Policy No: 3.10 Minute No: C841/26-18

Approved by Council: December 2018 ECM File No: 12.110

Next Review Date: December 2020 Version: 2.0

Responsible Officer: Chief Financial Officer

Risk Management Policy

POLICY STATEMENT: 1.1 Council recognises that risk management is an integral part of good management practice and is committed to establishing an organisational culture that ensures risk management is embedded in Council activities and business processes.

1.2 Council will evaluate potential benefits alongside potential risks as a routine part of its business planning processes. Where the balance of advantage favours a particular activity or initiative, the identified risks will be planned for and managed, taking account of broader Council objectives and priorities.

1.3 Risks will be managed at the operational level in accordance with this policy and within risk management processes established by Council.

DEFINITIONS: 2.1 Risk is the chance of something happening that will have an adverse impact on the achievement of Council is meeting its desired objectives. Risk is measured in terms of the likelihood of something happening and the severity/impact of the consequences arising from an event.

2.2 Risk management is the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.

2.3 Risk management process is the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

OBJECTIVE: 3.1 The objectives of this policy are to ensure:

Council and senior management are in a position to make informed business decisions based on risk assessment;

risks are able to be identified, prioritised and managed in a coordinated manner;

strategic planning processes are improved as a result of a structured consideration of risk;

sound business opportunities that benefit Council are identified, without exposing Council to unacceptable levels of risk;

compliance with relevant legislation;

Council resources are safeguarded (eg. people, finance, property, information and reputation);

the community is protected against losses, both physical and financial, that are controllable by Council, and

continual improvement of Council.

3.2 This policy will be supported by a complementary Risk Management Framework.

SCOPE AND RESPONSIBILITIES:

4.1 This policy applies to all Councillors, employees, contractors, and representatives.

4.2 Council will oversee risk management within Council, on the advice of the General Manager.

4.3 The Audit Panel will review the risk management framework as per its Charter, and provide advice to Council on any issues.

4.4 The General Manager will be responsible for the implementation of risk management within Council, and for responding to and reporting on significant risks that may emerge from time to time.

4.5 Departmental Managers will be responsible for implementing risk management within their portfolio areas, and will report regularly to the General Manager on any significant risks or risk areas.

4.6 All staff will be responsible for the management of risk relevant to their areas of responsibility. This role may range from identifying and reporting risks associated with their own positions to participation in the risk management process.

PROCEDURE: (POLICY DETAIL)

5.1 Risks will normally be identified, evaluated and managed by responsible officers and reported in accordance with Council’s decision-making processes. Council’s strategic risks will be maintained in a strategic risk register and will be the subject of regular reports to Council through the Audit Panel.

5.2 Risk identification, evaluation and management in respect of particular operational and financial activities will be undertaken in accordance with Council’s Risk Management Framework.

5.3 Risks will be assessed with reference to Council’s strategic priorities, taking into account the likelihood of the risk occurring, the potential impact and the range of implications it may have for Council.

5.4 Where an unacceptable risk is identified, relevant Council staff with management responsibilities in areas that may be affected will be informed of it. Managers will be required to take action, as required, to address the matter and inform staff or other persons within their area of responsibility, about the matter.

5.5 The Council, through the Audit Panel shall ensure that there is ongoing review of its risk management system to ensure the continued sustainability and effectiveness of its Risk Management Policy.

5.6 Risk management strategies will be included in Annual Plans.

GUIDELINES: 6.1 The Risk Management Strategy will be implemented based on the following principles:

creating and protecting Council’s value,

as an integral part of Council processes,

as an integral part of decision making,

explicitly addressing uncertainty,

is systematic, structured and timely,

is based on the best available information,

is tailored,

takes human and cultural factors into account,

is transparent and inclusive, and

is dynamic, iterative and responsive to change.

6.2 Types of risks that need to be managed include:

strategic,

financial,

reputational

operational, and

hazard.

6.3 Council will include in its strategic risk register, a risk profile which examines the nature, likelihood and consequences of adverse events occurring, prioritising identified risks and determining the level of risk that it is prepared to tolerate.

6.4 The strategic risk register will be updated on a regular basis.

COMMUNICATION: 7.1 All Councillors and employees will be briefed on this policy as part of individual induction programs and on an on-going basis. Council will educate staff on good risk management practices.

LEGISLATION: 8.1 The following legislation should be considered in conjunction with this policy:

Local Government Act 1993 (Tasmania)

Work Health and Safety Act 2012 (Tasmania)

ISO31000:2009 Risk Management Principles and Guidelines

AS/NZS 4360:1999 Risk Management

RELATED DOCUMENTS: 9.1 Kingborough Council Strategic Plan 2015 - 2025

9.2 Long Term Asset Management Plan

9.3 Individual Asset Management Plans

AUDIENCE: 10.1 The Risk Management policy applies to all Councillors, employees, contractors, and representatives. The policy is publicly accessible via Council’s website.

KINGBOROUGH COUNCIL

RISK MANAGEMENT FRAMEWORK

November 2018

This should be read in conjunction with the Kingborough Council Risk Management Policy, the Strategic Risk

Register and Risk Appetite Statement.

RISK MANAGEMENT STRATEGY INDEX

FORWARD .............................................................................................................................. 2

1. INTRODUCTION ........................................................................................................... 3

2. STATEMENT OF COMMITMENT .................................................................................. 3

3. SCOPE and KEY STAKEHOLDERS .................................................................................. 5

4. OBJECTIVES AND OUTCOMES ..................................................................................... 5

5. RESPONSIBILITIES ........................................................................................................ 6

6. RISK MANAGEMENT PROCESS .................................................................................... 7

6.1 Knowing the strategic and operational Risks ........................................................ 7

6.2 Defining Risks ........................................................................................................ 7

6.3 Rating Risks ............................................................................................................ 8

6.4 Treating Risks ........................................................................................................ 9

6.5 Strategic Risk Register ......................................................................................... 10

6.6 Monitoring and Reporting Risks .......................................................................... 10

6.7 Reviewing Risks ................................................................................................... 10

6.8 Fraud Control....................................................................................................... 10

STRATEGIC RISKS ................................................................................................................. 11

Appendix A – Strategic Risk Register ................................................................................... 11

FORWARD Council’s Risk Management Strategy aims to improve the effectiveness of risk management across all functional activities of Council.

