Risk Management Strategy

Transcription

1 Management Strategy Mission: To support and develop a sustainable, thriving and resilient community through leadership and partnerships NOTE: This Document should be read in conjunction with the Indigo Shire Council Management Policy Author: Jo Riley Manager Governance & Review period: 2 Years Approved: Review date: 2014 Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 1 of 20

2 TABLE OF CONTENTS TABLE OF CONTENTS... 2 SECTION 1: INTRODUCTION PURPOSE...3 SECTION 2: FRAMEWORK FOR MANAGING RISK INTERNATIONAL STANDARD FOR RISK MANAGEMENT PRINCIPLES APPROACH TO RISK MANAGEMENT ORGANISATIONAL CONTEXT ORGANISATIONAL CULTURE...8 SECTION 3: OBJECTIVES RISK MANAGEMENT & THE COUNCIL PLAN...9 SECTION 4: ROLES AND RESPONSIBILITIES...11 SECTION 5: RISK MANAGEMENT PLANNING STRATEGIES FOR ADDRESSING RISK...13 SECTION 6: RISK MANAGEMENT TOOLS RISK MANAGEMENT ACTIONS...14 APPENDICES 1. DEFINITIONS 2. RISK MANAGEMENT PROCESS 3. RISK MATRIX CONSEQUENCES AND LIKELIHOOD SCALES 4. ROLES AND RESPONSIBILITIES 5. RELEVANT COUNCIL DOCUMENTATION Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 2 of 20

3 SECTION 1: INTRODUCTION This Strategy has been developed in support of the Indigo Shire Council s ( the Council ) Management Policy with the intention of improving and enhancing existing risk management practices throughout the organisation. Indigo Shire Council is committed to ensuring that Management is an important element and integral part of the wide range of activities undertaken by and on behalf of Council in a complex Local Government environment. Therefore, Council has developed a Management Framework to assist Council in achieving its goals and objectives including those set out in the Council Plan. This Framework is based on principles that are the current industry best practice and is strongly influenced by the international standard for Management: AS/NZS ISO 31000:2009. This Strategy is to be employed by all Councillors, staff members, contractors, committees and volunteers engaged in Council business and assists in defining the responsibilities and accountabilities of individuals and committees involved in the Management process. 1.1 Purpose The purpose of this document is to align effective risk management practices across Council within a common framework that can be clearly understood and applied by everyone engaged in Council business. The Management Strategy assists the organisation to prevent and/or minimise the adverse effects of risks associated with its operation and to capitalise on any positive opportunities. The consideration of Management should be applied at all stages of an activity, function or project and is an integral part of the overall risk management process. The implementation of a Management Strategy for Indigo Shire Council will create some key opportunities which are outlined in Section 2.1. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 3 of 20

4 SECTION 2: FRAMEWORK FOR MANAGING RISK The Management Framework is the structure within Indigo Shire Council that supports the risk management practice, reporting, responsibilities and accountabilities at all management levels. The success of Indigo Shire Council s Management Framework will depend on the effectiveness of the foundations and processes that embed it throughout the organisation. The Framework will assist in communicating risk information, promoting greater awareness and will lead to improved co-ordination of risk management processes. It will guide Council on how we will identify, evaluate, prioritise and treat risks, with a view to maximising opportunities and avoiding, reducing, sharing or eliminating threats. It also identifies how Management will be monitored and reported. The Management Framework comprises the following elements: Management Policy Management Principles Management Objectives Organisational Structure and Operating Environment Criteria Management Process Communications / Reporting Roles and Responsibilities Mandate and commitment Framework for managing risk Continual improvement of the framework Implementation of risk management process Monitoring and review of the framework Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 4 of 20

5 2.1 International Standard for Management Principles AS/NZS ISO 31000:2009 Management - Principles and Guidelines ( the Standard ) is internationally recognised and is considered best practice for compliance. The Standard sets out eleven principles which need to be applied for risk management to be effective. All elements of the Framework are based upon these principles and provide an understanding of managing risks at all levels of the organisation: management:- 1. Creates and protects value Management contributes to the achievement of objectives and improvement of performance in e.g. human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation. 2. Is an integral part of all organisational processes Management is not a stand-alone activity that is separate from the main activities and processes of the organisation. management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes. 3. Is part of decision making Management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action. 4. Explicitly addresses uncertainty Management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. 5. Is systematic, structured and timely A systematic, timely and structured approach to Management contributes to efficiency and to consistent, comparable and reliable results. 6. Is based on the best available information The input to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts. 7. Is tailored; aligned to the organisation s context and risk profile Management is aligned with the organisation s external and internal context and risk profile. 8. Takes human and cultural factors into account Management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation s objectives. 9. Is transparent and inclusive Appropriate and timely involvement of stakeholders, and in particular, decision makers at all levels of the organisation, ensures that Management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. 10. Is dynamic, iterative and responsive to change Management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear. 11. Facilitates continual improvement of the organisation Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 5 of 20

