Council Meeting Agenda 27/07/15

Transcription

1 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in The Framework provides structure and guidance to Council s risk management activities and outlines the components that provide the foundations and organisational arrangements for designing, implementing, monitoring and reviewing risk management throughout Council s operations. In November 2014, an Internal Audit review provided a number of recommendations to review, enhance and update the Framework. Following that report, a consultant was engaged to assist with the review and update of the Framework. The revised Framework (Attachment 1) reflects all recommendations from the November 2014 Internal Audit review and includes amendments to ensure the Framework; incorporates governance requirements for the risk register and the role of the Business Enterprise Risk Committee (BERC). includes explicit links to Council s planning processes. aligns with AS/NZS 31000:2009 by including the application of the risk management principles, and incorporating emerging risk and project risk. includes a risk management action plan. maps all departments specialised risk management functions to determine how they are linked and to incorporate their risk assessment tools into the Framework. The proposed revised Framework was reviewed by the Audit Committee at its May 2015 meeting. Some minor enhancements were suggested and the committee supported the presentation of the revised Framework to Council for formal consideration and adoption. Officers' recommendation That Council resolve to adopt the revised Risk Management Framework (as annexed to the minutes). Document information City of Boroondara Risk Management Framework Page 1 of 39

2 Responsible director: Marilyn Kearney Corporate Services 1. Purpose To seek Council approval of the revised Risk Management Framework document (Attachment 1). 2. Policy implications and relevance to council plan Council s Annual Plan contains the Strategic Objectives of providing financial management processes in accordance with professional standards and legislative requirements and we will provide risk management processes in accordance with the relevant Australian Standards and legislative requirements. 3. Background Council s Risk Management Framework was adopted by Council in In November 2014, an Internal Audit review provided a number of recommendations to review, enhance and update the Framework. Following that report, a consultant was engaged to assist with the review and update of the Framework. The revised Framework (Attachment 1) reflects all recommendations from the November 2014 Internal Audit review. 4. Outline of key issues/options The November 2014 Internal Audit review recommended that the Framework be reviewed to: incorporate governance requirements for the risk register and the role of the Business Enterprise Risk Committee (BERC). include explicit links to Council s planning processes. align with AS/NZS 31000:2009 by including the application of the risk management principles, and incorporating emerging risk and project risk. include a risk management action plan. map all departments specialised risk management functions to determine how they are linked and to incorporate their risk assessment tools into the Framework. (For example business continuity, emergency management, crisis management, project management, contract management, insurance, IT disaster recovery, stakeholder management, fraud control, climate adaptation, OH&S, compliance and event management). The revised Framework addresses the recommendations made in the Internal Audit report. 5. Consultation/communication The proposed revised Framework was reviewed and discussed at the May 2015 Audit Committee meeting. The committee provided a small number of suggestions for improvement to the draft document and were supportive of the document being presented to Council for consideration and adoption. City of Boroondara Risk Management Framework Page 2 of 39

3 6. Financial and resource implications No direct financial or resource implications. Planned initiatives contained within the proposed Framework are funded from departmental operating budgets. 7. Governance issues Officers involved in the preparation of this report have no conflict of interest. The list of prescribed human rights contained in the Victorian Charter of Human Rights and Responsibilities has been reviewed in accordance with Council's Human Rights Compatibility Assessment Tool and it is considered that the proposed actions contained in this report present no breaches of, or infringements upon, those prescribed rights. 8. Social and environmental issues No direct impacts arise from consideration of this policy. 9. Conclusion The revised Framework reflects recommendations made in the November 2014 Internal Audit Report and provides guidance and structure to Council s risk management practices. The Framework highlights the role played by all Council departments in risk management and reinforces the importance of a risk focussed approach to management of Council s activities. Manager: Report officer: Chris Hurley, Commercial and Property Services Sasha Allan, Team Leader Risk Management City of Boroondara Risk Management Framework Page 3 of 39

4 Risk Management Framework 2015 Draft Responsible Directorate: Corporate Services Authorised by: Council Date of adoption: July 2015 Review date: May 2018 Revocation/sunset date: Nil Policy type: Council Page 1 of 36 City of Boroondara Risk Management Framework Page 4 of 39

5 Page 2 of 36 City of Boroondara Risk Management Framework Page 5 of 39

6 Table of contents Terminology... 5 Section One: Risk Management Framework Overview Introduction Risk Management Drivers Risk Management Standard Risk Management Principles Risk Management Mandate and Commitment Risk Management Framework Objectives Risk Management Integrated Design Section Two: Risk Management Framework Key Elements Risk Culture Risk Governance and Accountability Risk Management Resources and Planning Risk Management Process Risk Assurance Interagency Risk Management Section Three: Key Guidelines and Risk Tools Training and Education Monitor, Review and Improvement Risk Review and Register Risk Appetite Risk Likelihood Ratings Consequence Rating Calculate Risk Ratings Risk Reporting Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators Attachment 2: Risk Management Framework Action Plan Attachment 3: Strategic Risks Attachment 4: Risk Attestation Wording Template Page 3 of 36 City of Boroondara Risk Management Framework Page 6 of 39