Effective risk management allows Council to:

have increased confidence in achieving our priorities and outcomes;

constrain threats to acceptable levels;

make informed decisions about exploiting opportunities;

more effectively manage capital investment and operational planning;

refine and enhance Council’s Asset Management capacity;

ensure that we get the right balance between rewards and risks; and

improve partnership working arrangements and corporate governance. Ultimately, effective risk management will help to ensure Council maximises its opportunities and minimises the impact of the risks it face, thereby improving Council’s ability to deliver priorities, improve outcomes for residents and mitigating legal action and financial claims against Council and any damage to its reputation. This Strategy explains Kingborough Council’s approach to risk management, and the framework that will operate to ensure that risks are effectively managed. Gary Arnold GENERAL MANAGER

1. Introduction Managers within Council recognise that the management of risk is a daily task. However, we require an overall strategy to ensure that a risk management framework and culture is embedded throughout Council. Risk management is a critical element of Council’s operations. Council has limited human, financial and material resources. Prudent decision making in relation to their use is critical in assisting Council to achieve its vision of developing Kingborough as a “vibrant, diverse and connected community, with well managed natural and physical assets and a wide range of economic and lifestyle opportunities”. To this end, not only must Council staff identify and minimise threats to the safe and effective use of Council resources, they also have an obligation to identify and to make the most of opportunities ensuring the most efficient delivery of services to the community. In order to develop a strong internal risk management culture, it is vital to align the risk management process with the organisation’s culture, processes, structure and strategy. It is essential that the organisation understands its internal context which can include, but is not limited to:

governance, organisational structure, roles and accountabilities,

policies, objectives, and the strategies that are in place to achieve them,

capabilities, understood in terms of resources and knowledge (eg capital, time, people, processes, systems and technologies),

the relationships with and perceptions and values of internal stakeholders,

the organisation’s culture,

information systems, information flows and decisions making processes (both formal and informal),

standards, guidelines and models adopted by the organisation, and

form and extent of contractual relationships.1 2. Statement of Commitment The major risk for most organisations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed their stakeholders. Council is committed to managing its risk by identifying, analysing, evaluating, treating, monitoring and communicating all risks that may directly or indirectly impact on its ability to achieve its the vision and strategic objectives.

This strategy demonstrates Council’s commitment, by detailing the risk management framework for all staff, contractors, committees and volunteers engaged in the delivery of Council services and programs and defining the responsibilities for contemporary risk management processes.

Organisations aiming at being an effective manager of risk should comply with the following principles. (a) Risk management creates and protects value – by contributing to the demonstrable achievement of

objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product/service quality, project management, effectiveness in operations, governance and reputation.

(b) Risk management is an integral part of all organisational processes – not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and integral to all organisational processes, including strategic planning and all project and change management processes.

(c) Risk management is part of decision making – by helping decision makers make informed choices, prioritise actions and distinguish between alternate courses of action.

1 ISO 3100:2009, Sec 5.3.3, pp 15-16.

(d) Risk management explicitly address uncertainty, the nature of that uncertainty and how it can be addressed.

(e) Risk management is systematic, structured and timely – which contributes to efficiency and consistent, comparable and reliable results.

(f) Risk management is based on the best available information – however, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

(g) Risk management is tailored – and aligned with the organisation’s external and internal control and risk factors.

(h) Risk management takes human and cultural factors into account – by recognising the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation’s objectives.

(i) Risk management is transparent and inclusive – through appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation, so that risk management remains relevant and up-to-date. Involvement also allows stakeholder to be properly represented and to have their views taken into account in determining risk criteria.

(j) Risk management is dynamic, iterative and responsive to change – by continually sensing and responding to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change and some disappear.

(k) Risk management facilitates continual improvement of the organisation – from development and implementation of strategies to improve their risk management maturity alongside all other aspects of the organisation.2

The success of risk management depends on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organisation at all levels. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organisation levels.3 The dependency of the management framework components in managing risk is shown in the following figure.

Mandate and commitment

Design of framework for managing riskUnderstanding the organisation and its contextEstablishing risk management policyAccountabilityIntegration into organisation processesResourcesEstablishing internal communication and reporting mechanismsEstablishing external communication and reporting mechanisms

Continual improvement of the framework Implementing risk managementImplementing the framework for managing riskImplementing the risk management process

Monitoring and review of the framework

Fig 1.3: Relationship between the components of framework for managing risk Source: Based on ISO 31000; 2009, Fig 2, p 9

2 ISO 3100:2009, Sec 3, pp 7-8.

3 ISO 3100: 2009, Sec 4.1, p 8.

3. Scope and Key Stakeholders This Risk Management Strategy will be implemented across all Council services, functions and activities, whether directly controlled by Council or delivered through third party arrangements. All employees, contractors, partner organisations and volunteers engaged in the conduct of Council business are to apply consistent, proactive and systematic risk management practices in the delivery of Council services and use of resources. Successful risk management relies on input and commitment from all stakeholders.

The risk management process outlined within this Strategy applies primarily to the strategic and business risk management areas of Council. 4. Objectives and Outcomes The objectives of this Strategy are to:

fully integrate risk management into the culture of Council and into Council’s strategic planning, performance management processes, templates and procedures;

ensure that the framework for identifying, evaluating, controlling, reviewing, reporting and communicating risks across Council is implemented and understood by all staff;

communicate to stakeholders Council’s approach and commitment to risk management;

improve co­ordination of risk management activity across all Council activities;

ensure that the Council through its Executive Management Team and external regulators are provided with the necessary assurance that Council is committed to mitigating its risks and complies with contemporary corporate governance practices; and

ensure consistency throughout Council in the identification and management of risk. The principle outcomes of the Strategy are:

achievement of Council’s strategic and operational objectives through the identification, evaluation and prioritising of Council’s risks with a view to reducing, mitigating, transferring or eliminating them;

more effective allocation and use of resources;

protecting Council’s corporate image as a professional, responsible and ethical organisation and as an employer of choice;

minimising Council’s exposure to loss and litigation;

protecting and enhancing Council’s reputation;

protecting Council’s financial and physical assets; and

maintaining a commitment to employee Work Health & Safety programs. 5. Responsibilities All employees, contractors and volunteers are to be familiar with and competent in the application of Council’s risk management policy and strategy. Managers and supervisors are accountable for adherence to this Strategy within their areas of responsibility. Council

Endorse the risk framework that has been established.

