risk management policy - kingborough council...2.3 risk management process is the systematic...
TRANSCRIPT
Policy No: 3.10 Minute No: C841/26-18
Approved by Council: December 2018 ECM File No: 12.110
Next Review Date: December 2020 Version: 2.0
Responsible Officer: Chief Financial Officer
Risk Management Policy
POLICY STATEMENT: 1.1 Council recognises that risk management is an integral part of good management practice and is committed to establishing an organisational culture that ensures risk management is embedded in Council activities and business processes.
1.2 Council will evaluate potential benefits alongside potential risks as a routine part of its business planning processes. Where the balance of advantage favours a particular activity or initiative, the identified risks will be planned for and managed, taking account of broader Council objectives and priorities.
1.3 Risks will be managed at the operational level in accordance with this policy and within risk management processes established by Council.
DEFINITIONS: 2.1 Risk is the chance of something happening that will have an adverse impact on the achievement of Council is meeting its desired objectives. Risk is measured in terms of the likelihood of something happening and the severity/impact of the consequences arising from an event.
2.2 Risk management is the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.
2.3 Risk management process is the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
OBJECTIVE: 3.1 The objectives of this policy are to ensure:
Council and senior management are in a position to make informed business decisions based on risk assessment;
risks are able to be identified, prioritised and managed in a coordinated manner;
strategic planning processes are improved as a result of a structured consideration of risk;
sound business opportunities that benefit Council are identified, without exposing Council to unacceptable levels of risk;
compliance with relevant legislation;
Council resources are safeguarded (eg. people, finance, property, information and reputation);
the community is protected against losses, both physical and financial, that are controllable by Council, and
continual improvement of Council.
3.2 This policy will be supported by a complementary Risk Management Framework.
SCOPE AND RESPONSIBILITIES:
4.1 This policy applies to all Councillors, employees, contractors, and representatives.
4.2 Council will oversee risk management within Council, on the advice of the General Manager.
4.3 The Audit Panel will review the risk management framework as per its Charter, and provide advice to Council on any issues.
4.4 The General Manager will be responsible for the implementation of risk management within Council, and for responding to and reporting on significant risks that may emerge from time to time.
4.5 Departmental Managers will be responsible for implementing risk management within their portfolio areas, and will report regularly to the General Manager on any significant risks or risk areas.
4.6 All staff will be responsible for the management of risk relevant to their areas of responsibility. This role may range from identifying and reporting risks associated with their own positions to participation in the risk management process.
PROCEDURE: (POLICY DETAIL)
5.1 Risks will normally be identified, evaluated and managed by responsible officers and reported in accordance with Council’s decision-making processes. Council’s strategic risks will be maintained in a strategic risk register and will be the subject of regular reports to Council through the Audit Panel.
5.2 Risk identification, evaluation and management in respect of particular operational and financial activities will be undertaken in accordance with Council’s Risk Management Framework.
5.3 Risks will be assessed with reference to Council’s strategic priorities, taking into account the likelihood of the risk occurring, the potential impact and the range of implications it may have for Council.
5.4 Where an unacceptable risk is identified, relevant Council staff with management responsibilities in areas that may be affected will be informed of it. Managers will be required to take action, as required, to address the matter and inform staff or other persons within their area of responsibility, about the matter.
5.5 The Council, through the Audit Panel shall ensure that there is ongoing review of its risk management system to ensure the continued sustainability and effectiveness of its Risk Management Policy.
5.6 Risk management strategies will be included in Annual Plans.
GUIDELINES: 6.1 The Risk Management Strategy will be implemented based on the following principles:
creating and protecting Council’s value,
as an integral part of Council processes,
as an integral part of decision making,
explicitly addressing uncertainty,
is systematic, structured and timely,
is based on the best available information,
is tailored,
takes human and cultural factors into account,
is transparent and inclusive, and
is dynamic, iterative and responsive to change.
6.2 Types of risks that need to be managed include:
strategic,
financial,
reputational
operational, and
hazard.
6.3 Council will include in its strategic risk register, a risk profile which examines the nature, likelihood and consequences of adverse events occurring, prioritising identified risks and determining the level of risk that it is prepared to tolerate.
6.4 The strategic risk register will be updated on a regular basis.
COMMUNICATION: 7.1 All Councillors and employees will be briefed on this policy as part of individual induction programs and on an on-going basis. Council will educate staff on good risk management practices.
LEGISLATION: 8.1 The following legislation should be considered in conjunction with this policy:
Local Government Act 1993 (Tasmania)
Work Health and Safety Act 2012 (Tasmania)
ISO31000:2009 Risk Management Principles and Guidelines
AS/NZS 4360:1999 Risk Management
RELATED DOCUMENTS: 9.1 Kingborough Council Strategic Plan 2015 - 2025
9.2 Long Term Asset Management Plan
9.3 Individual Asset Management Plans
AUDIENCE: 10.1 The Risk Management policy applies to all Councillors, employees, contractors, and representatives. The policy is publicly accessible via Council’s website.
