ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES


ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES
December 2015

NLC Enterprise Risk Management Guidelines

Contents

INTRODUCTION
Enterprise Risk Management Principles
The Enterprise Risk Management Framework
The Risk Management Process
Establishing the context
Key Stakeholders
The Business Objective
Key Phases and Key Processes
Risk Assessment
Risk Identification
Risk Categories
Risk Analysis
Assess Consequence and Likelihood
Determine Risk Level
Risk Evaluation
Risk Treatment
General
Selection of Risk Treatment Options
Preparing and Implementing Continuous Improvement Plans
Monitoring and Review
Scanning Risk Sources
Risk Monitoring and Reporting
Review of the Risk Profile
Emerging Risk Identification
Executive Risk Reporting
Review of the Risk Management Framework
Reporting to the Audit Committee
Communication and Consultation
References
Appendix 1 Risk Register
Appendix 2 - Sample Template Risk Record (optional)
Appendix 3 - Aligning Risk Management to Strategic and Business Planning, Budgeting and Performance Management
Appendix 4 Definition of Terms
Appendix 5 Roles and Responsibilities

NLC Enterprise Risk Management Guidelines, Version no. 2, December 2015 Policy document reference of 45

INTRODUCTION

The Naracoorte Lucindale Council (NLC, the Council) is committed to a structured and systematic approach to the management of risk across the whole organisation in accordance with current industry standards and best practice.

Enterprise Risk Management (ERM) involves the management of risks that impact (either positively or negatively) on the organisational strategies used to achieve corporate objectives. During our normal day to day activities we face internal and external factors and influences that make it uncertain whether, when and the extent to which we will achieve or exceed our objectives. The effect this uncertainty has on our objectives is risk.

Each and every one of us has a responsibility for managing risk. All our activities involve risk. We manage risk by anticipating, understanding and deciding whether to modify it. Throughout this process we communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk.

Risks will always continue to emerge due to the increasing complexity and scope of our operations, the changing nature of our environment and our relationships with stakeholders, and the increasing need for accountability.

Risk Management is an integral part of good business practice and involves the implementation of cost effective strategies such as foreseeing opportunities and/or potentially damaging events, implementing risk treatment actions, and providing decision makers with information to effectively assess potential risks.

Enterprise Risk Management (ERM) encapsulates the extension of Risk Management from a purely business unit focus to an organisational wide operational and strategic focus. This is designed to identify the whole range and relative priority of risks that have to be managed by the organisation as a whole and allow all reasonable steps, including any necessary action at Executive level, to help ensure these risks are adequately managed.

When effectively implemented and maintained, the management of risk enables us to:

a) increase the likelihood of achieving objectives
b) encourage proactive management
c) be aware of the need to identify and treat risk throughout the Council
d) improve the identification of opportunities and threats
e) achieve compatible risk management practices between our own business units and between us and other organisations
f) comply with relevant legal and regulatory requirements and good practice
g) improve financial reporting
h) improve governance
i) improve stakeholder confidence and trust
j) establish a reliable basis for decision making and planning
k) improve controls
l) effectively allocate and use resources for risk treatment
m) improve operational effectiveness and efficiency
n) enhance health and safety performance as well as environmental protection
o) improve loss prevention and incident management
p) minimise losses
q) improve organisational learning
r) improve organisational resilience

The intent of these guidelines is to facilitate the implementation of the ERM policy by providing a framework that integrates the process for managing risk into our overall governance, strategy and planning, management, reporting processes, policies, values and culture, in a manner that is holistic, inclusive and consistent.

Risk Management is compulsory as part of the Enterprise Risk Management in the Naracoorte Lucindale Council policy. These guidelines are provided to assist in the implementation of this Policy and should be used as a guide only. However, the risk methodology used to manage risk must be documented.

These guidelines and the policy are located on the NLC network.

1. ENTERPRISE RISK MANAGEMENT PRINCIPLES

The following Enterprise Risk Management Principles have been endorsed by the Naracoorte Lucindale Council for use throughout the council.

1. The Executive is committed to a management culture that embeds enterprise risk management in all council processes.
2. The Executive and each department will manage risk consistent with the agreed set of ERM principles and NLC ERM guidelines.
3. ERM forms part of all policy and operational decision making.
4. ERM is integral to planning and budgetary processes and is reflected in performance management agreements of senior executive staff.
5. Executive and departmental level risks are monitored, reviewed and subject to regular reporting based on the best available information.
6. ERM addresses uncertainty and at the Executive level means aim for no surprises.
7. Stakeholder relations and engagement will be risk managed in relation to any change management activity.
8. ERM processes and tools will focus on ease of use and integration into existing activities.

2. THE ENTERPRISE RISK MANAGEMENT FRAMEWORK

The Enterprise Risk Management (ERM) Framework helps to ensure that risk is managed across the council in a holistic manner, is integrated into our culture, business practices and business plans, is inclusive of all levels of staff and is applied in a consistent manner. ERM supports the needs of the council at both the Management level as well as the operational level.

A two-tier collaborative risk model is shown in Figure 1, which involves strengthening and enhancing risk governance and management practices at both Management and operational levels. The approach to governing the risks at the portfolio level recognises the diverse nature of the departments' activities and risks and therefore should be tailored to the departments' operations.

A principles-based approach (see previous page) to managing risks within the departments will provide the required flexibility at departmental level while still enabling us to achieve a minimum required consistency of risk management across the council and enabling operations to demonstrate effectiveness of risk management activities.

Risks are escalated to Council based on consideration of the NLC-wide risk environment including stakeholder expectations, community concerns, government reputation, senior management interventions, and as identified by the Audit Committee.

[Figure 1: Two Tier Collaborative Risk Model, Combined Top Down/Bottom Up Approach. Tiers shown: Executive Risk Governance; Operational Risk Governance.]