Review the strategic risks and establish the risk appetite that forms the basis for how risks are rated and managed.

Audit Panel

Review the risk management framework and risk matrix to ensure that it is current, comprehensive and meets relevant standards.

Review whether the risk management framework is being adhered to, and that associated procedures exist for the effective identification, assessment, management and reporting of Council’s significant risk

areas including, but not limited to, financial, legislative, compliance, fraud, business and environmental risks.

Monitor the organisational performance in managing the risks identified in the strategic and operational risk register.

Review the impact of the Council’s risk management framework on its control environment and insurance arrangements, including workers compensation.

Review whether a sound and effective approach has been followed in establishing the Council’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically.

Review the Council’s fraud control plan and satisfy itself that the Council has appropriate policies, processes and systems in place to deter, capture and effectively investigate fraud related information.

Determine if Council has appropriately considered legal and compliance risks as part of its risk assessment and management arrangements.

Review the effectiveness of the system for monitoring compliance with relevant laws, regulations and associated Government policy.

General Manager

Maintain overall responsibility and leadership for the effective management of all types of risks across Council operations.

Define responsibility and authority for officers with involvement in risk management.

Recognise, actively encourage and adopt Risk Management as a key function of the Council. Managers / Supervisors

Ensure risks are managed in accordance with the relevant risk register and to relevant standards.

Prepare and implement risk management procedures for each area of operations.

Employ risk management principles and practises to ensure that loss control and prevention is a priority.

Monitor and report on practices and processes to ensure appropriateness to current conditions and standards.

Actively participate in training provided.

Implement risk management audit recommendations.

Employees, Contractors, Volunteers and Representatives

Familiarisation with Council’s Risk Management Policy and Strategy.

Actively participate in training provided in relation to risk management.

Use risk management principles and practices while undertaking daily tasks.

Take notice of and implement recommendations from risk management audits conducted in the workplace.

Chief Financial Officer

Develop, review and maintain Council’s risk management policies, systems, and procedures.

Recommend new processes to manage risk.

Review and monitor Council risk management performance measures.

Monitor recommendations and outcomes from risk management audits.

Provide a central liaison point for staff and management in relation to risk management. 6. Risk management Process The risk management procedure to be applied within Council will be based on relevant Australian Standards, particularly AS/NZS ISO 31000:2009, Risk management - Principles and guidelines. .

Council’s risk management process consists of seven steps:

1) knowing the strategic and operational priorities;

2) defining risks;

3) scoring risks;

4) treating risks;

5) compiling a risk database and register;

6) monitoring and reporting risks; and

7) reviewing risks. 6.1 Knowing the strategic and operational priorities The starting point for risk management is a clear understanding of what Council is trying to achieve. Risk management is about managing the threats that may hinder delivery of our priorities and maximising the opportunities that will help to deliver them. Effective risk management must therefore be clearly aligned to the business planning processes, and will take into account the environment within which Council operates. 6.2 Defining Risks There are many ways of identifying risks depending upon the type of risk being considered. These include:

interviews or facilitated workshops with all stakeholders;

reviewing published information;

checklists for similar events/activities/projects;

an examination of previous events/activities/projects; and

taking advantage of past experiences in undertaking an event/activity/project.

Types of risks include:

product and service delivery;

people;

financial and economic;

technology and information management;

leadership and corporate governance;

assets and security;

ethics and corporate image; and

environment. The risk management process is based on the fundamentals of International Standard ISO 31000:2009. It is an analysis and problem solving technique designed to provide a logical process for the selection of treatment plans and management actions to protect the community against unacceptable risks.

RISK ASSESSMENT

ESTABLISHING THE CONTEXT

- The external context- The internal context- Define risk criteria

RISK ANAYLSIS

Identify existing controls

Determine DetermineConsequences Likelihood

Determine level of risk

RISK EVALUATION

- Compare against risk criteria- Set priorities

Is risk acceptable?

Is risk acceptable?

RISK TREATMENT

- Identify options (cost & residual risk)- Assess options (risk reduction & cost)- Prepare and implement treatment plans- Communicate residual risks

CO

MM

UN

ICA

TIO

N &

CO

NSU

LTA

TIO

N

MO

NIT

OR

ING

& R

EVIE

W

RISK IDENTIFICATION

- What can happen?- When and why?- How and why?

Yes

No

Fig 1.5: Risk Management Process – Detail Source: Based on ISO 31000; 2009, Fig 3, p 14

In order to effectively manage identified risks, they must first be rated. 6.3 Rating Risks In order to decide on the best treatment option and to prioritise the treatment of identified risks, the risk must first be rated. Risks are rated by identifying the likelihood of the event occurring and the impact or consequences of the event if it did occur. When rating a risk the impact on the following needs to be considered:

achievement of strategic priorities;

reputation;

work, health and safety of employees, residents, service users, contractors, volunteers, etc;

ability to deliver services (eg - in particular key services); and

financial (eg - budgets, claims, fines, penalties etc.).

Council uses a five-by­five matrix to determine its risk rating as follows:

LIKELIHOOD

(probability)

Insignificant Minor Moderate Major Catastrophic

No injuries Some injuries External medical Extensive injuries Death or major injuries

No Env damage Low Env damage Medium Env damage High env damage Toxic Env damage

<$1,000 <$10,000 <$100,000 <$1,000,000 >$1,000,000

Almost Certain

Likely

Possible

Unlikely

Rare

CRITICAL RISK

MODERATE

RISKCRITICAL RISK

(expected in most

circumstances - 100%)

(probably in most

circumstances - 10%)

(might occur at some time -

1%)

HIGH RISK

MODERATE

RISK

MODERATE

RISKHIGH RISK HIGH RISK CRITICAL RISK

(could occur at some time -

0.1%)

(exceptional circumstances

only - 0.01%)

LOW RISKMODERATE

RISK

MODERATE

RISKHIGH RISK

LOW RISK

LOW RISK

LOW RISK

HIGH RISK HIGH RISK

CONSEQUENCES

What is the severity of the injuries/potential damages/financial impacts (if the risk event

actually occurs)?

