for implementation | MONITORING strategies to measure effectiveness of Risk Treatments |
|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | |
Appendix 6: Risk Management Framework
# Elements Comments:
1 CONTEXT

Element: Clear framework and strategy (goals)
Comments: Senior Management Team to develop organisational goals / set context for program.

Element: Aligned to organisational objectives
Comments: Communicate strategy required of operational areas

Element: Understanding of organisational risk appetite
Comments: Articulate risk appetite for key risks via RM Plan

2 IDENTIFY

Element: Management commitment – sign off policy, set context
Comments: Risk Management Plan is documented form of this commitment

Element: Responsibility, accountability, authority – managers responsible for risk management within area of responsibility
Comments: Engage / involve all Managers in the risk management process through higher profile of RM Committee as a resource and monitoring body, and increased priority being placed on risk management activity by senior management.

Element: Steering committee / decision making group
Comments: Review current RM Committee structure / role, including linkage with Snr Management Team and OHS Cmtee

Element: Dedicated risk management personnel – as facilitators / resources
Comments: Train RM Cmtee to have broad scope and to become main vehicle for Managers to gain assistance for risk management initiatives

Element: Resource allocation – including budget / cost centres
Comments: Allocate funds (dedicated operating expense) to risk management projects – including access to external ‘experts’ as required

3 IDENTIFY

Element: Risk profiling process – broad identification of risk exposures (Enterprise RM philosophy – strategic)
Comments: Eg. undertake risk profiling sessions with all functional areas to determine at least 3 key areas for attention over next 12 months (repeat annually)

Element: Specific risk priorities set
Comments: Risk priorities are generally those with the highest risk ranking, although other priorities may be nominated as required. Priorities should be documented in an Action Plan.

Element: Risk Register
Comments: Adopt RiskeMAP as the tool for conducting risk assessments. Consider format of Risk Register and how risks are entered / assessed

4 ASSESS

Element: Risk management planning process (operational)
Comments: Encourage inter-departmental liaison on risk management issues – eg. through working parties on particular issues, via intranet forums, etc. Centralise strategy for management of significant risk issues (eg. volunteers, contractor management) but ensure wide internal consultation in development of strategy / protocols

Element: Hazard Identification, Incident Reporting, Incident Investigation
Comments: Ensure mechanisms exist for each and staff are trained in their responsibilities.

Element: Risk assessments (with feedback loop regarding new items plant, etc)
Comments: Ongoing Risk Assessment of Strategic and Operational threats / opportunities. Should be routinely conducted according to pre-determined points in the business cycle, or for key operational functions.

5 CONTROL

Element: Risk Treatment / Action Plan
Comments: Treatment / Action plans are designed to focus the organisation as to the items that are of most importance to their goals at that time. Action Plans may be developed at dept / function level or a single Action Plan can be developed for the organisation.

Element: Internal Controls: processes to support risk management mitigation; compliance driven / auditable. Eg. verifications, sign offs, escalations, position descriptions, purchasing & procurement processes, monthly reporting, customer feedback, trend analysis
Comments: Set up reporting lines for monitoring / review by RM Cmtee and senior management as appropriate

Element: Information dissemination / communication – access to information
Comments: A Communication Strategy should outline preferred methods of communication, including guidance to ensure communication occurs how and when the organisation deems appropriate.

Element: Document management system – storage, version control, etc
Comments: Should reflect and support the business needs of each department / section of Council.

Element: Training Needs Analysis / matching organisational skill set to risk mngt needs
Comments: Expand induction / intranet to reflect the expanded risk management focus – not just OHS

6 MONITOR

Element: Compliance activities – track / manage compliance
Comments: All compliance requirements for the Council should be identified and recorded on a register. A system should exist to ensure the register is maintained over time as compliance requirements change

Element: Statistical measures of performance; Documents subject to regular review; Scheduled / unscheduled reviews
Comments: Increase the statistical and qualitative information reported up to RM Cmtee / Snr Management (key risk issues)

Element: Audit function – internal / external
Comments: A schedule of audit activities should be developed according to the compliance needs determined by Council.

7 CULTURE

Element: Cross-enterprise implementation
Comments: Implementation of each of the elements above should be according to a planned roll-out, accompanied by clear demonstration of senior management commitment and support.

Element: Risk aware culture / integrated with business processes
Comments: Every staff member should understand their role in risk management, and confirm the relevance of risk management activities to their day-to-day responsibilities.

Element: Continuous Improvement
Comments: Mechanisms must exist to ensure that all monitoring and review activities are integrated into the planning activities of Council in order to continuously refine and improve the risk management arrangements of the organisation.

Appendix 7 – Flowchart of Integrated Risk Management Strategy


[Flowchart. Box labels as extracted: Risk Management Plan; Risk Management Policy; Risk Management Plan; Fraud Prevention Strategy; Internal Audit Committee; Management Plan; Northern Rivers Regional Risk Management Working Group; CVC Risk Management Committee; Performance Agreements (KPIs); Insurance; Incident Management; Incident Investigation. The connections between boxes are not recoverable.]

APPENDIX 8

RISK MANAGEMENT OF COUNCIL OPEN SPACE


(Parks, Reserves, Sportsgrounds, beaches)

Step 1
Conduct a risk assessment of the area. This should:

(a) include both natural (watercourses, cliffs) and built (playgrounds, sportsfields,
amenities) environments,
(b) be undertaken utilising steps 1 to 6 in the Statewide Best Practice Manual on
Signs as Remote Supervision to determine the Facility Visitation Rate and the
Risk Rating of identified hazards, and
(c) be documented utilising Council’s standard risk assessment template.

Step 2
Determine the risk control measures required to minimise the identified risks.

Step 3
Undertake a risk/benefit analysis of the risk control measures to determine whether the cost
of implementing the measure is justified by the benefit of having it in place. In determining
the benefits, consideration should be given to the likelihood and degree of any damage or
injury that may arise from the hazard and this should be weighed against the cost of
implementing the risk control measure.

Step 4
To further mitigate any risk, all organisations (including commercial operators, schools and
clubs) using Council open space should be required to produce Certificates of Currency for
their public liability insurance.