6 To achieve this, Indigo Shire Council will aim to: embed risk management into the organisation through the integration of risk management processes; create and maintain a high level of consultation, awareness and ownership by stakeholders; recognise and align risk management with the organisation s external and internal context and risk profile; and continually monitor and review risk management to ensure we recognise and respond to changes affecting our risk management processes. In line with the Standard, the process of embedding risk management and increasing involvement and ownership by stakeholders will be implemented through awareness and communication of the Strategy. 2.2 Approach to Management Senior Management Commitment The Chief Executive Officer, General Managers and Senior Managers of the Indigo Shire Council are committed to the pro-active management of all risks in a systematic way in order to enhance our operation as one organisation rather than as a group of individual entities. The risk management process makes a significant contribution towards establishing the priorities in the allocation of resources. Managers at all levels are accountable and responsible for the management of risk within their areas of control. Corporate Governance Every organisation is governed by a set of rules and principles, which enable its effective and transparent operation. Transparency in decision making, accuracy in reporting and adequacy in compliance are all essential elements of good governance. The three pillars of governance are: Management: which identifies and assesses threats and opportunities confronting the organisation's attempts to achieve their business objectives and defines effective response strategies. Compliance: which identifies regulatory and statutory obligations and defines organisational obligations. Audit: which ensures the critical response strategies and processes are being implemented effectively and are delivering the benefits for which they are designed. Sound risk management not only contributes to good governance, it also provides protection in the event of adverse outcomes. Provided risks have been managed in accordance with the Council s guidelines, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence. 2.3 Organisational Context Local Government is a complex, multi business enterprise that has constant conflicts in allocating limited resources to build and maintain infrastructure and deliver community programs. The Framework is an important tool to assist in making consistent decisions in a strategic, operational and project context. For the Framework to work, both internal and external factors must be considered as they will influence the way in which objectives are set and priorities are determined. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 6 of 20

7 The political, social, economic, legal and physical environments are important in the day-to-day operation of Council. It is essential that the internal and external environment within which the activity is conducted be adequately understood if the subsequent steps of the process are to have a meaningful context. Managers need to identify their role in contributing to the Council s wider goals, objectives, values, policies and strategies when making decisions about risk. These assist with defining the criteria by which it is decided whether a risk is tolerable or not, and form the basis of controls and management options. Key Questions in establishing the context:- What are the Council s strengths and weaknesses? What are the major outcomes expected? What are the major threats and opportunities presented? What are the significant factors in the Council s internal and external environment? What is the policy, program, process or activity to which the risk management process is being applied? What problems were identified in previous reviews? What risk criteria should be established? Who are the stakeholders? Defining our Internal Environment To understand the internal environment we need to consider the organisational structure, key/core processes, resources available, their capacity and their relationship and interdependency. As Council manages activities that are community based, risks need to be addressed with potentially non-economic outcomes. Internal factors which may affect Council s management of risk include strategic plans and policies, organisational processes and procedures, systems and technology, the management of corporate records and availability of evidence, budget allocation, staff culture, and internal relationships. These internal and external factors, will affect the organisation s risk appetite; that is the level of risk the organisation is willing to retain or pursue, and the setting of the risk criteria and policy. Understanding risk appetite helps to determine what level of risk is acceptable or unacceptable, and the level of additional controls and risk treatment required. Indigo Shire Council has a low to medium appetite for risks related to service delivery, finance, health and safety, environment, reputation and legal/regulatory, where effective controls are in place. Where the level of risk is high or extreme, additional controls are required to reduce the level of risk. Where the level of risk cannot be reduced below a rating of high, close monitoring of risk controls is required to ensure that controls continue to be effective. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 7 of 20