KINGBOROUGH COUNCIL
RISK MANAGEMENT FRAMEWORK
November 2018
This should be read in conjunction with the Kingborough Council Risk Management Policy, the Strategic Risk
Register and Risk Appetite Statement.
RISK MANAGEMENT STRATEGY INDEX
FORWARD .............................................................................................................................. 2
1. INTRODUCTION ........................................................................................................... 3
2. STATEMENT OF COMMITMENT .................................................................................. 3
3. SCOPE and KEY STAKEHOLDERS .................................................................................. 5
4. OBJECTIVES AND OUTCOMES ..................................................................................... 5
5. RESPONSIBILITIES ........................................................................................................ 6
6. RISK MANAGEMENT PROCESS .................................................................................... 7
6.1 Knowing the strategic and operational Risks ........................................................ 7
6.2 Defining Risks ........................................................................................................ 7
6.3 Rating Risks ............................................................................................................ 8
6.4 Treating Risks ........................................................................................................ 9
6.5 Strategic Risk Register ......................................................................................... 10
6.6 Monitoring and Reporting Risks .......................................................................... 10
6.7 Reviewing Risks ................................................................................................... 10
6.8 Fraud Control....................................................................................................... 10
STRATEGIC RISKS ................................................................................................................. 11
Appendix A – Strategic Risk Register ................................................................................... 11
FORWARD Council’s Risk Management Strategy aims to improve the effectiveness of risk management across all functional activities of Council.
Effective risk management allows Council to:
have increased confidence in achieving our priorities and outcomes;
constrain threats to acceptable levels;
make informed decisions about exploiting opportunities;
more effectively manage capital investment and operational planning;
refine and enhance Council’s Asset Management capacity;
ensure that we get the right balance between rewards and risks; and
improve partnership working arrangements and corporate governance. Ultimately, effective risk management will help to ensure Council maximises its opportunities and minimises the impact of the risks it face, thereby improving Council’s ability to deliver priorities, improve outcomes for residents and mitigating legal action and financial claims against Council and any damage to its reputation. This Strategy explains Kingborough Council’s approach to risk management, and the framework that will operate to ensure that risks are effectively managed. Gary Arnold GENERAL MANAGER
1. Introduction Managers within Council recognise that the management of risk is a daily task. However, we require an overall strategy to ensure that a risk management framework and culture is embedded throughout Council. Risk management is a critical element of Council’s operations. Council has limited human, financial and material resources. Prudent decision making in relation to their use is critical in assisting Council to achieve its vision of developing Kingborough as a “vibrant, diverse and connected community, with well managed natural and physical assets and a wide range of economic and lifestyle opportunities”. To this end, not only must Council staff identify and minimise threats to the safe and effective use of Council resources, they also have an obligation to identify and to make the most of opportunities ensuring the most efficient delivery of services to the community. In order to develop a strong internal risk management culture, it is vital to align the risk management process with the organisation’s culture, processes, structure and strategy. It is essential that the organisation understands its internal context which can include, but is not limited to:
governance, organisational structure, roles and accountabilities,
policies, objectives, and the strategies that are in place to achieve them,
capabilities, understood in terms of resources and knowledge (eg capital, time, people, processes, systems and technologies),
the relationships with and perceptions and values of internal stakeholders,
the organisation’s culture,
information systems, information flows and decisions making processes (both formal and informal),
standards, guidelines and models adopted by the organisation, and
form and extent of contractual relationships.1 2. Statement of Commitment The major risk for most organisations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed their stakeholders. Council is committed to managing its risk by identifying, analysing, evaluating, treating, monitoring and communicating all risks that may directly or indirectly impact on its ability to achieve its the vision and strategic objectives.
This strategy demonstrates Council’s commitment, by detailing the risk management framework for all staff, contractors, committees and volunteers engaged in the delivery of Council services and programs and defining the responsibilities for contemporary risk management processes.
Organisations aiming at being an effective manager of risk should comply with the following principles. (a) Risk management creates and protects value – by contributing to the demonstrable achievement of
objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product/service quality, project management, effectiveness in operations, governance and reputation.
(b) Risk management is an integral part of all organisational processes – not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and integral to all organisational processes, including strategic planning and all project and change management processes.
(c) Risk management is part of decision making – by helping decision makers make informed choices, prioritise actions and distinguish between alternate courses of action.
1 ISO 3100:2009, Sec 5.3.3, pp 15-16.
(d) Risk management explicitly address uncertainty, the nature of that uncertainty and how it can be addressed.
(e) Risk management is systematic, structured and timely – which contributes to efficiency and consistent, comparable and reliable results.
(f) Risk management is based on the best available information – however, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
(g) Risk management is tailored – and aligned with the organisation’s external and internal control and risk factors.
(h) Risk management takes human and cultural factors into account – by recognising the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation’s objectives.
(i) Risk management is transparent and inclusive – through appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation, so that risk management remains relevant and up-to-date. Involvement also allows stakeholder to be properly represented and to have their views taken into account in determining risk criteria.