How likely is the event

to occur at some time

in the future?

CRITICAL RISK

MODERATE

RISK

MODERATE

RISKHIGH RISK HIGH RISK

MODERATE

RISKHIGH RISK

6.4 Treating Risks There are four general approaches to treating risk:

(i) avoid,

(ii) reduce,

(iii) transfer, or

(iv) accept.

Avoiding the risk – not undertaking the activity that is likely to trigger the risk.

Reducing the risk – controlling the likelihood of the risk occurring, or controlling the impact of the consequences if the risk does occur.

Transferring the risk – handing the risk on elsewhere, either totally or in part (eg - through insurance).

Accepting the risk – acknowledging that the ability to take effective action against some risks may be limited or that the cost of taking action may be disproportionate to the potential benefits gained.

Assessment of each treatment option is used to provide the basis for selecting the best option to manage each risk identified. Risk treatment is concerned with actions taken to reduce the impact or likelihood of risks not wholly avoided or transferred (retained risks). 6.5 Strategic Risk Register A risk register lists potential risks identified, how serious the problem is, how it can be fixed, who is responsible for what and by when. The aim of the register is to proactively raise the profile of what risks exist within Council.

The Strategic Risk Register is provided in Appendix A. This document provides a high level snapshot of Council’s risks by listing the risks identified in Section 7 and applying the likelihood and consequence rating for each risk. An overall risk rating is then arrived at. Note that all of Council’s strategic risks are rated as either moderate or high, with no risks rated as low or critical. Council has strategies in place for all risks and these are included in the comments column of the Register.

6.6 Risk Appetite Risk appetite is the amount and type of risk that an organisation is willing to accept to achieve a desired outcome / objective. In the evaluation of a risk, following the completion of the risk analysis, the Councils risk appetite statement provides guidance in the risk treatment vs. risk toleration decision.

The purpose of the risk appetite statement is to:

Assist in determining whether a risk can be tolerated at the current level, or if risk treatments should be implemented.

Target risk treatment at those risks that exceed the stated risk appetite.

Ensure risks are not tolerated outside the risk appetite where cost effective treatment can occur.

Ensure risks that can continue to be tolerated are not subjected to further excessive risk treatment. Applying the Risk Appetite Statement

In the evaluation of a risk, following the completion of the risk analysis, the risk appetite statement provides guidance in the risk treatment vs. risk toleration decision.

The purpose of the risk appetite statement is to:

Assist in determining whether a risk can be tolerated at the current level, or if risk treatments should be implemented.

Target risk treatment at those risks that exceed the stated risk appetite.

Ensure risks are not tolerated outside the risk appetite where cost effective treatment can occur.

Ensure risks that can continue to be tolerated are not subjected to further excessive risk treatment. Refer to the Council’s Risk Appetite Statement in Appendix B. 6.7 Monitoring and Reporting Risks The Executive Management Team is responsible for ensuring that key risks on the Strategic Risk Register are managed and that progress made with risk mitigation measures is monitored. Department Managers are responsible for ensuring that key risks in the Strategic Risk Register relating to their area of responsibility are managed and that the ‘high risks’ feature as a standing item on the management team meeting agendas. Service specific business risks must be included within the respective service plans and be monitored through the performance and risk management arrangements of the Department to which it relates. 6.8 Reviewing Risks All risks should be reviewed and reported at least annually in conjunction with the annual planning processes.

Everyone in Council is involved in risk management and should be aware of their responsibilities in identifying and managing risk. However, the ultimate responsibility for managing risk lies with the General Manager. Risk management audits are conducted periodically as required by external bodies, or can be initiated by the General Manager or by a recommendation to Council by the Audit Panel. Risk management performance measures are set by Council through recommendations by the Audit Panel and are to be reviewed on a regular basis. 6.9 Fraud Control Council has developed a Fraud Control and Corruption Prevention Policy and has recently undertaken a self-assessment of fraud control risks. Council considers that the development of an anti-fraud culture and strong internal controls will provide an appropriate mitigation against the risk of fraud.

Appendix A:

Stra

tegi

c R

isk

Re

gist

er

Ref

Ris

k t

itle

Det

ails

Cau

ses/

Co

nse

qu

ence

s

Un

cert

ain

ty s

urr

ou

nd

ing

the

del

iver

y o

f th

e la

rge-

scal

e

pro

ject

, in

clu

din

g:

N

egat

ive

imp

act

on

th

e f

inan

cial

sust

ain

abil

ity

of

Co

un

cil

and

it

s ab

ilit

y t

o

del

iver

ser

vic

es t

o c

om

mu

nit

y.

Cri

tica

l (C

riti

cal

7;

Hig

h 2

;

· R

FP

's t

o d

eter

min

d r

even

ue

fro

m s

ale

of

lan

d

bei

ng

fin

alis

ed

Par

tial

ly

effe

ctiv

eH

igh

A

ccu

racy

of

fin

anci

al m

od

elli

ng;

L

ow

RO

I.M

ediu

m 3

; L

ow

1)

· E

xpen

dit

ure

on

th

e p

roje

ct b

eco

min

g cl

eare

r.

A

chie

vin

g so

un

d r

etu

rn o

n i

nv

estm

ent

(RO

I);

· U

se o

f P

rob

ity

Ad

vis

or

to e

nsu

re a

pp

rop

riat

e

gov

ern

ance

.

M

itig

atin

g th

e i

mp

act

of

exte

rnal

fac

tors

R

isk

to

Co

un

cil's

rep

uta

tio

n t

hro

ugh

no

t

mee

tin

g co

mm

un

ity

exp

ecta

tio

ns.