The ERM framework has focus in the following areas:

Strategic or Transient Risks: risks associated with:
o carrying out our business objectives as articulated in high level plans;
o major programs/initiatives;
o risks that are associated with strategies that are transient or short term in nature.

Risks are identified, documented (usually in a risk register), and managed using structured processes at all business unit levels (Council wide, departmental, regions, directorates and other business units). Corporate reporting systems are used to report achievement of objectives and management of identified risks. For information and guidance on reporting templates and how to create a risk register refer to Appendix 1 and 2.

Operational or Business-As-Usual Risks: this relates to the management of risks associated with day to day business or operational activities. Risks are identified, documented (usually in a risk register), and managed using structured processes at the business unit's operational level. Existing reporting systems are used to report achievement of objectives and management of identified risks.

To support both strategic and operational risk management, we have established specific policies, procedures and guidelines to help ensure effective management of risks which include but are not limited to:

o business continuity
o volunteers
o corruption prevention
o emergency planning & response
o work health & safety
o project management
o safety and security for users of council facilities
o hire of council equipment
o building construction
o road repairs and construction

The ERM framework provides for consistent and ongoing processes for identifying, analysing, treating/responding to, monitoring and reporting on risk so that any changes in risk exposures or areas requiring immediate action are highlighted promptly and appropriate improvement actions can be implemented. The framework provides for the identification and assignment of risk ownership to those who have the authority and responsibility to help ensure it is managed effectively.

The following section illustrates the risk management process itself. For information and guidance on how to integrate risk management with strategic and business planning, budgeting and performance management refer to Appendix 3.

3. THE RISK MANAGEMENT PROCESS

Enterprise Risk Management (ERM) involves the management of risks that impact on the organisational strategies used to achieve corporate objectives. The process described in this section can be used as a methodology for conducting strategic or operational risk assessments. Details of all risks within a business unit or initiative should be recorded in a risk register.

The ERM process that we use is based on Australian Standard AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines. This Standard provides the steps of the risk management process as shown in the diagram below. Definition of Terms relating to risk management is contained in Appendix 4. The numbers in the diagram represent the sections in this document.

[Figure 2: Risk Management Process (Adapted from AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines). Section numbers shown in the diagram: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4, 3.5.]

4. ESTABLISHING THE CONTEXT

The purpose of this step is to define the context and scope for the risk assessment. This involves understanding the internal and external environment in which risks occur including strategic, operational, financial, competitive, stakeholder, social, cultural and legal aspects of your functions. This will provide the structure for the risk assessment tasks that follow. In this step you will need to identify the business objectives and the strategies or key processes developed to achieve the business objectives.

Below are some possible environmental characteristics that may affect the risk context.

1. Short timeframe to achieve actual results
2. In-house capacity limits in resources and skills/expertise to undertake all aspects of project
3. Interdependencies with other major initiatives
4. Cross departmental impacts
5. Reliance on infrastructure capacity external to the organisation
6. Impact of unforeseen circumstances
7. Market trends and competition
8. Economic factors
9. Completion of capital works
10. Environmental conditions or influences
11. Community awareness and support

5. KEY STAKEHOLDERS

Key stakeholders have a significant role in risk identification as they have a vested interest in the outcomes. They include but are not limited to the following:

1. Community
2. Business owners
3. LCLGA
4. Adjoining councils
5. Community Groups
6. Ratepayers
7. Council employees
8. Govt. State & Fed
9. Disabled
10. Indigenous
11. Aged
12. Unions

6. THE BUSINESS OBJECTIVE

The risk process is a recognition that in striving for a specific goal or outcome there are often elements or risks associated with the achievement of those outcomes. If these risks are not considered or addressed at the time of developing business plans they can delay, frustrate or cause unexpected outcomes to arise affecting the achievement of the objectives, or there may be opportunities that are missed.

The primary purpose of this step is to gain some assurance we will be focusing on the correct risks, barriers, and opportunities in achieving our stated business objectives. Part of the business objective step involves ensuring we are very clear about what we are trying to achieve through the program and involves ensuring the business objective addresses the following SMART criteria:

Specific
Measurable
Achievable
Relevant
Timely

7. KEY PHASES AND KEY PROCESSES

The following key phases are essential for any initiative to be effective:

o Planning
o Implementation
o Monitoring and reporting
o Evaluation and Review

Planning: this represents any key process relied on to outline how an activity is intended to be carried out (eg policies, procedure manuals, guidelines, business cases that identify needs, strategic and business plans that set out targets, deliverables and key milestones, implementation plans etc.).

Implementation: this phase represents those key processes relied on to implement the plans from the planning phase (eg application of project management processes, application of resource allocation criteria, training, change management, accountabilities, recording of actions/decisions, meetings and actioning, matching of skills to tasks, succession planning).

Monitoring and Reporting: this phase represents those key processes relied on to monitor performance and progress against business plans which include targets, deliverables at key milestones on the activity and some reporting on the same. This monitoring and reporting might be in terms of KPIs and other performance criteria set.

Evaluation and Review: this phase is sometimes more commonly understood as continuous improvement and relates to some form of improvement on past mistakes, what went well, or lessons learnt. It can relate to new and innovative methods and technologies being adopted to replace existing approaches.

To help you identify the type of key processes that might fall under each of the four phases the table below shows some examples.

EXAMPLES OF KEY PROCESSES

Planning
o Governance structure
o Consultation with stakeholders
o Policies/guidelines available to staff
o Critical milestones/targets set
o Criteria for budget allocations
o Responsibilities and accountability requirements assigned

Implementation
o Consultation on changes and decisions made
o Compliance with guidelines, business rules
o Application of Project management discipline
o Allocation and matching of resources and skills
o Roll out of training
o Recording of decisions, meetings, action records succession planning, accountability for outcomes

Monitoring & Reporting
o Regular meetings with stakeholders key players
o Monitoring and reporting requirements
o Capture and reporting performance against KPIs
o Prompt remedial action on poor performance, delays, and budgetary issues
o Reporting requirements followed up
o Analysis of data conducted

Review
o Reviewing best practice
o Adopting new methods, technologies
o Abandoning failed strategies

These phases can be used to help identify where there might be gaps in key processes for the initiative which can point to potential sources of risk to the activity under consideration. Once these have been worked through we can conduct a risk analysis and risk response for the initiative.

