6.1 Risk Management Framework
13 November 2019
KEY ISSUES
• The Risk Management Framework has been updated to align with ISO
31000:2018 Risk management - Guidelines.
• While the process of risk management remains the same, changes to the risk
assessment and acceptance tools (matrices) are proposed.
• The Audit Committee, at its meeting held on 29 October 2019, endorsed the
review of and proposed amendments to POL-C-067 Risk Management and the
Risk Management Framework.
The Audit Committee recommends that the Council adopts the revised policy POL-C-067
Risk Management and the revised Risk Management Framework.
BACKGROUND
A review of policy POL-C-067 Risk Management and the Risk Management Framework
has been undertaken to align with the ISO 31000:2018 Risk management - Guidelines.
The Audit Committee, at its meeting held on 29 October 2019, endorsed the review of
and proposed amendments to POL-C-067 Risk Management and the Risk Management
Framework and resolved to submit to Council for adoption.
DETAILS
The purpose of reviewing policy POL-C-067 Risk Management and the Risk Management
Framework is to establish if the documents:
Policy Review
During the review of policy POL-C-067 Risk Management and the Risk Management
Framework, the following was identified.
• The AS/NZS ISO 31000:2009 standard has now been superseded by the AS/NZS ISO
31000:2018 standard.
• The principles of risk management have been reviewed, as these are the key
criteria for successful risk management.
• Both the policy and the Framework have now been reviewed against AS/NZS ISO
31000:2018.
Comparison of the current and revised policy

Current policy (AS/NZS ISO 31000:2009)

1. Objective
The City of Swan ("the City") is committed to organisation-wide risk management principles, systems and processes that deliver consistent, efficient and effective assessment of risks in planning, decision-making and operational processes.
This policy is to be read in conjunction with the City of Swan Risk Management Framework.

2. Definitions
Australian / New Zealand International Standard for Risk Management – Principles and guidelines (AS/NZS ISO 31000:2009) defines risk as "the effect of uncertainty on objectives."
A risk is often specified in terms of an event or circumstance and the consequences that may flow from it. An effect may be positive, negative, or a deviation from the expected. An objective may be strategic, community based, financial, related to health and safety, or defined in other terms.

3. Policy Statement
The City is committed to the principles, framework and process of managing risk as outlined in AS/NZS ISO 31000:2009.
The City will adopt the Framework provided in AS/NZS ISO 31000:2009 to the management of risk associated throughout the life of any process, activity, asset, operation or project of the City.

Revised policy (ISO 31000:2018)

1. PURPOSE
The City of Swan (the City) acknowledges its responsibility to effectively manage risk and to provide a Framework that assists decision makers to make informed choices, prioritise actions, and is integral as part of the responsibilities of management to increase efficiency in operations, governance and reputation.

2. OBJECTIVE
The objective of this policy is to clearly document the City's commitment to risk management and to ensure that identified and emerging risks are managed so that threats are reduced, and opportunities are maximised in a continuous, proactive and systematic organisation-wide process that contributes to the achievement of the City's corporate objectives.

3. DEFINITIONS
International Standard for Risk management – Guidelines (ISO 31000:2018) defines risk as "the effect of uncertainty on objectives."
Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.
An effect may be positive, negative, or a deviation from the expected.
Objectives can have different aspects and can be applied at different levels.

4. POLICY STATEMENT
a) The City recognises the importance of the development and provision of an effective Risk Management Framework and process to mitigate potential negative outcomes.
b) To ensure a best practice approach to risk management is employed, the Risk Management Framework will be developed and implemented in accordance with the risk management standard AS/NZS ISO 31000:2018 Risk management and will include systems to identify, treat, monitor, review and report risks across all of its operations.
Framework Review
During the review of the Risk Management Framework, the following changes to the steps of the risk management process were identified.
• Scope/Context/Criteria – No change.
• Risk Identification – No change.
• Risk Analysis
  • Consequence – The consequence descriptors for each impact category have been revised. Two rows of the tracked-changes table are recoverable here; where a cell carries two descriptors, the first is the previous wording and the second the revised wording.
    Minor (2): People – First aid injuries, routine industrial issues. Financial – $5,000 - $250,000. Reputation & External Stakeholders – Previous: Low impact, low profile, low media attention, possible complaint. Revised: Heightened concerns from localised group of residents, one off negative media attention, possible complaint. Service Delivery/Strategic Objectives – Short term temporary interruption, backlog cleared in <1 – 7 days. Minor setbacks that are easily remedied. Environment – Previous: A minor environmental event that can be corrected within one month under the control of the City. Revised: Minor damage or contamination, contained and reversible, short term effect on environment, no long term effect or short term negative impact on urban design, or loss of sense of place for part of area. Governance/Compliance – Identified breach of policy or process requiring additional work or minimal damage control, or legislation requirement. Internal investigation. Opportunistic incident involving several people.
    Higher consequence level (Financial $1,000,000 - $5,000,000): People – Lost time or severe injury. Staff turnover well above 20%, ongoing industrial action. Reputation & External Stakeholders – Previous: Damage to reputation, public embarrassment, high media attention, several public complaints, third party intervention. Revised: Significant outcry from public, damage to reputation, significant negative state level media attention, several public complaints or … Service Delivery/Strategic Objectives – Prolonged interruption of services, additional resources required; performance affected, issue resolved within <4 – 12 weeks. Some important objectives of the organisation cannot be met. Environment – Previous: A significant environmental event where rehabilitation involves multiple stakeholders and various levels of the community and government with an expected recovery time of between 1 and 5 years. Revised: Significant environmental impact, long term negative impact on urban design, or loss of sense of place for part of area. Governance/Compliance – Previous: Breach involving external investigation or third party actions resulting in tangible loss or reputation damage to the organisation. Revised: Major breach of contractual or statutory obligations resulting in significant legal action. External or third party investigation. Major one off fraud or corruption by a … Significant investigation with adverse findings.
  • Control Effectiveness – Represents the total effectiveness of the controls that act upon a particular risk. The way controls are assessed for effectiveness has been broadened to help management determine whether a control is designed and operating as intended.
  • Likelihood – The definitions for the likelihood of a risk occurring have been updated and simplified.
• Risk Evaluation
  • Target Level of Risk – The level of risk the City is willing to accept for each consequence/impact category. Risks with a higher People or Reputation impact should have a Low target risk score; risks with a Medium Financial or Service Delivery impact require a Medium target score.
  • Risk Acceptance – Previously, risk was accepted and managed on the basis of the risk score alone (Low, Medium, High etc.). Risk acceptance now also considers control effectiveness and the target level of risk for the impact category.
• Risk Treatment – In all cases, regardless of the risk rating, controls rated Inadequate or Partially Effective must have a treatment plan (action) to improve the control effectiveness. Where the rating is outside the target level, or is rated High or Extreme, treatment plans must be considered.
• Remaining steps of the process – No change.
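The rating, target-level and treatment-plan rules summarised in the bullets above, written out as a small decision procedure. This is an added worked example, not a tool the City of Swan uses; it assumes the Low 1-5 / Medium 6-10 / High 11-19 / Extreme 20-25 bands printed in the Framework's Risk Acceptance table, the only two target levels the report states (People and Reputation at Low, Financial and Service Delivery at Medium), and "Inadequate" as the control rating below "Partially Effective". The risk IDs, the sample assessments and the Medium target assigned to Environment are constructed for the example.

```python
"""Risk rating, target-level check and treatment-plan decision (added example).

Encodes the rules described in the review above:
  * score  = consequence (1-5) x likelihood (1-5), as in the Risk Matrix;
  * rating = Low 1-5 / Medium 6-10 / High 11-19 / Extreme 20-25, the bands
    printed in the Risk Acceptance table;
  * target level of risk per impact category: People and Reputation -> Low,
    Financial and Service Delivery -> Medium (the only ones stated);
  * treatment: Inadequate or Partially Effective controls always need a
    treatment plan; a rating above target, or High/Extreme, means a
    treatment plan must be considered.
Any impact category without a stated target must be given one explicitly.
"""
from dataclasses import dataclass, field
from typing import List, Optional

BANDS = ("Low", "Medium", "High", "Extreme")
BAND_UPPER = {"Low": 5, "Medium": 10, "High": 19, "Extreme": 25}

# Stated targets only; Environment and Governance/Compliance are deliberately absent.
TARGET_LEVEL = {
    "People": "Low",
    "Reputation": "Low",
    "Financial": "Medium",
    "Service Delivery": "Medium",
}

CONTROL_RATINGS = ("Effective", "Moderately Effective", "Partially Effective", "Inadequate")
NEEDS_TREATMENT = {"Partially Effective", "Inadequate"}


def risk_score(consequence: int, likelihood: int) -> int:
    """Risk Matrix score: consequence (1-5) multiplied by likelihood (1-5)."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return consequence * likelihood


def band(score: int) -> str:
    """Map a 1-25 score to its rating band using the acceptance-table ranges."""
    if score not in range(1, 26):
        raise ValueError(f"score must be 1-25, got {score!r}")
    return next(name for name in BANDS if score <= BAND_UPPER[name])


@dataclass
class Assessment:
    risk_id: str
    impact_category: str
    consequence: int
    likelihood: int
    control_effectiveness: str
    target_level: Optional[str] = None  # overrides TARGET_LEVEL when given


@dataclass
class Decision:
    score: int
    rating: str
    target: str
    within_target: bool
    treatment: str  # "required", "consider" or "none"
    reasons: List[str] = field(default_factory=list)


def evaluate(a: Assessment) -> Decision:
    """Rate the risk, compare it with its target level and apply the treatment rule."""
    if a.control_effectiveness not in CONTROL_RATINGS:
        raise ValueError(f"unknown control effectiveness {a.control_effectiveness!r}")
    target = a.target_level or TARGET_LEVEL.get(a.impact_category)
    if target not in BANDS:
        raise ValueError(f"no target level for {a.impact_category!r}; pass target_level")
    score = risk_score(a.consequence, a.likelihood)
    rating = band(score)
    within = BANDS.index(rating) <= BANDS.index(target)

    reasons: List[str] = []
    treatment = "none"
    # Rule 1: weak controls need a treatment plan regardless of the rating.
    if a.control_effectiveness in NEEDS_TREATMENT:
        treatment = "required"
        reasons.append(f"controls rated {a.control_effectiveness}")
    # Rule 2: outside target, or High/Extreme, a treatment plan must be considered.
    if not within:
        reasons.append(f"rating {rating} exceeds target {target}")
    if rating in ("High", "Extreme"):
        reasons.append(f"rating is {rating}")
    if reasons and treatment == "none":
        treatment = "consider"
    return Decision(score, rating, target, within, treatment, reasons)


# Constructed sample register; risk IDs and values are illustrative, not the City's.
SAMPLE_REGISTER = [
    Assessment("R-01", "People", 2, 2, "Effective"),
    Assessment("R-02", "Financial", 3, 3, "Partially Effective"),
    Assessment("R-03", "Reputation", 3, 4, "Effective"),
    # Environment has no stated target; "Medium" here is an assumption.
    Assessment("R-04", "Environment", 4, 5, "Moderately Effective", target_level="Medium"),
]


def evaluate_register(register=SAMPLE_REGISTER):
    """Evaluate every assessment and key the decisions by risk ID."""
    return {a.risk_id: evaluate(a) for a in register}


if __name__ == "__main__":
    for rid, d in evaluate_register().items():
        why = "; ".join(d.reasons) or "within target"
        print(f"{rid}: score {d.score:>2} {d.rating:<7} target {d.target:<6} "
              f"treatment={d.treatment} ({why})")
```

One caveat worth checking before adopting thresholds like these: the Risk Matrix cells reproduced later in this report colour a score of 5 as Medium and a score of 10 as High, which does not match the 1-5 Low and 6-10 Medium boundaries of the Risk Acceptance table. Whichever set is authoritative, derive the matrix colours from the same thresholds used for acceptance (here BAND_UPPER) so the two tables cannot drift apart.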
CONSULTATION
The Audit Committee, at its meeting held on 29 October 2019, endorsed the review of
and proposed amendments to POL-C-067 Risk Management and the Risk Management
Framework and resolved to submit to Council for adoption.
ATTACHMENTS
STRATEGIC IMPLICATIONS
STATUTORY IMPLICATIONS
Nil
FINANCIAL IMPLICATIONS
Nil
VOTING REQUIREMENTS
Simple majority
RECOMMENDATION
1) Adopt revised policy POL-C-067 Risk Management and the revised Risk
Management Framework.
CARRIED
Policy Review - Risk Management & Risk Management Framework (Attachment 2&0)
Council Policy
POL-C-067 Risk Management
1. PURPOSE
The City of Swan (the City) acknowledges its responsibility to effectively manage risk and
to provide a Framework that assists decision makers to make informed choices, prioritise
actions, and is integral as part of the responsibilities of management to increase efficiency
in operations, governance and reputation.
2. OBJECTIVE
The objective of this policy is to clearly document the City’s commitment to risk
management and to ensure that identified and emerging risks are managed so that threats
are reduced, and opportunities are maximised in a continuous, proactive and systematic
organisation-wide process that contributes to the achievement of the City's corporate
objectives.
3. DEFINITIONS
International Standard for Risk management – Guidelines (ISO 31000:2018) defines risk as
"the effect of uncertainty on objectives."
Risk is usually expressed in terms of risk sources, potential events, their consequences and
their likelihood.
An effect may be positive, negative, or a deviation from the expected.
Objectives can have different aspects and can be applied at different levels.
4. POLICY STATEMENT
h) The City will facilitate an Internal Audit function by providing resources required to
effectively review the City’s risks, internal controls (for both efficiency and
effectiveness), governance, performance and compliance. All internal audit activities
will remain free of undue influence. This will include scope of audit programs, the
frequency and timing of examinations and the content of internal audit reports.
Document Control
Document Approvals:
Version # | Council Adoption
1. Ordinary Meeting of Council 18/12/2002 - new policy adopted.
2. Ordinary Meeting of Council 05/09/2007 - revised policy adopted.
3. Ordinary Meeting of Council 24/02/2010 - revised policy adopted.
4. Ordinary Meeting of Council 22/05/2013 - revised policy adopted.
5. Ordinary Meeting of Council 10/09/2014 - policy adopted, no amendments.
6. Ordinary Meeting of Council 02/03/2016 - revised policy adopted.
Document Responsibilities
Custodian: Manager Governance and Strategy Custodian Unit: Governance and Strategy
Document Management:
Risk Rating: 3 Review Frequency: Biennial
Next Review: ECM Ref: 1400335
Compliance Requirements:
Legislation: Regulation 17 of the Local Government (Audit) Regulations 1996
Industry: ISO 31000:2018 Risk Management –Guidelines
Organisational: Risk Management Framework
Risk Management Process
Internal Audit Guideline
Control Assurance Guideline
Management Accountabilities
Executive Accountabilities
Strategic Community Plan: G2.1 Improve capability and capacity
Risk Management
Framework
CONTENTS
INTRODUCTION
FRAMEWORK OVERVIEW
RISK CULTURE
RISK POLICY
OPERATIONAL MODEL
REVIEW
OPERATING RELATIONSHIPS
ROLES, RESPONSIBILITIES AND ACCOUNTABILITIES
A: SCOPE, CONTEXT, CRITERIA
B: RISK IDENTIFICATION
C: RISK ANALYSIS
D: RISK EVALUATION
E: RISK TREATMENT
F: COMMUNICATION AND CONSULTATION
G: MONITORING AND REVIEW
H: RECORDING AND REPORTING
APPENDIX 2 – RISK MANAGEMENT IMPROVEMENT PLAN
APPENDIX 2A – ACTION PLAN
APPENDIX 3 – OPERATIONAL RISK THEMES
RISK MATRIX
LIKELIHOOD
CONTROL EFFECTIVENESS
RISK ACCEPTANCE
Policy Review - Risk Management & Risk Management Framework (Attachment 2&0)
INTRODUCTION
This Framework sets out the City's policy, strategy and approach to the identification, assessment, management, reporting and monitoring of risks. All components of this document are based on ISO 31000:2018 Risk management – Guidelines.
The Framework aims to balance a documented, structured and systematic process with the current size and complexity of the City along with existing time, resource and workload pressures.
It is essential that all areas of the City adopt this Framework to ensure:
• Strong corporate governance;
• Compliance with relevant legislation, regulations and internal practices;
• Integrated planning and reporting requirements are met;
• Delivery of quality City services and major projects;
• Improved organisational performance and resilience; and
• Uncertainty and the effects on objectives are understood.
Figure 1: Relationship between the risk management principles (ISO 31000 clause 4), framework and process. Principles shown: Integrated, Comprehensive, Inclusive, Dynamic, Information, Human and cultural factors, Continual improvement. Framework components shown: Leadership and commitment; Integration, Design, Implementation, Evaluation, Improvement. Process shown: Scope/Context/Criteria; Risk assessment (Risk analysis, Risk evaluation); Risk treatment; Communication & consultation; Monitoring & review.
FRAMEWORK OVERVIEW
The City's Framework is a set of components that provide the foundation and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the City.
The foundations are captured in the Risk Management Policy which articulates the objectives and management commitment to managing all risks responsibly across all areas of the City's operations.
The organisational arrangements are captured in the:
• Operational Model – describes relationships and accountabilities;
• Risk Management Improvement Plan – sets out the implementation objectives and specific actions for the continual improvement of risk management over the next 12 months.
Figure 2: Components of the Framework shown: Culture; Operational Model; Risk Management (1. Risk Assessment & Acceptance Criteria, 2. Risk Management Process, 3. Risk Reporting); Risk Management Improvement Plan.

RISK CULTURE
Risk management is a vital business management practice that should be considered as part of everyday tasks and duties. To ensure the process is managed, it must always be demonstrated through the integrated planning and reporting process and embedded in all operational functions and services.
The Executive, Business Unit Managers and Leadership Team leaders will support and encourage a positive risk culture by:

RISK POLICY
• Commitment to resourcing the risk management functions;
• Performance measures; and
• Continual review and improvement of the policy.
OPERATIONAL MODEL
The City has adopted a 'three lines of defence' model to implement best practice risk management.
Figure: Three lines of defence, overseen by the Audit Committee.
• Operational Management (first line) – Manage risk (in agreed risk appetite).
• Risk Management (second line) – Provide timely, balanced information.
• Internal Audit (third line) – Offer independent oversight of first and second lines.

REVIEW
… Committee and will cover the reporting requirements in accordance with the Local Government (Audit) Regulations 1996.
• Support Council-driven effective corporate governance; and
• Monitor and review the appropriateness and effectiveness of the Risk Management Framework and improvement strategies.

OPERATING RELATIONSHIPS
The following diagram depicts the current operating structure for risk management in the City:
Figure 3: Diagram representing the City's operating relationships from a risk management perspective. Shown: Council; Audit Committee; External Audit (Auditor General); Chief Executive Officer; Internal Audit (appointed by the CEO) as the third line of defence; Governance & Strategy Business Unit as the second line of defence; Executive Management Team as the first line of defence.
RISK MANAGEMENT PROCESS
The risk management process is standardised across all areas of the City. The following diagram outlines this process, with the commentary that follows providing broad descriptions of each step.
Figure: Risk management process. Steps shown: Scope/Context/Criteria; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Recording and Reporting; with Communication and Consultation and Monitoring and Review running alongside every step.
A: SCOPE, CONTEXT, CRITERIA
The first step in the risk management process is to understand the scope, context and criteria in which the risks are to be assessed and what is being assessed. This forms two elements:

ORGANISATIONAL CRITERIA
This includes the Risk Assessment and Acceptance Criteria (Appendix 4) and any other tolerance tables as developed.
All risk assessments are to use these documents to ensure consistent and comparable risk information is developed and considered in planning and decision making processes.

SCOPE AND CONTEXT
To direct the identification of risks, the specific risk assessment context is to be determined prior to and used in the risk assessment process. For specific risk assessment purposes, the City has three levels of context:
1. STRATEGIC CONTEXT
…
• Direct refers to the risks that may arise as a result of project activity (i.e. impacting on process, resources or IT systems) which may prevent the City from meeting its objectives.
• Indirect refers to the risks which threaten the delivery of project outcomes.
It is also important to understand the key stakeholders who may need to be involved in the risk assessment.
Whilst risk management should form part of all projects, it is the responsibility of the Manager - Project Management to determine how risks are to be recorded as part of the management of the project.

B: RISK IDENTIFICATION
Once the context is determined, the next step is to identify the risk. This involves identification of what events or situations might affect key operations of the City in executing its strategy.
Risk sources can be internal or external. Having identified what might happen, we need to identify why it might happen. This is known as the risk cause.

C: RISK ANALYSIS
…
The consequence should be rated as the 'probable worst consequence' if the risk eventuated with existing controls in place. This is not the worst case scenario, but rather a qualitative judgement of the worst scenario that is probable or foreseeable.
The criteria for applying the relevant likelihood can be found in Appendix 4. See Risk Tip C - Likelihood.
STEP 4 – RISK RATING
Using the Risk Matrix, combine the measures of consequence and likelihood to determine the risk rating (Appendix 4).

D: RISK EVALUATION
Risk evaluation takes the risk rating and applies it to the Target Level of Risk Acceptance Matrix (Appendix 4) to determine whether the risk is at an acceptable level to the City. See Risk Tip D – Evaluation.

E: RISK TREATMENT
…

F: COMMUNICATION AND CONSULTATION
As risk is defined as the effect of uncertainty on objectives, consulting with relevant stakeholders assists in reducing uncertainty. Communicating these risks and the information surrounding the event sequence ensures decisions are based on the best available knowledge.

G: MONITORING AND REVIEW
It is essential to monitor and review the management of risks as changing circumstances may result in some risks increasing or decreasing in significance.
This is one of the most important steps in risk management, and central to providing assurance (First Line of Defence). It helps to ensure the risk management process is dynamic and responsive to change.
Risk owners are responsible for monitoring and reviewing risks, including controls.
STRATEGIC RISKS
Strategic risks are identified, assessed, owned and managed by the
Executive Management Team. The status of these risks must be
maintained in the City’s strategic risk profiles.
OPERATIONAL RISKS
Operational risks are identified, assessed, owned and managed by
Business Unit Managers. The status of these risks must be maintained
through individual Business Plans.
APPENDIX 1 - RISK MANAGEMENT POLICY

1. PURPOSE
The City of Swan (the City) acknowledges its responsibility to effectively manage risk and to provide a Framework that assists decision makers to make informed choices, prioritise actions, and is integral as part of the responsibilities of management to increase efficiency in operations, governance and reputation.

2. OBJECTIVE
The objective of this policy is to clearly document the City's commitment to risk management and to ensure that identified and emerging risks are managed so that threats are reduced, and opportunities are maximised in a continuous, proactive and systematic organisation-wide process that contributes to the achievement of the City's corporate objectives.

3. DEFINITIONS
International Standard for Risk management – Guidelines (ISO 31000:2018) defines risk as "the effect of uncertainty on objectives."
Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.
An effect may be positive, negative, or a deviation from the expected.
Objectives can have different aspects and can be applied at different levels.

4. POLICY STATEMENT
a) The City recognises the importance of the development and provision of an effective Risk Management Framework and process to mitigate potential negative outcomes.
b) To ensure a best practice approach to risk management is employed, the Risk Management Framework will be developed and implemented in accordance with the risk management standard AS/NZS ISO 31000:2018 Risk management and will include systems to identify, treat, monitor, review and report risks across all of its operations.
c) Risk Management will form part of the strategic, operational, project and line management responsibilities.
d) All risks are to be assessed according to the City's Risk Assessment and Acceptance Criteria to allow consistency and informed decision making. For operational requirements, such as projects, or to satisfy external stakeholder requirements, alternative risk assessment criteria may be used; however these cannot exceed the City's risk acceptance criteria and are to be noted in the individual risk assessment.
e) Council is committed to the concept of resourcing risk management and has appointed a dedicated Audit Committee to oversee the risk management process and strategic risks facing the City.
f) The Chief Executive Officer is responsible for the allocation of operational roles, responsibilities and accountabilities. These are documented in the Risk Management Framework.
g) All employees in the City have a role in risk management from the identification of risks to implementing risk treatments and …
h) The City will facilitate an Internal Audit function by providing resources required to effectively review the City's risks, internal controls (for both efficiency and effectiveness), governance, performance and compliance. All internal audit activities will remain free of undue influence. This will include scope of audit programs, the frequency and timing of examinations and the content of internal audit reports.
APPENDIX 2 - RISK MANAGEMENT IMPROVEMENT PLAN
In line with ISO 31000:2018 Risk management – Guidelines, the City has committed to the continuous improvement of risk management throughout all operations, strategic initiatives and project based activities.
This document sets out the continuous improvement strategy over the next 12 months.

FRAMEWORK IMPROVEMENTS
A risk management framework is defined as the set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.
The outcomes expected are:
• Integrating documentation components to allow specific focus on improving distinct areas.
• Ensuring that processes are aligned to the City's high level contexts of strategic, operational and project risk management.
• Defining the risk operating model.
• Providing clarity of roles and responsibilities.

EDUCATION AND AWARENESS
Effective risk management requires more than just a Framework; it requires a culture where proactive identification and management of risks is a part of daily processes and awareness is embedded throughout all levels of the City.
This will be achieved through:
• Championing of risk by the City's leadership structure. This includes behaviours such as ensuring that 'risk' forms part of meeting agendas for their teams and functional areas.
• Specific risk management training for Managers and other key staff which forms part of the individual and corporate learning and development framework.
• Ongoing assistance provided through the Risk Management Officer, including access to risk processes and guidance material on the intranet.
APPENDIX 2A – ACTION PLAN
Action | Responsibility
Framework Improvements
Complete review of all Framework components and have them adopted by Council. | CEO
Provide formal training for Managers on the Risk Management Framework and specific process requirements. | Risk Management Officer
Attend Business Unit risk workshops. | Risk Management Officer
Publish the Risk Management Framework on the intranet. | Risk Management Officer
Complete the Compliance Measurement requirements. | Risk Management Officer
Complete the Risk Framework Maturity Assessment. | Risk Management Officer
Complete the 'Review of the Risk Management Framework Report' and provide it to the Audit Committee. | Risk Management Officer
Review the Business Continuity Plan. | Risk Management Officer
Conduct City Business Continuity exercises. | Risk Management Officer

Requirement
Risks
• Strategic risk review workshops conducted at least annually and in line with the Annual Business Planning process.
• Operational risk review workshops conducted at least annually and in line with the Annual Business Planning process.
• Business Unit risk reviews (extreme/high risks) conducted at least quarterly.
Controls
Treatments
APPENDIX 3 – OPERATIONAL RISK THEMES

This includes:
• Key person dependencies without effective succession planning in place; and
• Industrial activity.
It does not include the Occupational Safety & Health Act (refer to "Safety and security") or any Employment Practices based legislation (refer to "Employment practices").
It does not include issues with the inappropriate use of the Plant, Equipment or Machinery. Refer to Misconduct.

FACILITIES / VENUES / EVENTS MANAGEMENT
Failure to effectively manage the day to day operations of facilities, venues and/or events.

ENVIRONMENTAL MANAGEMENT

Examples include:
• Incorrect planning, development or building advice;
• Incorrect health or environmental advice;
• Inconsistent messages or responses from staff and/or Councillors; and
• Any advice that is not consistent with legislative requirements or local laws.

INFRASTRUCTURE (INCLUDING COMMUNICATIONS)
… communication system or infrastructure causing the inability to continue business activities and provide services to the community. This may or may not result in IT Disaster Recovery Plans being invoked.
This also includes:

MISCONDUCT
Intentional activities intended to circumvent the Code of Conduct or activities in excess of authority, which circumvent endorsed policies, processes or delegated authority.
This does not include instances where it was not an intentional breach (refer to "Errors, Omissions or Delays").

SAFETY & SECURITY PRACTICES
Non-compliance with the Occupational Safety & Health Act, associated regulations and standards.
It is also the inability to ensure the physical security requirements of … carelessness.

Inadequate management of external Suppliers, Contractors, IT Vendors or Consultants engaged for core operations. This includes issues that arise from the ongoing supply of services or failures in contract management and monitoring processes.
RISK MATRIX
Consequence descriptors by impact category, followed by the risk rating (score and band) for each likelihood: Almost Certain (5), Likely (4), Possible (3), Unlikely (2), Rare (1).

Insignificant (1)
• People: Negligible injuries.
• Financial: <$5,000
• Reputation & External Stakeholders: Insignificant public comment or local media coverage, no complaint.
• Service Delivery/Strategic Objectives: Key services disrupted for up to half a day, usual scheduled interruptions. Negligible impact on objectives.
• Environment: Little impact, contained and reversible, no long term effect or short term negative impact on urban design, or loss of sense of place for part of area.
• Governance/Compliance: Minor breach of policy or process requiring approval or variance. Minor opportunistic incident involving a single person.
• Rating: 5 Medium | 4 Low | 3 Low | 2 Low | 1 Low

Minor (2)
• People: First aid injuries, routine industrial issues.
• Financial: $5,000 - $250,000
• Reputation & External Stakeholders: Heightened concerns from localised group of residents, one off negative media attention, possible complaint.
• Service Delivery/Strategic Objectives: Short term temporary interruption, backlog cleared in <1 – 7 days. Minor setbacks that are easily remedied.
• Environment: Minor damage or contamination, contained and reversible, short term effect on environment, no long term effect or short term negative impact on urban design, or loss of sense of place for part of area.
• Governance/Compliance: Breach of policy, process or legislation requirement. Internal investigation. Opportunistic incident involving several people.
• Rating: 10 High | 8 Medium | 6 Medium | 4 Low | 2 Low

Level 3
• People: … staff turnover slightly higher than 20%, one off industrial issues.
• Reputation & External Stakeholders: … from localised group of residents, negative media attention, possible complaint.
• Service Delivery/Strategic Objectives: … interruption, backlog cleared by additional resources in <2 – 4 weeks. Some of the organisation's objectives cannot be met.
• Environment: Medium term effects on environment, long term in recovery or long term negative impact on urban design, or loss of sense of place for part of area.
• Governance/Compliance: Breach of contractual or statutory obligations resulting in internal investigation, ongoing legal issues not easily addressed. Planned unethical action by one or more staff.
• Rating: 15 High | 12 High | 9 Medium | 6 Medium | 3 Low
Control effectiveness ratings (Rating / Foreseeable / Description):
Effective - There is no current scope for improvement.
  Documentation: Processes (Controls) fully documented, with accountable 'Control Owner'.
  Operating Effectiveness: Subject to ongoing monitoring and compliance to process is assured.
  Design Effectiveness: Reviewed and tested regularly.
Moderately Effective - There is some scope for improvement.
  Documentation: Processes (Controls) partially documented, with a clear 'control owner'.
  Operating Effectiveness: Limited monitoring, ad-hoc approach and compliance to process is generally in place.
  Design Effectiveness: Reviewed and tested, but not regularly.
Partially Effective - There is scope for improvement.
  Documentation: Processes (Controls) noted, no clear 'control owner'.
  Operating Effectiveness: Some monitoring, occasional compliance to process is reviewed.
  Design Effectiveness: Ad-hoc review or testing, when an issue arises.

Likelihood ratings (Rating / Probability / Description / Indicative Frequency (times per year)):
Almost Certain - >75% - Is expected to occur in most circumstances - 5+ times
Likely - 51% - 75% - Is expected to occur more often than not - 1 - 5 times
Possible - 26% - 50% - Might occur at some time - 1
Unlikely - 5% - 25% - Will probably not occur in most circumstances - More than 0.5 and less than 1

RISK ACCEPTANCE
Target Level of Risk (Impact Category against Low 1-5, Medium 6-10, High 11-19, Extreme 20-25): rows for People and Financial survive, each marked with an X in one column; the remaining rows, the column positions of the marks and a responsibility entry ("B/Unit Manager ... monitoring.") are not recoverable from the page.
Risk Management Framework City of Swan
Policy Review - Risk Management & Risk Management Framework (Attachment 2&0)
www.swan.wa.gov.au
City of Swan
2 Midland Square Midland
PO Box 196 Midland WA 6936
9267 9267
POLICY
POL-C-067 - Risk Management
1 Objective
The City of Swan ("the City") is committed to organisation-wide risk management
principles, systems and processes that deliver consistent, efficient and effective
assessment of risks in planning, decision-making and operational processes.
This policy is to be read in conjunction with the City of Swan Risk Management
Framework.
2 Definition
The Australian / New Zealand International Standard for Risk Management – Principles and
guidelines (AS/NZS ISO 31000:2009) defines risk as “the effect of uncertainty on
objectives.”
expected. An objective may be strategic, community based, financial, related to health
and safety, or defined in other terms.
3 Policy Statement
The City is committed to the principles, framework and process of managing risk as
outlined in AS/NZS ISO 31000:2009.
The City will adopt the Framework provided in AS/NZS ISO 31000:2009 for the
management of risk throughout the life of any process, activity, asset,
operation or project of the City.
The Framework sets out a structure for managing risks to ensure that the City:
a) Has incorporated risk management into the corporate governance system and
management structure;
c) Develops and maintains the appropriate tools for the management of risk;
and
Page 1 of 4
Date Accessed - 09/03/2016
3.1 Responsibilities
3.1.1 Council
a) Is committed to the concept of resourcing risk management.
c) Critically analyses and follows up any internal or external audit report that raises
significant issues relating to risk management and reviews actions taken as a
result of the issues raised.
d) Monitors the risk exposure of the City by reviewing risk management processes
and management information systems.
3.1.3 Executive
a) Ensures that risk management is embedded in the operations and processes of
the organisation.
performance.
3.1.4 Employees
a) All employees, after appropriate training, will adopt the principles of risk
management and comply with all policies, processes and practices relating to
risk management.
b) All employees will alert management to the risks that exist within their area.
All internal audit activities will remain free of undue influence. This will include scope of
audit programs, the frequency and timing of examinations and the content of internal
audit reports.
The internal audit process is to provide independent advice and assurance to Council
and management that the policies, operations, systems and procedures designed to
mitigate the risks associated with the operations and management of the City:
b) Are carried out with optimum use of resources (economy and efficiency);
5 Performance Measurement
The Management Team, the Risk Management function and Internal Audit shall
measure the effectiveness of the Risk Management Framework in assisting the City to
achieve its strategic objective.
a) Audit ratings;
Governance References
Statutory Compliance: Nil.
Industry Compliance: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines; Risk Management Framework
Organisational Compliance: City of Swan Strategic Community Plan 2012-2022; KRA: Governance; G2.1 Improve capability and capacity
Decision Maker: Council
Process Links: Risk Management Process
Policy Administration
Business Unit: Governance
Name/Officer Title: Manager, Governance
Contact: 9267 9267
Risk Complexity Classification: 3
Review Frequency: 2018
Version Decision Reference Synopsis
1. OCM 18/12/02 New Policy adopted.
2. OCM 05/09/07-Pt.B-1.1 Policy Revision to align with new corporate approach.
3. OCM 24/02/10 Policy revised to reflect change of ISO standard.
Executive 29/11/12 Endorsed the policy review and proposed amendments.
4. Governance 30/04/13 Endorsed the policy review and proposed amendments.
OCM 22/05/13 Endorsed the policy review and proposed amendments.
Executive - 31/07/2014 Endorsed review of policy.
6.
Audit - 23/02/16 Endorsed the policy review and proposed amendments.
OCM - 02/03/16 Adopted the amended policy.
7.
CONTENTS
1 Introduction .............................................................................................................................................1
2 Purpose ....................................................................................................................................................1
3 Objective .................................................................................................................................................1
4 Definitions ...............................................................................................................................................1
5 Organisational Risk Management Context ..............................................................................................1
5.1 Internal Context .............................................................................................................................2
5.2 External Context ............................................................................................................................2
6 Integration into Strategic and Business Planning ....................................................................................2
7 Risk Management Roles and Responsibilities.........................................................................................2
8 Risk Acceptance/Tolerance .....................................................................................................................3
9 Internal Audit Link to Risk Management ................................................................................................3
10. Risk Management Process.......................................................................................................................4
10.1 Establishing the Context of an Individual Risk .............................................................................4
10.2 Risk Identification .........................................................................................................................4
10.2.1 Risk Breakdown Structure - Risk Categories ..........................................................5
10.2.2 Record the Risk........................................................................................................7
10.2.3 Cause of risk ............................................................................................................7
10.3 Risk Analysis.................................................................................................................................7
10.3.1 Determine Consequence ..........................................................................................8
10.3.2 Determine Likelihood ............................................................................................10
10.3.3 Level of Risk..........................................................................................................10
10.4 Risk Evaluation ...........................................................................................................................10
10.4.1 Overview of controls .............................................................................................10
10.4.2 Assessing Controls.................................................................................................11
10.5 Communication & Consultation ..................................................................................................12
10.6 Risk Treatment ............................................................................................................................12
10.6.1 Risk Treatment Options .........................................................................................14
10.7 Monitor and Review ....................................................................................................................14
1 Introduction
Risk Management is the culture, processes and the structures that are directed towards the
effective management of potential opportunities and adverse effects. The City of Swan is committed
to a formal structure and systematic risk management system.
The management of risk assists the City to meet the expectations of our customers and clients
whilst providing services that are of the highest level.
The management of risk delivers certainty for our customers, clients, councillors and employees.
We are better informed, more decisive and able to make decisions with confidence which will assist
us in achieving our strategic outcomes and objectives.
2 Purpose
The purpose of this framework is to:
• Establish risk management practices that support the City's strategic goals and objectives;
• Define the relationship between risk management and strategic and operational planning;
• Define the parameters and corporate approach to risk management;
• Define the roles and responsibilities, monitoring and reporting requirements for the management
of risks; and
• Support the City's governance and compliance requirements by ensuring areas of risk are
identified, assessed and managed to benefit the organisation.
3 Objective
The objective of this Framework is to provide the City and its employees with a comprehensive
approach to identify and manage risk. The Framework articulates the organisation’s commitment to
applying risk management processes which facilitate achievement of the City’s strategic and
operational objectives.
4 Definitions
Definitions applicable to risk management are detailed in the Glossary - See Appendix A.
Internal context relates to factors within the organisation that influence the way in which an
organisation manages risk. This reflects the organisation’s capabilities. Areas that may impact
include:
• Leadership
• Customers and Other Stakeholders
• Information and Knowledge
• People
• Process Management, Improvement and Innovation
• Strategy and Planning
• Results and Sustainable Performance
The risk management context for City of Swan is impacted by a range of external factors. These
may include:
• Policy
• Funding
• Legislative
• Economic
• Environmental
• Social
• Cultural
The City of Swan requires the capability to meet the community's expectations by building
efficiencies through an effective risk management system. Aligning the risk management systems to
the Strategic Community Plan and Corporate Business Planning assists in identifying both strategic
and operational risks that may affect the City's achievement of the agreed objectives.
The City uses risk management processes when making strategic decisions as follows:
• to identify strategic risks that require further controls in the form of risk mitigation strategies;
• to identify strategic risks that are dependent upon the effectiveness of existing controls;
• to identify strategic risks that are over controlled and for which control measures can be
reduced;
• to allocate resources to controls and risk mitigation strategies through close analysis and
comparison of objective and subjective measures of risk; and
• to assess changes to the organisational context which impact upon risk and therefore require
review of the City’s approach to strategies, risks and the control framework.
8 Risk Acceptance/Tolerance
The table below outlines the risk acceptance and tolerance levels for City operations and the levels
at which residual risk may be accepted and treated.
Figure 1 - Risk Acceptance Criteria/Tolerance
LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | RESPONSIBILITY
Acceptable (1-4, Low) | Risk acceptable with adequate controls, managed by routine procedures that are subject to annual review. | Staff members
Monitor (5-9, Medium) | Risk acceptable with adequate controls, managed by specific procedures that are subject to quarterly review. | Supervisor/Coordinator/Manager
Urgent Management Attention Required (10 - 19, High) | Risk acceptable with robust controls, and management supervision, subject to monthly monitoring. | Manager/Executive
Usually Unacceptable (20 - 25, Very High) | Risk only acceptable with excellent management controls and all treatment plans to be explored and implemented where possible, subject to continuous monitoring. | Executive/Council
When managing occupational safety and health risk, any risks rated as medium or low where the
To maximise the efficiency and effectiveness of the City's Internal Audit function the City produces a
Strategic Audit Plan which is based on the high risk areas within the organisation and those areas
that depend highly on controls. The Executive Management Team (EMT) is required to approve the
plan prior to Audit Committee approval.
During the audit process internal auditors review risk registers and advise the City on the following:
Based on the audit findings further risk mitigation strategies may be required.
Business Unit Managers are responsible for ensuring that approved actions and treatments are
dealt with within the timeframes recommended. Overdue items are escalated to the EMT and further
to the Audit Committee.
For additional information please view Strategic Audit Plan, Audit Committee Charter and Internal
Audit Processes.
General
The City’s risk management process is based on the Australian Standard AS/NZS ISO 31000:2009
and is set out in the diagram below.
The City’s approach to risk requires the consideration of all risks which could impact upon the
achievement of business objectives.
The process is ongoing: monitoring and review of all stages is critical, and ensuring that a periodic
review of risks and controls is in place is crucial to the success of the process.
Figure 2 - Risk Management Process
The context for each individual risk must be considered in relation to the City’s goals, objectives and
activities in order to effectively assess, analyse and treat risk.
The aim of the risk identification process is to generate a comprehensive list of events which may
affect the City’s objectives and operations. These risks are then considered in more detail, to
identify the potential impact of each risk.
Risk is the chance of something happening that will have an impact upon objectives. Risk is
measured in terms of a combination of the consequences of an event and their likelihood.
It is important to ensure risks are identified as events and are described in a way that they can be
treated.
Identification should include all risks, whether or not they are under the control of the City.
Inherent Risk: the risk which exists prior to and without the implementation of risk controls and risk reviews.
Residual Risk: the risk which remains after risk controls have been implemented.
Projected Risk: the risk which remains after treatments have been implemented.
Strategic risks are identified in relation to the impact they have on the City’s achievement of its
strategic objectives as set out in the Strategic Community Plan.
The Risk Breakdown Structure (RBS) (figure 3) provides a framework to categorise operational
risks, which are placed in a hierarchy organised by source.
Strategic risks are categorised into the red heading boxes. A strategic risk is something that is
outside the control of the City, arising in the environment within which the City is operating.
The impact of strategic risks on the City may force a change in our strategic direction.
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events.
The RBS demonstrates a cumulative effect of similar risks which allows the Executive Management
Team to respond to trending issues.
Once identified it is necessary to record and describe the risk so that it can be correctly analysed.
The method to be used for describing a risk within City is as follows:
[Figure: example risk description - risk event "Worker fails to wear safety equipment"; causes: lack of/ineffective training/induction; lack of/ineffective supervision]
Factors to consider:
• When - in what instances can the risk occur? Does the position pose a risk?
• Where - does location pose a risk?
Risks identified at a Business Unit level may have causes similar to those experienced in another
business unit; therefore a corporate wide risk strategy may be required to mitigate the risk.
The level of risk is identified at stage one of the process so that lower level risks can be excluded
from further, more detailed risk considerations. Although low risks may not be subject to further
mitigation, it is important that they are documented and added to the risk register to demonstrate the
completeness of the risk analysis.
Consequence can be described in a number of ways depending on category. The following list
describes some examples of consequence to the City:
• Human impact;
• Dollar cost;
• Damage to reputation and brand;
• Damage to property, assets;
• Harm to the environment;
• Strategy or loss of opportunity;
• Service delivery and meeting of customer expectations; and
• Regulatory or legal compliance.
Consequences are rated, in terms of severity, from severe to insignificant. To assist in determining
the level of consequence, the following table provides a summary of consequence and severity
ratings. In most instances consequence is relevant to a single risk category. However, where the
consequence applies to several categories the highest impact statement applies.
Consequence and severity ratings (Significant and Severe rows; the descriptors for each impact category are separated by semicolons):
Significant: Lost time or severe injury; $1,000,000 - $5,000,000; embarrassment, high media attention, several public complaints, third party intervention; services affected, additional resources required, issue resolved within <4 – 12 weeks; involves multiple stakeholders and various levels of the community and government with an expected recovery time of between 1 and 5 years; breach … or third party actions resulting in tangible loss or reputation damage to the organisation; 10-20% increase in time, or a reduction in the quality performance and scope that is unacceptable to sponsor.
Severe: Fatality or Disablement; >$5,000,000; irreversible damage to reputation, very high level of public embarrassment, very high media attention, many public complaints; indeterminate or very prolonged interruption of services that impacts on public safety and core services; a severe environmental event requiring multiple stakeholders, all levels of the community and government with an expected recovery time of greater than 5 years or where potentially it is irrecoverable; breach involving regulatory investigation and / or third party actions resulting in tangible loss or significant reputation damage to the organisation; >40% increase in cost; >20% increase in time or project end item is effectively useless in terms of quality and scope.
Unlikely - The event could occur at some time - At least once in 10 years - 10% - 40% chance of occurrence (P10-P40) - 1 in 100,000
Rare - The event may only occur in exceptional circumstances - Less than once in 20 years - Less than 10% chance of occurrence (P10) - 1 in 1,000,000
10.3.3 Level of Risk
The level of risk is determined, using the following matrix, at the point on the grid where likelihood
meets consequence. The level of risk is defined in a numerical rating which determines the criteria
for management of risk. See figure 1 Risk Acceptance Criteria/Tolerance table.
LIKELIHOOD \ CONSEQUENCES | Insignificant (1) | Minor (2) | Moderate (3) | Significant (4) | Severe (5)
Almost Certain (5) | Medium (5) | High (10) | High (15) | Very High (20) | Very High (25)
Likely (4) | Low (4) | Medium (8) | High (12) | High (16) | Very High (20)
Possible (3) | Low (3) | Medium (6) | Medium (9) | High (12) | High (15)
Unlikely (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10)
Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | Medium (5)
Controls are City policies, processes and systems developed and implemented that assist in
mitigating a risk.
Corporate governance practices within the City require a robust internal control system.
The existence and proper application of these and other controls assist the City to operate
efficiently, effectively and ethically.
The degree and effectiveness of existing controls over risks needs to be evaluated to allow a
definitive risk ranking process. These controls need to be identified clearly and their effectiveness
assessed.
Preventative Controls: These controls are aimed at preventing risk occurring in the first place. They include: plans, policies, procedures, Safe Work Method Statements etc.
Detective Controls: These controls are used to identify when a risk becomes an issue/incident. They include: audits, stocktakes and reviews, safety incident reports etc.
Mitigating Controls: These controls are aimed at minimising the consequences that arise from the issue/incident. They include: Business Continuity Plans and Disaster Recovery Plans, Personal Protective Equipment, insurance, outsourcing of risk etc.
Corrective Controls: Corrective controls restore the system or process back to the initial state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered the payment data.
Experience has demonstrated that there is a direct correlation between the effectiveness of an
existing control and the likelihood of the risk occurring (i.e. the more effective the control, the less
likely the risk is to occur) and/or the impact of the risk (i.e. non effective controls may increase the
impact).
The outcome of the evaluation should influence further analysis of the likelihood and potential
consequences of the risk.
Poor/Non-Existent: Will not have any effect in terms of reducing the likelihood and/or consequence of the risk.
Inadequate: Will have very little effect in terms of reducing the likelihood and/or consequence of the risk.
Satisfactory: Will have some effect in terms of reducing the likelihood and/or consequence of the risk.
Good: Will have a reasonably significant effect in terms of reducing the likelihood and/or consequence of the risk.
Excellent: Will significantly reduce the likelihood and/or consequence of the risk at all times.
Communication and consultation is a key factor in effective risk management, particularly as the
City's activities are diverse, complex and involve multiple stakeholders.
Regular communication and consultation adds value throughout the Risk Management Process:
Identification: … coherence, which is particularly relevant given the complexity and range of the activities undertaken within the City.
Analysis: Communication will often improve the understanding of risk. Involving others will enable the likelihood to be better determined; historical knowledge drawn from others is valuable.
Evaluation: A diversity of knowledge and experience is essential to achieve a balanced review of the controls and treatments in place.
Treatment: Experience and expertise are crucial in developing appropriate treatments that will be effective. Allocation of treatments to the most appropriate party either within or outside of the City can be established.
Risk treatment involves identifying a range of options for treating the risk, evaluating those options,
selecting the most effective treatment and preparing and implementing a risk treatment plan.
Where a risk is shared across business units, the treatment plan must be agreed and endorsed by
all relevant business unit managers.
Use the flowchart below together with the Risk Acceptance/Tolerance table (figure 1) in order to
arrive at the correct criteria for management of risk. Treatment options should be considered
weighing the cost of implementing against the potential benefit.
[Flowchart: Is the Risk Acceptable? YES → Accept → Monitor and Review. NO → Treatment Strategy (Reduce likelihood and/or consequence; Share - in part or fully; Avoid) → Recommend, Choose, Implement → Progress Reporting → Monitor and Review]
In actioning treatment plans the process should include:
• allocation of risk treatment responsibilities;
• approval or allocation of resources needed for treatment; and
Where treatment plans have long lead times, consideration should be given to implementing interim
measures and actions. Where treatment plans cannot be implemented at the time of approval,
There are four broad treatment options available for the mitigation of identified risks. These are
outlined below.
Treat - risk treatments that will reduce the likelihood and/or consequence of the risk are determined
and documented in a Risk Treatment Plan. The projected risk is recorded on the Risk Register in
CID.
All risk treatments must be assigned an owner. Upon completion of the risk treatments, the Risk
Register is updated to reflect completion of the treatment, the treatment is added as a control and
the residual risk is updated to reflect the projected risk rating.
Where a risk affects multiple business units, the business unit wherein the consequence is the
highest is the risk owner.
Transfer/Sharing - where a risk is applied to one business unit and its treatment is undertaken by a
different business unit, the managers must communicate regularly to ensure that mitigation
practices are effective and maintained.
Escalation - risk and treatment plans are escalated to the EMT by the Risk Management Officer
when:
• the residual risk is above the City’s tolerance;
• the risk treatment actions are outside the control of the City;
• shared risk owner/treatments cannot be agreed; or
• there are no further treatments to reduce the risk.
The EMT has authority and accountability to accept the risk on behalf of the organisation provided it
Accept/Retain - risk acceptance may only be undertaken (in line with the Risk Acceptance
• the level of the risk is so low that it does not warrant treatment; or
• risk treatment would cost more than the consequences of the risk (not just in dollar terms).
In order to ensure that treatment/controls remain effective and continue to meet the City’s Criteria
and Tolerance Level, regular review is essential.
Treatment items are monitored and completion progress reported within the City's Corporate
Information Database (CID) quarterly.
Treatment items not completed by their due dates are escalated via reporting to EMT.
Monitoring and review procedures form part of the risk management plan. As a guide, some
methods of review include:
It should be noted that when there is a significant change to circumstances, all risks should be
reviewed at that time.
10.7.3 Archiving Risks
Risks are archived when the risk no longer exists. Archiving is undertaken in consultation with the
Risk Management Officer. Risks may not be archived simply because no treatment is required or
treatments have already been implemented and the risk has reached its target level.
Appropriate approval is required according to the following table.
Each business unit has a Risk Register in which risks and individual treatment plans are recorded.
Risk Registers are reviewed annually by way of meetings scheduled by the Risk Management
Officer and conducted as part of the Business Planning Process.
In order to ensure the ongoing maintenance and effectiveness of risk management, a number of
reports are generated. The following reports present data captured from CID.
• Quarterly Risk Management Report - presented to EMT – reports on the progress of risk within
the organisation including the approval of escalated risks.
• Quarterly Risk Analysis Report - presented to EMT – reports on overdue treatment items.
• Internal Audit Register Open Items - presented to Audit Committee – progress report, reports
on completed, current and overdue audit items.
• Strategic Risk Register - presented to Audit Committee.
Business Continuity Planning (BCP) is an integral part of the City’s Risk Management Framework
and is undertaken to ensure that stakeholders and the community can rely on the continuation of
services from the City, during times of crisis.
The City has developed a BCP that identifies the processes and resources required to ensure that
critical objectives under a conceivable disaster are met.
f) Plan Validation
The steps are similar to, or an extension of, those used during the risk assessment and treatment
process.
BCP's are located on the risk intranet page and reviewed annually as part of overall risk
management.
Occupational Safety and Health is a distinct subset of risk management which has legislated risk
management functions that must be undertaken.
All Occupational Safety and Health controls must be determined in accordance with the hierarchy of
control. Elimination of the hazard is always the most effective control. Lower order controls such as
Administrative Controls and Personal Protective Equipment should always be considered in
conjunction with higher order controls such as Substitution and Engineering/Isolation.
Refer to the OSH intranet page for the Occupational Safety and Health Legislation relevant to risk
management.
11.3 Insurance
The City's insurance function is managed within the Financial Services and Rates business unit.
Risk Management is essential to assist in reducing the financial cost and liability exposure to the
City associated with insurance claims.
The City is required to assess the themes emerging with insurance claims and implement risk
treatment strategies which will assist in the mitigation of risks occurring that result in insurance
claims.
The assessment of risk management performance within the City is measured by assessing the
extent to which risk management is contributing to the achievement of the City's objectives and
outcomes.
Framework Administration
Governance References
Statutory Compliance: Local Government Act 1995
Industry Compliance: AS/NZS ISO 31000 Risk Management - Principles and Guidelines 2009
Organisational Compliance: City of Swan Strategic Community Plan 2012-2022; KRA: Governance; G2.1 Improve capability and capacity
Process Links: Risk Management Policy
Decision Maker: Executive

Framework Administration
Business Unit Name: Governance
Officer Title: Manager, Governance
Contact: 9267 9267
Risk Complexity Classification: 3
Review Frequency: Biennial
Next Due: 2018
1. Executive 28/01/2016 Approved Risk Management Framework.
List of Appendices
A - Risk Management Glossary
B - Roles and Responsibilities
C - Risk Breakdown Structure - Examples
Terms and Definitions
Assurance: A process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk. An evaluated opinion, based on evidence gained from review, on the organisation's governance, risk management and internal control framework.
Audit: The formal examination of the City's accounts, financial situation, internal controls, systems, policies and processes, and compliance with applicable terms, laws and regulations.
Compliance: A state of being in accordance with established internal rules, guidelines, policies, specifications, social ethics and norms, and legislation.
Consequence: The outcome of an event or change in circumstances affecting the achievement of objectives.
Controls: All the policies, procedures, practices and processes in place to provide reasonable assurance of the management of the City's risks.
Control Self-Assessment: A formal assurance activity whereby managers make a formal analysis of risks and controls and identify key controls that collectively confirm acceptable operation. These controls are then formally checked and reported on a regular basis.
Event: An occurrence or change of a particular set of circumstances.
Frequency: A measure of the rate of occurrence of an event, expressed as the number of occurrences of an event in a given time (see also Likelihood and Probability).
Hazard: A source of potential harm or a situation with a potential to cause loss.
Risk Management: Coordinated activities to direct and control the City with regard to risk.
Risk Management Process: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk Owner: The City officer with the accountability and authority to manage a risk.
Risk Register: Document used for recording the risk management process for identified risks.
Risk Sharing: Sharing with another party the burden of loss, or benefit of gain, from a particular risk.
Risk Source: Element which alone or in combination has the intrinsic potential to give rise to risk. A risk source can be tangible or intangible.
Risk Transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk, or part thereof, elsewhere.
Risk Treatment: Agreed action that has been identified to further mitigate a risk; once completed, the treatment will become a control.
Strategic Risk: Those risks that are holistic in nature, spread across the organisation and more appropriately managed at a corporate level.
The Standard: AS/NZS ISO 31000:2009, Risk Management – Principles and Guidelines, Standards Australia.
Council
• Approval of the Council policy for Risk Management; and
• Appointing a dedicated committee (Audit Committee) to oversee the risk management process and the significant risks facing the City.
Audit Committee
• Approval of the Risk Management Framework;
• Reviewing and approving the scope of the internal audit plan and program, as well as assessing the effectiveness of the function;
• Reviewing whether the internal audit plan systematically addresses internal controls over significant areas of risk, including non-financial management matters;
• Critically analysing and following up any internal or external audit report that raises significant issues relating to risk management, and reviewing management's response to, and actions taken as a result of, the issues raised; and
• Monitoring the risk exposure of the City by determining if management has appropriate risk management processes and adequate management information systems.
Executive
• Leadership of the Risk Management Framework;
• Ensuring that risk management frameworks and models are embedded in the operations and processes;
• Identifying and controlling strategic risks facing the City; and
• Continually monitoring the organisation's strategic and operational risk management performance.
Governance
• Development of the Risk Management Framework, including deployment and engagement processes;
• Delivery of relevant risk management training for all employees;
• Ensuring that the risk management reporting provides an effective overview of the significant risk exposures to the City of Swan and an understanding of the measures that are being taken to mitigate the identified risks; and
• Facilitating the escalation of risks that are outside the control of Business Unit Managers to ensure that these risks are acted upon appropriately.
Treatment Owners
• Day-to-day responsibility for the management of a particular treatment assigned to their role;
• Ensuring treatment actions are completed as specified in the treatment plan; and
• Ensuring treatment actions are progressing to completion in a timely manner.
All Employees
• Working in accordance with, and complying with, the City's Risk Management Framework;
• Attending and actively engaging with the City's risk management training; and
• Actively reporting identified risks and, where appropriate, implementing agreed treatments.