·Co

nsu

ltat

ion

wit

h c

om

mu

nit

y o

n p

lay

gro

un

d

and

op

en s

pac

e d

evel

op

men

t

Fai

lure

of

Co

un

cil

to m

ain

tain

fin

anci

al s

ust

ain

abil

ity

in

the

lon

g te

rm d

ue

to

in

adeq

uat

e m

od

elli

ng,

pla

nn

ing

and

mo

nit

ori

ng

pro

cess

es.

R

esu

ltin

g in

neg

ativ

e im

pac

ts o

n t

he

fin

anci

al

sust

ain

abil

ity

of

Co

un

cil

and

it

s ab

ilit

y t

o

del

iver

ser

vic

es t

o t

he

com

mu

nit

y.

Cri

tica

l

LT

FP

to

ach

iev

e su

rplu

s b

y 2

02

1

and

rev

iew

ed.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Inab

ilit

y o

f C

ou

nci

l to

rai

se s

uff

icie

nt

rev

enu

e o

r ch

arge

fees

to

co

st r

eco

ver

su

ffic

ien

t to

su

pp

ort

th

e c

ost

stru

ctu

re o

f C

ou

nci

l.

R

esu

ltin

g in

sig

nif

ican

t re

sou

rce

req

uir

emen

ts

for

Co

un

cil

wh

ich

can

be

un

fun

ded

.(C

riti

cal

10

, H

igh

3)

A

nn

ual

bu

dge

t in

lin

e w

ith

LT

FP

.

Ris

k o

f re

lian

ce o

n e

xter

nal

fu

nd

ing

sou

rces

su

ch

as

Fed

eral

go

ver

nm

ent

gran

ts a

nd

div

iden

ds

L

ack

of

con

tro

l o

ver

fin

anci

al o

utc

om

es (

eg:

Tas

wat

er D

ivid

end

)

Co

un

cil

has

co

ntr

ol

in s

etti

ng

rate

s an

d f

ees.

Co

st s

hif

tin

g o

r d

efer

ral

of

resp

on

sib

ilit

y f

rom

Sta

te

or

Fed

eral

Go

ver

nm

ent

to L

oca

l G

ov

ern

men

t.

R

eso

urc

e an

d

staf

fin

g ra

mif

icat

ion

s, d

ue

to

chan

gin

g re

spo

nsi

bil

itie

s an

d n

eed

fo

r v

arie

d

skil

ls a

nd

kn

ow

led

ge.

O

per

atio

nal

gra

nts

are

co

nsi

sten

t.

Po

ten

tial

fo

r in

adeq

uat

e co

nsu

ltat

ion

an

d/o

r

pla

nn

ing

wit

h t

he

co

mm

un

ity

to

un

der

stan

d

futu

re n

eed

s.

Cri

tica

l

Co

mm

un

ity

sta

keh

old

er m

anag

emen

t th

rou

gh

com

mu

nic

atio

n a

nd

co

nsu

ltat

ion

.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Imp

act

on

th

e p

eop

le w

ith

in t

he

mu

nic

ipal

ity

.(C

riti

cal

13

, H

igh

3)

E

nga

gem

ent

stra

tegy

cu

rren

tly

bei

ng

dev

elo

ped

..

Fin

anci

al o

r re

pu

tati

on

al i

mp

act

on

Co

un

cil

du

e

to t

he

inab

ilit

y t

o m

eet

the

nee

ds

of

the

com

mu

nit

y.

S

trat

egic

pla

nn

ing

pro

cess

in

clu

des

su

bst

anti

al

com

mu

nit

y e

nag

agem

ent.

Res

ult

ing

in p

ote

nti

al f

or

fin

anci

al a

nd

le

gal

imp

acts

du

e t

o i

nad

equ

atel

y m

ain

tain

ed

faci

liti

es o

r la

nd

an

d/o

r b

reac

h o

f le

ase

agre

emen

ts.

Hig

h (

Hig

h 9

; M

ediu

m 5

A

Bu

ild

ing

and

M

ain

ten

ance

Gro

up

has

bee

n

esta

bli

shed

to

man

age

bu

ild

ings

.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Po

ten

tial

fo

r lo

ss o

f re

ven

ue

fro

m i

nef

fect

ivel

y

man

aged

lea

ses.

A

sy

stem

of

regu

lar

insp

ecti

on

s an

d

mai

nte

nan

ce o

f p

rop

erti

es i

n u

nd

erta

ken

A

rev

iew

of

leas

e ar

ran

gem

ents

is

curr

entl

y

un

der

way

.

Ris

k m

itig

atio

n c

on

tro

ls

1

Co

ntr

ol

effe

ctiv

enes

s

4F

acil

itie

s an

d p

rop

erty

man

agem

ent

Inab

ilit

y o

f C

ou

nci

l to

eff

ecti

vel

y m

anag

e fa

cili

ties

, la

nd

and

le

ased

pre

mis

es o

wn

ed b

y C

ou

nci

l.

Kin

gsto

n P

ark

2F

inan

cial

Su

stai

nab

ilit

y

and

F

un

din

g M

od

el

Mit

igat

ed r

isk

rati

ng

3S

trat

egic

Pla

nn

ing

and

Ser

vic

e P

rov

isio

n

Th

e ri

sk o

f fa

ilin

g to

mee

t fu

ture

in

fras

tru

ctu

re a

nd

serv

ices

nee

ds

to s

up

po

rt a

vib

ran

t an

d

sup

po

rted

com

mu

nit

y.

Ris

k r

atin

g

Ref

Ris

k t

itle

Det

ails

Cau

ses/

Co

nse

qu

ence

s

Th

e ab

ilit

y o

f C

ou

nci

l to

en

sure

eff

ecti

ve,

eff

icie

nt

and

rob

ust

in

form

atio

n m

anag

emen

t an

d

tech

no

logy

sy

stem

s

to s

up

po

rt b

usi

nes

s o

per

atio

ns.

Po

ten

tial

fo

r in

effi

cien

t o

r in

effe

ctiv

e b

usi

nes

s

syst

ems

of

Co

un

cil

and

re

sult

ant

fin

anci

al a

nd

reso

urc

ing

imp

acts

.

Hig

h (

Cri

tica

l 1

, H

igh

8,

Med

ium

4)

R

epla

cem

ent

of

Co

re S

yst

ems

un

der

way

.