7 Page 4 of 36 City of Boroondara Risk Management Framework Page 7 of 39

8 Terminology Risk management process: definitions Consequence Control Establishing the context Event External context Internal context Likelihood Monitoring Operational Risk Residual risk Risk Risk analysis Risk assessment Risk attitude Risk criteria Risk evaluation Risk identification Risk management The outcome of an event affecting organisational objectives. The measure that is modifying a risk. Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria. The occurrence or change of a particular set of circumstances. The external environment in which the organisation seeks to achieve its objectives. The internal environment in which the organisation seeks to achieve its objectives. The chance of a risk event occurring. Continual checking, critically observing or determining status in order to identify change from the performance level required or expected. Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community The risk remaining after risk treatment. The effect of uncertainty on objectives. An effect is a deviation from the expected and can be either positive or negative. The process to comprehend the nature of risk and to determine the level of risk. The overall process of risk identification, risk analysis and risk evaluation. The organisation s approach to assessing and eventually pursuing, retaining, taking or turning away from risk. The terms of reference against which the significance of a risk is evaluated. The process of comparing the results of a risk analysis with the risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable. The process of finding, recognising and describing risks. The coordinated activities to direct and control an organisation with requirements to manage risk. Page 5 of 36 City of Boroondara Risk Management Framework Page 8 of 39

9 Risk management process: definitions Risk management framework Risk management plan Risk management policy Risk management process Risk owner Risk profile Risk source Risk treatment Stakeholder Strategic Risk The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. The scheme within the risk management framework that specifies the approach, the management components and the resources that are to be applied to the management of risk. The statement of overall intention and direction of an organisation related to risk management. The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. The person or entity with the accountability and authority to manage a risk. The description of any set of risks. An element that, either alone or in combination, has the intrinsic potential to give rise to a risk. The process to modify risk. A person or organisation that can affect, be affected by or perceive themselves to be affected by a decision or activity. Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan Reference: ISO 31000:2009 Risk management Principles and guidelines, pp. 4 7 Page 6 of 36 City of Boroondara Risk Management Framework Page 9 of 39

10 Section One: Risk Management Framework Overview 1.1 Introduction This Risk Management Framework aims to support an integrated and effective approach to risk management incorporating and representing the organisation-wide approach to risk management. This Framework provides guidance on the arrangements for designing, implementing, monitoring and continually improving risk management, and outlines the drivers, principles, objectives and risk process. The Risk Management Plan is the work plan that is incorporated into the Risk Management Framework and specifies the approach, the risk management components and resources that are to be applied reflecting an integrated risk management approach. Section 1: provides an outline of the risk management principles and how they apply to the organisation, the drivers of risk management, mandate and commitment, objectives, and summarises the design of the integrated Risk Management Framework. Section 2: provides an overview and description of the Risk Management Framework features. Section 3: provides the risk assessment process, guidelines and tools to support enterprise risk management practices and decision making. This Risk Management Framework has been developed with input and review from the Executive Leadership Team, the Audit Committee, the Business Enterprise Risk Committee and was adopted by Council. 1.2 Risk Management Drivers Risk management is integral to good governance and good management. In the Local Government context: Key legislation drivers include: Local Government Act 1989 Equal Opportunity Act 2010 Planning and Environment Act 1987 Public Health and Wellbeing Act 2008 Occupational Health and Safety Act 2004 Protected Disclosure Act 2012 Charter of Human Rights & Responsibilities Act 2006 Ombudsman Act 1973 Privacy & Data Protection Act 2014 Key good governance drivers require Council and the administration to work towards: Accountability by reporting, explaining and being answerable for the consequences of decisions it has made on behalf of the community it represents. Transparency by providing avenues for people to follow and understand the decision making process. Following the rule of law by ensuring decisions are consistent with relevant legislation or common law and are within the powers of council. Responsiveness by servicing the needs of the entire community while balancing competing interests in a timely, appropriate and responsive manner. Equity and inclusion where by members of the community feel their interests have been considered by Council in the decision-making process. Participation where by community members have the opportunity to participate in the process of decision making. Page 7 of 36 City of Boroondara Risk Management Framework Page 10 of 39