(j) Risk management is dynamic, iterative and responsive to change – by continually sensing and responding to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change and some disappear.
(k) Risk management facilitates continual improvement of the organisation – from development and implementation of strategies to improve their risk management maturity alongside all other aspects of the organisation.2
The success of risk management depends on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organisation at all levels. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organisation levels.3 The dependency of the management framework components in managing risk is shown in the following figure.
Mandate and commitment
Design of framework for managing riskUnderstanding the organisation and its contextEstablishing risk management policyAccountabilityIntegration into organisation processesResourcesEstablishing internal communication and reporting mechanismsEstablishing external communication and reporting mechanisms
Continual improvement of the framework Implementing risk managementImplementing the framework for managing riskImplementing the risk management process
Monitoring and review of the framework
Fig 1.3: Relationship between the components of framework for managing risk Source: Based on ISO 31000; 2009, Fig 2, p 9
2 ISO 3100:2009, Sec 3, pp 7-8.
3 ISO 3100: 2009, Sec 4.1, p 8.
3. Scope and Key Stakeholders This Risk Management Strategy will be implemented across all Council services, functions and activities, whether directly controlled by Council or delivered through third party arrangements. All employees, contractors, partner organisations and volunteers engaged in the conduct of Council business are to apply consistent, proactive and systematic risk management practices in the delivery of Council services and use of resources. Successful risk management relies on input and commitment from all stakeholders.
The risk management process outlined within this Strategy applies primarily to the strategic and business risk management areas of Council. 4. Objectives and Outcomes The objectives of this Strategy are to:
fully integrate risk management into the culture of Council and into Council’s strategic planning, performance management processes, templates and procedures;
ensure that the framework for identifying, evaluating, controlling, reviewing, reporting and communicating risks across Council is implemented and understood by all staff;
communicate to stakeholders Council’s approach and commitment to risk management;
improve coordination of risk management activity across all Council activities;
ensure that the Council through its Executive Management Team and external regulators are provided with the necessary assurance that Council is committed to mitigating its risks and complies with contemporary corporate governance practices; and
ensure consistency throughout Council in the identification and management of risk. The principle outcomes of the Strategy are:
achievement of Council’s strategic and operational objectives through the identification, evaluation and prioritising of Council’s risks with a view to reducing, mitigating, transferring or eliminating them;
more effective allocation and use of resources;
protecting Council’s corporate image as a professional, responsible and ethical organisation and as an employer of choice;
minimising Council’s exposure to loss and litigation;
protecting and enhancing Council’s reputation;
protecting Council’s financial and physical assets; and
maintaining a commitment to employee Work Health & Safety programs. 5. Responsibilities All employees, contractors and volunteers are to be familiar with and competent in the application of Council’s risk management policy and strategy. Managers and supervisors are accountable for adherence to this Strategy within their areas of responsibility. Council
Endorse the risk framework that has been established.
Review the strategic risks and establish the risk appetite that forms the basis for how risks are rated and managed.
Audit Panel
Review the risk management framework and risk matrix to ensure that it is current, comprehensive and meets relevant standards.
Review whether the risk management framework is being adhered to, and that associated procedures exist for the effective identification, assessment, management and reporting of Council’s significant risk
areas including, but not limited to, financial, legislative, compliance, fraud, business and environmental risks.
Monitor the organisational performance in managing the risks identified in the strategic and operational risk register.
Review the impact of the Council’s risk management framework on its control environment and insurance arrangements, including workers compensation.
Review whether a sound and effective approach has been followed in establishing the Council’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically.
Review the Council’s fraud control plan and satisfy itself that the Council has appropriate policies, processes and systems in place to deter, capture and effectively investigate fraud related information.
Determine if Council has appropriately considered legal and compliance risks as part of its risk assessment and management arrangements.
Review the effectiveness of the system for monitoring compliance with relevant laws, regulations and associated Government policy.
General Manager
Maintain overall responsibility and leadership for the effective management of all types of risks across Council operations.
Define responsibility and authority for officers with involvement in risk management.
Recognise, actively encourage and adopt Risk Management as a key function of the Council. Managers / Supervisors
Ensure risks are managed in accordance with the relevant risk register and to relevant standards.
Prepare and implement risk management procedures for each area of operations.
Employ risk management principles and practises to ensure that loss control and prevention is a priority.
Monitor and report on practices and processes to ensure appropriateness to current conditions and standards.
Actively participate in training provided.
Implement risk management audit recommendations.
Employees, Contractors, Volunteers and Representatives
Familiarisation with Council’s Risk Management Policy and Strategy.
Actively participate in training provided in relation to risk management.
Use risk management principles and practices while undertaking daily tasks.
Take notice of and implement recommendations from risk management audits conducted in the workplace.
Chief Financial Officer
Develop, review and maintain Council’s risk management policies, systems, and procedures.
Recommend new processes to manage risk.
Review and monitor Council risk management performance measures.
Monitor recommendations and outcomes from risk management audits.