8. RISK ASSESSMENT

9. RISK IDENTIFICATION

Describing risks involves two elements, namely an event (or cause) and an impact (or consequence). The context and key processes defined above will set the boundaries for which risks will be included. It is critical that all risks impacting on the achievement of the business objectives are identified, whether or not they are under the control of the Council. If risks are not identified they will be excluded from analysis from this point onwards.

To identify risks for each of the key business processes identified above, ask the following questions:

o What can go wrong (event or cause)? or
o What opportunities are available: how can we achieve our objectives more easily (event or cause)? and
o What does this lead to (impact or consequence)?

It is important that you consult with people who are knowledgeable about the activity being assessed. You can identify risks through individual staff interviews or by conducting focus group meetings and workshops. The latter is recommended if the activity is complex and involves staff in more than one area.

In describing risks, you should always relate the event and impact to the business objective. It helps to use terms such as "resulting in" or "due to" which link the event to the impact. An example is "Failure to meet commonwealth objective deadline, resulting in withdrawal of current funds, loss of future funds, damage to relationship with commonwealth, negative media, and damage to the Council's reputation." This example shows that there are a number of potential impacts due to one event. This could then lead to a number of possible risk treatment options.

10. RISK CATEGORIES

The following ten risk categories can be used to facilitate easy identification of risks. These categories are the sources of risk i.e. where the risk can arise (see also Section 3.4.1). Examples of risk themes that would be grouped in each category are also provided. Note: the list is not exhaustive, it is provided as a guide.

Service delivery: delivery, achievement, assessment & reporting of Council's strategic objectives & outcomes; provision of quality community environments; migrant, youth and Aboriginal community outcomes; sport & recreation outcomes; provision of information & communication technologies; corporate governance; business development outcomes; communication of core activities; service delivery; rate payer needs; equity

Human Resources: attracting & maintaining key staff; staff skills & qualifications; staff disputes

Stakeholder: changes in government; community expectations; legislative changes; unions; media; staff associations & councils

Corruption & Fraud: theft; misappropriation; conflicts of interest; bribery; falsification of records; favouritism in recruitment; misuse of resources including communication devices

Financial: revenue; expenditure; assets & liabilities; corporate credit cards

Legal & Legislative: breaches of contract; public liability; professional liability; legislative non-compliance; government & industry partnerships

Reputation: service delivery; stakeholder, employer & customer perceptions and expectations; brand protection

Business Continuity: technological change; natural disasters; strikes; computer breakdowns

Environment: Biosecurity; Bushfire; Flood

Health & Safety: community welfare/protection; staff welfare; work health & safety

Security: intellectual property; privacy of information; property & equipment; data integrity

11. RISK ANALYSIS

12. ASSESS CONSEQUENCE AND LIKELIHOOD

The purpose of this step is to rank the identified risks so that resources to treat risks are allocated to those of greater priority. We will formally analyse and assess risks to our strategy, business plans, major organisational change, major projects and programs. All risks identified at the Council and departmental level will be assessed in the residual terms using the NLC-wide risk consequence and likelihood criteria.

To evaluate the risk level, you will need to first assess the risk consequence by identifying the potential consequences of a risk event occurring. The NLC-wide consequence criteria are used to estimate the potential impact which a risk might have on the achievement of the Council/departmental objectives, in terms of either negative consequence (threats: see Tables 1 & 2) or positive consequence (opportunities: see Tables 3 & 4). Select the appropriate table. The risk is either positive or negative, not both.

The percentage of appropriate baseline amount as indicated in the Financial consequence category should be applied to the Council budget or a departmental budget accordingly to facilitate an appropriate calibration of the risk consequence across the Council.

The consequence is the impact or effect that the risk could have on the outputs or outcomes in the listed Risk Focus areas. The Risk Focus areas may be different than the Risk Categories used for identification of the risks (section ) because they are more to do with the results of the risk eventuating rather than the source of the risk.

The risk likelihood will then be considered using the NLC-wide likelihood criteria by determining the probability of the risk occurring with the identified consequences. Existing or planned controls should be taken into consideration when determining the risk likelihood.

The risk consequence and likelihood criteria are provided in the tables below. Additional risk consequence tables have been provided to facilitate an assessment of project/program specific risks.

Consequence Table

Columns: Level; Estimated Cost; Business Process & Systems; Health and Safety; Environmental; Community; Legal Compliance

Level, Estimated Cost, Business Process & Systems
1 Insignificant: 0>$10,000. Schedule slips one day. Insignificant impact on Council's ability to achieve strategic outcomes, impact can be dealt with by routine operations.
2 Minor: >$10,000. Schedule slips one week. Some impact on strategic initiatives but only minor aspects impacted. Overall strategic intent still achievable.
3 Moderate: >$50,000. Schedule slips one month. Some key components of the strategic plan could not be achieved as a result of risk event. Additional funding / resources required to rectify.
4 Major: >$100,000. Schedule slips 3 months. Council unable to deliver on numerous key strategic initiatives without additional funding / resources. Breakdown of key activities leading to reduction in business performance ie service delays, community dissatisfaction, loss of revenue, cost delays, legislative breaches. Major review of strategic plan required.
5 Critical: >$1,000,000. Schedule slips one year. Critical business failure preventing core activities from being performed. Impact threatens not only the survival of project but Council itself. Majority of initiatives and / or key initiative within the Council's strategic plan unattainable.