Sp

ecif

icat

ion

req

uir

es t

igh

t in

tegr

atio

n

elim

inat

ing

any

exi

stin

g d

ata

du

pli

cati

on

or

do

ub

le h

and

lin

g re

sult

ing

in a

sea

mle

ssly

inte

grat

ed E

RP

sy

stem

.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Res

ult

ing

in m

ajo

r b

usi

nes

s d

isru

pti

on

, in

abil

ity

to a

cces

s an

d

pro

du

ced

req

uir

ed i

nfo

rmat

ion

in

a ti

mel

y m

ann

er,

loss

of

key

dat

a an

d

po

ten

tial

for

pro

du

ctio

n o

f in

accu

rate

dat

a d

ue

to

po

or

inte

grat

ion

of

syst

ems.

P

ath

way

p

rop

erty

an

d

regu

lato

ry s

yst

em

wel

l u

tili

sed

an

d m

ain

tain

ed a

t th

e la

test

rel

ease

dat

e. R

e-tr

ain

ing

un

der

tak

en b

y f

un

ctio

nal

are

a

as r

equ

ired

.

Th

e ri

sk o

f in

tern

al o

r ex

tern

al s

ecu

rity

th

reat

s to

Co

un

cil’

s d

ata,

in

form

atio

n o

r sy

stem

s, i

ncl

ud

ing

cyb

er

risk

s.

Po

ten

tial

fo

r lo

ss o

f d

ata,

in

form

atio

n o

r

syst

ems

cau

sin

g b

usi

nes

s d

isru

pti

on

, fi

nan

cial

con

seq

uen

ces

and

re

pu

tati

on

dam

age.

Sy

stem

sec

uri

ty h

as b

een

im

pro

ved

by

tw

o

fact

or

auth

enti

cati

on

fo

r re

mo

te l

ogi

n a

nd

mo

nth

ly e

xter

nal

sec

uri

ty v

end

or

chec

ks

of

secu

rity

str

ateg

y.

A

pp

rop

riat

e b

ack

up

an

d

syst

em r

edu

nd

ancy

in p

lace

Ab

ilit

y o

f C

ou

nci

l to

man

age

env

iro

nm

enta

l ri

sks

imp

acti

ng

the

mu

nic

ipal

ity

an

d

Co

un

cil

asse

ts –

incl

ud

ing

env

iro

nm

enta

l co

mp

lian

ce a

nd

em

erge

ncy

man

agem

ent

for

nat

ura

l d

isas

ters

.

Res

ult

ing

in p

oo

r en

vir

on

men

tal

ou

tco

mes

fo

r

the

Kin

gbo

rou

gh m

un

icip

alit

y a

nd

th

e l

oss

of

val

ue

ascr

ibed

to

nat

ura

l re

sou

rces

.

Hig

h

Wel

l es

tab

lish

ed p

rogr

ams

in p

lace

del

iver

ed

by

exp

erie

nce

d s

kil

led

sta

ff.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Inad

equ

ate

env

iro

nm

enta

l m

anag

emen

t b

y C

ou

nci

l

incl

ud

ing:

Res

ult

ing

in p

ote

nti

al f

or

clim

ate

chan

ge

imp

acts

to

ad

ver

sely

aff

ect

the

asse

ts a

nd

peo

ple

wit

hin

Kin

gbo

rou

gh.

(Cri

tica

l 3

, H

igh

6,

Med

ium

3)

E

ffec

tiv

e p

ub

lic

awar

enes

s p

rogr

ams

in p

lace

wit

h g

oo

d c

om

mu

nit

y n

etw

ork

s.

F

ailu

re t

o p

lan

fo

r, a

dap

t to

an

d m

anag

e th

e im

pac

ts o

f

clim

ate

chan

geP

ote

nti

al f

or

dam

age

to n

atu

ral

env

iro

nm

ent

M

anag

emen

t o

f en

vir

on

men

tal

asse

ts a

nd

p

ests

Res

ult

ing

in s

erio

us

dam

age/

loss

to

th

e

Kin

gbo

rou

gh c

om

mu

nit

y i

ncl

ud

ing

peo

ple

,

asse

ts,

and

co

mm

un

ity

fu

nct

ion

.

W

aste

m

anag

emen

t st

rate

gies

bei

ng

dev

elo

ped

.

C

han

gin

g st

and

ard

s fo

r en

vir

on

men

tal

per

form

ance

(in

clu

din

g w

aste

man

agem

ent)

.

Fai

lure

/ i

nab

ilit

y t

o p

rov

ide

esse

nti

al s

erv

ices

and

co

nti

nu

ed e

ssen

tial

Co

un

cil

op

erat

ion

s

du

rin

g em

erge

mci

es.

E

mer

gen

cy M

anag

emen

t O

ffic

er e

mp

lyed

to

man

age

ou

r em

erge

ncy

man

agem

ent

com

mit

men

ts.

V

alu

e p

lace

d a

nd

d

ecis

ion

mak

ing

rega

rdin

g n

atu

ral

asse

ts.

Fin

anci

al l

oss

an

d

lega

l ra

mif

icat

ion

s.

C

ou

nci

l’s

emer

gen

cy m

anag

emen

t m

itig

atio

n

con

tin

ues

in

co

nsu

ltat

ion

wit

h t

he

com

mu

nit

y

(e.g

. K

ings

ton

Bea

ch

Stu

dy

).

Po

ten

tial

im

pac

t o

f in

adeq

uat

e em

erge

ncy

man

agem

ent

on

Kin

gbo

rou

gh C

ou

nci

l an

d

the

Kin

gbo

rou

gh

com

mu

nit

y r

esu

ltin

g fr

om

an

en

vir

on

men

tal

/ n

atu

ral

dis

aste

r in

clu

din

g fl

oo

d,

bu

shfi

re,

sto

rm,

and

co

asta

l

ero

sio

n.

Inju

ry t

o e

mp

loy

ee o

r co

mm

un

ity

mem

ber

.