11 Key external assurance drivers include: Auditor-General: The Auditor-General is an independent officer of the Victorian Parliament, appointed to examine the management of resources within the public sector on behalf of Parliament and Victorians. The Victorian Auditor General s Office audits public entities who receive government funding. There are two types of audits, financial and performance. (a) Financial: A financial audit provides assurance that the financial statements of an entity present fairly the financial position, cash flows and results of operations for the year, in accordance with relevant financial reporting frameworks and standards. (b) Performance: A performance audit assesses whether an agency is meeting its aims effectively, using its resources economically and efficiently, and complying with legislation. Ombudsman Victoria: The Ombudsman is accountable to Parliament, rather than the government of the day, and can only be dismissed by Parliament. The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff. Complaints can be made to the Ombudsman by any member of the public which may need to be investigated or responded to by Council. Key internal drivers include: Values (Integrity, collaboration, accountability, innovation and respect) Staff and Councillors Code of Conduct Audit Committee Internal audit program Business Enterprise Risk Committee (BERC) Frameworks (staff capability, accountability, planning) Standards Service delivery Legislation ion Governance Assurance Frameworks rks Standards ds Service City of Boroondara Enterprise Risk Management Framework Our Regulation Our mandate Our structure Our values Our people Our services Page 8 of 36 City of Boroondara Risk Management Framework Page 11 of 39

12 1.3 Risk Management Standard The risk management approach is aligned to the AS/NZS 31000:2009 Risk management-principles and guidelines (the Standard). This practice is driven by a set of principles and is supported by a risk management governance framework and a risk process methodology. AS/NZ 31000: Risk Management Principles The risk management principles which guide our risk management approach have been aligned to the Principles outlined in the Standard. They are: 1. Risk Management creates and protects value by contributing to the achievement of objectives and improving performance. 2. Risk Management is an integral part of organisational processes by not being a stand-alone activity and is an integral part of all organisational processes. 3. Risk Management is part of decision making by helping decision makers make informed choices and prioritise actions. 4. Risk Management explicitly addresses uncertainty by taking into account the nature of that uncertainty and how it can be addressed. 5. Risk Management is systematic, structured & timely and contributes to efficiency and consistency. 6. Risk Management is based on the best available information. 7. Risk Management is tailored and aligned with the organisation s external and internal context and risk profile. 8. Risk Management takes human and cultural factors into account by recognising people s capabilities and perceptions that can facilitate or hinder achievement of the organisation s objectives. 9. Risk Management is transparent and inclusive and involves stakeholders and decision makers in ensuring risk management remains relevant and up-to-date. 10. Risk Management is dynamic, iterative and responsive to change. 11. Risk Management facilitates continual improvement and enhancement of the organisation by developing and implementing strategies to improve risk maturity. 1.5 Risk Management Mandate and Commitment Management, employees, volunteers and contractors are all responsible for the successful management of risk. The risk management function resides with the Corporate Services Directorate, Commercial and Property Services Department. Page 9 of 36 City of Boroondara Risk Management Framework Page 12 of 39

13 1.6 Risk Management Framework Objectives The key objectives of the Risk Management Framework are to: Respond to the objectives of the Council Plan. Embed a commitment to the Risk Management Framework. Document accountability for the management and reporting of risks. Support a consistent risk management practice aligned to the Standard. The focus for risk management maturity includes: Increasing the competency levels of staff in the management of risk. Developing a culture where risk assessment and management is a part of everyday practice. Providing accessible resources and information to staff. Continuing to embed risk management through the integration of techniques and processes within current systems and practices. Financing the recurrent insurable risk in the most efficient way. Improving the scope and type of management information available for the monitoring and review of risks. Training for staff. Management review and reporting. An integrated Risk Management Framework has evolved and is built around six key elements. These elements are summarised in Section 1.7. Page 10 of 36 City of Boroondara Risk Management Framework Page 13 of 39

14 1.7 Risk Management Integrated Design Building an integrated and effective Risk Management Framework takes commitment and resources. Our Framework is built around the elements identified as risk: culture, governance and accountability, resources and planning, process, assurance and interagency. A brief description of the six elements is outlined below: (a) (b) (c) (d) (e) (f) Risk Culture: Risk culture is a sub-set of the organisation s culture. The risk management behaviour of the people within Council can be described as the way things are done. Risk Governance and Accountability: Governance and Accountability is the approach taken for making decisions about risk and developing, supporting, and embedding the risk framework. Risk Management Resources and Planning: Resources is the allocation of human and financial resources to oversee risk and planning. It is the thinking and organising of activities that are required to implement an integrated Risk Management Framework. Risk Management Process: Refers to the process around managing all risks, including strategic, operational and emerging risks. This involves identifying, assessing and monitoring risks through Riskware, our software system. Risk Assurance: Risk assurance is making sure the internal controls are adequately supporting the management of risk and compliance with regulations. Interagency Risk Management: These are the risks which apply to Council and can affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council s organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies. Page 11 of 36 City of Boroondara Risk Management Framework Page 14 of 39