Provide a central liaison point for staff and management in relation to risk management. 6. Risk management Process The risk management procedure to be applied within Council will be based on relevant Australian Standards, particularly AS/NZS ISO 31000:2009, Risk management - Principles and guidelines. .
Council’s risk management process consists of seven steps:
1) knowing the strategic and operational priorities;
2) defining risks;
3) scoring risks;
4) treating risks;
5) compiling a risk database and register;
6) monitoring and reporting risks; and
7) reviewing risks. 6.1 Knowing the strategic and operational priorities The starting point for risk management is a clear understanding of what Council is trying to achieve. Risk management is about managing the threats that may hinder delivery of our priorities and maximising the opportunities that will help to deliver them. Effective risk management must therefore be clearly aligned to the business planning processes, and will take into account the environment within which Council operates. 6.2 Defining Risks There are many ways of identifying risks depending upon the type of risk being considered. These include:
interviews or facilitated workshops with all stakeholders;
reviewing published information;
checklists for similar events/activities/projects;
an examination of previous events/activities/projects; and
taking advantage of past experiences in undertaking an event/activity/project.
Types of risks include:
product and service delivery;
people;
financial and economic;
technology and information management;
leadership and corporate governance;
assets and security;
ethics and corporate image; and
environment. The risk management process is based on the fundamentals of International Standard ISO 31000:2009. It is an analysis and problem solving technique designed to provide a logical process for the selection of treatment plans and management actions to protect the community against unacceptable risks.
RISK ASSESSMENT
ESTABLISHING THE CONTEXT
- The external context- The internal context- Define risk criteria
RISK ANAYLSIS
Identify existing controls
Determine DetermineConsequences Likelihood
Determine level of risk
RISK EVALUATION
- Compare against risk criteria- Set priorities
Is risk acceptable?
Is risk acceptable?
RISK TREATMENT
- Identify options (cost & residual risk)- Assess options (risk reduction & cost)- Prepare and implement treatment plans- Communicate residual risks
CO
MM
UN
ICA
TIO
N &
CO
NSU
LTA
TIO
N
MO
NIT
OR
ING
& R
EVIE
W
RISK IDENTIFICATION
- What can happen?- When and why?- How and why?
Yes
No
Fig 1.5: Risk Management Process – Detail Source: Based on ISO 31000; 2009, Fig 3, p 14
In order to effectively manage identified risks, they must first be rated. 6.3 Rating Risks In order to decide on the best treatment option and to prioritise the treatment of identified risks, the risk must first be rated. Risks are rated by identifying the likelihood of the event occurring and the impact or consequences of the event if it did occur. When rating a risk the impact on the following needs to be considered:
achievement of strategic priorities;
reputation;
work, health and safety of employees, residents, service users, contractors, volunteers, etc;
ability to deliver services (eg - in particular key services); and
financial (eg - budgets, claims, fines, penalties etc.).
Council uses a five-byfive matrix to determine its risk rating as follows:
LIKELIHOOD
(probability)
Insignificant Minor Moderate Major Catastrophic
No injuries Some injuries External medical Extensive injuries Death or major injuries
No Env damage Low Env damage Medium Env damage High env damage Toxic Env damage
<$1,000 <$10,000 <$100,000 <$1,000,000 >$1,000,000
Almost Certain
Likely
Possible
Unlikely
Rare
CRITICAL RISK
MODERATE
RISKCRITICAL RISK
(expected in most
circumstances - 100%)
(probably in most
circumstances - 10%)
(might occur at some time -
1%)
HIGH RISK
MODERATE
RISK
MODERATE
RISKHIGH RISK HIGH RISK CRITICAL RISK
(could occur at some time -
0.1%)
(exceptional circumstances
only - 0.01%)
LOW RISKMODERATE
RISK
MODERATE
RISKHIGH RISK
LOW RISK
LOW RISK
LOW RISK
HIGH RISK HIGH RISK
CONSEQUENCES
What is the severity of the injuries/potential damages/financial impacts (if the risk event
actually occurs)?
How likely is the event
to occur at some time
in the future?
CRITICAL RISK
MODERATE
RISK
MODERATE
RISKHIGH RISK HIGH RISK
MODERATE
RISKHIGH RISK
6.4 Treating Risks There are four general approaches to treating risk:
(i) avoid,
(ii) reduce,
(iii) transfer, or
(iv) accept.
Avoiding the risk – not undertaking the activity that is likely to trigger the risk.
Reducing the risk – controlling the likelihood of the risk occurring, or controlling the impact of the consequences if the risk does occur.
Transferring the risk – handing the risk on elsewhere, either totally or in part (eg - through insurance).
Accepting the risk – acknowledging that the ability to take effective action against some risks may be limited or that the cost of taking action may be disproportionate to the potential benefits gained.