8 Defining our External Environment External factors include community expectations, state government policy and personnel, federal and state legislation, carbon economy, funding, and reputation and relationship management. External Context Economic conditions Ratepayer issues Political conditions Growth of Shire Funding Other agencies Perception of ratepayers Reputation Councillor performance Reputation Contractual Feasibility Economic Strategic s These are the risks associated with longterm Council or Department objectives. Operational s These are the risks associated with normal business functions of Council Departments objectives. Project s These are risks associated with specific projects or undertakings made by Council. Any project will go through a lifecycle incorporating conception, planning, scoping, contracting, design, construction, testing/commissioning, handover and operation. Project risks exist at every stage, and they need to be identified and managed. Internal Context Culture Governance Structure Staff Structure Strategies & Policies Systems Budget Skilled resources Processes Support services Compliance Staff performance Budget Project Management Skills Contract Management Processes 2.4 Organisational Culture One of the most crucial elements of a successfully integrated Management Framework is having a culture that promotes and facilitates its proactive use. Management is a corporate priority and as such, all staff are required to actively participate in the risk management process, as outlined in individual position descriptions. The Performance Development Process provides for risk management related indicators being reviewed on a quarterly basis. Actions arising from the treatment action plans for specific risks may be used as performance measures for individual or business performance plans. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 8 of 20

9 SECTION 3: OBJECTIVES RISK MANAGEMENT & THE COUNCIL PLAN Scope of Management objectives management addresses a very broad range of potential exposure to risks across the entire operations of the Council which include core activities as outlined below: Council Plan Objectives Indigo Shire Council s key strategic document, the Council Plan , identifies Council s commitment to the management of risk. This is evident in the following strategic objectives:- Objective Strategy Action Build a workplace culture that is committed to the Health & Safety of employees and contractors communications; 1.1 Provide Good Governance (p10) 1.1 Provide Good Governance (p10) 2.3 Manage and maintain to a high standard assets critical to our economic prosperity (p15) Build a workplace culture that is committed to the Health & Safety of employees and contractors Identify critical assets and prioritise actions Continue to incorporate OH&S policies and procedures into normal business as usual practice via training, education and internal Improve our monitoring and evaluation in the OH&S area to ensure we provide a safe and healthy work environment; Maintain a prioritised Capital Works Program and ensure it is revised at least annually to check relevant priorities and cost estimates; Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 9 of 20

10 3.1 Optimise our financial sustainability (p19) 3.3 Encourage and facilitate appropriate economic growth and employment opportunities (p20) 4.2 Provide a safe environment for our community (p23) 4.2 Provide a safe environment for our community (p23) 4.2 Provide a safe environment for our community (p24) Benchmarking Target (p31) Benchmarking Target (p34) identify the challenges, risk and opportunities for financial sustainability; Strategic assessment of the existing status and need for wider economic development across the municipality to build and nurture a more resilient Council economy develop an integrated Community Safety Plan; maintain appropriate emergency management capabilities; Formulation of a 10-year financial plan, incorporating long term budgeting, and links to the Council Plan Identify business and economic development opportunities and threats that can be addressed by Council; Implement the key approved priorities of the Community Safety Plan Finalise the review and update all Emergency Management policies, plans and procedures Provide safe facilities; Strategically implement recommendations from inspections by Council s insurers Traffic Management and Parking Recreational Facilities Seek funding assistance to address deficiencies identified in the Link Road Safety Audit Review 2010 Support Committees of Management and other volunteer community group through continuation of Asset and Community Grants Programs, regular forums/information sessions around key issues e.g. risk management, insurance, sourcing grants. Linkages to Council Planning and Budgeting Cycles The Management Strategy raises issues ranging from the highest strategic level of the organisation down to the detailed issues of service delivery and the caretaking of community assets. The risk program provides an effective and transparent prioritisation tool for decision making when annual financial resource allocations are decided. January Mid year Budget Review and commencement of Annual Budgetary process (Qtr 2) February Council Plan Review Management Review Review of the Register Potential for new initiatives associated with risk management Annual Staff Performance Reviews April Quarterly Budget Review (Qtr 3) Quarterly Council Plan Review Annual Budget Review May Finalise Annual Budget Preparation Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 10 of 20