15 Section Two: Risk Management Framework Key Elements The purpose of this section of the Risk Management Framework is to provide an overview of the Framework s six key elements and how they apply to Council. 2.1 Risk Culture Our organisational culture is the behaviours, values and beliefs that are shared by the people within the organisation. Risk culture is fundamental to supporting governance, stakeholder confidence, trust and compliance with relevant legal and regulatory requirements for improving the control environment, the operational effectiveness and efficiency and the identification of opportunities and threats. Risk is implied within legislation, governance, service delivery, policy, planning, priority setting and risk criteria tools. The management of risk is the responsibility of all staff and this requirement is included in all position descriptions. Engagement surveys can be conducted which will inform us about our culture. Key risk performance indicators are measures which support our transparent approach to maturing risk management. The risk management performance indicators which we are working towards are provided as Attachment Risk Governance and Accountability Our risk management accountability framework is aligned to our existing accountability requirements and summarised in Table 1. Page 12 of 36 City of Boroondara Risk Management Framework Page 15 of 39

16 Table 1: Risk Management Accountability Structure Role Council Chief Executive Officer Executive Leadership Team (ELT) Managers Team Leaders and Coordinators Responsibilities Council s responsibilities are to: Adopt a Risk Management Policy that complies with the requirements of AS/NZS ISO 31000:2009 and to review and amend the Policy in a timely manner and/or as required. Adopt the Risk Management Framework for the Council. Be satisfied that risks are identified, managed & controlled appropriately to achieve Council s Strategic Objectives. Appoint and resource the Audit Committee. Provide adequate budgetary provision for the financing of risk management including approved risk mitigation activities. Review Council s risk appetite. The Chief Executive Officer is accountable for the implementation and maintenance of risk management policies and processes across the organisation. The CEO is responsible for ensuring that strategic risks are regularly reviewed. The Chief Executive Officer is responsible for raising awareness and leading the culture of managing risk responsibly across the organisation. Promote and champion a strong risk management culture by linking and embedding risk management, and maintaining organisational risk focus across Council Manage and monitor the strategic risks. Ensure that an effective risk control environment is implemented and maintained. Ensure that risks are considered and integrated into corporate and business planning processes. Participate in the review and updating of the organisation s strategic risk profiles. Ensure that accountabilities for managing risks are clearly defined. Managers are accountable for implementing the risk management practices in their area of responsibility. This includes ensuring that risks are identified, managed, reviewed and updated regularly. Ensure that assets and operations, together with liability risk to the community, are adequately protected through treatment plans and measures. Provide risk management related information as requested by their Directorate. Managers are responsible for raising awareness and leading the culture of managing risk responsibly across the organisation by ensuring that risk management policies, procedures, standards, guidelines and risk management treatment plans are implemented in everyday business practice. Advising of any risk management matter that should be included in forthcoming budgets. Are responsible for raising awareness and leading the culture of managing risk responsibly across the organisation by assisting with the implementation of risk management policies, procedures, standards, guidelines and risk treatment plans. Page 13 of 36 City of Boroondara Risk Management Framework Page 16 of 39

17 Role Responsibilities Internal Auditor The internal auditor reviews operational and strategic risks annually as part of the development of the Three Year Strategic Internal Audit Plan. The Risk Management Framework directs the focus of audit resources to ensure higher level risks are reviewed. Risk controls and treatment plans are considered as part of each internal audit review. The Internal Auditor liaises with the Risk Management Team to share Risk Management Team information and knowledge. The Risk Management Team are responsible for overseeing the development, facilitation and implementation of a risk management culture and framework, including training and awareness across the organisation. They also provide advice to the organisation and are responsible for strategic overview. Page 14 of 36 City of Boroondara Risk Management Framework Page 17 of 39