A n

um

ber

of

po

lici

es h

ave

bee

n d

evel

op

ed t

o

add

ress

nat

ura

l h

azar

ds

Inad

equ

ate

emer

gen

cy m

anag

emen

t in

tro

du

ces

the

ris

k

of

inef

fect

ive

pla

nn

ing,

res

po

nse

an

d

com

mu

nic

atio

n o

f

emer

gen

cy m

anag

emen

t st

rate

gies

an

d c

om

mu

nit

y

reco

ver

y s

trat

egie

s.

Dam

age

or

loss

of

nat

ura

l re

sou

rces

.

Co

un

cil

has

an

em

erge

ncy

man

agem

ent

pla

n

and

st

and

ard

op

erat

ing

pro

ced

ure

s.

Po

ten

tial

fo

r co

mm

un

ity

dis

sati

sfac

tio

n w

ith

Co

un

cil’

s p

lan

nin

g an

d

resp

on

se r

esu

ltin

g in

rep

uta

tio

n i

mp

act.

B

ush

fire

Man

agem

ent

Off

icer

ap

po

inte

d t

o

min

imis

e th

e ri

sk i

n C

ou

nci

l o

wn

ed l

and

.

Lo

ss o

f C

ou

nci

l as

sets

in

clu

din

g d

ata.

Ris

k r

atin

gR

isk

mit

igat

ion

exa

mp

les

fro

m p

rev

iou

s ri

sk

regi

ster

Mit

igat

ed R

isk

Rat

ing

5In

form

atio

n m

anag

emen

t

and

se

curi

ty

6E

nv

iro

nm

enta

l an

d

Em

erge

ncy

Man

agem

ent

Co

ntr

ol

effe

ctiv

enes

s

Ref

Ris

k t

itle

Det

ails

Cau

ses/

Co

nse

qu

ence

s

Un

cert

ain

ty s

urr

ou

nd

ing

the

ab

ilit

y t

o d

eliv

er,

man

age

and

fu

nd

th

e in

fras

tru

ctu

re a

nd

as

sets

of

Co

un

cil.

Res

ult

ing

in t

he

po

ten

tial

fo

r:

Ass

et m

anag

emen

t p

lan

s re

gula

rly

up

dat

ed.

Su

bst

anti

ally

Eff

ecti

ve

Hig

h

A

bil

ity

to

fu

nd

req

uir

ed i

nfr

astr

uct

ure

an

d

mai

nte

nan

ce.

I

nsu

ffic

ien

t o

r in

adeq

uat

ely

mai

nta

ined

infr

astr

uct

ure

;

L

on

g te

rm a

sset

man

agem

ent

pla

ns

up

dat

ed

yea

rly

to

ref

lect

ch

ange

s in

cap

ital

an

d

mai

nte

nen

ace

req

uir

emen

ts f

or

exis

tin

g as

sets

and

to

acc

ou

nt

for

new

ass

ets.

A

bil

ity

to

man

age

dev

elo

pm

ent

in t

he

mu

nic

ipal

ity

co

nsi

sten

t w

ith

in

fras

tru

ctu

re

con

stra

ints

/ p

lan

nin

g.

F

inan

cial

im

pac

ts o

f la

rge

/ u

nfo

rese

en

infr

astr

uct

ure

req

uir

emen

ts

R

elat

ion

ship

s w

ith

var

iou

s se

rvic

e au

tho

riti

es

mai

nta

ined

A

bil

ity

to

man

age

pro

ject

s, c

on

trac

ts a

nd

th

ird

par

ties

to

ach

iev

e in

fras

tru

ctu

re o

bje

ctiv

es.

R

egu

lar

rev

alu

atio

ns

and

in

dex

atio

n o

f as

sets

un

der

tak

en t

o r

efle

ct c

han

gin

g co

st o

f

con

stru

ctio

n a

nd

co

nd

itio

n o

f as

set

sto

ck.

A

bil

ity

of

Co

un

cil

to m

anag

e th

e st

and

ard

of

the

asse

ts t

o a

ccep

tab

le c

on

dit

ion

.

I

nab

ilit

y t

o f

un

d o

ngo

ing

mai

nte

nan

ce o

f

infr

astr

uct

ure

;

S

tro

ng

pro

ject

man

agem

ent

app

roac

h w

ith

clo

se m

on

ito

rin

g o

f ex

pen

dit

ure

an

d e

ver

yth

ing

is

wel

l d

ocu

men

ted

.

R

edu

ctio

n i

n s

erv

ice

del

iver

y o

f C

ou

nci

l.E

xter

nal

exp

erti

se i

s so

urc

ed w

her

e n

eces

sary

.

Incl

ud

ing

lega

l ad

vic

e.

C

ou

nci

l as

sets

no

t m

eeti

ng

legi

slat

ive,

regu

lato

ry o

r co

mm

un

ity

sta

nd

ard

s.

P

rov

idin

g o

ngo

ing

pu

bli

c in

form

atio

n a

nd

inv

olv

ing

com

mu

nit

y i

n d

ecis

ion

mak

ing

wh

en

app

rop

riat

e.

L

oss

of

stra

tegi

c b

enef

its

fro

m p

roje

ct.

C

lose

fin

anci

al o

ver

sigh

t an

d e

xter

nal

gra

nts

sou

rced

wh

enev

er p

oss

ible

.

P

ote

nti

al f

or

fin

anci

al,

rep

uta

tio

nal

an

d l

egal

imp

acts

res

ult

ing

fro

m f

ailu

re o

f p

roje

cts.

C

od

e o

f T

end

ers

and

C

on

trac

ts p

rov

ides

po

licy

dir

ecti

on

.

W

ell

def

ined

co

ntr

act

man

agem

ent

pro

cess

in

pla

ce.

P

rocu

rem

ent

Off

icer

po

siti

on

pro

vid

es a

dv

ice

acro

ss C

ou

nci

l.

Sig

nif

ican

t le

gal,

rep

uta

tio

nal

an

d

fin

anci

al

ram

ific

atio

ns

for

Kin

gbo

rou

gh C

ou

nci

l.C

riti

cal

S

tro

ng

WH

S f

ocu

s w

ith

sp

ecia

lise

d C

ou

nci

l

Off

icer

ov

erse

ein

g co

mp

lian

ce.