11 Commence Annual Business Plan/Council Plan preparation June Annual Budget adoption Annual Business Plan/Council Plan adopted by Council July Annual Report Preparation Annual Financial Accounts preparation August Annual Report Preparation based on end of financial year (Qtr 4) Annual Financial Accounts preparation September Annual Financial Accounts to Auditor General Annual Report including Financials Audit lodged with Minister October Quarterly Budget Review (Qtr 1) Quarterly Council Plan Review Quarterly Management Review November Annual CMP & JMAPP Insurance Audits SECTION 4: ROLES AND RESPONSIBILITIES Role Successful implementation of risk management requires a consistent and systematic approach at all levels of Council. Councillors, Managers, employees and contractors are responsible for ensuring that risk management is given high priority in both strategic and day-to-day conduct of the Council and its related activities. Responsibilities Successful risk management requires the full support and acceptance of management and staff at all levels of Council, applied via a consistent and systematic approach in the day-to-day management of risks. The Council, management, staff and contractors are responsible for ensuring that risk management forms part of the consideration for all major projects, events or activities that are conducted by or on behalf of the Council. This is to ensure the long-term sustainability of the organisation and to continually strengthen our relationships and trust with our stakeholders. Management responsibilities have been added to all Position Descriptions within the organisation and will be added for all future roles. As part of the Annual Review process, the General Technical Competencies within each Position Description will be reviewed with the staff member, and they will then be rated against the risk management skills required for their position. Notwithstanding our whole of organisation approach to risk management responsibility, our Management Framework has specific elements which require defined alignment of roles and responsibilities. The specific roles associated with the Management Strategy and their interdependencies are identified in Appendix 4. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 11 of 20

12 SECTION 5: RISK MANAGEMENT PLANNING The Management Strategy acknowledges the limitations of Council resources to deal with risk treatments. However, identification of risks should not be limited by the knowledge that there are insufficient funds to immediately change how we currently manage all of Council s risks. This Management Strategy approaches the understanding and identification of risks faced by Council in the broadest context. The approach to be used is to identify risks with a mindset of abundance, but then manage risks in an environment of scarcity. This approach is based on the philosophy that it is better to be aware of risks (even knowing that only the most critical can be dealt with after application of a prioritisation process), than to be ignorant and surprised when a risk event occurs, and then be guilty of negligence. In order to implement and nurture a true culture of Management within Council, Management will occur at four levels within the organisation. These levels are not mutually exclusive but should feed from one level to the other: Strategic Context A framework for effective risk management requires integration with the strategic and organisational planning within Council. This Management Framework has been established within the context of the delivery of the Council Plan, Council Strategy and policies. It is essential that the Management processes at all levels in the Council are carried out in the context of these strategic directions and the respective operational plans. management must be carefully planned and managed. This will ensure that the process produces worthwhile results. In order to get the best results from strategic risk management, Council will do the following: (a) (b) (c) (d) Initiate communication, consultation and participation Lead by example and empower staff Develop and improve tools and reporting Train participants Operational Context Management Plans (RMPs) should be used for all major processes, events and activities at the operational level. It is important that all staff understand the need for completing a RMP in order to ensure the best possible chance of success for their processes or activities. Part of the shift toward a risk management culture within the organisation is for risk management processes to be practiced as outlined in the framework. Project or Event-based Context Most business units, at one time or another, may have the need to complete a project or event. It is important to apply risk management processes to these projects or events in the same manner that we do operationally. However, the main difference between the two is that the risk management tool may not necessarily be completed by a member of staff. If a contractor is engaged for the provision of a professional service, then the staff member should ensure that, as a minimum standard, one or more of the Management Tools be applied (See appendix 3) supplied prior to the works commencing. The resulting risk and opportunity management analysis should be closely scrutinized by the Project Team/Manager Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 12 of 20