Assessment of each treatment option is used to provide the basis for selecting the best option to manage each risk identified. Risk treatment is concerned with actions taken to reduce the impact or likelihood of risks not wholly avoided or transferred (retained risks). 6.5 Strategic Risk Register A risk register lists potential risks identified, how serious the problem is, how it can be fixed, who is responsible for what and by when. The aim of the register is to proactively raise the profile of what risks exist within Council.
The Strategic Risk Register is provided in Appendix A. This document provides a high level snapshot of Council’s risks by listing the risks identified in Section 7 and applying the likelihood and consequence rating for each risk. An overall risk rating is then arrived at. Note that all of Council’s strategic risks are rated as either moderate or high, with no risks rated as low or critical. Council has strategies in place for all risks and these are included in the comments column of the Register.
6.6 Risk Appetite Risk appetite is the amount and type of risk that an organisation is willing to accept to achieve a desired outcome / objective. In the evaluation of a risk, following the completion of the risk analysis, the Councils risk appetite statement provides guidance in the risk treatment vs. risk toleration decision.
The purpose of the risk appetite statement is to:
Assist in determining whether a risk can be tolerated at the current level, or if risk treatments should be implemented.
Target risk treatment at those risks that exceed the stated risk appetite.
Ensure risks are not tolerated outside the risk appetite where cost effective treatment can occur.
Ensure risks that can continue to be tolerated are not subjected to further excessive risk treatment. Applying the Risk Appetite Statement
In the evaluation of a risk, following the completion of the risk analysis, the risk appetite statement provides guidance in the risk treatment vs. risk toleration decision.
The purpose of the risk appetite statement is to:
Assist in determining whether a risk can be tolerated at the current level, or if risk treatments should be implemented.
Target risk treatment at those risks that exceed the stated risk appetite.
Ensure risks are not tolerated outside the risk appetite where cost effective treatment can occur.
Ensure risks that can continue to be tolerated are not subjected to further excessive risk treatment. Refer to the Council’s Risk Appetite Statement in Appendix B. 6.7 Monitoring and Reporting Risks The Executive Management Team is responsible for ensuring that key risks on the Strategic Risk Register are managed and that progress made with risk mitigation measures is monitored. Department Managers are responsible for ensuring that key risks in the Strategic Risk Register relating to their area of responsibility are managed and that the ‘high risks’ feature as a standing item on the management team meeting agendas. Service specific business risks must be included within the respective service plans and be monitored through the performance and risk management arrangements of the Department to which it relates. 6.8 Reviewing Risks All risks should be reviewed and reported at least annually in conjunction with the annual planning processes.
Everyone in Council is involved in risk management and should be aware of their responsibilities in identifying and managing risk. However, the ultimate responsibility for managing risk lies with the General Manager. Risk management audits are conducted periodically as required by external bodies, or can be initiated by the General Manager or by a recommendation to Council by the Audit Panel. Risk management performance measures are set by Council through recommendations by the Audit Panel and are to be reviewed on a regular basis. 6.9 Fraud Control Council has developed a Fraud Control and Corruption Prevention Policy and has recently undertaken a self-assessment of fraud control risks. Council considers that the development of an anti-fraud culture and strong internal controls will provide an appropriate mitigation against the risk of fraud.
Appendix A:
Stra
tegi
c R
isk
Re
gist
er
Ref
Ris
k t
itle
Det
ails
Cau
ses/
Co
nse
qu
ence
s
Un
cert
ain
ty s
urr
ou
nd
ing
the
del
iver
y o
f th
e la
rge-
scal
e
pro
ject
, in
clu
din
g:
N
egat
ive
imp
act
on
th
e f
inan
cial
sust
ain
abil
ity
of
Co
un
cil
and
it
s ab
ilit
y t
o
del
iver
ser
vic
es t
o c
om
mu
nit
y.
Cri
tica
l (C
riti
cal
7;
Hig
h 2
;
· R
FP
's t
o d
eter
min
d r
even
ue
fro
m s
ale
of
lan
d
bei
ng
fin
alis
ed
Par
tial
ly
effe
ctiv
eH
igh
A
ccu
racy
of
fin
anci
al m
od
elli
ng;
L
ow
RO
I.M
ediu
m 3
; L
ow
1)
· E
xpen
dit
ure
on
th
e p
roje
ct b
eco
min
g cl
eare
r.
A
chie
vin
g so
un
d r
etu
rn o
n i
nv
estm
ent
(RO
I);
· U
se o
f P
rob
ity
Ad
vis
or
to e
nsu
re a
pp
rop
riat
e
gov
ern
ance
.
M
itig
atin
g th
e i
mp
act
of
exte
rnal
fac
tors
R
isk
to
Co
un
cil's
rep
uta
tio
n t
hro
ugh
no
t
mee
tin
g co
mm
un
ity
exp
ecta
tio
ns.
·Co
nsu
ltat
ion
wit
h c
om
mu
nit
y o
n p
lay
gro
un
d
and
op
en s
pac
e d
evel
op
men
t
Fai
lure
of
Co
un
cil
to m
ain
tain
fin
anci
al s
ust
ain
abil
ity
in
the
lon
g te
rm d
ue
to
in
adeq
uat
e m
od
elli
ng,
pla
nn
ing
and
mo
nit
ori
ng
pro
cess
es.