Health and Safety
Levels 1 to 3 (entries in table order): First Aid Injury; Nuisance value; Medical Treatment Injury; Restricted Work Injury; Single Lost Time Injury
Levels 4 and 5 (entries in table order): Multiple Lost Time Injuries; Admission to intensive care unit or equivalent; Serious, chronic, long term effects; Fatality(s) or permanent disability

Environmental
1: No or very low environmental impact. Impact confined to small area.
2: Low environmental impact. Rapid clean up by site staff and/or contractors. Impact contained to area currently impacted by operations.
3: Moderate environmental impact. Clean up by site staff and/or contractors. Impact confined within lease boundary.
4: Major environmental impact. Considerable clean up effort required using site and external resources. Impact may extend beyond the lease boundary.
5: Severe environmental impact. Local species destruction and likely long recovery period. Extensive clean up involving external resources. Impact on a regional scale.

Community
1: Isolated complaint. No media enquiry.
2: Small numbers of sporadic complaints. Local media enquiries.
3: Serious rate of complaints, repeated complaints from the same area (clustering). Increased local media interest.
4: Increasing rate of complaints, repeated complaints from the same area (clustering). Increased local/national media interest.
5: High level of concern or interest from local community. National and/or international media interest.

Legal Compliance
Levels 1 to 3 (entries in table order): Minor technical/legal compliance issue unlikely to attract a regulatory response; Possible fraud implications; Technical/legal compliance issue which may attract a low level administrative response from regulator; Incident requires reporting in routine reports (eg monthly); Breach of regulation with possible prosecution and penalties; Continuing occurrences of minor breaches; Incident requires immediate (< 48 hours) notification
Levels 4 and 5 (entries in table order): May involve fraud; Major breach of regulation resulting in investigation by regulator; Prosecution, penalties or other action likely; Serious breach of regulation resulting in investigation by regulator; Operation suspended, licenses revoked

NLC Enterprise Risk Management Guidelines V1.0 August 2013 Policy document referenced: C of 45

PROJECT / PROGRAM THREATS

Table 2 - Negative Consequence Criteria (Threats) Projects / Programs (The potential impact on the objectives and resources)

Levels
Insignificant (1): No change in projects
Minor (2): Can be accommodated with existing resources
Moderate (3): Impact can be absorbed with treatment but will require additional resources to be allocated
Major (4): The program will require considerable additional resources from other areas
Critical (5): The program may not be delivered

Risk Focus: Quality (G)
Insignificant (1): Negligible quality issues with no effect on objective
Minor (2): Objective achieved but quality diminished slightly
Moderate (3): Objective achieved but quality diminished substantially
Major (4): Substantial part of objective not met for quality reasons
Critical (5): Quality issues lead to non-achievement of objectives. Outputs/outcomes are not delivered

Risk Focus: Time (H)
Insignificant (1): Project/Program/Service delayed by up to 5%
Minor (2): Project/Program/Service delayed > 5% to 10%
Moderate (3): Project/Program/Service delayed > 10% to 20%
Major (4): Project/Program/Service delayed > 20% to 30%
Critical (5): Delay causes objective to not be achieved

Risk Focus: Cost (I)
Insignificant (1): Up to 1% variance to budget
Minor (2): > 1% to 5% variance to budget
Moderate (3): > 5% to 10% variance to budget
Major (4): > 10% to 15% variance to budget but not requiring Treasury approval
Critical (5): Over 15% variance to budget or requiring Treasury approval

Risk Focus: Benefits (J)
Insignificant (1): Up to 5% not delivered
Minor (2): > 5% to 20% not delivered
Moderate (3): > 20% to 30% not delivered
Major (4): > 30% to 50% not delivered
Critical (5): > 50% not delivered

Table 3 - NLC-Wide Positive Consequence Criteria (Opportunities) (The potential impact on the objectives and resources)

Risk Focus: Service delivery (A); Financial (B); Management Effort (C); Health & Safety (D); Legal / Compliance (E); Reputation / External relationships (F)

The entries for each level are listed in Risk Focus order (A to F).

Insignificant (1)
o Negligible improvement in ability for NLC/Business unit to meet its objectives
o Negligible improvement in Council or community/program/project/service outcomes
o Changes implemented by routine operations
o Saving or benefit up to 1% of the appropriate baseline amount, e.g.: Program/project budget; Annual budget; Projected revenue
o An event, the impact of which slightly reduces the management effort required
o Negligible effect on health and safety
o Negligible effect on site security
o Little effect on reputation
o Negligible improvement in compliance ability
o Little effort required
o Modest positive publicity
o Modest positive attention from minor stakeholders

Minor (2)
o Minor improvement in ability for NLC/Business unit to meet its objectives
o Minor improvement in Council or community/program/project/service outcomes
o Minor improvement in efficiency or effectiveness
o Saving or benefit > 1% to 5% of the appropriate baseline amount, e.g.: Program/project budget; Annual budget; Projected revenue
o An event, the impact of which reduces the management effort required
o Potential to free up resources within a department
o Minor preventative measures
o Minor improvements in site security and controls
o Minor improvement in reputation
o Minor improvement in compliance ability
o Process improvements assist with a proactive approach
o Local positive publicity
o Visible satisfaction from public, limited / localised media interest

Moderate (3)
o Moderate improvement in ability for NLC/Business unit to meet its objectives
o Moderate improvement in delivery of Council or community/program/service outcomes for identified groups
o Moderate improvement in efficiency or effectiveness
o Moderate improvement in utilisation of council assets
o Moderate improvement in community participation & access
o Saving or benefit > 5% to 10% of the appropriate baseline amount, e.g.: Program/project budget; Annual budget; Projected revenue
o An event, the impact of which results in a moderate reduction in the management effort required
o Potential to free up resources between the departments
o Moderate improvements in prevention and control
o Moderate improvements in site security
o Positive improvement in reputation and community interest
o Moderate improvement in compliance ability
o Positive cultural change
o Process improvements assist with a proactive approach
o Region wide positive publicity
o Short term improvements, public interest in Council, positive publicity from local & regional media