13 to ensure that as many as possible of the risks and opportunities have been identified and that any risks that are outlined as Significant, High or Extreme, or any opportunities that are outlined as Significant, High or Outstanding should be elevated to the appropriate levels of the organization for a decision to be made as to how they should be managed. For example: The Council would like to construct a new Childcare facility. A builder has won the tender for the construction. The Project Manager/Team will request an analysis of the risks on the design of the building be supplied by the builder. Assessment of risks during the construction phase of the project will then be supplied by the contractor in the form of OHS documentation. Any RMP that is completed will be supplied to the Manager Governance and and a copy filed immediately in TRIM. 5.1 Strategies for addressing Treatment (or Response) treatment involves identifying the most appropriate responses to reducing the risk level to a status acceptable to Council. There are a variety of response options available. Firstly, if the assessed risk level is insignificant, no further action may be required. A watching brief should still be maintained to ensure that the status of the risk does not alter. The principle of effective risk management is a four tiered hierarchical approach to the management of risk that emphasises mitigation of the exposure, i.e. prevention rather than cure. Management of risk will address the issue in the following priority order:- Wherever possible, the risk should be eliminated. Where elimination is not possible, the risk should be transferred. If the risk is transferred, the external organisation in which it has an interest must have adequate insurances and Council must be indemnified and noted as an interested party. Where elimination or transfer is not possible, the risk should be reduced by undertaking a hazard analysis and risk assessment and preparing a treatment/control plan. This plan should identify the development of procedures, processes, policies & systems that will reduce the risk. As a final resort to mitigating risk, Council should ensure that it has adequate insurance and appropriate risk financing options for all risk exposures. Insurance should be the last resort in managing risk exposure in the organisation. Prioritisation of Human Consequence The Human consequence area is weighted higher than all other consequence areas at Council. This reflects the greater impact that a Human consequence will have on the organisation. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 13 of 20

14 Sources of The following categories will be used during a risk assessment to identify potential organisational and business unit risk and opportunities but are not exhaustive: Source Example Potential impact on Leadership and Change of key leadership personnel, Corporate strategic planning, relationships, Governance corporate image, ethical conduct, communication, segregation of responsibilities People People Retention / loss of key personnel, management activities and controls, succession planning, industrial relations, skills training, relationships, communication, ethics, work life balance Business Continuity Continuity of supply of essential goods or services, records & information management, machinery maintenance & replacement, industrial action, utilities Council s Reputation interruption, computer breakdown, contingency planning, emergency management Business Activity Customer service, customer relationships, marketing & promotion, occupational injury / illness / wellbeing, physical security, property damage or loss / acquisition, environment, resources / assets management Political Change of government, legislative changes, community expectations, communications Natural disaster Flood, storms, lightening, fire Financial Planning & management, insurance, initiatives & new services, fraud Contractual & legal Contract management, professional liability, public liability, statutory compliance, errors and omissions, commercial & legal relationships Harmful actions Sabotage, vandalism, terrorism, arson, theft /misappropriation Business performance Finances Environment SECTION 6: RISK MANAGEMENT TOOLS 6.1 Management Actions Key objectives and associated actions underpinning Councils Management function are detailed below. Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 14 of 20

15 Management Strategy OBJECTIVES 1. Training awareness & Communication 2. Organisational Culture 3. Policies, Procedures & Processes 4. Reporting 5. Compliance & Audits 6. Continual improvement ACTIONS Staff Training Program. Communication and consultation with staff through Team Meetings. Continue to raise the profile of Management with volunteers and community groups. Sharing experiences and identifying improvement opportunities for the future. Utilising Council s values to guide and influence behaviour and decisions. Lead by example and empower staff Gap analysis Roles & Responsibilities. Management Plan. Assessments. Records Management Insurance coverage Organisational Register Audit Results. Audit Committee. Annual Report. Council Plan. I Spy. Indigo Informer. KPI s. CMG. Local Government Act. Audit Recommendations. Advent Manager Compliance Software. Best Practice. Learning Outcomes. Legislative and Policy amendments Improvements from implementation of Audit Recommendations Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 15 of 20

16 Objective 1 Actions Training Awareness & Communication Responsibility Timeframe Develop a risk management staff training program to be implemented on an ongoing basis and to include: Manager Governance & Ongoing awareness in Corporate and Councillor Induction /Manager Specific risk training/education relevant to position, such as: o training session/s, whether delivered internally or using an external provider o attendance/participation in relevant risk forums/networks/workshops Organisational Development Self-paced study through Learning Seat, whether developed internally or externally developed/ sourced Address the Senior Management Group and relevant staff at least annually on risk management issues. Manager Governance & Annually Keep volunteer Committees of Management and Community Groups informed of risk issues. Develop risk management Fact Sheets for Council staff and specific groups (for instance, Special Committees, Volunteers, Sporting Groups and Seasonal Users, Event Organisers) summarising Council s approach to risk management. Include risk management advice in Leases, Licences and volunteer information sheets. Manager Governance & /Manager Community Planning Ongoing Manager Governance & Ongoing /Relevant Managers Inclusion of Management as a discussion item within team meetings. All Senior Managers Ongoing Objective 2 Actions Organisational Culture Responsibility Timeframe Incorporate the explicit consideration of risk management into business planning and budgeting processes and Council All Senior Managers Ongoing decisions. Include Management as a key entry in all relevant Council Reports and operational documents, in such a way that it adds All Senior Managers Ongoing values to the reporting framework. Facilitate the accurate and timely identification and management of risks with an overall aim to improve Council operations. All Senior Managers Ongoing Utilise Council s values to guide and influence both the behaviour and decisions of those representing the organisation. In particular, keeping these values at the forefront when considering the overall objectives of any decision or function. Manager Organisational Development/All Senior Ongoing Facilitate a process that enables identification of improvement opportunities in such a way that unauthorised actions are prevented from reoccurring and enhancements are encouraged. Managers Manager Governance & /Manager Organisational Development Ongoing Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 16 of 20