R
esu
ltin
g in
neg
ativ
e im
pac
ts o
n t
he
fin
anci
al
sust
ain
abil
ity
of
Co
un
cil
and
it
s ab
ilit
y t
o
del
iver
ser
vic
es t
o t
he
com
mu
nit
y.
Cri
tica
l
LT
FP
to
ach
iev
e su
rplu
s b
y 2
02
1
and
rev
iew
ed.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Inab
ilit
y o
f C
ou
nci
l to
rai
se s
uff
icie
nt
rev
enu
e o
r ch
arge
fees
to
co
st r
eco
ver
su
ffic
ien
t to
su
pp
ort
th
e c
ost
stru
ctu
re o
f C
ou
nci
l.
R
esu
ltin
g in
sig
nif
ican
t re
sou
rce
req
uir
emen
ts
for
Co
un
cil
wh
ich
can
be
un
fun
ded
.(C
riti
cal
10
, H
igh
3)
A
nn
ual
bu
dge
t in
lin
e w
ith
LT
FP
.
Ris
k o
f re
lian
ce o
n e
xter
nal
fu
nd
ing
sou
rces
su
ch
as
Fed
eral
go
ver
nm
ent
gran
ts a
nd
div
iden
ds
L
ack
of
con
tro
l o
ver
fin
anci
al o
utc
om
es (
eg:
Tas
wat
er D
ivid
end
)
Co
un
cil
has
co
ntr
ol
in s
etti
ng
rate
s an
d f
ees.
Co
st s
hif
tin
g o
r d
efer
ral
of
resp
on
sib
ilit
y f
rom
Sta
te
or
Fed
eral
Go
ver
nm
ent
to L
oca
l G
ov
ern
men
t.
R
eso
urc
e an
d
staf
fin
g ra
mif
icat
ion
s, d
ue
to
chan
gin
g re
spo
nsi
bil
itie
s an
d n
eed
fo
r v
arie
d
skil
ls a
nd
kn
ow
led
ge.
O
per
atio
nal
gra
nts
are
co
nsi
sten
t.
Po
ten
tial
fo
r in
adeq
uat
e co
nsu
ltat
ion
an
d/o
r
pla
nn
ing
wit
h t
he
co
mm
un
ity
to
un
der
stan
d
futu
re n
eed
s.
Cri
tica
l
Co
mm
un
ity
sta
keh
old
er m
anag
emen
t th
rou
gh
com
mu
nic
atio
n a
nd
co
nsu
ltat
ion
.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Imp
act
on
th
e p
eop
le w
ith
in t
he
mu
nic
ipal
ity
.(C
riti
cal
13
, H
igh
3)
E
nga
gem
ent
stra
tegy
cu
rren
tly
bei
ng
dev
elo
ped
..
Fin
anci
al o
r re
pu
tati
on
al i
mp
act
on
Co
un
cil
du
e
to t
he
inab
ilit
y t
o m
eet
the
nee
ds
of
the
com
mu
nit
y.
S
trat
egic
pla
nn
ing
pro
cess
in
clu
des
su
bst
anti
al
com
mu
nit
y e
nag
agem
ent.
Res
ult
ing
in p
ote
nti
al f
or
fin
anci
al a
nd
le
gal
imp
acts
du
e t
o i
nad
equ
atel
y m
ain
tain
ed
faci
liti
es o
r la
nd
an
d/o
r b
reac
h o
f le
ase
agre
emen
ts.
Hig
h (
Hig
h 9
; M
ediu
m 5
A
Bu
ild
ing
and
M
ain
ten
ance
Gro
up
has
bee
n
esta
bli
shed
to
man
age
bu
ild
ings
.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Po
ten
tial
fo
r lo
ss o
f re
ven
ue
fro
m i
nef
fect
ivel
y
man
aged
lea
ses.
A
sy
stem
of
regu
lar
insp
ecti
on
s an
d
mai
nte
nan
ce o
f p
rop
erti
es i
n u
nd
erta
ken
A
rev
iew
of
leas
e ar
ran
gem
ents
is
curr
entl
y
un
der
way
.
Ris
k m
itig
atio
n c
on
tro
ls
1
Co
ntr
ol
effe
ctiv
enes
s
4F
acil
itie
s an
d p
rop
erty
man
agem
ent
Inab
ilit
y o
f C
ou
nci
l to
eff
ecti
vel
y m
anag
e fa
cili
ties
, la
nd
and
le
ased
pre
mis
es o
wn
ed b
y C
ou
nci
l.
Kin
gsto
n P
ark
2F
inan
cial
Su
stai
nab
ilit
y
and
F
un
din
g M
od
el
Mit
igat
ed r
isk
rati
ng
3S
trat
egic
Pla
nn
ing
and
Ser
vic
e P
rov
isio
n
Th
e ri
sk o
f fa
ilin
g to
mee
t fu
ture
in
fras
tru
ctu
re a
nd
serv
ices
nee
ds
to s
up
po
rt a
vib
ran
t an
d
sup
po
rted
com
mu
nit
y.