18 Role All staff Business Enterprise Risk Committee (BERC) Audit Committee Responsibilities All staff are responsible for applying risk management practices in their business activities. This involves: Systematically identifying, analysing, evaluating and treating risks. Maintaining awareness of current and potential risks that relate to areas of responsibility. Risk management practices and treatments are regularly reviewed and monitored. Risk management reporting is appropriately undertaken. Advice to Managers of any risk issues believed to require attention, such as property exposures for potential loss or damage and community risk. The purpose of the BERC is to monitor Council s approach to risk management as outlined in the scope and to provide advice and recommendations to the Executive Leadership Team. Scope: To oversee the strategic direction of the Risk Management Framework in relation to non-oh&s-related risk management issues. Make recommendations in relation to risk policies and procedures. To review recommendations of JMAPP reports and MAV risk reviews/audits and identify appropriate actions. To monitor performance in the completion of new risk control plans and review of existing risk control plans. To monitor strategies for reducing risk in identified areas. To monitor and ensure the accuracy of the strategic risk register. Monitor and report to ELT regarding the implementation of the Risk Management Framework. Monitor Council s insurance portfolio and identify any potential exposures. Provide advice to management on the resolution of the organisation's high risk issues as identified. Assist in the resolution of issues referred to the Committee for consideration. Monitor Business Continuity Planning programs across Council. On behalf of Council, the purpose of Audit Committee is to oversee that Council carries out its responsibilities for accountable financial management, good corporate governance, fostering an ethical environment and maintains a system of internal control and risk management. They have been constituted to monitor and report on the systems and activities of Council in ensuring: Reliable financial reporting and management information. High standards of corporate governance. Appropriate application of accounting policies. Compliance with applicable laws and regulations. Effective monitoring and control of all identified risks. Effective and efficient internal and external audit functions. Measures to provide early warning of any issues affecting the organisation's financial well-being. The level and effectiveness of appropriate Crisis Management, Business Continuity and Disaster Recovery planning. Maintenance and fostering an ethical environment. Page 15 of 36 City of Boroondara Risk Management Framework Page 18 of 39

19 2.3 Risk Management Resources and Planning Risk management resources and planning are embedded within existing processes and operates on a number of levels. A summary of our integrated approach to resources and planning is outlined below: Responsibility for risk management is outlined in our Risk Management Accountability Structure (Refer to Table 1). Risk management resources are embedded within all Departments across all functions. Leadership for specialist related risk areas are overseen by Departmental Managers. For example, o responsibility for overseeing business continuity management, insurance, the fraud control plan, procurement, and internal audit resides with Commercial and Property Services; o responsibility for overseeing business planning and finance accounting systems resides with Finance and Corporate Planning; o responsibility for overseeing the Occupational Health and Safety program resides with People, Culture and Development; o responsibility for overseeing risk matters relating to stakeholder engagement programs resides with Communications and Engagement; o responsibility for overseeing the Code of Conduct resides with Governance; and o responsibility for overseeing climate adaptation risks resides with Environment and Sustainable Living. o responsibility for Emergency Management procedures resides with Infrastructure Services and Health Aged and Disability Services (HAADS) o responsibility for major project risks resides with Projects and Strategy o responsibility for IT disaster recovery risks resides with Information Technology Infrastructure Services and HAADS oversee the Emergency Management Procedures People, Culture & Development oversee OH&S risks Governance oversee compliance and code of conduct Information Technology oversee IT Disaster Recovery risks Risk Management Communications and Engagement oversee Stakeholder Enagement risks and Social Media risks Commercial and Property Services oversee Fraud risks Projects and Strategy oversee Project risks Environment and Sustainable Living oversee Climate Adaptation risks Page 16 of 36 City of Boroondara Risk Management Framework Page 19 of 39

20 Our approach to enterprise risk management is aligned to our strategic and business planning frameworks. Strategic risks are overseen by BERC and operational risks are identified and monitored as part of our annual business planning cycle. Our risk register is enabled by a licenced enterprise risk information system (Risk ware) Our maturity and performance can be measured against our integrated risk management performance indicators. Our continual improvement program is outlined in the risk management action plan. The risk management action plan requirements are reviewed annually. The risk management action plan is provided as Attachment Risk Management Process Risk is the effect of uncertainty on objectives. The risk management process takes into account risk from a number of perspectives: strategic, operational and emerging. Strategic risk Strategic risks are the risks that will prevent Council from meeting the objectives outlined in the Council Plan. Strategic risks should be few in number and are the critical risks for the organisation and considered in the same time horizon as the Council Plan. The Council Plan describes the vision and strategic objectives of the elected Council based on the following key themes: Strong and engaged communities; Sustainable environment; Enhanced amenity; Quality facilities and assets; and responsible management The strategic risks are annually reviewed by BERC and ELT. A summary of the strategic risks are provided as Attachment 3. Operational risk Operational risks are linked to the Business Plan objectives and take into consideration risks which will prevent Departments from delivering their annual business plans and ongoing services to the community. These risks are linked to the strategic risk profile. The Annual Plan details the actions that will be undertaken in support of the Council Plan objectives. It details how the strategic objectives will be delivered. Each Department is required to undertake a risk assessment in accordance with this Framework to determine the risks in meeting its delegated statutory obligations and stated objectives. This process is incorporated into the business planning process. Emerging risk Emerging risks are newly developing or changing risks and therefore by their nature are difficult to identify and evaluate. Characteristics of emerging risks commonly include a high level of uncertainty, lack of consensus, difficult to communicate, difficult to assign ownership and often are systemic or business practice issues. The BERC has a standing agenda item to review emerging risks as part of their quarterly meeting cycle. As required the emerging risks will be escalated for discussion to ELT. 2.5 Risk Assurance The risk management validation and assurance program operates on a number of levels from management reviews to internal and external reviews. Management reviews: These reviews are initiated by management to inform and to provide advice to management about the organisation. Page 17 of 36 City of Boroondara Risk Management Framework Page 20 of 39