17 Objective 3 Actions Policies, Procedures & Processes Responsibility Timeframe Undertake gap analysis of documented procedures for each department. Manager Governance & December 2012 Develop schedule for development of written departmental procedures. Corporate Services Coordinator March 2013 Undertake review of how risk management obligations are met with Council s contractor management practices. Manager Governance & June 2013 /Manager Organisational Development/OH&S Officer Develop a procedure that links the risk management roles and responsibilities with performance evaluation to ensure that Manager Organisational January 2013 inconsistencies and unauthorised actions are appropriately addressed. Development Development of Management Plans Manager Governance & / All Senior Managers December As part of any project evaluation, a Management Assessment and business analysis be undertaken before a final decision is made on the project scope including any tender that may be required 2. Include the requirement of a Management Plan and Business Analysis in tender documentation for projects, contractors, architects and any other external body for works that they are responsible for. 3. Ensure all projects undergo a risk assessment before commencement of the works and that the risk treatment plan provides the project manager with a tool to continuously monitor project improvement through the implementation of the plan. Issues and risks identified through the course of the project must be assessed. Post gap analysis, develop procedure and/or tools for investigation of incidents (other than these related to staff OHS incidents which are handled separately). Ensure that all procedures include steps for the capture of key records, in line with the Records Management Compliance operational framework. Manager Governance & / Manager Project Delivery Manager Project Delivery/ Manager Governance & June 2012 December 2012 Manager Governance & Annually /Corporate Services Co-ordinator Monitor agreements, leases and contracts with third parties, ensuring that they have appropriate indemnity and insurance Manager Governance & Ongoing clauses in place to reduce Council s liability. /Corporate Services Co-ordinator At the commencement of significant planned activity a coordinated and cross-functional approach is taken to ensure that any risks that affect the activity are identified and addressed. All Senior Managers Commencem ent of activity Development of the Business Continuity Plan includes consideration of Council s Management Strategy. Manager Organisational December Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 17 of 20

18 Refine the Organisational Register so that strategic, operational and project risks are categorised. Development 2012 Manager Governance & February 2013 Objective 4 Actions - Reporting Responsibility Timeframe Report to the Senior Management Group and relevant key members of staff on risk management issues identified in the CMP Public Liability and Professional Liability Audit Report and the JMAPP Property Management Audit. Manager Governance & At least annually Inclusion of risk management status updates within Council s Annual Report and Council Plan; Manager Governance & Annually Use both the internal ISpy and external Indigo Informer newsletters to provide risk management status and initiatives updates Manager Governance & Quarterly throughout the year; Attendance at team meetings by the Manager Governance & and/or OH&S Officer as/when required. This may be to discuss specific risk issues, or when the department s Register is being reviewed. Manager Governance & and/or OH&S Officer As and when required Key Performance Indicators will be developed for the Management program and measures against these used to focus Manager Organisational on necessary improvements and/or to recognise good performance and progress. Development Attendance at CMG meetings to provide progress report on risk issues. Manager Governance & Monthly Reporting to the Audit Committee and Council on risk related issues including those from the Register which will provide indications of system effectiveness in reducing the organisation risk profile over time, and identify any problems or inconsistency across the organisation. Manager Governance & Quarterly Objective 5 Actions Compliance & Audits Responsibility Timeframe Communicate with the various Business Units to ensure that they are fully aware of the audit recommendations pertinent to their area(s) of operation. Manager Governance & /relevant Senior At least annually Managers Where audit recommendations cannot be addressed, prepare a draft report for CMG for review; and final report for auditors Manager Governance & Quarterly (for next audit), detailing reason(s). Review and monitor Council s risk management audits and performance measures, as well as each department s compliance Manager Governance & Ongoing with Council s Management Policy. Full implementation of Council s Advent Manager Compliance Software to ensure compliance with various obligations. Manager Governance & December 2012 Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 18 of 20