Ris
k r
atin
g
Ref
Ris
k t
itle
Det
ails
Cau
ses/
Co
nse
qu
ence
s
Th
e ab
ilit
y o
f C
ou
nci
l to
en
sure
eff
ecti
ve,
eff
icie
nt
and
rob
ust
in
form
atio
n m
anag
emen
t an
d
tech
no
logy
sy
stem
s
to s
up
po
rt b
usi
nes
s o
per
atio
ns.
Po
ten
tial
fo
r in
effi
cien
t o
r in
effe
ctiv
e b
usi
nes
s
syst
ems
of
Co
un
cil
and
re
sult
ant
fin
anci
al a
nd
reso
urc
ing
imp
acts
.
Hig
h (
Cri
tica
l 1
, H
igh
8,
Med
ium
4)
R
epla
cem
ent
of
Co
re S
yst
ems
un
der
way
.
Sp
ecif
icat
ion
req
uir
es t
igh
t in
tegr
atio
n
elim
inat
ing
any
exi
stin
g d
ata
du
pli
cati
on
or
do
ub
le h
and
lin
g re
sult
ing
in a
sea
mle
ssly
inte
grat
ed E
RP
sy
stem
.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Res
ult
ing
in m
ajo
r b
usi
nes
s d
isru
pti
on
, in
abil
ity
to a
cces
s an
d
pro
du
ced
req
uir
ed i
nfo
rmat
ion
in
a ti
mel
y m
ann
er,
loss
of
key
dat
a an
d
po
ten
tial
for
pro
du
ctio
n o
f in
accu
rate
dat
a d
ue
to
po
or
inte
grat
ion
of
syst
ems.
P
ath
way
p
rop
erty
an
d
regu
lato
ry s
yst
em
wel
l u
tili
sed
an
d m
ain
tain
ed a
t th
e la
test
rel
ease
dat
e. R
e-tr
ain
ing
un
der
tak
en b
y f
un
ctio
nal
are
a
as r
equ
ired
.
Th
e ri
sk o
f in
tern
al o
r ex
tern
al s
ecu
rity
th
reat
s to
Co
un
cil’
s d
ata,
in
form
atio
n o
r sy
stem
s, i
ncl
ud
ing
cyb
er
risk
s.
Po
ten
tial
fo
r lo
ss o
f d
ata,
in
form
atio
n o
r
syst
ems
cau
sin
g b
usi
nes
s d
isru
pti
on
, fi
nan
cial
con
seq
uen
ces
and
re
pu
tati
on
dam
age.
Sy
stem
sec
uri
ty h
as b
een
im
pro
ved
by
tw
o
fact
or
auth
enti
cati
on
fo
r re
mo
te l
ogi
n a
nd
mo
nth
ly e
xter
nal
sec
uri
ty v
end
or
chec
ks
of
secu
rity
str
ateg
y.
A
pp
rop
riat
e b
ack
up
an
d
syst
em r
edu
nd
ancy
in p
lace
Ab
ilit
y o
f C
ou
nci
l to
man
age
env
iro
nm
enta
l ri
sks
imp
acti
ng
the
mu
nic
ipal
ity
an
d
Co
un
cil
asse
ts –
incl
ud
ing
env
iro
nm
enta
l co
mp
lian
ce a
nd
em
erge
ncy
man
agem
ent
for
nat
ura
l d
isas
ters
.
Res
ult
ing
in p
oo
r en
vir
on
men
tal
ou
tco
mes
fo
r
the
Kin
gbo
rou
gh m
un
icip
alit
y a
nd
th
e l
oss
of
val
ue
ascr
ibed
to
nat
ura
l re
sou
rces
.
Hig
h
Wel
l es
tab
lish
ed p
rogr
ams
in p
lace
del
iver
ed
by
exp
erie
nce
d s
kil
led
sta
ff.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Inad
equ
ate
env
iro
nm
enta
l m
anag
emen
t b
y C
ou
nci
l
incl
ud
ing:
Res
ult
ing
in p
ote
nti
al f
or
clim
ate
chan
ge
imp
acts
to
ad
ver
sely
aff
ect
the
asse
ts a
nd
peo
ple
wit
hin
Kin
gbo
rou
gh.
(Cri
tica
l 3
, H
igh
6,
Med
ium
3)
E
ffec
tiv
e p
ub
lic
awar
enes
s p
rogr
ams
in p
lace
wit
h g
oo
d c
om
mu
nit
y n
etw
ork
s.
F
ailu
re t
o p
lan
fo
r, a
dap
t to
an
d m
anag
e th
e im
pac
ts o
f
clim
ate
chan
geP
ote
nti
al f
or
dam
age
to n
atu
ral
env
iro
nm
ent
M
anag
emen
t o
f en
vir
on
men
tal
asse
ts a
nd
p
ests
Res
ult
ing
in s
erio
us
dam
age/
loss
to
th
e
Kin
gbo
rou
gh c
om
mu
nit
y i
ncl
ud
ing
peo
ple
,
asse
ts,
and
co
mm
un
ity
fu
nct
ion
.