21 Audit services: The internal audit program is overseen by the Commercial & Property Services Department. The internal audit plan is developed with consideration to the strategic and operational business risk profile. The internal audit program is designed as a rolling three year plan based on risk against which Internal Audit is to prepare audit reports for the Audit Committee's consideration. These audit reports are to also include, where applicable, management responses, accountabilities and timelines for corrective actions. This plan shall detail the nature and timing of reports to be presented to the Audit Committee and to Council and will reflect the priorities and functions of the Audit Committee as detailed in their Charter. External reviews: These reviews are conducted by an agency external to Council. Typically the agencies which currently conduct independent reviews are the Victorian Auditor General s Office and Ombudsman Victoria. A brief overview of the role of their offices is provided below. Victorian Auditor General s Office: The Auditor-General is an independent officer of the Victorian Parliament, appointed under legislation to examine, on behalf of Parliament and the Victorian taxpayers, the management of resources within the public sector. The independence of the Auditor-General is enshrined in Victoria s Constitution Act This aims to ensure that findings that arise from financial statements and performance audits are communicated to Parliament. The Audit Act 1994 is the main legislation governing the powers and functions of the Auditor-General. The Council is subject to financial and performance audit reviews. The Commercial & Property Services Department is the conduit between the Victorian Auditor- General s Office. Ombudsman Victoria reviews: The Ombudsman is an officer of the Victorian Parliament and has the power to investigate decisions, actions and conduct of Victorian government departments and statutory bodies and employees of local government (councils). The Ombudsman investigates complaints about administrative actions and decisions taken by government authorities and about the conduct or behaviour of their staff. Cultural Survey: People, Culture and Development conduct biennial whole of staff engagement survey s that will be utilised to measure and test staff s perception of Council s risk management culture. The results are reported to the Executive Leadership Team and where appropriate incorporated into an action plan. Attestation requirements: A risk attestation process has been established requiring Managers and Directors to attest that critical risks are reviewed annually and internal control systems are robust. The risk attestation process is consistent with State Government and public companies. The Directors and Managers will attest to the CEO that their risk management approach is aligned to the Risk Management Framework and an internal control system is in place that enables Managers and Directors to understand, manage and satisfactorily control risk exposures. The risk attestation statement is provided as Attachment Interagency Risk Management Interagency risks are the risks which apply to Council and can affect another agency. In some cases the flow-on effects will require intervention strategies across multiple agencies. Council s organisational risk management planning processes take into account the potential effects of organisational risks and strategies on other areas or agencies. Where interagency risks have been identified, there are appropriate consultation and communication channels to relevant agencies. Section Three: Key Guidelines and Risk Tools The process of risk management involves risk identification, risk analysis, evaluation of risk treatment options and implementation of the appropriate treatment options. There are a number of steps within this process. The basic risk management process methodology follows the AS/NZS ISO 31000:2009 risk management approach as per the diagram below: Page 18 of 36 City of Boroondara Risk Management Framework Page 21 of 39

22 A key output from the risk management process is the risk assessment. The risk management process must incorporate a defined methodology for completing a risk assessment. The table below outlines the risk process: Page 19 of 36 City of Boroondara Risk Management Framework Page 22 of 39

23 Communication and Consultation Step 1: Establish the Context Organisation s objectives Set scope for risk criteria Step 2: Identify Risks What can happen? When, Where? How and Why? Step 3: Analyse Risks Identify existing controls Determine level of risk Step 6: Monitor and Review Inspections, Reports, Evaluations Audit Communication and Consultation Step 5: Treat Risks Identify options Assess options Develop treatment plans Assess the cost implications Step 4: Evaluate Risks Compare against criteria Set priorities Page 20 of 36 City of Boroondara Risk Management Framework Page 23 of 39