19 Objective 6 Actions Continual Improvement Responsibility Timeframe Arrange an independent review of Council s insurance policies. Manager Governance & 30 June 2013 Develop process for sharing outcomes of significant incident analyses with relevant personnel. This formal process would allow Manager Governance & Council staff to investigate the actual cause of a given incident as well as identify any contributing factors, effectively reducing and/or OH&S Officer the likelihood of repeat incidents. Keeping abreast of industry best practice, and continually strive to improve Council s management of risk by including findings and recommendations within Council s risk management communications (including the risk management function s report to Senior Management, Audit Committee & OH&S Committee where relevant). The ongoing identification of new and altered risks by: o the quarterly inclusion of Management as a discussion item in team/ department/ management meetings o reviewing external resources (such as insurance advice, court decisions, and legislation changes) o considering the results of internal audits and assessments, claims investigations, and incident analysis o confirmation of reporting mechanisms for employees to raise risk management issues to management Manager Governance & and/or OH&S Officer Communication by Manager Governance & and/or OH&S Officer Ongoing Ongoing Indigo Shire Council Management Strategy TRIM Reference No. INTERNAL12/244 Page 19 of 20

20

21 Appendices 1. Definitions All definitions have been taken from the AS/NZS ISO Management Principles and guidelines (International Standard). For a full list of definitions, please refer to the ISO Guide 73: Management Vocabulary document. Terminology Enterprise Management Treatment (Response Strategy) Controls Appetite tolerance Register Strategic Definition Includes the methods and processes used by organisations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. The effect of uncertainty on objectives The process of developing, selecting and implementing controls. treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk; removing the source of the risk; changing the nature and magnitude of likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by choice. treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, risk reduction, risk repression and risk correction. The measure to modify risk. Controls are the result of risk treatment. Controls include any process, policy, device, practice, or other actions designed to modify risk. The amount and type of risk an organisation is prepared to pursue or take. This is usually defined as either a formal statement, or within the parameters of your Appetite Table (Consequences and Likelihood Matrix) The organisation s readiness to bear the risk after risk treatments in order to achieve its objectives A record of information about identified risks. The effect of uncertainty on the strategic objectives of Council as outlined in the Council Plan. Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 1 of 10

22 2. Management Process The Management process is the how to element of the Management Framework and is defined in the Australian / New Zealand Management ISO Standard as the systematic application of management policies, procedures and practices to the task of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk, The process includes the following elements: Communication & Consultation Establishing the Context Identification Analysis Evaluation Treatment Monitor and Review This process will be applied consistently across Council for all risk management activities whether they relate to strategic or business planning, policy / process development and review or project implementation. In each case, the risk assessment will focus on the specific objectives of the subject of the assessment. Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 2 of 10

23 Management Process Establish the context The internal context The external context The organisational context The Management context Develop criteria Define the structure Identify s What can happen? When and where? How and why? Communicate and Consult Determine likelihood Identify existing controls Determine Level Determine Consequences Document, Monitor and Review Evaluate s Compare against criteria Set risk priorities Accept Yes No Treat s Identify treatment options Evaluate treatment options Select treatment options Prepare and implement treatment plans Analyse and evaluate residual risk. Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 3 of 10

24 3. Matrix Consequence and Likelihood Scales Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 4 of 10

25 RISK CATEGORIES Each may have an impact on one or several aspects, or Category, of Council s operation. For each identified, consideration must be given to the impact on the following Categories. Category Strategic Type Council Policy Council Plan Town Planning Ownership / Title Political Compliance (Laws/Acts/Local Laws/Contracts) Priority Legal Best Value Business Continuity Financial Current Budget Future Budget Recurrent Costs Loans Operational Available Skills and Resources Maintenance Responsibility and costs Design and Construction Liability and Insurance Contract Management Priority Security Procedures and systems Audit Environmental Sustainability Pollution EPA compliance Native Vegetation Habitat Monitoring Community Public Health and Safety Public Relations Perception Acceptance/Rejection Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 5 of 10

