
Ordinary Meeting of Council

13 November 2019

6.1 RISK MANAGEMENT FRAMEWORK

Ward: (No Wards) (Governance & Strategy)

Disclosure of Interest: Nil

Authorised Officer: (Chief Executive Officer)

KEY ISSUES

• The City is committed to the principles, framework and process of managing
risk as outlined in the Australian / New Zealand International Standard for Risk
Management (AS/NZS ISO 31000:2018).

• Council policy POL-C-067 Risk Management outlines the City's commitment to
risk management.

• The Risk Management Framework outlines the City's approach to risk
management and contains the operational detail.

• A review of policy POL-C-067 Risk Management and the Risk Management
Framework has been undertaken against the AS/NZS ISO 31000:2018 standard.

• Operational content in policy POL-C-067 Risk Management has been
transferred to the Risk Management Framework.

• The Risk Management Framework has been updated to align with ISO
31000:2018 Risk management - Guidelines.

• While the process of risk management remains the same, changes to the risk
assessment and acceptance tools (matrices) are proposed.

• The Audit Committee, at its meeting held on 29 October 2019, endorsed the
review of and proposed amendments to POL-C-067 Risk Management and the
Risk Management Framework.

The Audit Committee recommends that the Council adopts revised policy POL-C-067
Risk Management Framework and the revised Risk Management Framework.

BACKGROUND

Risk is the effect of uncertainty on objectives. A risk is often specified in terms of an
event or circumstance and the consequences that may flow from it. An effect may be
positive, negative, or a deviation from the expected. An objective may be strategic,
community based, financial, related to health and safety, or defined in other terms.

A review of policy POL-C-067 Risk Management and the Risk Management Framework
has been undertaken to align both documents with ISO 31000:2018 Risk management - Guidelines.

The Audit Committee, at its meeting held on 29 October 2019, endorsed the review of
and proposed amendments to POL-C-067 Risk Management and the Risk Management
Framework and resolved to submit to Council for adoption.

DETAILS

The purpose of reviewing policy POL-C-067 Risk Management and the Risk Management
Framework is to establish if the documents:

• remain aligned with relevant statutory, industry and organisational requirements;

• are achieving their objectives;

• work effectively and efficiently;

• are well supported by appropriate processes; and

• align with local government best practice.

Policy Review

During the review of policy POL-C-067 Risk Management and the Risk Management
Framework, the following was identified.

• The AS/NZS ISO 31000:2009 standard has now been superseded by the AS/NZS ISO
31000:2018 standard.

• Updates to the Standard include:

  • the principles of risk management have been reviewed, as these are the key
  criteria for successful risk management;

  • the importance of leadership by top management is highlighted, as is the
  integration of risk management, starting with the governance of the organisation;

  • greater emphasis is placed on the iterative nature of risk management, because
  new knowledge and analysis leads to revision of processes, actions and controls;
  and

  • the content is streamlined with greater focus on sustaining an open systems
  model to fit multiple needs and contexts.

• Both the policy and the Framework have now been reviewed against AS/NZS ISO
31000:2018.

• The review of policy POL-C-067 Risk Management identified that significant
amendments could be made, with a large proportion of the current operational
content being incorporated into the Risk Management Framework.

• The proposed amendments to the policy are as follows:

Current Policy

1. Objective
The City of Swan ("the City") is committed to organisation-wide risk management
principles, systems and processes that deliver consistent, efficient and effective
assessment of risks in planning, decision-making and operational processes.

This policy is to be read in conjunction with the City of Swan Risk Management
Framework.

2. Definitions
Australian / New Zealand International Standard for Risk Management – Principles and
guidelines (AS/NZS ISO 31000:2009) define risk as "the effect of uncertainty on
objectives."

A risk is often specified in terms of an event or circumstance and the consequences
that may flow from it. An effect may be positive, negative, or a deviation from the
expected. An objective may be strategic, community based, financial, related to health
and safety, or defined in other terms.

3. Policy Statement
The City is committed to the principles, framework and process of managing risk as
outlined in AS/NZS ISO 31000:2009.

The City will adopt the Framework provided in AS/NZS ISO 31000:2009 to the
management of risk associated throughout the life of any process, activity, asset,
operation or project of the City.

The Framework sets out a structure for managing risks to ensure that the City:
a) Has incorporated risk management into the corporate governance system and
management structure;
b) Has identified and applied appropriate strategies to manage significant risks,
including alignment of risk management and the internal audit process; and
c) Has developed effective and efficient risk management processes.

These objectives will be achieved by:
a) Continually and systematically understanding the risks to the City as it pursues
its strategic and operational objectives;
b) Developing a culture of risk awareness at all levels of the Organisation;
c) Developing and maintaining the appropriate tools for the management of risk; and
d) Ensuring robust, continuous, logical and systematic processes are implemented.

3.1 Responsibilities
3.1.1 Council
a) Is committed to the concept of resourcing risk management.
b) Appoints a dedicated committee (Audit Committee) to oversee the risk
management process and the strategic risks facing the City.
3.1.2 Audit Committee
a) Reviews and approves the scope of the internal audit plan and program as well
as assesses the effectiveness of the function.
b) Reviews whether the internal audit plan systematically addresses internal
controls over significant areas of risk, including non-financial risks.
c) Critically analyses and follows up any internal or external audit report that
raises significant issues relating to risk management and reviews actions taken
as a result of the issues raised.
d) Monitors the risk exposure of the City by reviewing risk management processes
and management information systems.
3.1.3 Executive
a) Ensures that risk management is embedded in the operations and processes of
the organisation.
b) Identifies and controls strategic risks facing the City.
c) Monitors the organisation's strategic and operational risk management
performance.
3.1.4 Employees
a) All employees, after appropriate training, will adopt the principles of risk
management and comply with all policies, processes and practices relating to
risk management.
b) All employees will alert management to the risks that exist within their area.
c) All employees will, as required, conduct risk assessments commensurate with the
scope of the task and the associated level of risk identified.

4 Internal Audit relationship with Risk Management
The City will facilitate an Internal Audit function by providing resources required to
effectively review the City's risks, internal controls (for both efficiency and
effectiveness), governance, performance and compliance.

All internal audit activities will remain free of undue influence. This will include
scope of audit programs, the frequency and timing of examinations and the content of
internal audit reports.

The internal audit process is to provide independent advice and assurance to Council
and management that the policies, operations, systems and procedures designed to
mitigate the risks associated with the operations and management of the City:
a) Comply with relevant legislation and standards (compliance);
b) Are carried out with optimum use of resources (economy and efficiency);
c) Achieve the objectives specified in Strategic and Operational Plans
(effectiveness);
d) Pro-actively reduces the Council's risk exposure; and
e) Promotes a culture of continuous improvement practices across Council.

5 Performance Measurement
The Management Team, the Risk Management function and Internal Audit shall measure
the effectiveness of the Risk Management Framework in assisting the City to achieve
its strategic objective.

Key measurement areas are:
a) Audit ratings;
b) Implementation of audit findings;
c) Achievement of risk control improvement;
d) Success of projects, events and major organisational change; and
e) Changes in risk ratings; and
f) Level of risk reduction.

Proposed Amendments

1. PURPOSE
The City of Swan (the City) acknowledges its responsibility to effectively manage risk
and to provide a Framework that assists decision makers to make informed choices,
prioritise actions, and is integral as part of the responsibilities of management to
increase efficiency in operations, governance and reputation.

2. OBJECTIVE
The objective of this policy is to clearly document the City’s commitment to risk
management and to ensure that identified and emerging risks are managed so that
threats are reduced, and opportunities are maximised in a continuous, proactive and
systematic organisation-wide process that contributes to the achievement of the
City’s corporate objectives.

3. DEFINITIONS
International Standard for Risk management – Guidelines (ISO 31000:2018) defines
risk as “the effect of uncertainty on objectives.”

Risk is usually expressed in terms of risk sources, potential events, their
consequences and their likelihood.

An effect may be positive, negative, or a deviation from the expected.

Objectives can have different aspects and can be applied at different levels.

4. POLICY STATEMENT
a) The City recognises the importance of the development and provision of an
effective Risk Management Framework and process to mitigate potential negative
outcomes.
b) To ensure a best practice approach to risk management is employed, the Risk
Management Framework will be developed and implemented in accordance with the
risk management standard AS/NZS ISO 31000:2018 Risk management and will include
systems to identify, treat, monitor, review and report risks across all of its
operations.
c) Risk Management will form part of the strategic, operational, project and line
management responsibilities.
d) All risks are to be assessed according to the City’s Risk Assessment and
Acceptance Criteria to allow consistency and informed decision making. For
operational requirements, such as projects, or to satisfy external stakeholder
requirements, alternative risk assessment criteria may be used; however these
cannot exceed the City’s risk acceptance criteria and are to be noted in the
individual risk assessment.
e) Council is committed to the concept of resourcing risk management and has
appointed a dedicated Audit Committee to oversee the risk management process and
strategic risks facing the City.
f) The Chief Executive Officer is responsible for the allocation of operational
roles, responsibilities and accountabilities. These are documented in the Risk
Management Framework.
g) All employees in the City have a role in risk management from the
identification of risks to implementing risk treatments and shall be invited and
encouraged to participate in the process.
h) The City will facilitate an Internal Audit function by providing resources
required to effectively review the City’s risks, internal controls (for both
efficiency and effectiveness), governance, performance and compliance. All
internal audit activities will remain free of undue influence. This will include
scope of audit programs, the frequency and timing of examinations and the content
of internal audit reports.

• The review of the Risk Management Framework identified the following:

• Scope/Context/Criteria

Risk Breakdown Structure - the categorising of risks (formerly the Risk Breakdown
Structure) has been replaced with Risk Themes typical of Local Government.

• Risk Identification

No change

• Risk Analysis - Control Effectiveness

Represents the total effectiveness of the controls that act upon a particular risk. How
controls are assessed for effectiveness has been broadened to assist management in
determining whether a control is designed and operating as intended.

• Risk Analysis - Consequence

To enable the acceptance or treatment of a risk, the potential consequence of the
risk must be understood. A risk that has a high reputation consequence may
require a rigorous treatment plan, as opposed to a risk with a less serious
consequence. Risk assessors are to consider each consequence description to
enable the assessment of risk to be complete.

In reviewing these definitions and descriptions, the City undertook
research, benchmarking and internal consultation, and sought advice from peers
within the local government industry, peak risk management bodies and the
City's insurance provider, LGIS, to determine best practice approaches to
aligning consequence descriptors with the City's operating environment.
Consequence definitions are to be updated as follows (additions underlined):

Consequence categories: Health & People; Financial; Reputation & External
Stakeholders; Operation (Service Delivery / Strategic Objectives); Environment;
Regulatory (Governance / Compliance).

Insignificant
Health & People: Negligible injuries.
Financial: <$5,000
Reputation & External Stakeholders: Low impact, with low profile and no complaint.
Insignificant public comment or local media coverage, no complaint.
Operation: No material service interruption, backlog cleared in 2 – 4 hours. Key
services disrupted for up to half a day, usual scheduled interruptions. Negligible
impact on objectives.
Environment: An insignificant environmental event that can be immediately corrected
under the control of the City. Little impact, contained and reversible, no long term
effect or short term negative impact on urban design, or loss of sense of place for
part of area.
Regulatory: Minor breach of policy or process requiring some response with little
impact on other criteria approval or variance. Minor opportunistic incident
involving a single person.

Minor
Health & People: First aid injuries, routine industrial issues.
Financial: $5,000 - $250,000
Reputation & External Stakeholders: Low impact, with low profile, low media
attention, possible complaint. Heightened concerns from localised group of
residents, one off negative media attention, possible complaint.
Operation: Short term temporary interruption, backlog cleared in <1 – 7 days. Minor
setbacks that are easily remedied.
Environment: A minor environmental event that can be corrected within one month
under the control of the City. Minor damage or contamination, contained and
reversible, short term effect on environment, no long term effect or short term
negative impact on urban design, or loss of sense of place for part of area.
Regulatory: Identified breach of policy or process requiring additional work or
minimal damage control or legislation requirement. Internal investigation.
Opportunistic incident involving several people.

Moderate
Health & People: Medically treated injuries. Staff turnover slightly higher than
20%, one off industrial issues.
Financial: $250,000 - $1,000,000
Reputation & External Stakeholders: Moderate impact, moderate media attention,
public complaint. Concerns from cross section of public, ongoing negative media
attention, public complaint.
Operation: Medium term temporary interruption, backlog cleared by additional
resources within <2 – 4 weeks. Some of the organisation’s objectives cannot be met.
Environment: A moderate environmental event that can be rehabilitated but requires
multiple stakeholder input. Expected recovery time of less than one year. Medium
term effects on environment, long term recovery or long term negative impact on
urban design, or loss of sense of place for part of area.
Regulatory: Breach requiring investigation, mediation or restitution. Breach of
contractual or statutory obligations resulting in internal investigation, ongoing
legal issues not easily addressed. Planned unethical action by one or more staff.

Significant
Health & People: Lost time or severe injury. Staff turnover well above 20%, ongoing
industrial action.
Financial: $1,000,000 - $5,000,000
Reputation & External Stakeholders: Damage to reputation, public embarrassment,
high media attention, several public complaints, third party intervention.
Significant outcry from public, damage to reputation, significant negative state
level media attention, several public complaints or on-going complaint.
Operation: Prolonged interruption of services, additional resources required;
performance affected, issue resolved within <4 – 12 weeks. Some important
objectives of the organisation cannot be met.
Environment: A significant environmental event where rehabilitation involves
multiple stakeholders and various levels of the community and government with an
expected recovery time of between 1 and 5 years. Significant environmental impact,
long term negative impact on urban design, or loss of sense of place for the whole
area.
Regulatory: Breach involving external investigation or third party actions
resulting in tangible loss or reputation damage to the organisation. Major breach
of contractual or statutory obligations resulting in significant legal action.
External or third party investigation. Major one off fraud or corruption by a
senior person.

Severe
Health & People: Fatality or Disablement. Sustained and serious industrial action,
loss of multiple staff at once.
Financial: >$5,000,000
Reputation & External Stakeholders: Irreversible damage to reputation, very high
level of public embarrassment, very high media attention, many public complaints.
Significant and widespread public outcry, sustained negative national media
attention, many public complaints or on-going heightened complaint.
Operation: Indeterminate prolonged interruption of services that impacts on public
safety and core services. Most of the organisation’s objectives cannot be met.
Environment: A severe environmental event requiring multiple stakeholders, all
levels of the community and government with an expected recovery time of greater
than 5 years or where potentially it is irrecoverable. Severe environmental harm or
permanent negative impact on urban design.
Regulatory: Breach involving regulatory investigation and / or third party actions
resulting in tangible loss or significant reputation damage to the organisation.
Serious breach of contractual or statutory obligations resulting in significant
prosecution and fines. External investigation and/or third party action. Systemic
fraud and corruption, major external investigation with adverse findings.

• Likelihood - The definitions for the likelihood of a risk occurring have been updated
and simplified.

• Risk Rating - Changed Very High to Extreme

• Risk Evaluation

• Target Level of Risk – The level of risk the City is willing to accept based on
the consequence/impact. Risks that have a higher people or reputation impact
should have a low risk score; risks with a medium financial or service delivery
impact require a medium score.

• Risk Acceptance – Previously risk was accepted and managed based on the
risk score alone - Low, Medium, High etc. Risk acceptance now also considers control
effectiveness and the target level of risk impact.

• Risk Treatment

In all cases, regardless of the risk rating, controls that are rated inadequate or
partially effective must have a treatment plan (action) to improve the control
effectiveness; or

If the rating is outside of the target level or rated high or extreme, treatment
plans must be considered.

• Communication and Consultation

No change

• Monitoring and Review

Control Assurance reviews conducted by the Risk Management Officer and the
Internal Auditor will monitor and review the effectiveness of controls throughout
the organisation; the results feed into the risk register.

• Recording and Reporting

No change - this will be updated following the implementation of Performance
Planning - OneCouncil.

CONSULTATION

Internal consultation was undertaken in conjunction with external benchmarking and
research.

The Audit Committee, at its meeting held on 29 October 2019, endorsed the review of
and proposed amendments to POL-C-067 Risk Management and the Risk Management
Framework and resolved to submit to Council for adoption.

ATTACHMENTS

Policy Review - Risk Management and Risk Management Framework 2019

STRATEGIC IMPLICATIONS

Strategic Community Plan (2017 - 2027):

Key Area: Governance

Outcome: G1 City of Swan is seen as a place to live, work and visit

Objective: G1.1: Provide accountable and transparent leadership

Outcome: G2 Optimise use of City resources

Objective: G2.1: Improve capability and capacity



STATUTORY IMPLICATIONS

Nil

FINANCIAL IMPLICATIONS

Nil

VOTING REQUIREMENTS

Simple majority

RECOMMENDATION

The Audit Committee recommends that the Council resolves to:

1) Adopt revised policy POL-C-067 Risk Management and the revised Risk
Management Framework.

CARRIED
Policy Review - Risk Management & Risk Management Framework (Attachment 2&0)

Council Policy
POL-C-067 Risk Management

1. PURPOSE
The City of Swan (the City) acknowledges its responsibility to effectively manage risk and
to provide a Framework that assists decision makers to make informed choices, prioritise
actions, and is integral as part of the responsibilities of management to increase efficiency
in operations, governance and reputation.

2. OBJECTIVE
The objective of this policy is to clearly document the City’s commitment to risk
management and to ensure that identified and emerging risks are managed so that threats
are reduced, and opportunities are maximised in a continuous, proactive and systematic
organisation-wide process that contributes to the achievement of the City’s corporate
objectives.

3. DEFINITIONS
International Standard for Risk management – Guidelines (ISO 31000:2018) defines risk as
“the effect of uncertainty on objectives.”
Risk is usually expressed in terms of risk sources, potential events, their consequences and
their likelihood.
An effect may be positive, negative, or a deviation from the expected.
Objectives can have different aspects and can be applied at different levels.

4. POLICY STATEMENT
a) The City recognises the importance of the development and provision of an effective
Risk Management Framework and process to mitigate potential negative outcomes.
b) To ensure a best practice approach to risk management is employed, the Risk
Management Framework will be developed and implemented in accordance with the
risk management standard AS/NZS ISO 31000:2018 Risk management and will include
systems to identify, treat, monitor, review and report risks across all of its operations.
c) Risk Management will form part of the strategic, operational, project and line
management responsibilities.
d) All risks are to be assessed according to the City’s Risk Assessment and Acceptance
Criteria to allow consistency and informed decision making. For operational
requirements, such as projects, or to satisfy external stakeholder requirements,
alternative risk assessment criteria may be used; however these cannot exceed the
City’s risk acceptance criteria and are to be noted in the individual risk assessment.
e) Council is committed to the concept of resourcing risk management and has appointed
a dedicated Audit Committee to oversee the risk management process and strategic
risks facing the City.
f) The Chief Executive Officer is responsible for the allocation of operational roles,
responsibilities and accountabilities. These are documented in the Risk Management
Framework.
g) All employees in the City have a role in risk management from the identification of risks
to implementing risk treatments and shall be invited and encouraged to participate in
the process.


h) The City will facilitate an Internal Audit function by providing resources required to
effectively review the City’s risks, internal controls (for both efficiency and
effectiveness), governance, performance and compliance. All internal audit activities
will remain free of undue influence. This will include scope of audit programs, the
frequency and timing of examinations and the content of internal audit reports.

Document Control
Document Approvals:
Version # / Council Adoption
1. Ordinary Meeting of Council 18/12/2002 - new policy adopted.
2. Ordinary Meeting of Council 05/09/2007 - revised policy adopted.
3. Ordinary Meeting of Council 24/02/2010 - revised policy adopted.
4. Ordinary Meeting of Council 22/05/2013 - revised policy adopted.
5. Ordinary Meeting of Council 10/09/2014 - policy adopted, no amendments.
6. Ordinary Meeting of Council 02/03/2016 - revised policy adopted.

Document Responsibilities
Custodian: Manager Governance and Strategy Custodian Unit: Governance and Strategy
Document Management:
Risk Rating: 3 Review Frequency: Biennial
Next Review: ECM Ref: 1400335
Compliance Requirements:
Legislation: Regulation 17 of the Local Government (Audit) Regulations 1996
Industry: ISO 31000:2018 Risk Management –Guidelines
Organisational: Risk Management Framework
Risk Management Process
Internal Audit Guideline
Control Assurance Guideline
Management Accountabilities
Executive Accountabilities
Strategic Community Plan: G2.1 Improve capability and capacity


Risk Management
Framework

STRATEGIC RISKS are those risks that apply to the City of Swan as a whole and could
adversely affect the achievement of our strategic outcomes and / or damage the
City’s reputation. These risks are managed by the Executive Management Team.

OPERATIONAL RISKS relate to the risks that may impact delivery of specific services
and programs and are managed by the relevant Business Unit.

CONTENTS
INTRODUCTION 2
FRAMEWORK OVERVIEW 3
RISK CULTURE 4
RISK POLICY 4
RISK MANAGEMENT IMPROVEMENT PLAN 4
OPERATIONAL MODEL 5
REVIEW 6
OPERATING RELATIONSHIPS 6
ROLES, RESPONSIBILITIES AND ACCOUNTABILITIES 6
RISK MANAGEMENT PROCESS 9
A: SCOPE, CONTEXT, CRITERIA 9
B: RISK IDENTIFICATION 9
C: RISK ANALYSIS 9
D: RISK EVALUATION 10
E: RISK TREATMENT 10
F: COMMUNICATION AND CONSULTATION 10
G: MONITORING AND REVIEW 10
H: RECORDING AND REPORTING 11
APPENDIX 1 - RISK MANAGEMENT POLICY 12
APPENDIX 2 - RISK MANAGEMENT IMPROVEMENT PLAN 14
APPENDIX 2A – ACTION PLAN 15
APPENDIX 2B – COMPLIANCE MEASURES 16
APPENDIX 3 – OPERATIONAL RISK THEMES 17
APPENDIX 4 – RISK ASSESSMENT 17
RISK MATRIX 21
LIKELIHOOD 21
CONTROL EFFECTIVENESS 21
RISK ACCEPTANCE 21

INTRODUCTION

This document provides an overview of the City of Swan’s (the City) Risk Management
Framework (the Framework).

It sets out the City’s policy, strategy and approach to the identification, assessment,
management, reporting and monitoring of risks. All components of this document are
based on ISO 31000:2018 Risk management – Guidelines.

This Framework aims to balance a documented, structured and systematic process with
the current size and complexity of the City along with existing time, resource and
workload pressures.

It is essential that all areas of the City adopt this Framework to ensure:
• Strong corporate governance;
• Compliance with relevant legislation, regulations and internal practices;
• Integrated planning and reporting requirements are met;
• Delivery of quality City services and major projects;
• Improved organisational performance and resilience; and
• Uncertainty and the effects on objectives are understood.

Figure 1: Relationship between the risk management principles, framework and process
(source: ISO 31000:2018). Principles (clause 4): value creation and protection;
integrated; structured and comprehensive; inclusive; dynamic; best available
information; human and cultural factors; continual improvement. Framework (clause 5):
leadership and commitment; integration; design; implementation; evaluation;
improvement. Process (clause 6): scope/context/criteria; risk assessment (risk
identification, risk analysis, risk evaluation); risk treatment; communication &
consultation; monitoring & review; recording & reporting.


FRAMEWORK OVERVIEW
The City’s Framework is a set of components that provide the foundation and
organisational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the City.

The foundations are captured in the Risk Management Policy which articulates the
objectives and management commitment to managing all risks responsibly across all
areas of the City’s operations.

The organisational arrangements are captured in the:

• Culture – A positive risk culture is one where every person in the City
understands that thinking about and managing risk is part of their job.

• Policy – The policy documents the City’s commitment to risk management to ensure
that identified and emerging risks are managed.

• Risk Management Improvement Plan – sets out the implementation objectives and
specific actions for the continual improvement of risk management over the next 12
months.

• Operational Model – describes relationships and accountabilities, including the
relevant reporting structure and the Framework review process.

• Risk Management Processes – contains the process, roles and responsibilities,
timings, and templates to adequately perform risk management activities in
accordance with the Policy.

The inter-relationship between the Framework components is displayed in Figure 2.

Figure 2: Diagram representing the City’s Risk Management Framework and interaction
with other frameworks. Culture surrounds the Risk Management Framework (Risk
Management Plan; Risk Management Policy; Operational Model; Risk Management:
1. Risk Assessment & Acceptance Criteria, 2. Risk Management Process, 3. Risk
Reporting) and other City frameworks, which together apply to strategic risks,
operational risks and project risks.


RISK CULTURE

Risk culture is defined as the impact of organisational culture on risk
management.

There are both formal and informal elements that influence culture:

• Formal – Governance systems provide processes through which
appropriate behaviours can be encouraged and supported, and
poor behaviours can be identified and acted upon.
• Informal – Expectations and behavioural norms through
demonstrated actions against the City’s values.

Risk management is a vital business management practice that
should be considered as part of everyday tasks and duties. To ensure
the process is managed, it must always be demonstrated through
the integrated planning and reporting process and embedded in all
operational functions and services.

The Executive, Business Unit Managers and Leadership Team leaders
will support and encourage a positive risk culture by:

• Empowering management and employees to manage risks
effectively;
• Acknowledging, rewarding and publicising good risk management to
promote positive learning outcomes;
• Encouraging discussion and analysis of unexpected results, both
positive and negative; and
• Committing to organisation-wide risk management principles,
systems and processes that deliver consistent, efficient and effective
assessment of risks in planning, decision-making and operational
processes.

All workers share in the collective responsibility to identify and
assess risks in the activities undertaken by the City.

RISK POLICY

The City is committed morally and financially to the concept and
resourcing of risk management. The policy states the outcome based
objectives and commitments to managing risks and contains the
following components:

• Rationale for managing risks;
• Linkage between the City’s objectives and other related policies;
• Accountabilities and responsibilities for managing risks;
• Conflicts of interests;
• Commitment to resourcing the risk management functions;
• Performance measures; and
• Continual review and improvement of the policy.

See Appendix 1 – Risk Management Policy on page 12

RISK MANAGEMENT IMPROVEMENT PLAN

The City strives for best practice in the management of risks and
will document and manage an improvement strategy over 12 month
intervals. There are currently two components to the strategy: technical
development and employee awareness, which are both aimed at
improving the maturity of risk management in the City.

The Risk Management Improvement Plan is located in Appendix 2
on page 14
4 City of Swan
OPERATIONAL MODEL

The City has adopted a ‘three lines of defence model’
to implement best practice risk management.

[Figure: the three lines of defence report upward to the Executive Management Team and the Audit Committee.]

AUDIT COMMITTEE

EXECUTIVE MANAGEMENT TEAM

FIRST LINE OF DEFENCE: OPERATIONAL MANAGEMENT
Key activities:
• Implement governance, risk and control Frameworks.
• Measure and manage project performance.
• Manage risk (in agreed risk appetite).
Outcome: Management monitoring.

SECOND LINE OF DEFENCE: RISK MANAGEMENT
Key activities:
• Design governance, risk and control Framework.
• Monitor adherence to Framework.
• Provide timely, balanced information.
Outcome: Management review.

THIRD LINE OF DEFENCE: INTERNAL AUDIT
Key activities:
• Independent assurance that risk management and internal control
Frameworks are working as intended.
• Offer independent oversight of first and second lines.
Outcome: Independent review.
REVIEW

The Framework is reviewed every three years in line with Local
Government (Audit) Regulations 1996. Components in the Framework
will be subject to continual review and improvement as driven by the
City’s operational requirements as follows:

• Policy – every three years;
• Risk Management Improvement Plan – every three years or when
material changes to operations occur;
• Operational Model – every three years; and
• Risk Management Process – every three years or when material
changes to operations occur or when process improvements are
identified and approved.

OPERATING RELATIONSHIPS

The following diagram depicts the current operating structure for risk
management in the City:

FIGURE 3: DIAGRAM REPRESENTING THE CITY’S OPERATING RELATIONSHIPS
FROM A RISK MANAGEMENT PERSPECTIVE
[Figure: Council and the Audit Committee at the top; External Audit (Auditor General) and
Internal Audit (appointed by the CEO) form the third line of defence, reporting to the Chief
Executive Officer; the Governance & Strategy Business Unit and the Executive Management
Team form the second line of defence; Stakeholder Relations, Community Wellbeing, Operations,
Planning and Development and the Office of the CEO form the first line of defence.]

ROLES, RESPONSIBILITIES & ACCOUNTABILITIES

COUNCIL

• Adopt and review the City’s Risk Management Framework, Policy
and Risk Acceptance and Tolerance Criteria;
• Establish and maintain an Audit Committee in accordance with
section 7.1A of the Local Government Act 1995; and
• Ensure responsible and effective decision making through
delegated authority.

AUDIT COMMITTEE

The Committee:

• Operates in accordance with the Terms of Reference - Audit
Committee and will cover the reporting requirements in accordance
with the Local Government (Audit) Regulations 1996;
• Supports Council-driven effective corporate governance; and
• Monitors and reviews the appropriateness and effectiveness of the
Risk Management Framework and improvement strategies.
CHIEF EXECUTIVE OFFICER (CEO)

• Own, promote and drive the effective implementation of the Risk
Management Framework for all functions across City operations;
• Provide the Audit Committee and Council with reports on the risks
being managed by the City;
• Review the appropriateness and effectiveness of the Risk
Management Framework;
• Drive the embedding of a risk management culture through all parts
of the organisation by encouraging open and honest reporting and
escalation of risks;
• Ensure resources are appropriately allocated throughout the
organisation to meet the City’s risk management requirements;
• Ensure risk is considered in the decision making process; and
• Liaise with Council in relation to risk acceptance requirements.

EXECUTIVE MANAGEMENT TEAM

• Support the CEO in promoting and driving the effective
implementation of the Risk Management Framework across
all functions of the organisation;
• Monitor and review the regular risk reports and Framework
implementation activities from the Risk Management Officer;
• Encourage cross-divisional interactions in the management
of the City’s risks;
• Ensure risk is considered in the decision making process; and
• Identify, manage and/or escalate strategic risks as appropriate.

GOVERNANCE AND STRATEGY BUSINESS UNIT

• Design governance, risk and control Framework;
• Monitor and facilitate implementation of effective risk management
practices by operational management;
• Monitor and facilitate control assurance activities;
• Assist risk owners in reporting adequate risk related information
across the organisation; and
• Monitor key performance indicators for risk.

BUSINESS UNIT MANAGERS / TEAMS

• Ownership, responsibility and accountability for directly assessing,
controlling and mitigating risks;
• Drive risk management culture in work areas by encouraging
openness and honesty in the reporting and escalation of risks;
• Ensure appropriate education and awareness initiatives are provided
to all employees;
• Participate in risk and control assurance process as required;
• Highlight any emerging risks or issues accordingly; and
• Incorporate ‘Risk Management’ into team meetings, by incorporating
the following agenda items:
  • New or emerging risks;
  • Review existing risks;
  • Control adequacy; and
  • Outstanding issues and actions.

WORKERS

• Report to management risks that exist in their area;
• Adopt the principles of risk management and comply with all
policies, processes and practices relating to risk management; and
• Conduct risk assessments during the performance of daily duties.
RISK MANAGEMENT PROCESS

The risk management process is standardised
across all areas of the City. The following diagram
outlines this process with the following commentary
providing broad descriptions of each step.

FIGURE 4: RISK MANAGEMENT PROCESS ISO 31000:2018
[Figure: Scope / Context / Criteria; Risk Assessment (Risk Identification, Risk Analysis,
Risk Evaluation); Risk Treatment; Recording and Reporting; with Communication and Consultation
and Monitoring and Review running alongside every step.]
A : SCOPE, CONTEXT, CRITERIA

The first step in the risk management process is to understand the
scope, context and criteria in which the risks are to be assessed
and what is being assessed. This forms two elements:

ORGANISATIONAL CRITERIA

This includes the Risk Assessment and Acceptance Criteria (Appendix 4)
and any other tolerance tables as developed.

All risk assessments are to use these documents to ensure consistent
and comparable risk information is developed and considered in
planning and decision making processes.

SCOPE AND CONTEXT

To direct the identification of risks, the specific risk assessment context
is to be determined prior to and used in the risk assessment process.

For specific risk assessment purposes, the City has three levels of
risk assessment context:

1. STRATEGIC CONTEXT

These risks are associated with achieving the City’s long
term objectives. Inputs to establishing the strategic risk
assessment context may include:

• Organisation’s vision/mission
• Stakeholder analysis
• Environment scan/SWOT analysis
• Strategies/objectives/goals (Integrated Planning
and Reporting Framework)

2. OPERATIONAL CONTEXT

This level involves the City’s day to day activities, functions,
infrastructure and services. Prior to identifying operational
risks, the business unit should identify its key activities.

In addition, existing risk themes should be used where
possible to assist in the identification of related risks.
Current Risk Themes are described in Appendix 3.

Risk themes are expected to change over time; however, to
ensure consistency, amendments must be endorsed by the
Governance and Strategy Business Unit and approved by the
Executive Management Team.

3. PROJECT CONTEXT

Project Risk has two main components:

• Direct refers to the risks that may arise as a result of
project activity (i.e. impacting on process, resources or
IT systems) which may prevent the City from meeting
its objectives.
• Indirect refers to the risks which threaten the delivery
of project outcomes.

It is also important to understand the key stakeholders who
may need to be involved in the risk assessment.

Whilst risk management should form part of all projects,
it is the responsibility of the Manager - Project Management
to determine how risks are to be recorded as part of the
management of the project.

B : RISK IDENTIFICATION

Once the context is determined the next step is to identify the risk.
This involves identification of what events or situations might affect
key operations of the City in executing its strategy.

Risk sources can be internal or external. Having identified what might
happen, we need to identify why it might happen. This is known as
the risk cause.

See Risk Tip B – Risk Identification

C : RISK ANALYSIS

Risk analysis involves developing an understanding of each risk,
its consequences and the likelihood of those consequences.

There are four steps in the risk analysis process:

1. Control effectiveness - how effective current controls are;
2. Consequence - considering control effectiveness, what the
consequence would be if the risk occurred;
3. Likelihood - how likely is it for the consequence to occur; and
4. Level of risk, from the consequence and likelihood measures.

STEP 1 – CONTROLS EFFECTIVENESS

Control effectiveness takes into account adequacy and effectiveness
in modifying consequence and likelihood of the risk.

The criterion for applying a value to the overall control is the same as
for individual controls and can be found in Appendix 4 under ‘Control
Effectiveness’.

See Risk Tip C – Control Identification and Effectiveness

STEP 2 – CONSEQUENCE

This step involves assessing the control effectiveness to determine
the potential consequence of the risk event in terms of its
potential severity.

The consequence should be rated the ‘probable worst consequence’ if the
risk eventuated with existing controls in place. This is not the worst case
scenario, but rather a qualitative judgement of the worst scenario that is
probable or foreseeable.
The criterion for applying the relevant consequence categories
can be found in Appendix 4.

See Risk Tip C - Consequence

STEP 3 – LIKELIHOOD

Considering the effectiveness of control, determine the likelihood of the
consequence eventuating.

The criterion for applying the relevant likelihood can be found in
Appendix 4.

See Risk Tip C - Likelihood

STEP 4 – RISK RATING

Using the Risk Matrix, combine the measures of consequence and
likelihood to determine the risk rating (Appendix 4).

D : RISK EVALUATION

Risk evaluation takes the risk rating and applies it to the Target Level of
Risk Acceptance Matrix (Appendix 4) to determine whether the risk is at
an acceptable level to the City.

See Risk Tip D – Evaluation

E : RISK TREATMENT

There are generally two requirements following the evaluation of risks:

1. In all cases, regardless of the risk rating, controls that are rated
inadequate or partially effective must have a treatment
plan (action) to improve the control effectiveness; or
2. If the rating is outside of the target level or rated high or extreme,
treatment plans must be implemented to either:
a. Reduce the consequence of the risk materialising;
b. Reduce the likelihood of occurrence; or
c. Improve the effectiveness of the overall controls to
substantially effective and obtain delegated approval to
accept the risk as per the Risk Acceptance.

See Risk Tip E - Treatment

F : COMMUNICATION AND CONSULTATION

Effective communication and consultation are essential to ensure that
those responsible for managing risk, and those with a vested interest,
understand how decisions are made and why particular treatment-
action options are selected or the reasons to accept risks have changed.

As risk is defined as the effect of uncertainty on objectives,
consulting with relevant stakeholders assists in reducing uncertainty.
Communicating these risks and the information surrounding the event
sequence ensures decisions are based on the best available knowledge.

G : MONITORING AND REVIEW

It is essential to monitor and review the management of risks as
changing circumstances may result in some risks increasing or
decreasing in significance.

This is one of the most important steps in risk management, and
central to providing assurance (First Line of Defence). It helps to ensure
the risk management process is dynamic and responsive to change.

Risk owners are responsible for monitoring and reviewing risks,
including controls.

See Risk Tip G – Management Monitoring & Review

The Risk Management Officer is responsible for providing independent
reviews of the effectiveness of controls; this is managed through the
Control Assurance Process (Second Line of Defence).
H : RECORDING AND REPORTING

STRATEGIC RISKS

Strategic risks are identified, assessed, owned and managed by the
Executive Management Team. The status of these risks must be
maintained in the City’s strategic risk profiles.

The Executive Management Team monitors and reviews these
risks through their regular meetings and provide updates to the
Risk Management Officer for recording in the strategic risk profiles.
Updated profiles will be made available to the Executive upon request
or through the quarterly risk report.

OPERATIONAL RISKS

Operational risks are identified, assessed, owned and managed by
Business Unit Managers. The status of these risks must be maintained
through individual Business Plans.

The Risk Management Officer monitors these plans and assists
teams in identifying and assessing operational risks as required.
The Risk Management Officer uses these plans (specifically the
‘Risk Management’ section) to ensure the City’s overarching
operational risk profiles are maintained.

The Executive Management Team monitors and reviews these risks
through a Risk Dashboard Report prepared by the Risk Management
Officer. Specific operational risk profiles can be made available to the
Executive upon request.

APPENDIX 1 - RISK MANAGEMENT POLICY

1. PURPOSE

The City of Swan (the City) acknowledges its responsibility to effectively
manage risk and to provide a Framework that assists decision makers
to make informed choices, prioritise actions, and is integral as part of
the responsibilities of management to increase efficiency in operations,
governance and reputation.

2. OBJECTIVE

The objective of this policy is to clearly document the City’s commitment
to risk management and to ensure that identified and emerging risks are
managed so that threats are reduced, and opportunities are maximised
in a continuous, proactive and systematic organisation-wide process that
contributes to the achievement of the City’s corporate objectives.

3. DEFINITIONS

International Standard for Risk management – Guidelines
(ISO 31000:2018) defines risk as “the effect of uncertainty
on objectives.”

Risk is usually expressed in terms of risk sources, potential events,
their consequences and their likelihood.

An effect may be positive, negative, or a deviation from the expected.

Objectives can have different aspects and can be applied at
different levels.

4. POLICY STATEMENT

a) The City recognises the importance of the development and
provision of an effective Risk Management Framework and process
to mitigate potential negative outcomes.
b) To ensure a best practice approach to risk management is
employed, the Risk Management Framework will be developed
and implemented in accordance with the risk management
standard AS/NZS ISO 31000:2018 Risk management and will
include systems to identify, treat, monitor, review and report risks
across all of its operations.
c) Risk Management will form part of the strategic, operational,
project and line management responsibilities.
d) All risks are to be assessed according to the City’s Risk Assessment
and Acceptance Criteria to allow consistency and informed
decision making. For operational requirements, such as projects,
or to satisfy external stakeholder requirements, alternative risk
assessment criteria may be used; however these cannot exceed
the City’s risk acceptance criteria and are to be noted in the
individual risk assessment.
e) Council is committed to the concept of resourcing risk management
and has appointed a dedicated Audit Committee to oversee the risk
management process and strategic risks facing the City.
f) The Chief Executive Officer is responsible for the allocation
of operational roles, responsibilities and accountabilities.
These are documented in the Risk Management Framework.
g) All employees in the City have a role in risk management from
the identification of risks to implementing risk treatments and
shall be invited and encouraged to participate in the process.
h) The City will facilitate an Internal Audit function by providing
resources required to effectively review the City’s risks, internal
controls (for both efficiency and effectiveness), governance,
performance and compliance. All internal audit activities will
remain free of undue influence. This will include scope of audit
programs, the frequency and timing of examinations and the
content of internal audit reports.

APPENDIX 2 - RISK MANAGEMENT IMPROVEMENT PLAN

In line with ISO 31000:2018 Risk management – Guidelines, the
City has committed to the continuous improvement of risk
management throughout all operations, strategic initiatives
and project based activities.

This commitment has seen the implementation of the Risk Management
Framework; integration and ownership develop in all areas and
appropriate resourcing of the risk management function.

This document sets out the continuous improvement strategy over the
next 12 months.

This strategy is focussed around three main goals:

• Continuous improvement of the Framework.
• Establish an effective control assurance program to measure
performance of key controls.
• Provide an effective education and awareness program geared
towards continual growth in maturity and risk culture.

The identified actions to achieve these goals are listed in Appendix 2A –
Action Plan.

FRAMEWORK IMPROVEMENTS

A risk management framework is defined as the set of components that
provide the foundations and organisational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk
management.

The outcomes expected are:

• Integrating documentation components to allow specific focus on
improving distinct areas.
• Ensuring that processes are aligned to the City’s high level contexts
of strategic, operational and project risk management.
• Defining the risk operating model.
• Providing clarity of roles and responsibilities.

CONTROL ASSURANCE

From an operational perspective, the effective management of controls
provides the Executive Management Team and Council with assurance
that residual risks are being managed effectively through process design
and oversight. It also provides Management with a structured approach
to assessing the effectiveness of controls in what is traditionally a
subjective exercise.

The outcomes expected are:

• Structured approach to reviewing existing (and developing new)
process controls from a risk mitigation perspective.
• Techniques for Management to review the effectiveness of
process controls in the operating environment.
• Risk-based approach to the frequency of control
assurance reviews.

EDUCATION AND AWARENESS

Effective risk management requires more than just a Framework;
it requires a culture where proactive identification and management
of risks is a part of daily processes and awareness is embedded
throughout all levels of the City.

This will be achieved through:

• Championing of risk by the City’s leadership structure. This includes
behaviours such as ensuring that ‘risk’ forms part of meeting
agendas for their teams and functional areas.
• Specific risk management training for Managers and other key
staff which forms part of the individual and corporate learning
and development framework.
• Ongoing assistance provided through the Risk Management
Officer, including access to risk processes and guidance
material on the intranet.

MEASURING RISK MANAGEMENT FRAMEWORK PERFORMANCE

The measurement of risk management performance in the City will
involve three distinct activities:

• Measuring Compliance. This measures whether the City is
complying with its Risk Management Framework obligations.
• Measuring Maturity. This measures the current level of risk
management maturity in the City against industry best practice.
• Measuring the Value Add. This measures the extent to which
risk management is contributing to the achievement of the City’s
objectives and outcomes.

MEASURING COMPLIANCE

The City’s Risk Management Framework sets out obligations in respect
to risk management practices; consequently a review of the City’s
compliance against these obligations will assist in determining required
future improvements.

There are obligations in the Risk Management Framework that, if not
carried out, can have a significant impact on its effectiveness.

Appendix 2B – Compliance Measures contains the current list of
obligations under the framework that are subject to measurement.

MATURITY ASSESSMENT

The City will engage an external, independent party to undertake
a review of the maturity of risk management prior to the next formal
review of the Risk Management Framework.

MEASURING THE VALUE ADD

The measurement of the contribution of the Risk Management
Framework to the City’s performance is more difficult than the
measurement of compliance and maturity. It can be referred to as
the measurement of risks that did not eventuate.

There is however a correlation between the maturity of risk management
and overall performance. To that end the existing process of measuring
the organisational effectiveness measures against outcomes from the
Corporate Business Plan will be used as an indirect measure.

The main benefit of measuring this from a risk perspective is not to
apportion credit (or blame) but rather identify specific risks or control /
treatment failures so that continual improvement can occur.

The performance against these measures is to be recorded at the same
time that each maturity assessment is conducted. In doing so, the
improvement in the risk management program can be compared to
improvement in the City’s performance.

APPENDIX 2A – ACTION PLAN

Action | Responsibility

Framework Improvements
Complete review of all Framework components and have adopted by Council. | CEO

Risk & Control Environment
Identify and profile the City’s Strategic Risks | CEO
Identify and profile the City’s Operational Risks | CEO
Implement the Project Risk reporting process | CEO

Education and Awareness
Provide formal training for Managers on the Risk Management Framework and specific process requirements. | Risk Management Officer
Attend Business Unit risk workshops | Risk Management Officer
Publish the risk management framework on the intranet | Risk Management Officer
Complete the Compliance Measurement requirements | Risk Management Officer
Complete the Risk Framework Maturity Assessment | Risk Management Officer
Complete the ‘Review of the Risk Management Framework Report’ and provide to the Audit Committee. | Risk Management Officer
Review Business Continuity Plan | Risk Management Officer
Conduct City Business Continuity exercises | Risk Management Officer
APPENDIX 2B – COMPLIANCE MEASURES

Requirement

Risks
Annual strategic risk review workshops conducted at least annually and in line with the Annual Business Planning process
Annual operational risk review workshops conducted at least annually and in line with the Annual Business Planning process
Business Unit risk reviews (extreme/high risks) conducted at least quarterly

Controls
Not Effective controls have a treatment plan in place
Controls for Extreme or High risks are rated Effective or have a treatment plan in place
Controls for Extreme risks are reviewed weekly for operating effectiveness
Controls for High risks are reviewed monthly for operating effectiveness
Critical controls are reviewed annually for design effectiveness (See Strategic Audit Plan)

Treatments
Treatments for Extreme risks are updated weekly
Treatments for High, Medium and Low risks are updated quarterly

APPENDIX 3 – OPERATIONAL RISK THEMES

ASSET MANAGEMENT PRACTICES

Failure or reduction in service of infrastructure assets, plant, equipment
or machinery.

These include fleet, buildings, roads and playgrounds and all other
assets during their lifecycle from procurement to disposal. Areas
included in the scope are:

• Inadequate design (not fit for purpose);
• Ineffective usage (down time);
• Outputs not meeting expectations;
• Inadequate maintenance activities; and
• Inadequate financial management and planning (capital
renewal plan).

It does not include issues with the inappropriate use of the Plant,
Equipment or Machinery. Refer Misconduct.

BUSINESS AND COMMUNITY DISRUPTION

Failure to adequately prepare and respond to events that cause
disruption to the local community and/or normal business activities.

This could be a natural disaster, weather event, or an act carried out
by an external party (e.g. sabotage/terrorism).

This includes:

• Lack of (or inadequate) emergency response / business
continuity plans;
• Lack of training for specific individuals or availability of
appropriate emergency response;
• Failure in command and control functions as a result of incorrect
initial assessment or untimely awareness of incident; and
• Inadequacies in environmental awareness and monitoring of fuel
loads, curing rates, etc.

This does not include disruptions due to IT Systems or infrastructure
related failures (refer to “Failure of IT & communication systems and
infrastructure”).

COMPLIANCE REQUIREMENTS

Failure to correctly identify, interpret, assess, respond and communicate
laws and regulations as a result of an inadequate compliance
framework. This includes new or proposed regulatory and legislative
changes, in addition to the failure to maintain updated internal and
public domain legal documentation.

It includes (amongst others) the Local Government Act, Planning &
Development Act, Health Act, Building Act, Dog Act, Cat Act, Freedom
of Information Act and all other legislative based obligations for Local
Government.

It does not include the Occupational Safety & Health Act (refer to “Safety
and security”) or any Employment Practices based legislation (refer to
“Employment practices”).
DOCUMENT MANAGEMENT PRACTICES

Failure to adequately capture, store, archive, retrieve, provide or dispose of documentation.

This includes:

• Contact lists;
• Process documents, personnel files, complaints;
• Applications, proposals or documents;
• Contracts; and
• Forms or requests.

ERRORS, OMISSIONS OR DELAYS

Errors, omissions or delays in operational activities as a result of unintentional errors or failure to follow due process.

Examples include:

• Human error;
• Inaccurate recording, maintenance, testing or reconciliation of data;
• Inaccurate data being used for management decision-making and reporting; and
• Delays in service to customers.

This excludes process failures caused by inadequate/incomplete process documentation (refer to "Document Management Processes").
EMPLOYMENT PRACTICES

Failure to effectively manage and lead human resources (full-time, part-time, casuals, temporary and volunteers).

This includes:

• Not having appropriately qualified or experienced people in the right roles;
• Insufficient staff numbers to achieve objectives;
• Breaching employee regulations;
• Discrimination, harassment and bullying in the workplace;
• Poor employee wellbeing (causing stress);
• Key person dependencies without effective succession planning in place; and
• Industrial activity.

EXTERNAL THEFT & FRAUD

Loss of funds, assets, data or unauthorised access (whether attempted or successful) by external parties, through any means (including electronic).

For the purposes of:

• Fraud: benefit or gain by deceit;
• Malicious Damage;
• Theft: stealing of data, assets or information.

ENVIRONMENTAL MANAGEMENT

Inadequate prevention, identification, enforcement and management of environmental issues.

The scope includes:

• Lack of adequate planning and management of erosion issues;
• Failure to identify and effectively manage contaminated sites (including groundwater usage);
• Waste facilities (landfill/transfer stations);
• Weed and mosquito/Vector control;
• Ineffective management of water sources (reclaimed, potable);
• Illegal dumping; and
• Illegal clearing/land use.

FACILITIES / VENUES / EVENTS MANAGEMENT

Failure to effectively manage the day to day operations of facilities, venues and/or events.

This includes:

• Inadequate processes in place to manage quality or availability;
• Poor crowd control;
• Ineffective signage;
• Booking issues;
• Stressful interactions with hirers/users (financial issues or not adhering to rules of use of facility); and
• Inadequate oversight or provision of peripheral services (e.g. cleaning/maintenance).


INACCURATE ADVICE

Incomplete, inadequate or inaccuracies in advice to customers or internal staff. This could be caused by using unqualified, or inexperienced staff, however it does not include instances relating to Misconduct.

Examples include:

• Incorrect planning, development or building advice;
• Incorrect health or environmental advice;
• Inconsistent messages or responses from staff and/or Councillors; and
• Any advice that is not consistent with legislative requirements or local laws.

IT SYSTEMS AND INFRASTRUCTURE (INCLUDING COMMUNICATIONS)

Disruption, financial loss or damage to reputation from a failure of information technology systems.

Instability, degradation of performance, or other failure of IT or communication system or infrastructure causing the inability to continue business activities and provide services to the community. This may or may not result in IT Disaster Recovery Plans being invoked.

Examples include failures or disruptions caused by:

• Networks, hardware or software; and
• Failures of IT Vendors.

This also includes where poor governance results in the breakdown of IT maintenance such as:

• Configuration management; and
• Performance monitoring.

This does not include new system implementations.

MISCONDUCT

Intentional activities intended to circumvent the Code of Conduct or activities in excess of authority, which circumvent endorsed policies, processes or delegated authority.

This would include instances of:

• Relevant authorisations not obtained;
• Distributing confidential information or misrepresenting data in reports;
• Accessing systems and/or applications without correct authority to do so;
• Theft by an employee;
• Inappropriate use of plant, equipment or machinery;
• Inappropriate use of social media;
• Inappropriate behaviour at work; and
• Purposeful sabotage.

This does not include instances where it was not an intentional breach (refer to "Errors, Omissions or Delays").

SAFETY & SECURITY PRACTICES

Non-compliance with the Occupation Safety & Health Act, associated regulations and standards.

It is also the inability to ensure the physical security requirements of staff, contractors and visitors. Other considerations are negligence or carelessness.

SUPPLIER / CONTRACT MANAGEMENT

Inadequate management of external Suppliers, Contractors, IT Vendors or Consultants engaged for core operations. This includes issues that arise from the ongoing supply of services or failures in contract management and monitoring processes.

This also includes:

• Concentration issues (contracts awarded to one supplier); and
• Vendor sustainability.


APPENDIX 4 – RISK ASSESSMENT

RISK MATRIX AND TARGET LEVEL OF RISK

Target level of risk per impact category (Target row of the matrix): People - Low; Financial - Medium; Reputation & External Stakeholders - Low; Service Delivery/Strategic Objectives - Medium; Environment - Medium; Governance / Compliance - Medium.

Consequence descriptors by impact category

Insignificant (1)
  People: Negligible injuries.
  Financial: <$5,000
  Reputation & External Stakeholders: Insignificant public comment or local media coverage, no complaint.
  Service Delivery/Strategic Objectives: Key services disrupted for up to half a day, usual scheduled interruptions. Negligible impact on objectives.
  Environment: Little impact, contained and reversible, no long term effect or short term negative impact on urban design, or loss of sense of place for part of area.
  Governance / Compliance: Minor breach of policy or process requiring approval or variance. Minor opportunistic incident involving a single person.

Minor (2)
  People: First aid injuries, routine industrial issues.
  Financial: $5,000 - $250,000
  Reputation & External Stakeholders: Heightened concerns from localised group of residents, one off negative media attention, possible complaint.
  Service Delivery/Strategic Objectives: Short term temporary interruption, backlog cleared in <1 – 7 days. Minor setbacks that are easily remedied.
  Environment: Minor damage or contamination, contained and reversible, short term effect on environment, no long term effect or short term negative impact on urban design, or loss of sense of place for part of area.
  Governance / Compliance: Breach of policy, process or legislation requirement. Internal investigation. Opportunistic incident involving several people.

Moderate (3)
  People: Medically treated injuries, staff turnover slightly higher than 20%, one off industrial issues.
  Financial: $250,000 - $1m
  Reputation & External Stakeholders: Heightened concerns from localised group of residents, negative media attention, possible complaint.
  Service Delivery/Strategic Objectives: Medium term temporary interruption, backlog cleared by additional resources <2 – 4 weeks. Some of the organisation's objectives cannot be met.
  Environment: Medium term effects on environment, long term in recovery or long term negative impact on urban design, or loss of sense of place for part of area.
  Governance / Compliance: Breach of contractual or statutory obligations resulting in internal investigation, ongoing legal issues not easily addressed. Planned unethical action by one or more staff.

Significant (4)
  People: Lost time or severe injury, staff turnover well above 20%, ongoing industrial action.
  Financial: $1m - $5m
  Reputation & External Stakeholders: Significant outcry from public, damage to reputation, significant negative state level media attention, several public complaints or on-going complaint.
  Service Delivery/Strategic Objectives: Prolonged interruption of services, additional resources required, issue resolved in <4 – 12 weeks. Some important objectives of the organisation cannot be met.
  Environment: Significant environmental impact, long term negative impact on urban design, or loss of sense of place for the whole area.
  Governance / Compliance: Major breach of contractual or statutory obligations resulting in significant legal action. External or third party investigation. Major one off fraud or corruption by a senior person.

Severe (5)
  People: Fatality or Disablement, sustained and serious industrial action, loss of multiple staff at once.
  Financial: >$5m
  Reputation & External Stakeholders: Significant and widespread public outcry, sustained negative national media attention, many public complaints or on-going heightened complaint.
  Service Delivery/Strategic Objectives: Indeterminate prolonged interruption of services. Most of the organisation's objectives cannot be met.
  Environment: Severe environmental harm or permanent negative impact on urban design.
  Governance / Compliance: Serious breach of contractual or statutory obligations resulting in significant prosecution and fines. External investigation and/or third party action. Systemic fraud and corruption, major external investigation with adverse findings.

Level of risk (consequence rating x likelihood rating) and rating

Consequence \ Likelihood | Almost Certain (5) | Likely (4)  | Possible (3) | Unlikely (2) | Rare (1)
Insignificant (1)        | 5 Medium           | 4 Low       | 3 Low        | 2 Low        | 1 Low
Minor (2)                | 10 High            | 8 Medium    | 6 Medium     | 4 Low        | 2 Low
Moderate (3)             | 15 High            | 12 High     | 9 Medium     | 6 Medium     | 3 Low
Significant (4)          | 20 Extreme         | 16 High     | 12 High      | 8 Medium     | 4 Low
Severe (5)               | 25 Extreme         | 20 Extreme  | 15 High      | 10 High      | 5 Medium

CONTROL EFFECTIVENESS

Effective - There is no current scope for improvement.
  Documentation: Processes (Controls) fully documented, with accountable 'Control Owner'.
  Operating Effectiveness: Subject to ongoing monitoring and compliance to process is assured.
  Design Effectiveness: Reviewed and tested regularly.

Moderately Effective - There is some scope for improvement.
  Documentation: Processes (Controls) partially documented, with a clear 'control owner'.
  Operating Effectiveness: Limited monitoring, ad-hoc approach and compliance to process is generally in place.
  Design Effectiveness: Reviewed and tested, but not regularly.

Partially Effective - There is scope for improvement.
  Documentation: Processes (Controls) noted, no clear 'control owner'.
  Operating Effectiveness: Some monitoring, occasional compliance to process is reviewed.
  Design Effectiveness: Ad-hoc review or testing, when an issue arises.

Inadequate - There is a need for improvement or action. Specific inadequacies exist.
  Documentation: Processes (Controls) not documented or no understanding or clear 'control owner'.
  Operating Effectiveness: No monitoring or compliance to process is not assured.
  Design Effectiveness: Have not been reviewed or tested for some time.

LIKELIHOOD

Category       | Probability | Description                                      | Indicative Frequency (times per year)
Almost Certain | >75%        | Is expected to occur in most circumstances       | 5+ times
Likely         | 51% - 75%   | Is expected to occur more often than not         | 1 - 5 times
Possible       | 26% - 50%   | Might occur at some time                         | 1
Unlikely       | 5% - 25%    | Will probably not occur in most circumstances    | More than 0.5 and less than 1

RISK ACCEPTANCE

Target Level of Risk

Impact Category                        | Low 1-5 | Medium 6-10 | High 11-19 | Extreme 20-25
People                                 | X       |             |            |
Financial                              |         | X           |            |
Reputation & External Stakeholders     | X       |             |            |
Service Delivery/Strategic Objectives  |         | X           |            |
Environment                            |         | X           |            |
Governance/Compliance                  |         | X           |            |

Risk Acceptance: Acceptable
  Risk acceptable with partially effective controls. Risk subject to annual monitoring.
  Responsibility to manage: B/Unit Manager

Risk Acceptance: Monitor
  Risk acceptable within target level of risk with partially effective controls. Risk subject to semi-annual monitoring.
  Responsibility to manage: B/Unit Manager

Risk Acceptance: Attention Required
  Risk acceptable if as low as possible with moderately effective controls. Risk subject to quarterly monitoring.
  Responsibility to manage: Executive Management Team

Risk Acceptance: Urgent Attention
  Risk only acceptable with effective controls and all treatment plans explored and implemented where possible. Risk subject to monthly monitoring.
  Responsibility to manage: CEO/Council
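The scoring and acceptance logic of Appendix 4 worked through in code, as an added example that is not the City's own tool: it encodes the 5x5 matrix cell by cell, the financial consequence bands, the likelihood probability bands and the acceptance rules, and checks a residual risk against the target level for its impact category. The function names, the alignment of the four acceptance columns with the Low/Medium/High/Extreme ratings, and the below-5% Rare band are assumptions.

```python
"""Risk scoring and acceptance logic from Appendix 4 of the Risk Management Framework.

Added example, not the City of Swan's own tool. The matrix, financial bands,
likelihood probability bands and Risk Acceptance table are taken from the page;
assumptions are marked in comments.
"""
from dataclasses import dataclass

# Rating of each matrix cell, copied cell by cell, keyed by (consequence, likelihood).
MATRIX_RATING = {
    (1, 5): "Medium",  (1, 4): "Low",     (1, 3): "Low",    (1, 2): "Low",    (1, 1): "Low",
    (2, 5): "High",    (2, 4): "Medium",  (2, 3): "Medium", (2, 2): "Low",    (2, 1): "Low",
    (3, 5): "High",    (3, 4): "High",    (3, 3): "Medium", (3, 2): "Medium", (3, 1): "Low",
    (4, 5): "Extreme", (4, 4): "High",    (4, 3): "High",   (4, 2): "Medium", (4, 1): "Low",
    (5, 5): "Extreme", (5, 4): "Extreme", (5, 3): "High",   (5, 2): "High",   (5, 1): "Medium",
}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}
CONTROL_ORDER = {"Inadequate": 0, "Partially Effective": 1, "Moderately Effective": 2, "Effective": 3}

# Risk Acceptance table read column by column under Low / Medium / High / Extreme
# (assumption: the four acceptance columns align with the four rating columns).
# Values: (acceptance category, minimum control effectiveness, monitoring, responsibility).
ACCEPTANCE = {
    "Low": ("Acceptable", "Partially Effective", "annual", "B/Unit Manager"),
    "Medium": ("Monitor", "Partially Effective", "semi-annual", "B/Unit Manager"),
    "High": ("Attention Required", "Moderately Effective", "quarterly", "Executive Management Team"),
    "Extreme": ("Urgent Attention", "Effective", "monthly", "CEO/Council"),
}

# Target level of risk per impact category, from the Target row of the matrix header.
TARGET = {"People": "Low", "Financial": "Medium", "Reputation & External Stakeholders": "Low",
          "Service Delivery/Strategic Objectives": "Medium", "Environment": "Medium",
          "Governance / Compliance": "Medium"}

@dataclass(frozen=True)
class RiskAssessment:
    consequence: int
    likelihood: int
    score: int
    rating: str
    acceptance: str
    min_controls: str
    monitoring: str
    responsibility: str

def financial_consequence(loss_aud: float) -> int:
    """Map an estimated loss to the Financial consequence rating (lower bounds inclusive)."""
    if loss_aud < 0:
        raise ValueError("loss must be non-negative")
    if loss_aud < 5_000:
        return 1  # <$5,000
    if loss_aud < 250_000:
        return 2  # $5,000 - $250,000
    if loss_aud < 1_000_000:
        return 3  # $250,000 - $1m
    if loss_aud <= 5_000_000:
        return 4  # $1m - $5m
    return 5  # >$5m

def likelihood_from_probability(p: float) -> int:
    """Map a probability of occurrence in a year to the likelihood rating."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p > 0.75:
        return 5  # Almost Certain: >75%
    if p > 0.50:
        return 4  # Likely: 51% - 75%
    if p > 0.25:
        return 3  # Possible: 26% - 50%
    if p >= 0.05:
        return 2  # Unlikely: 5% - 25%
    return 1  # Rare: assumed below 5%; the Rare row is not on the page

def assess(consequence: int, likelihood: int) -> RiskAssessment:
    """Score a risk with the matrix and attach the acceptance rule for its rating."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("ratings must be integers 1..5")
    score = consequence * likelihood  # every matrix cell is the product of its row and column
    rating = MATRIX_RATING[(consequence, likelihood)]
    acceptance, min_controls, monitoring, responsibility = ACCEPTANCE[rating]
    return RiskAssessment(consequence, likelihood, score, rating,
                          acceptance, min_controls, monitoring, responsibility)

def controls_sufficient(rating: str, control_effectiveness: str) -> bool:
    """True when assessed control effectiveness meets the minimum the acceptance rule requires."""
    return CONTROL_ORDER[control_effectiveness] >= CONTROL_ORDER[ACCEPTANCE[rating][1]]

def meets_target(category: str, rating: str) -> bool:
    """True when a residual risk rating is at or below the category's target level of risk."""
    return RATING_ORDER[rating] <= RATING_ORDER[TARGET[category]]

if __name__ == "__main__":
    # Constructed scenario: a financial risk estimated at $750,000 with a 30% chance per year.
    r = assess(financial_consequence(750_000), likelihood_from_probability(0.30))
    print(r)  # score 9, Medium, Monitor: semi-annual monitoring by the B/Unit Manager
    print(controls_sufficient(r.rating, "Partially Effective"), meets_target("Financial", r.rating))
```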


www.swan.wa.gov.au

City of Swan
2 Midland Square Midland
PO Box 196 Midland WA 6936
9267 9267

This document can be made available in alternative formats on request.
CoS1917

POLICY
POL-C-067 - Risk Management

1 Objective
The City of Swan ("the City") is committed to organisation-wide risk management
principles, systems and processes that deliver consistent, efficient and effective
assessment of risks in planning, decision-making and operational processes.

This policy is to be read in conjunction with the City of Swan Risk Management
Framework.

2 Definition
The Australian / New Zealand International Standard for Risk Management – Principles and
guidelines (AS/NZS ISO 31000:2009) defines risk as "the effect of uncertainty on
objectives."

A risk is often specified in terms of an event or circumstance and the consequences
that may flow from it. An effect may be positive, negative, or a deviation from the
expected. An objective may be strategic, community based, financial, related to health
and safety, or defined in other terms.

3 Policy Statement
The City is committed to the principles, framework and process of managing risk as
outlined in AS/NZS ISO 31000:2009.

The City will adopt the Framework provided in AS/NZS ISO 31000:2009 to the
management of risk associated throughout the life of any process, activity, asset,
operation or project of the City.

The Framework sets out a structure for managing risks to ensure that the City:

a) Has incorporated risk management into the corporate governance system and
management structure;

b) Has identified and applied appropriate strategies to manage significant risks,
including alignment of risk management and the internal audit process; and

c) Has developed effective and efficient risk management processes.

These objectives will be achieved by:

a) Continually and systematically understanding the risks to the City as it pursues
its strategic and operational objectives;

b) Developing a culture of risk awareness at all levels of the Organisation;

c) Developing and maintaining the appropriate tools for the management of risk;
and

d) Ensuring robust, continuous, logical and systematic processes are
implemented.

Page 1 of 4
Date Accessed - 09/03/2016
3.1 Responsibilities

3.1.1 Council
a) Is committed to the concept of resourcing risk management.

b) Appoints a dedicated committee (Audit Committee) to oversee the risk
management process and the strategic risks facing the City.

3.1.2 Audit Committee
a) Reviews and approves the scope of the internal audit plan and program as well
as assesses the effectiveness of the function.

b) Reviews whether the internal audit plan systematically addresses internal
controls over significant areas of risk, including non-financial risks.

c) Critically analyses and follows up any internal or external audit report that raises
significant issues relating to risk management and reviews actions taken as a
result of the issues raised.

d) Monitors the risk exposure of the City by reviewing risk management processes
and management information systems.

3.1.3 Executive
a) Ensures that risk management is embedded in the operations and processes of
the organisation.

b) Identifies and controls strategic risks facing the City.

c) Monitors the organisation's strategic and operational risk management
performance.

3.1.4 Employees
a) All employees, after appropriate training, will adopt the principles of risk
management and comply with all policies, processes and practices relating to
risk management.

b) All employees will alert management to the risks that exist within their area.

c) All employees will, as required, conduct risk assessments commensurate with
the scope of the task and the associated level of risk identified.

4 Internal Audit relationship with Risk Management

The City will facilitate an Internal Audit function by providing resources required to
effectively review the City’s risks, internal controls (for both efficiency and
effectiveness), governance, performance and compliance.

All internal audit activities will remain free of undue influence. This will include scope of
audit programs, the frequency and timing of examinations and the content of internal
audit reports.

The internal audit process is to provide independent advice and assurance to Council
and management that the policies, operations, systems and procedures designed to
mitigate the risks associated with the operations and management of the City:

a) Comply with relevant legislation and standards (compliance);

b) Are carried out with optimum use of resources (economy and efficiency);

c) Achieve the objectives specified in Strategic and Operational Plans
(effectiveness);

d) Pro-actively reduces the Council's risk exposure; and

e) Promotes a culture of continuous improvement practices across Council.

5 Performance Measurement

The Management Team, the Risk Management function and Internal Audit shall
measure the effectiveness of the Risk Management Framework in assisting the City to
achieve its strategic objective.

Key measurement areas are:

a) Audit ratings;

b) Implementation of audit findings;

c) Achievement of risk control improvement;

d) Success of projects, events and major organisational change;

e) Changes in risk ratings; and

f) Level of risk reduction.

Governance References

Statutory Compliance: Nil.
Industry Compliance: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines; Risk Management Framework
Organisational Compliance: City of Swan Strategic Community Plan 2012-2022; KRA: Governance; G2.1 Improve capability and capacity
Decision Maker: Council
Process Links: Risk Management Process

Policy Administration

Business Unit: Governance
Officer Title: Manager, Governance
Contact: 9267 9267
Risk Complexity Classification: 3
Review Frequency: 2018

Version | Decision Reference | Synopsis
1. | OCM 18/12/02 | New Policy adopted.
2. | OCM 05/09/07-Pt.B-1.1 | Policy Revision to align with new corporate approach.
3. | OCM 24/02/10 | Policy revised to reflect change of ISO standard.
4. | Executive 29/11/12 | Endorsed the policy review and proposed amendments.
   | Governance 30/04/13 | Endorsed the policy review and proposed amendments.
   | OCM 22/05/13 | Endorsed the policy review and proposed amendments.
5. | Executive - 31/07/2014 | Endorsed review of policy.
   | Governance - 26/08/2014 | Endorsed review of policy.
   | OCM - 10/09/2014 | Adopted reviewed policy.
6. | Executive - 28/01/16 | Endorsed the policy review and proposed amendments.
   | Governance - 16/02/16 | Endorsed the policy review and proposed amendments.
   | Audit - 23/02/16 | Endorsed the policy review and proposed amendments.
   | OCM - 02/03/16 | Adopted the amended policy.
7. | |
Risk Management Framework

CONTENTS
1 Introduction .............................................................................................................................................1
2 Purpose ....................................................................................................................................................1
3 Objective .................................................................................................................................................1
4 Definitions ...............................................................................................................................................1
5 Organisational Risk Management Context ..............................................................................................1
5.1 Internal Context .............................................................................................................................2
5.2 External Context ............................................................................................................................2
6 Integration into Strategic and Business Planning ....................................................................................2
7 Risk Management Roles and Responsibilities.........................................................................................2
8 Risk Acceptance/Tolerance .....................................................................................................................3
9 Internal Audit Link to Risk Management ................................................................................................3
10. Risk Management Process.......................................................................................................................4
10.1 Establishing the Context of an Individual Risk .............................................................................4
10.2 Risk Identification .........................................................................................................................4
10.2.1 Risk Breakdown Structure - Risk Categories ..........................................................5
10.2.2 Record the Risk........................................................................................................7
10.2.3 Cause of risk ............................................................................................................7

10.3 Risk Analysis.................................................................................................................................7
10.3.1 Determine Consequence ..........................................................................................8
10.3.2 Determine Likelihood ............................................................................................10
10.3.3 Level of Risk..........................................................................................................10
10.4 Risk Evaluation ...........................................................................................................................10
10.4.1 Overview of controls .............................................................................................10
10.4.2 Assessing Controls.................................................................................................11
10.5 Communication & Consultation ..................................................................................................12
10.6 Risk Treatment ............................................................................................................................12
10.6.1 Risk Treatment Options .........................................................................................14
10.7 Monitor and Review ....................................................................................................................14
10.7.1 Risk Treatment Monitoring and Reporting ............................................................14
10.7.2 Methods of Risk Review .......................................................................................14
10.7.3 Archiving Risks .....................................................................................................15
10.7.4 Risk Register..........................................................................................................15
10.7.5 Risk Reporting to EMT and Audit Committee ......................................................16
11. Other Aspects of Risk Management ......................................................................................................16
11.1 Business Continuity.....................................................................................................................16
11.2 Occupational Safety & Health Risk Management.......................................................................16
11.3 Insurance .....................................................................................................................................17
11.3 Measuring Risk Management Performance ................................................................................17
List of Appendix .................................................................................................................................................19
Appendix A - Glossary of Terms ..........................................................................................................20
Appendix B - Roles and Responsibilities for Risk Management ..........................................................22
Appendix C Risk Breakdown Structure - Examples of risks ................................................................24
1 Introduction
Risk Management is the culture, processes and the structures that are directed towards the
effective management of potential opportunities and adverse effects. The City of Swan is committed
to a formal structure and systematic risk management system.

The management of risk assists the City to meet the expectations of our customers and clients
whilst providing services that are of the highest level.

The management of risk delivers certainty for our customers, clients, councillors and employees.
We are better informed, more decisive and able to make decisions with confidence which will assist
us in achieving our strategic outcomes and objectives.

This framework is to be read in conjunction with policy POL-C-067 Risk Management.

2 Purpose
The purpose of this framework is to:

• Establish risk management practices that support the City's strategic goals and objectives;
• Define the relationship between risk management and strategic and operational planning;
• Define the parameters and corporate approach to risk management;
• Define the roles and responsibilities, monitoring and reporting requirements for the management
of risks; and
• Support the City's governance and compliance requirements by ensuring areas of risk are
identified, assessed and managed to benefit the organisation.

3 Objective

The objective of this Framework is to provide the City and its employees with a comprehensive
approach to identify and manage risk. The Framework articulates the organisation's commitment to
applying risk management processes which facilitate achievement of the City's strategic and
operational objectives.

4 Definitions
Definitions applicable to risk management are detailed in the Glossary - See Appendix A.

5 Organisational Risk Management Context


Risk management is an integral part of operations to ensure objectives are achieved without
unnecessary exposure to risk. The City of Swan focuses on the management of business risk, in
this constantly changing environment, to provide reasonable assurance to our customers, clients
and Councillors that there is:

• efficient and effective use of resources;
• compliance with policy, processes and legal requirements;
• control systems to manage risk;
• a reduced likelihood of external investigation or litigation;
• protection of City Officers from possible inadvertent actions; and
• an operating environment resistant to potential corruption.

5.1 Internal Context

Internal context relates to factors within the organisation that influence the way in which an
organisation manages risk. This reflects the organisation’s capabilities. Areas that may impact
include:

• Leadership
• Customers and Other Stakeholders
• Information and Knowledge
• People
• Process Management, Improvement and Innovation
• Strategy and Planning
• Results and Sustainable Performance

5.2 External Context

The risk management context for City of Swan is impacted by a range of external factors. These
may include:

• Policy
• Funding
• Legislative
• Economic
• Environmental
• Social
• Cultural


6 Integration into Strategic and Business Planning

The City of Swan requires the capability to meet the community's expectations by building
efficiencies through an effective risk management system. Aligning the risk management systems to
the Strategic Community Plan and Corporate Business Planning assists in identifying both strategic
and operational risks that may impact the City on achieving the agreed objectives.

The City uses risk management processes when making strategic decisions as follows:

• to identify strategic risks that require further controls in the form of risk mitigation strategies;
• to identify strategic risks that are dependent upon the effectiveness of existing controls;
• to identify strategic risks that are over controlled and for which control measures can be
reduced;
• to allocate resources to controls and risk mitigation strategies through close analysis and
comparison of objective and subjective measures of risk; and
• to assess changes to the organisational context which impact upon risk and therefore require
review of the City's approach to strategies, risks and the control framework.

7 Risk Management Roles and Responsibilities


Roles and responsibilities applicable to risk management are detailed in the Role and
Responsibilities - See Appendix B.

8 Risk Acceptance/Tolerance
The table below outlines the risk acceptance and tolerance levels for City operations and the levels
at which residual risk may be accepted and treated.

Figure 1 - Risk Acceptance Criteria/Tolerance

LEVEL OF RISK | CRITERIA FOR MANAGEMENT OF RISK | RESPONSIBILITY
Acceptable (1-4, Low) | Risk acceptable with adequate controls, managed by routine procedures that are subject to annual review. | Staff members
Monitor (5-9, Medium) | Risk acceptable with adequate controls, managed by specific procedures that are subject to quarterly review. | Supervisor/Coordinator/Manager
Urgent Management Attention Required (10 - 19, High) | Risk acceptable with robust controls, and management supervision, subject to monthly monitoring. | Manager/Executive
Usually Unacceptable (20 - 25, Very High) | Risk only acceptable with excellent management controls and all treatment plans to be explored and implemented where possible, subject to continuous monitoring. | Executive/Council

When managing occupational safety and health risk, any risks rated as medium or low where the
consequence is classified as significant or severe will require urgent management attention.

9 Internal Audit Link to Risk Management

To maximise the efficiency and effectiveness of the City's Internal Audit function the City produces a
Strategic Audit Plan which is based on the high risk areas within the organisation and those areas
that depend highly on controls. The Executive Management Team (EMT) is required to approve the
plan prior to Audit Committee approval.

During the audit process internal auditors review risk registers and advise the City on the following:

• whether the inherent and residual risk ratings are accurate;
• whether existing controls are adequate or further risk mitigation strategies are required; and
• whether existing controls are effective.

Based on the audit findings further risk mitigation strategies may be required.

Business Unit Managers are responsible for ensuring that approved actions and treatments are
dealt with within the timeframes recommended. Overdue items are escalated to the EMT and further
to the Audit Committee.

For additional information please view Strategic Audit Plan, Audit Committee Charter and Internal
Audit Processes.


10. Risk Management Process

General

The City’s risk management process is based on the Australian Standard AS/NZS ISO 31000:2009
and is set out in the diagram below.

The City’s approach to risk requires the consideration of all risks which could impact upon the
achievement of business objectives.

The process is ongoing: monitoring and review of all stages is critical, and ensuring that a periodic
review of risks and controls is in place is crucial to the success of the process.

Figure 2 - Risk Management Process

10.1 Establishing the Context of an Individual Risk

The context for each individual risk must be considered in relation to the City’s goals, objectives and
activities in order to effectively assess, analyse and treat risk.

10.2 Risk Identification

The aim of the risk identification process is to generate a comprehensive list of events which may
affect the City’s objectives and operations. These risks are then considered in more detail, to
identify the potential impact of each risk.

Risk is the chance of something happening that will have an impact upon objectives. Risk is
measured in terms of a combination of the consequences of an event and their likelihood.


It is important to ensure risks are identified as events and are described in a way that they can be
treated.

Identification should include all risks, whether or not they are under the control of the City.

It is important to note that there are three stages of risk:

Inherent Risk: the risk which exists prior to and without the implementation of risk controls
and risk reviews.
Residual Risk: the risk which remains after risk controls have been implemented.
Projected Risk: the risk which remains after treatments have been implemented.

10.2.1 Risk Breakdown Structure - Risk Categories

Strategic risks are identified in relation to the impact they have on the City’s achievement of its
strategic objectives as set out in the Strategic Community Plan.

The Risk Breakdown Structure (RBS) (figure 3) provides a framework to categorise operational
risks, which are placed in a hierarchy organised by source.

Strategic risks are categorised into the red heading boxes. A strategic risk is something outside the
control of the City, arising in the environment within which the City operates. The impact of
strategic risks on the City may force a change in our strategic direction.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes,
people and systems or from external events.

The RBS demonstrates a cumulative effect of similar risks which allows the Executive Management
Team to respond to trending issues.

Refer to Appendix C for RBS examples of risks.

Figure 3 - Risk Breakdown Structure

10.2.2 Record the Risk

Once identified it is necessary to record and describe the risk so that it can be correctly analysed.
The method to be used for describing a risk within the City is as follows:

Figure 4 - Risk Description Structure

Risk Breakdown Structure | Risk Identified | Cause/s Risk Source
Identify which Risk Breakdown Structure this risk falls within. | Relate name to system impacted and explanation of cause. | Explanation of what might cause the risk event to occur (list each cause).

An example of a risk in this format is shown below:

Figure 5 - Example Risk in Risk Description Structure

Risk Breakdown Structure | Risk Identified | Cause/s Risk Source
5.2 Safety, well-being and security | Worker falls from heights | No safety equipment; Failure of safety equipment; Worker fails to wear safety equipment; Lack of/ineffective training/induction; Lack of/ineffective supervision

10.2.3 Cause of risk

It is important to capture all significant causes, so that the risk strategies determined will reduce or
manage not only the risk but also the causes of the risk.

Factors to consider:

• What - what has the potential to cause a risk to the City?
• When - in what instances can the risk occur? Does the position pose a risk?
• Where - does location pose a risk?
• How - how can it happen, how did it happen?
• Why - what can cause the risk to occur?

Risks identified at a Business Unit level may have causes similar to those experienced in another
business unit; therefore a corporate wide risk strategy may be required to mitigate the risk.

10.3 Risk Analysis

Risk is analysed by balancing estimates of consequence against likelihood to arrive at a level of
risk. This level is used to assist in the assessment and treatment of risks.

The level of risk is identified at stage one of the process so that lower level risks can be excluded
from further more detailed risk considerations. Although low risks may not be subject to further
mitigation, it is important that they are documented and added to the risk register to demonstrate the
completeness of the risk analysis.


10.3.1 Determine Consequence

Consequence can be described in a number of ways depending on category. The following list
describes some examples of consequence to the City:

• Human impact;
• Dollar cost;
• Damage to reputation and brand;
• Damage to property, assets;
• Harm to the environment;
• Strategy or loss of opportunity;
• Service delivery and meeting of customer expectations;
• Regulatory or legal compliance.

Consequences are rated, in terms of severity, from severe to insignificant. To assist in determining
the level of consequence, the following table provides a summary of consequence and severity
ratings. In most instances consequence is relevant to a single risk category. However, where the
consequence applies to several categories the highest impact statement applies.

Figure 6 - Definition and Classification of Risk Consequence

Columns: DESCRIPTION | HEALTH | FINANCIAL | REPUTATION | OPERATION | ENVIRONMENT | REGULATORY | PROJECT

Insignificant
  Health: Negligible injuries
  Financial: <$5,000
  Reputation: Low impact, with low profile and no complaint
  Operation: No material service interruption, backlog cleared in 2 – 4 hours
  Environment: An insignificant environmental event that can be immediately corrected under the control of the City.
  Regulatory: Minor breach of policy or process requiring some response with little impact on other criteria.
  Project: Insignificant change in cost or time; barely noticeable change of quality or increase / decrease in scope.

Minor
  Health: First aid injuries
  Financial: $5,000 - $250,000
  Reputation: Low impact, with low profile, low media attention, possible complaint
  Operation: Short term temporary interruption, backlog cleared in <1 – 7 days
  Environment: A minor environmental event that can be corrected within one month under the control of the City.
  Regulatory: Identified breach of policy or process requiring additional work or minimal damage control.
  Project: 10% increase in cost; 5% increase in time or some quality degradation with minor areas of scope affected.

Moderate
  Health: Medically treated injuries
  Financial: $250,000 - $1,000,000
  Reputation: Moderate impact, moderate media attention, public complaint
  Operation: Medium term temporary interruption, backlog cleared by additional resources within <2 – 4 weeks
  Environment: A moderate environmental event that can be rehabilitated but requires multiple stakeholder input. Expected recovery time of less than one year.
  Regulatory: Breach requiring investigation, mediation or restitution.
  Project: 10-20% increase in costs; 5-10% increase in time or reduction in the quality that will require sponsor approval with major areas of scope affected.

Significant
  Health: Lost time or severe injury
  Financial: $1,000,000 - $5,000,000
  Reputation: Damage to reputation, public embarrassment, high media attention, several public complaints, third party intervention
  Operation: Prolonged interruption of services, additional resources required; performance affected, issue resolved within <4 – 12 weeks
  Environment: A significant environmental event where rehabilitation involves multiple stakeholders and various levels of the community and government with an expected recovery time of between 1 and 5 years.
  Regulatory: Breach involving external investigation or third party actions resulting in tangible loss or reputation damage to the organisation.
  Project: 20-40% increase in cost; 10-20% increase in time, or a reduction in the quality and scope that is unacceptable to sponsor.

Severe
  Health: Fatality or Disablement
  Financial: >$5,000,000
  Reputation: Irreversible damage to reputation, very high level of public embarrassment, very high media attention, many public complaints
  Operation: Indeterminate prolonged interruption of services that impacts on public safety and core services
  Environment: A severe environmental event requiring multiple stakeholders, all levels of the community and government with an expected recovery time of greater than 5 years or where potentially it is irrecoverable.
  Regulatory: Breach involving regulatory investigation and / or third party actions resulting in tangible loss or significant reputation damage to the organisation.
  Project: >40% increase in cost; >20% increase in time or project end item is effectively useless in terms of quality and scope.


10.3.2 Determine Likelihood

The table below provides broad descriptions to support likelihood ratings.

Figure 7 – Likelihood table

DESCRIPTION | DEFINITION | FREQUENCY: OPERATIONAL | FREQUENCY: PROJECT | FREQUENCY: TRANSACTIONAL
Almost Certain | The event is expected to occur in most circumstances | More than once per year | Greater than 90% chance of occurrence (P90) | 1 in 100
Likely | The event will probably occur in most circumstances | At least once per year | 60% - 90% chance of occurrence (P60-P90) | 1 in 1,000
Possible | The event should occur at some time | At least once in 3 years | 40% - 60% chance of occurrence (P40-P60) | 1 in 10,000
Unlikely | The event could occur at some time | At least once in 10 years | 10% - 40% chance of occurrence (P10-P40) | 1 in 100,000
Rare | The event may only occur in exceptional circumstances | Less than once in 20 years | Less than 10% chance of occurrence (P10) | 1 in 1,000,000
10.3.3 Level of Risk

The level of risk is determined, using the following matrix, at the point on the grid where likelihood
meets consequence. The level of risk is defined in a numerical rating which determines the criteria
for management of risk. See figure 1 Risk Acceptance Criteria/Tolerance table.

Figure 8 - Level of Risk

LIKELIHOOD \ CONSEQUENCES | Insignificant (1) | Minor (2) | Moderate (3) | Significant (4) | Severe (5)
Almost Certain (5) | Medium (5) | High (10) | High (15) | Very High (20) | Very High (25)
Likely (4) | Low (4) | Medium (8) | High (12) | High (16) | Very High (20)
Possible (3) | Low (3) | Medium (6) | Medium (9) | High (12) | High (15)
Unlikely (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10)
Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | Medium (5)
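As an added worked example (not part of the framework document or of CID), the following Python encodes the Figure 8 matrix, the Figure 1 acceptance bands, the Figure 14 review timeframes and the occupational safety and health rule from section 8, and rebuilds the matrix from the band rule so the encoding can be checked against the figure. Function, class and constant names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Likelihood and consequence ratings as numbered in Figures 7, 6 and 8.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Significant": 4, "Severe": 5}

URGENT = "Urgent Management Attention Required"

# Figure 1 bands keyed on the numeric score (likelihood x consequence), with the
# Figure 14 review timeframe for the risk owner appended to each band.
BANDS = (
    (1, 4, "Low", "Acceptable", "Staff members", "Annually"),
    (5, 9, "Medium", "Monitor", "Supervisor/Coordinator/Manager", "Quarterly"),
    (10, 19, "High", URGENT, "Manager/Executive", "Monthly"),
    (20, 25, "Very High", "Usually Unacceptable", "Executive/Council", "Weekly"),
)


@dataclass(frozen=True)
class RiskRating:
    """Result of reading the matrix for one risk (hypothetical record type)."""
    score: int
    level: str
    criteria: str
    responsibility: str
    review: str
    osh_override: bool = False


def rate_risk(likelihood: str, consequence: str, osh: bool = False) -> RiskRating:
    """Return the Figure 8 level and Figure 1 criteria for a likelihood/consequence pair.

    osh=True applies the section 8 rule for occupational safety and health risks:
    a Low or Medium rating whose consequence is Significant or Severe still
    requires urgent management attention. The framework does not say the score
    or level changes, so only the management criterion is lifted and the
    override is flagged on the result.
    """
    try:
        l_score = LIKELIHOOD[likelihood]
        c_score = CONSEQUENCE[consequence]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]}") from None
    score = l_score * c_score
    for low, high, level, criteria, responsibility, review in BANDS:
        if low <= score <= high:
            break
    else:  # unreachable for valid 1..5 inputs, kept as a guard
        raise ValueError(f"score {score} outside matrix")
    if osh and level in ("Low", "Medium") and c_score >= CONSEQUENCE["Significant"]:
        return RiskRating(score, level, URGENT, responsibility, review, osh_override=True)
    return RiskRating(score, level, criteria, responsibility, review)


def level_matrix() -> Dict[str, List[str]]:
    """Rebuild Figure 8 from the band rule: one row per likelihood, columns in
    ascending consequence order, so the encoding can be compared with the document."""
    ordered = sorted(CONSEQUENCE, key=CONSEQUENCE.get)
    return {lik: [rate_risk(lik, con).level for con in ordered] for lik in LIKELIHOOD}


if __name__ == "__main__":
    # Constructed sample: an OSH risk assessed as Rare likelihood, Severe consequence.
    # Score 5 is Medium on the matrix, but section 8 lifts it to urgent attention.
    r = rate_risk("Rare", "Severe", osh=True)
    print(f"score={r.score} level={r.level} criteria='{r.criteria}' review={r.review}")
    for lik, row in level_matrix().items():
        print(f"{lik:>14}: {row}")
```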

10.4 Risk Evaluation

10.4.1 Overview of controls

Controls are City policies, processes and systems developed and implemented that assist in
mitigating a risk.

Corporate governance practices within the City require a robust internal control system.

The existence and proper application of these and other controls assist the City to operate
efficiently, effectively and ethically.

10.4.2 Assessing Controls

The degree and effectiveness of existing controls over risks needs to be evaluated to allow a
definitive risk ranking process. These controls need to be identified clearly and their effectiveness
assessed.

Controls fit into four distinct types as detailed below:

Figure 9 - Control Types

Preventative Controls: These controls are aimed at preventing risk occurring in the first place. They include: plans, policies, procedures, Safe Work Method Statements etc.
Detective Controls: These controls are used to identify when a risk becomes an issue/incident. They include: audits, stocktakes and reviews, safety incident reports etc.
Mitigating Controls: These controls are aimed at minimising the consequences that arise from the issue/incident. They include: Business Continuity Plans and Disaster Recovery Plans, Personal Protective Equipment, insurance, outsourcing of risk etc.
Corrective Controls: Corrective controls restore the system or process back to the initial state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered the payment data.

Experience has demonstrated that there is a direct correlation between the effectiveness of an
existing control and the likelihood of the risk occurring (i.e. the more effective the control, the less
likely the risk is to occur) and/or the impact of the risk (i.e. non effective controls may increase the
impact).

The outcome of the evaluation should influence further analysis of the likelihood and potential
consequences of the risk.

The table below is used to determine the effectiveness of controls.

Figure 10 - Effectiveness of Controls

Poor/Non-Existent: Will not have any effect in terms of reducing the likelihood and/or consequence of the risk.
Inadequate: Will have very little effect in terms of reducing the likelihood and/or consequence of the risk.
Satisfactory: Will have some effect in terms of reducing the likelihood and/or consequence of the risk.
Good: Will have a reasonably significant effect in terms of reducing the likelihood and/or consequence of the risk.
Excellent: Will significantly reduce the likelihood and/or consequence of the risk at all times.


10.5 Communication & Consultation

Communication and consultation is a key factor in effective risk management, particularly as the
City's activities are diverse, complex and involve multiple stakeholders.

Stakeholder engagement is imperative to effective consultation; stakeholders may include:

• Customers
• Clients
• Contractors
• Councillors
• City Employees
• Visitors
• Members of the public

Regular communication and consultation adds value throughout the Risk Management Process:

Figure 11 - Benefits of Communication and Consultation

Identification: Sharing information and perspectives on risk will help to create organisational coherence, which is particularly relevant given the complexity and range of the activities undertaken within the City.
Analysis: Communication will often improve the understanding of risk. Involving others will enable the likelihood to be better determined; historical knowledge drawn from others is valuable.
Evaluation: A diversity of knowledge and experience is essential to achieve a balanced review of the controls and treatments in place.
Treatment: Experience and expertise are crucial in developing appropriate treatments that will be effective. Allocation of treatments to the most appropriate party either within or outside of the City can be established.

10.6 Risk Treatment

Risk treatment involves identifying a range of options for treating the risk, evaluating those options,
selecting the most effective treatment and preparing and implementing a risk treatment plan.

Where a risk is shared across business units, the treatment plan must be agreed and endorsed by
all relevant business unit managers.

Use the flowchart below together with the Risk Acceptance/Tolerance table (figure 1) in order to
arrive at the correct criteria for management of risk. Treatment options should be considered
weighing the cost of implementing against the potential benefit.


Figure 12 - Treatment Process

Is the Risk Acceptable?
  YES -> Accept -> Monitor and Review
  NO  -> Treatment Strategy:
           - Reduce likelihood and/or consequence
           - Share - in part or fully
           - Avoid
         -> Recommend -> Choose -> Implement -> Progress Reporting -> Monitor and Review

In actioning treatment plans the process should include:

• allocation of risk treatment responsibilities;
• approval or allocation of resources needed for treatment; and
• establishment of deadlines, or in the case of long-term treatment processes, agreement on
milestones and deadlines.

Where treatment plans have long lead times, consideration should be given to implementing interim
measures and actions. Where treatment plans cannot be implemented at the time of approval,
alternative measures should be prioritised.

The following timeframes apply to treatment plans.

Figure 13 - Treatment Action Timeframe

Risk Level | Timeframe | Agreed By
Very High | | CEO and Internal Auditor
High | | Executive Manager and Internal Auditor
Medium | | Business Unit Manager and Internal Auditor
Low | | Business Unit Manager and Internal Auditor


10.6.1 Risk Treatment Options

There are four broad treatment options available for the mitigation of identified risks. These are
outlined below.

Treat - risk treatments that will reduce the likelihood and/or consequence of the risk are determined
and documented in a Risk Treatment Plan. The projected risk is recorded on the Risk Register in
CID.

All risk treatments must be assigned an owner. Upon completion of the risk treatments, the Risk
Register is updated to reflect completion of the treatment, the treatment is added as a control and
the residual risk is updated to reflect the projected risk rating.

Where a risk affects multiple business units, the business unit wherein the consequence is the
highest is the risk owner.

Transfer/Sharing - where a risk is applied to one business unit and its treatment is undertaken by a
different business unit, the managers must communicate regularly to ensure that mitigation
practices are effective and maintained.

Escalation - risk and treatment plans are escalated to the EMT by the Risk Management Officer
when:

• the residual risk is above the City’s tolerance;
• the risk treatment actions are outside the control of the City;
• shared risk owner/treatments cannot be agreed; or
• there are no further treatments to reduce the risk.

The EMT has authority and accountability to accept the risk on behalf of the organisation provided it
meets the above items.

Accept/Retain - risk acceptance may only be undertaken (in line with the Risk Acceptance
Criteria/Tolerance table - refer to figure 1) as follows:

• there are no treatment options available;
• the level of the risk is so low that it does not warrant treatment; or
• risk treatment would cost more than the consequences of the risk (not just in dollar terms).

10.7 Monitor and Review

In order to ensure that treatment/controls remain effective and continue to meet the City’s Criteria
and Tolerance Level, regular review is essential.

10.7.1 Risk Treatment Monitoring and Reporting

Treatment items are monitored and completion progress reported within the City's Corporate
Information Database (CID) quarterly.

Treatment items not completed by their due dates are escalated via reporting to EMT.

10.7.2 Methods of Risk Review

Monitoring and review procedures form part of the risk management plan. As a guide, some
methods of review include:


• self-assessment by Business Unit Manager/Coordinator/Supervisor;
• physical inspections;
• assessing the effectiveness and efficiency of controls;
• audit and reassessment of risk.

The following timeframes apply to the review of risks.

Figure 14 - Risk Review Timeframes

Risk Level | Reviewed (by Risk Owner)
Very High (20-25) | Weekly
High (10-16) | Monthly
Medium (5-9) | Quarterly
Low (1-4) | Annually

It should be noted that when there is a significant change to circumstances, all risks should be
reviewed at that time.

10.7.3 Archiving Risks

Risks are archived when the risk no longer exists. Archiving is undertaken in consultation with the
Risk Management Officer. Risks may not be archived simply because no treatment is required or
treatments have already been implemented and the risk has reached its target level.

Appropriate approval is required according to the following table.

Figure 15 - Archive Risk Approval - Operational risks

Risk Level | Authority Level
Very High Risks | Audit Committee
High Risks | CEO
Medium Risks | Executive Manager
Low Risks | Business Unit Manager

Figure 16 - Archive Risk Approval - Strategic risks

Risk Level | Authority Level
All Risks | Audit Committee

10.7.4 Risk Register

Each business unit has a Risk Register in which risks and individual treatment plans are recorded.

Risk Registers are accessible on the intranet and within CID.

Risk Registers are reviewed annually by way of meetings scheduled by the Risk Management
Officer and conducted as part of the Business Planning Process.


10.7.5 Risk Reporting to EMT and Audit Committee

In order to ensure the ongoing maintenance and effectiveness of risk management, a number of
reports are generated. The following reports present data captured from CID.

• Quarterly Risk Management Report - presented to EMT – reports on the progress of risk within
the organisation including the approval of escalated risks.
• Quarterly Risk Analysis Report - presented to EMT – reports on overdue treatment items.
• Internal Audit Register Open Items - presented to Audit Committee – progress report, reports
on completed, current and overdue audit items.
• Strategic Risk Register - presented to Audit Committee.

11. Other Aspects of Risk Management


11.1 Business Continuity

Business Continuity Planning (BCP) is an integral part of the City’s Risk Management Framework
and is undertaken to ensure that stakeholders and the community can rely on the continuation of
services from the City, during times of crisis.

The City has developed a BCP that identifies the processes and resources required to ensure that
critical objectives under a conceivable disaster are met.

The Business Continuity process involves the following steps:

a) Perform a risk and vulnerability analysis;
b) Conduct a business impact analysis;
c) Develop response strategies/options;
d) Develop resource requirements;
e) Develop continuity plans; and
f) Plan validation.

The steps are similar to, or an extension of, those used during the risk assessment and treatment
process.

BCPs are located on the risk intranet page and reviewed annually as part of overall risk
management.

11.2 Occupational Safety & Health Risk Management

Occupational Safety and Health is a distinct subset of risk management which has legislated risk
management functions that must be undertaken.

All Occupational Safety and Health controls must be determined in accordance with the hierarchy of
control. Elimination of the hazard is always the most effective control. Lower order controls such as
Administrative Controls and Personal Protective Equipment should always be considered in
conjunction with higher order controls such as Substitution and Engineering/Isolation.

Refer to the OSH intranet page for the Occupational Safety and Health Legislation relevant to risk
management.


11.3 Insurance

The City's insurance function is managed within the Financial Services and Rates business unit.

Risk Management is essential to assist in reducing the financial cost and liability exposure to the
City associated with insurance claims.

The City is required to assess the themes emerging with insurance claims and implement risk
treatment strategies which will assist in the mitigation of risks occurring that result in insurance
claims.

11.3 Measuring Risk Management Performance

The assessment of risk management performance within the City is measured by assessing the
extent to which risk management is contributing to the achievement of the City's objectives and
outcomes.

The City endeavours to use objective measures of risk where appropriate.


Framework Administration

Governance References
Statutory Compliance: Local Government Act 1995
Industry Compliance: AS/NZS ISO 31000 Risk Management - Principles and Guidelines 2009
Organisational Compliance: City of Swan Strategic Community Plan 2012-2022; KRA: Governance; G2.1 Improve capability and capacity
Process Links: Risk Management Policy
Decision Maker: Executive

Framework Administration
Business Unit Name: Governance
Officer Title: Manager, Governance
Contact: 9267 9267
Risk Complexity Classification: 3
Review Frequency: Biennial
Next Due: 2018

Version | Decision | Reference | Synopsis
1. | Executive | 28/01/2016 | Approved Risk Management Framework.
2. | | |
3. | | |


List of Appendix
A - Risk Management Glossary
B - Roles and Responsibilities
C - Risk Breakdown Structure - Examples


Appendix A - Glossary of Terms

Terms and Definitions

Assurance: A process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk. An evaluated opinion, based on evidence gained from review, on the organisation’s governance, risk management and internal control framework.
Audit: The formal examination of the City's accounts, financial situation, internal controls, systems, policies and processes and compliance with applicable terms, laws, and regulations.
Compliance: A state of being in accordance with established internal rules, guidelines, policies, specifications, social ethics and norms and legislation.
Consequence: The outcome of an event or change in circumstances affecting the achievement of objectives.
Controls: All the policies, procedures, practices and processes in place to provide reasonable assurance of the management of the City’s risks.
Control Self-Assessment: A formal assurance activity whereby managers make a formal analysis of risks and controls and identify key controls that collectively confirm acceptable operation. These controls are then formally checked and reported on a regular basis.
Event: An occurrence or change of a particular set of circumstances.
Frequency: A measure of the rate of occurrence of an event expressed as the number of occurrences of an event in a given time (see also Likelihood and Probability).
Hazard: A source of potential harm or a situation with a potential to cause loss.
Inherent Risk: Initial risk assessment prior to implementation of risk treatments and risk reviews.
Level of Risk: The magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
Likelihood: Used as a qualitative description of probability or frequency of something happening.
Monitor: To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.
Operational Risks: Those risks that occur at the operational level of a business unit or division. Operational risks can be owned by the project Manager, Business Unit Manager or Executive Manager.
Projected Risk: Level of risk remaining after treatments.
Residual Risk: Level of risk remaining after risk controls.
Risk: Effect of uncertainty of the City achieving its objectives.
Risk Acceptance: An informed decision to accept the consequences and the likelihood of a particular risk.
Risk Analysis: A process to comprehend the nature of risk and to determine the level of risk.
Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation.
Risk Avoidance: An informed decision not to become involved in, or to withdraw from, a risk situation.
Risk Identification: The process of finding, recognising and describing risks.
Risk Level: The level of risk calculated as a function of likelihood and consequence.


Risk Management: Coordinated activities to direct and control the City with regard to risk.
Risk Management Process: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk Owner: The City officer with the accountability and authority to manage a risk.
Risk Register: Document used for recording risk management process for identified risk.
Risk Sharing: Sharing with another party the burden of loss, or benefit of gain from a particular risk.
Risk Source: Element which alone or in combination has the intrinsic potential to give rise to risk. A risk source can be tangible or intangible.
Risk Transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof elsewhere.
Risk Treatment: Agreed action that has been identified to further mitigate a risk; once completed the treatment will become a control.
Strategic Risk: Those risks that are holistic in nature, spread across the organisation and are more appropriately managed at a corporate level.
The Standard: AS/NZS ISO 31000:2009, Risk Management – Principles and Guidelines, Standards Australia.


Appendix B - Roles and Responsibilities for Risk Management

Council
x Approval of the Council policy for Risk Management; and
x Appointing a dedicated committee (Audit Committee) to oversee the risk management process
and the significant risks facing the City.

Audit Committee
• Approval of the Risk Management Framework;
• Reviewing and approving the scope of the internal audit plan and program, as well as assessing the effectiveness of the function;
• Reviewing whether the internal audit plan systematically addresses internal controls over significant areas of risk, including non-financial management matters;
• Critically analysing and following up any internal or external audit report that raises significant issues relating to risk management, and reviewing management's response to, and actions taken as a result of, the issues raised; and
• Monitoring the risk exposure of the City by determining whether management has appropriate risk management processes and adequate management information systems.

Executive
• Leadership of the Risk Management Framework;
• Ensuring that risk management frameworks and models are embedded in the operations and processes;
• Identifying and controlling strategic risks facing the City; and
• Continually monitoring the organisation's strategic and operational risk management performance.

Governance
• Development of the Risk Management Framework, including deployment and engagement;
• Development of the Strategic Audit Plan;
• Ensuring risk management practices are built into the organisation's planning and reporting processes;
• Delivery of relevant risk management training for all employees;
• Ensuring that the risk management reporting provides an effective overview of the significant risk exposures to the City of Swan and an understanding of the measures that are being taken to mitigate the identified risks; and
• Facilitating the escalation of risks that are outside the control of Business Unit Managers to ensure that these risks are acted upon appropriately.

Risk Management Officer
• Facilitating strategic and operational risk reviews;
• Liaising with and mentoring the Executive, Business Unit Managers and staff regarding the effective management of risk management issues;
• Liaising with risk owners to ensure identified risks are documented in the risk register and regularly reviewed in accordance with the assessed level of risk and the consequence table;
• Reporting on risk and audit;
• Providing support and guidance to City employees in their risk management efforts; and
• Contract management of the outsourced Internal Audit program.


Internal Auditor/Contract Internal Auditor
• Providing independent advice by reviewing critical control systems and risk management processes, and providing assurance to the Audit Committee on the adequacy of the Risk Management Framework; and
• Undertaking reviews of Council's activities and providing the Audit Committee and management with reports containing analyses, appraisals, recommendations, comments and observations.

Business Unit Managers
• Implementation of the risk management frameworks and models into operations and processes;
• Liaising with stakeholders in relation to risks that are outside of their responsibility;
• Taking ownership of risks assigned to them and ensuring that each risk is handled in accordance with the Risk Management Framework;
• Ensuring controls are effective;
• Ensuring treatment actions are completed in a timely manner;
• Ensuring any indication that a risk has eventuated, or is about to eventuate, is reported immediately; and
• Effective application of the City's Risk Management Framework to their respective business unit activities.

Treatment Owners
• Day-to-day responsibility for the management of a particular treatment assigned to their role;
• Ensuring treatment actions are completed as specified in the treatment plan; and
• Ensuring treatment actions are progressing to completion in a timely manner.

All Employees
• Working in compliance with the City's Risk Management Framework;
• Attending and actively engaging with the City's risk management training; and
• Actively reporting identified risks and, where appropriate, implementing agreed treatments.

Appendix C Risk Breakdown Structure - Examples of risks