24 3.1 Training and Education Risk management training and awareness is recognised as an important requirement for all staff and a training schedule has been developed. These are designed to increase the knowledge and awareness of staff and management in a number of risk management topics including general risk management, liability, fraud awareness, environment, events and Business Continuity. In addition to formal training the Risk Management Team act as specialist advisors to staff. This includes help with identifying and assessing risk exposures and the steps in developing, implementing and monitoring of sustainable control measures. 3.2 Monitor, Review and Improvement A continual process of monitor, review and improvement of all components of the Risk Management Framework is required to ensure an effective and up-to-date Framework. Monitoring the Framework involves inspections, reports, self-assessments or audits to assess whether objectives of the Framework components are being achieved. Reviewing the Framework involves assessing whether various components of the Framework still match the risk profile. This assessment may involve the review of policies, strategies and processes. 3.3 Risk Review and Register Risks are identified and mitigated at all levels of the organisation using a top down and bottom up assessment process. The Risk Register is a database that allows Managers and Directors to register and monitor risks associated with business operations. Coordinators and Team Leaders have the delegated responsibility to review and monitor risks as determined by their Manager. These risks may be linked to various plans or projects/council works or events. Risks need to be regularly reviewed according to their risk rating. The review dates for the different levels of risk are listed below, the review date for risks need to be realistic and linked to those accountable. The appropriate review schedule is shown below. Level of risk Low Medium High Extreme Review Yearly Half yearly Quarterly Monthly 3.4 Risk Appetite Risk appetite refers to the risk exposures that are or are not tolerated. The consequence table and risk matrix below determine how the risk is rated. The rating then determines the tolerance level of that risk. This is referred to as risk appetite. The table below outlines the risk tolerance level and risk escalation expectations and reporting requirements. Page 21 of 36 City of Boroondara Risk Management Framework Page 24 of 39

25 Extreme High Moderate Low Needs Active Management Needs Regular Monitoring Needs Periodic Monitoring No Major Concerns A risk treatment plan must be established and implemented. A treatment process should be adopted, primarily focused on paying close attention to the maintenance of excellent/good controls. A treatment process should be adopted, primarily focused on monitoring risks in conjunction with a review of existing control procedures. Significant management effort should not be directed towards the risk in this section of the risk matrix. The residual rating for a particular risk is based on its potential impact and the likelihood of the risk event given the quality of the control process designed to reduce the likelihood and impact. Consequence Likelihood Negligible Minor Moderate Major Catastrophic Almost Certain Moderate High High Extreme Extreme Likely Moderate Moderate High High Extreme Possible Low Moderate High High High Unlikely Low Low Moderate Moderate High Rare Low Low Moderate Moderate High After the risk rating has been determined, the business area must assess what treatment, if any, will be applied to those risks.. Each treatment plan must be assessed to determine if the cost of implementing the plan outweighs the derived benefit. However there will be situations where due to legal or social reasons the cost will not be a factor in the treatment plan and this will usually be the case when there is a rare or severe risk. 3.5 Risk Likelihood Ratings Some events happen once in a lifetime. Others can happen almost every day. Analysing risks requires an assessment of the frequency of occurrence. The following table provides broad descriptions used to support likelihood ratings. The occurrence should be considered, initially, without reference to known management/mitigating practices. Page 22 of 36 City of Boroondara Risk Management Framework Page 25 of 39

26 Likelihood Rating Definition table ALMOST CERTAIN LIKELY POSSIBLE UNLIKELY RARE Definition Event is expected to occur in most circumstances. Event is imminent for specific item. Event will probably occur in most circumstances. Event might occur at some time. Event could occur at some time Event may occur only in exceptional circumstances Anticipated Frequency In the order of 100 times a year In the order of 10 times per year Annually Once in every 10 years Once in 100 years AS/NZS ISO 31000/2009 Page 23 of 36 City of Boroondara Risk Management Framework Page 26 of 39