Major (4)
o Major improvement in ability for NLC/Business unit to meet its objectives
o Major improvement in Council or community/program/service outcomes
o Major improvement in ability to implement program
o Major improvement in the development of essential infrastructure
o Major improvement in utilisation of council assets
o Major improvement in community participation & access
o Saving or benefit > 10% to 15% of the appropriate baseline amount, e.g.: Program/project budget; Annual budget; Projected revenue
o An event, the impact of which results in a major reduction in the management effort required
o Resources can be released for other functions
o Major improvements in prevention and control
o Major improvements in site security
o Major improvement in reputation and community / stakeholder interest
o Major improvement in compliance ability
o Large change in behaviours
o Positive cultural change
o Proactive approach
o Sustained region wide positive publicity
o Mainstream media reports, community satisfaction supportive comments SELGA members
o Positive reinforcements from LGA

Critical (5)
o Significant improvement in ability for NLC to meet its objectives
o Significant improvement in Council or community/program/service outcomes
o Significant improvement to reputation of public education or sport & recreation
o Saving or benefit > 15% of the appropriate baseline amount, e.g.: Program/project budget; Annual budget; Projected revenue
o An event, the impact of which significantly reduces the management effort required
o Able to free up resources, reallocate responsibilities, and significantly realign functions
o Significant improvements in prevention and control
o Significant improvements in site security
o Significant improvement in reputation and community / stakeholder interest
o Significant improvement in compliance ability with cultural change and a proactive approach
o Significant improvement in reputation and community / stakeholder interest
o Significant recognition leading to major improvement in community and stakeholder support
o Broad public interest, media event

PROJECT / PROGRAM OPPORTUNITIES

Table 4 - Positive Consequence Criteria (Opportunities)

Risk Focus: Projects / Programs (The potential impact on the objectives and resources)

Rating | Projects / Programs | Quality G | Time H | Cost I | Benefits J
Insignificant (1) | Small change in projects | Negligible effect on objective | Project/Program/Service improved by up to 5% | Up to 1% below budget | Negligible increase in planned benefits
Minor (2) | Minor improvements in outcomes | Objective achieved; Quality starting to exceed expectations | Project/Program/Service improved by > 5% up to 10% | > 1% to 5% below budget | Minor increase in benefits over those planned
Moderate (3) | Moderate improvements in outcomes | Objective achieved; Moderate increase in outcomes; Exceeding expectations | Project/Program/Service improved by > 10% up to 20% | > 5% to 10% below budget | Moderate increase in benefits over those planned
Major (4) | Major improvements in outcomes | Major increase in quality; Greatly improved outcomes; High level of stakeholder satisfaction; Exceeding expectations | Project/Program/Service improved by > 20% up to 30% | > 10% to 15% below budget | Major increase in benefits over those planned
Critical (5) | Significant improvements in outcomes | Significant increase in quality; Significantly improved outcomes; High level of stakeholder satisfaction; Greatly exceeding expectations | Project/Program/Service improved by > 30% | > 15% below budget | Significant increase in benefits over those planned

NLC-WIDE LIKELIHOOD CRITERIA

How likely is it that the Council will be exposed to this specific risk (looking at both the event (cause) and the impact (consequence)), considering factors such as:

- Anticipated frequency
- The external environment
- The procedures, tools, skills currently in place
- Staff commitment, morale, attitude
- History of previous events

The Description column in the following table is to be used as a guide only. Not all initiatives will align to the time frames shown.

Level | Description | Criteria (read as either/or) | Probability
5 | Certain | The event will occur; The event occurs daily | >95-100%
4 | Likely | The event is expected to occur; The event occurs weekly/monthly | >70-95%
3 | Possible | The event will occur under some circumstances; The event occurs annually | >30-70%
2 | Unlikely | The event has happened elsewhere; The event occurs every 10 years | >5-30%
1 | Rare | The event may occur in exceptional circumstances; The event has rarely occurred | <5%

NLC Enterprise Risk Management Guidelines v.1.0 December 2015 Policy document reference: of 45

13. DETERMINE RISK LEVEL

Having assessed the consequence and likelihood of major risks, a risk level will be determined using the NLC-wide risk matrix. Risks which may have a larger consequence and a higher likelihood on business operations will have a higher priority rating than those with a minor consequence and lower likelihood.

Risk treatment and escalation/delegation guidelines:

NLC-Wide Risk Level | Risk Treatment Guidelines | Risk Escalation Guidelines | Risk Delegation Guidelines
Extreme | Immediate action required to actively manage risk and limit exposure | Escalate to CEO & Council | The CEO responsibility and accountability
High | Cost / benefit analysis required to assess extent to which risk should be treated - monitor to help ensure risk does not adversely change over time | Escalate to the CEO | The CEO responsibility and accountability
Medium | Constant / regular monitoring required to help ensure risk exposure is managed effectively, disruptions minimised and outcomes monitored | Escalate to the Management Team | Specify risk management responsibility and accountability; Assign accountability to the Management Team
Low | Effectively manage through routine procedures and appropriate internal controls | Monitor and manage at operational management level | Monitor and manage at operational management level

14. RISK EVALUATION

The purpose of this step is to develop a prioritised list of risks requiring attention. When the risk has been rated, the risk level needs to be compared with management's acceptable level of risk.

- If a negative risk (threat) level is at or below management's acceptable level of risk then the risk is at an acceptable level and no additional risk treatment is required at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
- If a negative risk (threat) level is above management's acceptable level of risk then the risk is at an unacceptable level and additional risk treatments may be required to reduce the risk to management's acceptable level.
- If a positive risk (opportunity) level is low or medium but could be increased (improved) with reasonable steps (subject to cost/benefit analysis) then it is at an unacceptable level and additional risk treatments may be required.
- If a positive risk level (opportunity) is high or extreme it may be at an acceptable level so no additional risk treatment may be required (subject to cost/benefit analysis) at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.

15. RISK TREATMENT

The purpose of this step is to identify the most appropriate treatments for risks that are at an unacceptable level.