26 4. Roles and Responsibilities Role Responsibility Council Adopt a Management Policy that complies with the requirements of AS/NZS ISO 31000:2009 and to review and amend the Policy in a timely manner and/or as required. Adopt the Management Framework for the Indigo Shire Council. Be satisfied that risks are identified, managed & controlled appropriately to achieve Council s Strategic Objectives. Appoint and resource the Audit Committee. Provide adequate budgetary provision for the financing of risk management including approved risk mitigation activities. Review Council s risk appetite. Audit Committee Review adequacy and effectiveness of the Management Framework. Review risk management policies, procedures and guidelines. Review and approve allocation of audit resources in conjunction with the Indigo Shire Council s Profile. Receive reports regarding identified risks/mitigation and their effectiveness from Management and Audit. Monitor changes to the Indigo Shire Council s risk profile and highlight material changes to Council. Develop and maintain the Indigo Shire Council s Fraud Prevention Policy. Undertake a risk assessment of the Fraud and Corruption risks in relation to Council s operation. Facilitate mitigation of the risks associated with Fraud and Corruption within Council. Ensure investigation of incidents related to Fraud or Corruption within Council. Review risk management strategies. Monitor performance of implementing action plans arising from risk assessments including the risk assessments undertaken by the internal audit. Audit Evaluate the use and effectiveness of key response plans identified through the risk management process. Review the implementation and effectiveness of the Management Framework. Ensure audit plan takes into consideration identified strategic risks and associated response activities. Report to Senior Management Group and Audit Committee. Evaluate effectiveness of internal controls structure & financial reporting. Chief Executive Officer Promote the effective management of risk across the Council s operations. Ensure that Councillors are aware of risk management objectives. Has ultimate responsibility for managing risk across the Council. Responsible for the recognition and adoption of risk management as a key function of Council, and to ensure the inclusion of risk management as a priority within Council s Strategic and Operational Plans, Annual Report, and other appropriate Council documentation. Accountability for the appropriate and timely implementation and Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 6 of 10

27 Role Senior Management Group Responsibility maintenance of sound risk management practice and processes for strategic and operational risks, to reduce or prevent the adverse effects of risk. Demonstrating a commitment to risk management for and by all staff. Ensuring resources are appropriately allocated throughout the organisation to meet Council s risk management requirements. Report to the Audit Committee on fraud and corruption incidents, actions taken, risks and mitigation activities. Monitor, appraise and guide the risk & opportunity management performance of General Managers through the Performance Agreement and Annual Review processes. Ensure that all staff are fully conversant with, and understand the role of risk management within Council operations. Ensure that there is adequate protection of Councils operations and assets from risk on an ongoing basis; considering appropriate budgeting, implementation of safety procedures, and loss-control programs. Supervise contractors to ensure that risk management policies and procedures are applied. In conjunction with the Management Coordinator and/or the OH&S Officer, ensure that a safe and healthy workplace environment is provided and that appropriate safe work practices and control measures are implemented and maintained. Ensure that liability risks to the community within the Shire boundaries are effectively managed. Support and encourage a risk aware culture within Indigo Shire Council by endorsement and promotion of Council s Management Framework. Use the outcomes of the Strategic Assessment to set priorities in the Strategic / Business Planning Process. Provide an environment to enable implementation of risk management response plans on a prioritised basis. Ensure that all identified risks for which they are individually responsible are appropriately managed in accordance with the guidelines, processes and tools contained in the Management Framework. Be satisfied that all risks are appropriately identified, managed and controlled by each responsible risk owner. Acceptance by the Corporate Management Group and Departmental Managers of their leadership role in Management and a commitment to supporting the identified priorities with appropriate resources. Where resources are limited, an implementation plan should be developed to ensure continuous progress towards the best outcomes. A commitment to the monitoring of staff progress on their assigned accountabilities for Management activities. The level of commitment given to risk management by management will greatly influence the commitment given to risk management by staff. Actively contribute to the analysis of all significant incidents within jurisdiction Undertake risk & opportunity assessments for all proposed projects in consultation with relevant stakeholders prior to the projects proceeding Understand the principles of risk and opportunity management and their Indigo Shire Council Management Strategy Appendices TRIM Reference - INTERNAL12/660 Page 7 of 10