27 3.6 Consequence Rating Consequences can be described in a number of ways and determine an organisation's risk appetite. Each consequence can be rated in terms of its severity from minor to catastrophic. The following table provides descriptions for levels of consequence. DESCRIPTION INJURY (STAFF OR PUBLIC) FINANCIAL LOSS ENVIRONMENTAL IMPACT REPUTATION LEGISLATION & REGULATIONS STRATEGIC CATASTROPHIC Death/s > significant financial loss (e.g.> $5 Million) Toxic release off site with long term effects Substantial / long term damage to flora / fauna, soil / water Very high customer sensitivity and irreparable damage to Council name. National/international media coverage Total failure to meet relevant legislation and regulations leading to dismissal of Council. Selection of a strategic direction that negatively impacts on the future of Council. MAJOR Serious injury to one or more persons resulting in a permanent disability Major financial loss (e.g. >$1M - $5M) Off-site release with no long term effects Limited damage to flora/fauna, soil / water Significant customer sensitivity and damage to Council name Statewide Media coverage Failure to meet relevant legislation and regulations resulting in Material fines, penalties and restrictions on Council operations due to regulatory noncompliance. Senior employees charged for breaches/fraud. Selection of a strategic direction which requires significant resources, both monitoring and time to correct, impacting a part of Council MODERATE Injury requiring hospitalisation to one or more persons High financial loss (e.g. >$50,000 - $1M) On site release contained with outside assistance No damage to flora / fauna and short term effects on soil, water and air Moderate customer sensitivity and damage to Council name impacting noticeably on business activities Significant local community coverage Activity does not meet all of the requirements of relevant Australian Standards exposing Council to possible litigation risks. Selection of a strategic direction which impacts on smaller parts of Council and will require considerable resources to correct MINOR Minor injury requiring first aid only Medium financial loss (e.g. >$10,000 - $50,000) On site release contained immediately Minimal customer sensitivity and damage to Council name Limited local community coverage Activity does not follow relevant established Industry / Victorian / Australian guidelines Minimal impact on strategic / operational objectives INSIGNIFICANT Injury requiring no medical treatment Low financial loss (e.g. < $10,000) Minor leak, noncontaminating No impact on reputation of Council No media coverage No regulatory impact Consequences are dealt with by routine operations Page 24 of 36 City of Boroondara Risk Management Framework Page 27 of 39

28 3.8 Calculate Risk Ratings Risk Rating Process The process for calculating a risk rating is: 1. Identify appropriate consequence rating (refer Consequence Definition Table) 2. Identify appropriate likelihood rating (refer Likelihood Definition Table) 3. Ascertain risk rating by cross referencing the consequence and likelihood ratings (refer Risk Matrix). The table below identifies the definition and outcomes for the risk ratings. These outcomes are to be considered when developing Risk Control Plans. Page 25 of 36 City of Boroondara Risk Management Framework Page 28 of 39

29 RISK RATING OUTCOMES TABLE EXTREME (E) HIGH (H) MODERATE (M) LOW (L) Extreme risk is unacceptable. Comprehensive consideration by ELT required to ensure that the risk remaining is consistent with corporate objectives and risk appetite. If not, detailed research and planning is required to mitigate risk. Attention required to assess the acceptability of remaining risk or required mitigation measures. Management need to ensure that necessary mitigation actions are carried out and the risk does not increase by actively monitoring any changes to the control environment, consequence and likelihood. Management/team leaders to ensure that the control environment, consequence and likelihood does not substantially change. Consider the implementation of any additional cost effective controls. Manage by routine procedures and be mindful of changes to nature of risks. Consider the implementation of any cost effective internal controls. 3.9 Risk Reporting There is a structured approach to risk reporting. The matrix below details which information will be reported throughout the organisation together with the reporting frequency. The Risk Management Team is responsible for reporting to Senior Management on all risks that are due for review and current risk trends. Managers and Directors are responsible for reporting on risks that are due for review within each Quarter. Reporting will be on a rotational basis dependent on the risk rating schedule as per the table at 3.3. Risk Management Team Summary of risk information Audit Committee Executive Group Strategic risks yearly Quarterlydependant on risk rating Operational risks only extreme risks to be reported yearly Director Quarterly Department Manager Quarterly Half-yearly Quarterly Quarterly Risk trends yearly Half-yearly Half yearly Quarterly Page 26 of 36 City of Boroondara Risk Management Framework Page 29 of 39

30 Managers and Directors Summary of risk information Audit Committee Executive Group Director Strategic risks Yearly Quarterly Quarterly Operational risks only extreme risks to be reported on yearly Half yearly Quarterly A summary of the risk reporting parameters includes the following: Strategic risks All strategic risks as required by their risk ratings in the risk register, specifically the risk control/treatment plans for each of these risks. By providing the status updates on the implementation of risk control/treatment plans provides important information on the implementation of risk mitigation strategies. Operational risks the extreme risks as per the residual risk ratings in the risk register. Risk owners will provide treatment plans for the mitigation of these risks. Risk trends trend analysis to assist in identifying emerging risks and those increasing risk frequency which may be indicative of systematic flaws in risk control strategies. Date approved: Accountable officer: Responsible officer: Endorsed by: Approved by: Chris Hurley, Manager Commercial and Property Services Sasha Allan, Team Leader Risk Management Marilyn Kearney, Director Corporate Services Chief Executive Officer Next review: May 2018 Page 27 of 36 City of Boroondara Risk Management Framework Page 30 of 39

31 Attachments Attachment 1: Integrated Risk Management Framework Risk Maturity Performance Indicators Attachment 2: Risk Management Framework Action Plan Attachment 3: Strategic Risks Attachment 4: Risk Attestation Wording Template Page 28 of 36 City of Boroondara Risk Management Framework Page 31 of 39