16. GENERAL

Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.

Risk treatment involves a cyclical process of:

- assessing a risk treatment
- deciding whether residual risk levels are tolerable
- if not tolerable, generating a new risk treatment
- assessing the effectiveness of that treatment.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Select the best options in terms of feasibility and cost effectiveness. The options can include the following:

- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Taking or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the consequences
- Changing the likelihood
- Sharing the risk with another party or parties (including contracts, insurance, and risk financing)
- Retaining the risk by informed decision.

17. SELECTION OF RISK TREATMENT OPTIONS

Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

A number of treatment options can be considered and applied either individually or in combination. The organisation can normally benefit from the adoption of a combination of treatment options.

When selecting risk treatment options, the organisation should consider the values and perceptions of stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in the organisation or with stakeholders, these should be involved in the decision. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.

The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.

Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective.

Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed. These secondary risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk. The link between the two risks should be identified and maintained.

18. PREPARING AND IMPLEMENTING CONTINUOUS IMPROVEMENT PLANS

The purpose of continuous improvement plans is to document how the chosen treatment options will be implemented. The information provided in continuous improvement plans should include:

- the reasons for selection of treatment options, including expected benefits to be gained
- those who are accountable for approving the plan and those responsible for implementing the plan
- proposed actions
- resource requirements including contingencies
- performance measures and constraints
- reporting and monitoring requirements
- timing and schedule.

Improvement plans should be integrated with the management processes of the organisation and discussed with appropriate stakeholders. Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after risk treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.

19. MONITORING AND REVIEW

Risk monitoring and review is an integral step in the risk management process. It enables us to proactively identify changes to the risk profile and adjust the organisational response as required. It also enables us to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies.

Risk monitoring and review is a continuous process and is essential to ensuring that our risk priorities and risk management plans remain relevant in the changing environment we operate in.

Risk management is responsive to change. Continuous monitoring and review of the external and internal risk environment is required to help shape the context and understanding of our risk profile, changes in the risk ratings, identification of new risks, or taking risks off the radar.

20. SCANNING RISK SOURCES

Environmental scanning is an important part of the monitoring framework and involves analysis of multiple sources of risk information as depicted in Figure 3 below.

[Figure 3: Sources of risk information. Diagram labels: Strategic Plan; Audit Reports; Business Plans; KPIs / Operational indicators; NLC Risk Profile; Major Projects / Key business processes; Lessons Learned (incidents management experience); Emerging risks / uncertainty; Regulatory / reputational issues; Ratepayer / Stakeholder expectations]

Environmental scanning by the Management team and the Council helps to identify new and emerging risks from the external and internal environment through:

- Analysis of Political, Economic, Social, Technological, Environmental factors, Government policies and other regulatory environment
- Interviews or meetings with the LGA, SELGA, Councillors
- Interviews or meetings with staff and stakeholders
- External reports and papers from recognised subject matter experts
- Consideration of our operations, systemic issues arising from incidents analysis, audit results and other historical risk information.

21. RISK MONITORING AND REPORTING

The Management Team monitors the risk profile and associated risk treatment strategies (as detailed in the Organisational Risk Register) using the following approaches:

- Management and Council meetings
- Formal risk profile and risk appetite reviews
- Early escalation of emerging risks.

Management Meetings

Management meetings are important forums for tracking movements on the risk profile and the implementation of key risk treatment strategies. The Management team meets on a regular basis to monitor performance against the strategic initiatives and monitor the risks. The Management Team considers risks at the following meetings:

- Weekly management meetings allow for discussion on performance matters, emerging risks and major ongoing concerns
- The department face-to-face meetings include discussion on major department risks
- Monitoring of strategy and major projects includes review of the risk profile and risk treatment activities biennially by the Management team.

A Risk Escalation Report and details of overdue/partially completed risk treatment activities in relation to high and extreme risks are reviewed as part of these meetings. Refer to Appendix 2 for a Risk Escalation Report example.

22. REVIEW OF THE RISK PROFILE

The risk profile is an important source of risk information, represented by the Organisational Risk Register, which contains the most significant risks faced by the Council as a whole and includes the following:

- Strategic and operational risks
- Major departmental risks escalated to the Council via the Management team
- Risks representing strategic projects or major initiatives

Escalated risks will procedurally progress to the Audit Committee. The Management team will undertake a High Level Overview of the most significant risks/risk areas facing the Council.

The profile is collaboratively reviewed by the Council on an annual basis. A formal annual refresh of the risk profile includes revision of the risk ratings taking into account the progress against risk treatment activities.
New and emerging risks are considered for inclusion on the risk profile. A comprehensive annual review of the risk profile and risk appetite is performed by the Management team.

The profile monitoring is an integral part of monitoring business performance and is underpinned by the following:

- Prioritisation of the major strategic risks which may have impact on the Strategic Plan
- Identification and prioritisation of new or emerging risks which may have a significant impact
- Monitoring of key performance indicators of major projects and initiatives which constitute areas of significant risk.

To help ensure that the risk profile is relevant, up to date and effectively managed, the Management risk review approach addresses the following:

- Alignment of the risks to strategic priorities
- Risk magnitude
- Key treatment strategies in place to manage the risk
- Effectiveness of the current risk treatment activities
- Movements in the risk ratings
- Initiatives to address risks which are above risk appetite or to strengthen risk management processes
- Accountabilities assigned to implement the risk treatment strategies and associated due dates
- Sufficiency of resourcing requirements to implement the risk treatment strategies.

Where the risk rating increases or potential risks are identified, the Management team considers the adequacy of the current risk treatment activities. The following questions may be considered:

- Are the assumptions relating to the risk context (including environment, technology and resources) still relevant?
- Is the risk treatment activity effective in managing the risk? How can it be improved?
- Are there performance measures or indicators in place to measure key outcomes?
- Does the risk management activity comply with legal requirements, and Council policies?