Su

bst

anti

ally

Eff

ecti

ve

Mo

der

ate

Inju

ry o

r d

eath

of

emp

loy

ee/c

ou

nci

llo

r.

Sig

nif

ican

t w

ork

ers

com

pen

sati

on

co

sts

and

imp

act

on

sta

ff.

(Cri

tica

l 1

0,

Hig

h 2

)

S

tro

ng

sy

stem

s to

su

pp

ort

co

mp

lian

ce w

ith

bu

ild

ing

and

pla

nn

ing

regu

lati

on

s.

Res

ult

ing

in i

nju

ry o

r d

eath

of

a m

emb

er o

f th

e

pu

bli

c d

ue

to

Co

un

cil’

s fa

ilu

re o

f

resp

on

sib

ilit

y.

C

om

pli

ance

ch

eck

list

has

bee

n d

evel

op

ed w

ith

an a

nn

ual

sig

n-o

ff b

y M

anag

ers.

Fin

anci

al c

ost

s o

f re

sou

rces

req

uir

ed t

o e

nsu

re

com

pli

ance

.

E

xper

ien

ced

Man

ager

s en

suri

ng

com

pli

ance

wit

h r

egu

lati

on

s.

Po

or

ou

tco

mes

fo

r m

emb

ers

of

the

mu

nic

ipal

ity

an

d/o

r th

e co

mm

un

ity

as

a w

ho

le.

Co

ntr

ol

effe

ctiv

enes

sR

isk

rat

ing

Ris

k m

itig

atio

n e

xam

ple

s fr

om

pre

vio

us

risk

regi

ster

7In

fras

tru

ctu

re

man

agem

ent

Cri

tica

l (C

riti

cal

9;

Hig

h 3

)

Mit

igat

ed R

isk

Rat

ing

8L

egis

lati

ve

and

reg

ula

tory

com

pli

ance

Ab

ilit

y o

f C

ou

nci

l to

id

enti

fy a

nd

m

ain

tain

co

mp

lian

ce

wit

h r

elev

ant

regu

lati

on

s in

clu

din

g W

H&

S,

Fai

r W

ork

,

Lo

cal

Go

ver

nm

ent

Act

, ta

xati

on

, en

vir

on

men

tal

regu

lati

on

, an

d

pu

bli

c sa

fety

.

In

clu

des

th

e ab

ilit

y o

f

Co

un

cil

to m

ain

tain

Co

un

cil

asse

ts t

o s

tan

dar

ds

Appendix B:

KINGBOROUGH COUNCIL

RISK APPETITE STATEMENT

May 2018

This should be read in conjunction with the Kingborough Council Risk Management Policy and Framework.

RISK APPETITE Risk appetite is the amount and type of risk that an organisation is willing to accept in order to achieve a

desired outcome / objective.

The Council has a strategic plan which outlines the key objectives and goals of Council into the future – it is

how the Council has defined success. In order to achieve these objectives, Council must take on risk. With

scarce resources, Council must also make trade-offs between priorities. Risk appetite is a tool which assists

Council in having clear guidance on what types of risks are appropriate, what level of risk the Council is

comfortable with, and which objectives and risks are most important to Council and must be prioritised for

attention. Risk appetite statements include an overall statement, and a risk appetite level for each

category of risk eg. reputation, safety, financial, etc.

A strong risk management framework includes the following elements: risk appetite is one of those elements.

Why have a defined risk appetite?

Facilitates a shared understanding of the acceptance of risk

Provides guidance to Councillors, management and staff on expectations and acceptable risks

Assists in resolving tensions in the business plan and priorities

Provides guidance for budget allocation - the allocation of scarce resources to reducing risk

(risk mitigation strategies) and supporting internal controls There are different levels to risk appetite, for example:

Low risk appetite – only desire to take minimal or limited risks (or no risk) to pursue

organisational objectives

Medium risk appetite – Will take a moderate level of risk to pursue organisational

objectives

High risk appetite – Will take on a high level of risk to pursue organisational objectives

Policy and procedures

Ethics and behaviours

Risk appetite

Governance and

accountability

Internal controls

Risk culture

RISK APPETITE STATEMENTS The following risk appetite statements have been developed for consideration by Council based on the results from the workshop.

Overall risk appetite

Overall risk appetite statement

Council has, by its nature, a low appetite for risk given that many of the functions of Council are regulated under the Local Government 1993. The Council will however tolerate and pursue some risk consistent with the objective of providing efficient and effective Council services, and providing infrastructure, development and policy decisions which will benefit the ratepayers, both current and future, of the Kingborough municipality.

Sub-risk category risk appetite

Financial Council has a moderate risk appetite for financial risk in pursuit of Council objectives. In relation to budget management and cost control, Council has a low risk appetite for variances to the approved budget for matters that are within Council’s control. In relation to key projects, Council has a higher risk appetite and understands that major projects will inherently involve more risk. The Council will consider all decisions based on robust business cases / analysis and is willing to take on financial risk in order to deliver the infrastructure required for a growing municipality.

Legal The Council has a low appetite for legal and compliance risks consistent with its role in local government. Resources will be applied to ensure both Council and stakeholders comply with the legal and regulatory environments.

Safety Council has a low risk appetite for anything that may impact the safety of councillors, Council staff and the community.

Stakeholder Council has a moderate risk appetite to stakeholder risk. This is consistent with the local government environment and the wide range of stakeholder interests in the objectives and decisions of Council. Council will make decisions based on the information and analysis available and will be prepared to make decisions which may impact some stakeholder groups if it is felt the decision is in the best interests of the municipality or the Council.

Reputation Council has a moderate risk appetite to reputation risk. Consistent with stakeholder risk, Council will make decisions based on the information and analysis available and will be prepared to make decisions which may impact the reputation of Council if it is felt the decision is in the best interests of the municipality or the Council. Council will however take steps to ensure that internal processes and the management of Council projects is performed well to minimise the risk of reputation damage as a result of Council actions or activities.

Environment Council has a moderate risk appetite in relation to the environment. While the target risk level is no or limited damage to the environment, Council accepts that some damage may occur in a limited resource environment.