23. EMERGING RISK IDENTIFICATION

All staff members are responsible for ensuring new and emerging risk areas are captured, monitored and escalated appropriately through existing communication channels.

24. EXECUTIVE RISK REPORTING

Risk reporting supports the Executive discussion and decision-making on major risks and business priorities. Risk reports are prepared by the CEO annually.
The reports are focussed on high and extreme risks and highlight hot spots on the Risk Profile including:

- Risk description
- Reference to the strategy (target)
- Residual risk ratings
- Target risk ratings
- Movements in risk ratings
- Reference to a department (if applicable)
- Reference to a risk treatment strategy
- Accountability
- Status of risk treatment strategies (completed, partially implemented and overdue)
- Assurance activities in place to assess the management of the risk
- High level overview of the significant risks/risk areas facing the Council (including emerging negative risks and opportunities).

For major initiatives, updates are provided to management meetings. Updates should include details of overdue or partially implemented risk treatment strategies and the following information:

- Description
- Commentary
- Budget
- Accountability and Due date.

The dashboard report is supported by a commentary including highlights of the annual environmental scan and analysis of systemic issues and trends arising from historic information such as incidents and internal audit findings or resource implications for additional risk treatment activities.

Progress on performance against expected outcomes for major projects by reviewing key risk performance indicators for major initiatives is reported as part of the business performance reporting. This information contributes to the monitoring of major risks associated with these projects.

Full details of the roles and responsibilities of portfolios, the Executive and the ERM Group are outlined in Appendix

REVIEW OF THE RISK MANAGEMENT FRAMEWORK

The risk management framework is subject to review to meet the requirements of the current risk management standards (AS/NZS ISO 31000:2009). The review includes the following:

- Annual review of Council's risk profile and departmental risk profiles in conjunction with the self-assessment of the achievement of strategic objectives and progress against the strategic initiatives
- Self-assessment of the ERM Group performance in accordance with the ERM Group Charter


An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014 An Introduction to Risk Management For Event Holders in Western Australia May 2014 Tourism Western Australia Level 9, 2 Mill Street PERTH WA 6000 GPO Box X2261 PERTH WA 6847 Tel: +61 8 9262 1700 Fax: +61

More information

Victorian Government Risk Management Framework. March 2015

Victorian Government Risk Management Framework. March 2015 Victorian Government Risk Management Framework March 2015 This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management Principles and Guidelines. Permission has been granted by SAI Global

More information

Queensland State Archives. Strategic Recordkeeping Implementation Plan Workbook

Queensland State Archives. Strategic Recordkeeping Implementation Plan Workbook Queensland State Archives Strategic Recordkeeping Implementation Plan Workbook 1 Document Details Version 1 Version 1.01 Version 2 21 March 2002: Released to State and Local Authorities 9 January 2003:

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information

Revised Risk Management Policy and Framework. Report by Head of Finance

Revised Risk Management Policy and Framework. Report by Head of Finance Audit Committee 29 April 2010 Item No 7 Revised Risk Management Policy and Framework Report by Head of Finance Summary A substantial review of our current Risk Management Strategy has been carried out.

More information

GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES

GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES Level 37, 2 Lonsdale Street Melbourne 3000, Australia Telephone.+61 3 9302 1300 +61 1300 664 969 Facsimile +61 3 9302 1303 GUIDELINE NO. 22 REGULATORY AUDITS OF ENERGY BUSINESSES ENERGY INDUSTRIES JANUARY

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

Analyzing Risks in Healthcare. February 12, 2014

Analyzing Risks in Healthcare. February 12, 2014 Analyzing s in Healthcare February 12, 2014 1 Content What is Enterprise Management (ERM) ERM Benefits ERM Standards / ISO 31000:2009 ERM Process Register ERM Governance Model s Q&A 2 What is Enterprise

More information

Relationship Manager (Banking) Assessment Plan

Relationship Manager (Banking) Assessment Plan 1. Introduction and Overview Relationship Manager (Banking) Assessment Plan The Relationship Manager (Banking) is an apprenticeship that takes 3-4 years to complete and is at a Level 6. It forms a key

More information

Risk assessment. made simple

Risk assessment. made simple Risk assessment made simple July 2015 1 Sayer Vincent LLP Chartered accountants and statutory auditors Invicta House 108 114 Golden Lane London EC1Y 0TL Offices in London, Bristol and Birmingham 020 7841

More information

The PMO as a Project Management Integrator, Innovator and Interventionist

The PMO as a Project Management Integrator, Innovator and Interventionist Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

PROJECT MANAGEMENT FRAMEWORK

PROJECT MANAGEMENT FRAMEWORK PROJECT MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Executive Assistant to

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Mandate and commitment Design of framework for managing risks Continual improvement of the framework Implementing risk management Monitoring and review of the framework Source:

More information

Project Governance a board responsibility. Corporate Governance Network

Project Governance a board responsibility. Corporate Governance Network Project Governance a board responsibility Corporate Governance Network November 2015 1 Contents Page Introduction 3 Board responsibilities 3 What is project governance? 4 The boards duties in respect of

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE INTRODUCTION. 1 What is Risk?

PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE INTRODUCTION. 1 What is Risk? PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE This Framework and Guidelines have been developed in support of the CQUniversity Risk Management Policy and are intended for use by the CQUniversity

More information

SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY

SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY SOUTHERN RURAL WATER POLICY RISK MANAGEMENT POLICY 1. POLICY STATEMENT Having regard to AS/NZS ISO 31000 Risk Management, it shall be the Policy of SRW to manage risk to protect public safety, quality

More information

Business Continuity Management Policy

Business Continuity Management Policy Governance 1 Purpose The purpose of this policy is to communicate Business Continuity Management (BCM) framework, responsibilities and guiding principles for Victoria to effectively prepare for and achieve

More information

Aegon Global Compliance

Aegon Global Compliance Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Category or Type Originally approved by, and date Administration and Management Vice Chancellor at VCAG on December 2008 Last approved revision October 2011 Sponsor Chief Operating

More information

Project Risk Analysis toolkit

Project Risk Analysis toolkit Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,

More information

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:

More information

Risk Policy and Risk Management Procedures

Risk Policy and Risk Management Procedures Risk Policy and Risk Management Procedures Preface The University s Risk Policy sets out The University s approach to risk and its management together with the means for identifying, analysing and managing

More information

The University of Adelaide RISK MANAGEMENT HANDBOOK

The University of Adelaide RISK MANAGEMENT HANDBOOK The University of Adelaide RISK MANAGEMENT HANDBOOK CONTENTS PART A: Introduction 2 1. Risk Management Standard 3 2. Risk management - in general 4 3. Risk management - in the University context 5 PART

More information

RISK MANAGEMENT TOOLKIT

RISK MANAGEMENT TOOLKIT RISK MANAGEMENT TOOLKIT (OPERATIONAL) This toolkit has been adapted from the toolkit prepared by the Finance Facilities and Planning Services Branch of the Department of Education and the University of

More information

Human Resource Change Management Plan

Human Resource Change Management Plan Structural Reform in Western Australian Local Governments Human Resource Change Management Plan A resource for the progression of your workforce through the structural reform process Contents Human Resource

More information

P3M3 Portfolio Management Self-Assessment

P3M3 Portfolio Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

V1.0 - Eurojuris ISO 9001:2008 Certified

V1.0 - Eurojuris ISO 9001:2008 Certified Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation

More information

Risk Management in the HSE; An Information Handbook

Risk Management in the HSE; An Information Handbook Risk Management in the HSE; An Information Handbook Document reference number Revision number OQR011 Revision date October 2011 Review date Document developed by 5 Document approved by October 2013 Responsibility

More information

Risk assessment. made simple. sayer vincent consultants and auditors. Introduction 3. step1 Identifying the risks 4. step2 Assessing the risks 7

Risk assessment. made simple. sayer vincent consultants and auditors. Introduction 3. step1 Identifying the risks 4. step2 Assessing the risks 7 Risk assessment made simple Introduction 3 step1 Identifying the risks 4 step2 Assessing the risks 7 step3 Establishing action points 11 step4 Developing a risk register 13 Monitoring and assessment 14

More information

Business Resilience and Risk Management

Business Resilience and Risk Management Policy Business Resilience and Risk Management Document Number GOV-POL-37 1.0 Policy Statement Stanwell is committed to delivering a business resilience platform across all levels of the business and its

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

Policy 10.105: Enterprise Risk Management Policy

Policy 10.105: Enterprise Risk Management Policy Name: Responsibility: Complements: Enterprise Risk Management Framework Coordinator, Enterprise Risk Management Policy 10.105: Enterprise Risk Management Policy Date: November 2006 Revision Date(s): January

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

Risk Management Strategy 2014-2017

Risk Management Strategy 2014-2017 Appendix 1 London Fire and Emergency Planning Authority London Fire Brigade Risk Management Strategy 2014-2017 Our Risk Management Strategy, together with our underpinning risk management framework and

More information

How To Ensure That Sovini Is A Successful Business

How To Ensure That Sovini Is A Successful Business Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

Northern Ireland Blood Transfusion Service

Northern Ireland Blood Transfusion Service Northern Ireland Blood Transfusion Service Risk Management Strategy Northern Ireland Blood Transfusion Service Lisburn Road Belfast BT9 7TS Telephone No. 028 9032 1414 www.nibts.org Page 1 of 12 CONTENTS

More information

ING Group Compliance Risk Management Charter and Framework

ING Group Compliance Risk Management Charter and Framework ING Group Compliance Risk Management Charter and Framework Corporate Compliance Risk Management ING GROUP COMPLIANCE RISK MANAGEMENT CHARTER AND FRAMEWORK Information sheet Target audience: All employees

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Part B1: Business case developing the business case

Part B1: Business case developing the business case Overview Part A: Strategic assessment Part B1: Business case developing the business case Part B2: Business case procurement options Part B3: Business case funding and financing options Part C: Project

More information

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14 For North Simcoe Muskoka LHIN Health Service Providers Table of Contents Purpose of this document... 2 Introduction... 3 What is Risk?... 4 What

More information

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand Integration of Risk Management and Internal Audit Chartered Institute of Management Accountants, New Zealand Contents Understanding the three lines of defense governance model What is Risk? Risk Management

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

SCHEDULE 3 Generalist Claims 2015

SCHEDULE 3 Generalist Claims 2015 SCHEDULE 3 Generalist Claims 2015 Nominal Insurer And Schedule 3 (Claims) Page: 1 of 23 Contents Overview... 3 1. Scope of Services... 4 1.1 Claims Services... 4 1.2 Claims Process... 5 1.3 Assessment

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

Title: OHS Risk Management Procedure

Title: OHS Risk Management Procedure Issue Date: July 2011 Review Date: July 2013 Page Number: 1 of 9 1. Purpose: To outline the methodology by which Department of Education and Early Childhood Development (DEECD) identifies, assesses, controls

More information

BUSINESS CONTINUITY POLICY

BUSINESS CONTINUITY POLICY BUSINESS CONTINUITY POLICY Last Review Date Approving Body n/a Audit Committee Date of Approval 9 th January 2014 Date of Implementation 1 st February 2014 Next Review Date February 2017 Review Responsibility

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

Insurance management policy and guidelines. for general government sector, September 2007

Insurance management policy and guidelines. for general government sector, September 2007 Insurance management policy and guidelines for general government sector September 2007 i Contents 1. Introduction... 2 2. Identifying risk is the first step... 2 3. What is risk?... 2 4. Insurance is

More information

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1 RISK MANAGEMENT 1 Contents Introduction 2 Corporate Governance 2 Purpose of this policy 2 Policy Objectives 2 Policy Statement 3 Scope of the policy 3 What is Risk? 4 The University s Approach 4 Description

More information