W
aste
m
anag
emen
t st
rate
gies
bei
ng
dev
elo
ped
.
C
han
gin
g st
and
ard
s fo
r en
vir
on
men
tal
per
form
ance
(in
clu
din
g w
aste
man
agem
ent)
.
Fai
lure
/ i
nab
ilit
y t
o p
rov
ide
esse
nti
al s
erv
ices
and
co
nti
nu
ed e
ssen
tial
Co
un
cil
op
erat
ion
s
du
rin
g em
erge
mci
es.
E
mer
gen
cy M
anag
emen
t O
ffic
er e
mp
lyed
to
man
age
ou
r em
erge
ncy
man
agem
ent
com
mit
men
ts.
V
alu
e p
lace
d a
nd
d
ecis
ion
mak
ing
rega
rdin
g n
atu
ral
asse
ts.
Fin
anci
al l
oss
an
d
lega
l ra
mif
icat
ion
s.
C
ou
nci
l’s
emer
gen
cy m
anag
emen
t m
itig
atio
n
con
tin
ues
in
co
nsu
ltat
ion
wit
h t
he
com
mu
nit
y
(e.g
. K
ings
ton
Bea
ch
Stu
dy
).
Po
ten
tial
im
pac
t o
f in
adeq
uat
e em
erge
ncy
man
agem
ent
on
Kin
gbo
rou
gh C
ou
nci
l an
d
the
Kin
gbo
rou
gh
com
mu
nit
y r
esu
ltin
g fr
om
an
en
vir
on
men
tal
/ n
atu
ral
dis
aste
r in
clu
din
g fl
oo
d,
bu
shfi
re,
sto
rm,
and
co
asta
l
ero
sio
n.
Inju
ry t
o e
mp
loy
ee o
r co
mm
un
ity
mem
ber
.
A n
um
ber
of
po
lici
es h
ave
bee
n d
evel
op
ed t
o
add
ress
nat
ura
l h
azar
ds
Inad
equ
ate
emer
gen
cy m
anag
emen
t in
tro
du
ces
the
ris
k
of
inef
fect
ive
pla
nn
ing,
res
po
nse
an
d
com
mu
nic
atio
n o
f
emer
gen
cy m
anag
emen
t st
rate
gies
an
d c
om
mu
nit
y
reco
ver
y s
trat
egie
s.
Dam
age
or
loss
of
nat
ura
l re
sou
rces
.
Co
un
cil
has
an
em
erge
ncy
man
agem
ent
pla
n
and
st
and
ard
op
erat
ing
pro
ced
ure
s.
Po
ten
tial
fo
r co
mm
un
ity
dis
sati
sfac
tio
n w
ith
Co
un
cil’
s p
lan
nin
g an
d
resp
on
se r
esu
ltin
g in
rep
uta
tio
n i
mp
act.
B
ush
fire
Man
agem
ent
Off
icer
ap
po
inte
d t
o
min
imis
e th
e ri
sk i
n C
ou
nci
l o
wn
ed l
and
.
Lo
ss o
f C
ou
nci
l as
sets
in
clu
din
g d
ata.
Ris
k r
atin
gR
isk
mit
igat
ion
exa
mp
les
fro
m p
rev
iou
s ri
sk
regi
ster
Mit
igat
ed R
isk
Rat
ing
5In
form
atio
n m
anag
emen
t
and
se
curi
ty
6E
nv
iro
nm
enta
l an
d
Em
erge
ncy
Man
agem
ent
Co
ntr
ol
effe
ctiv
enes
s
Ref
Ris
k t
itle
Det
ails
Cau
ses/
Co
nse
qu
ence
s
Un
cert
ain
ty s
urr
ou
nd
ing
the
ab
ilit
y t
o d
eliv
er,
man
age
and
fu
nd
th
e in
fras
tru
ctu
re a
nd
as
sets
of
Co
un
cil.
Res
ult
ing
in t
he
po
ten
tial
fo
r:
Ass
et m
anag
emen
t p
lan
s re
gula
rly
up
dat
ed.
Su
bst
anti
ally
Eff
ecti
ve
Hig
h
A
bil
ity
to
fu
nd
req
uir
ed i
nfr
astr
uct
ure
an
d
mai
nte
nan
ce.
I
nsu
ffic
ien
t o
r in
adeq
uat
ely
mai
nta
ined
infr
astr
uct
ure
;
L
on
g te
rm a
sset
man
agem
ent
pla
ns
up
dat
ed
yea
rly
to
ref
lect
ch
ange
s in
cap
ital
an
d
mai
nte
nen
ace
req
uir
emen
ts f
or
exis
tin
g as
sets
and
to
acc
ou
nt
for
new
ass
ets.
A
bil
ity
to
man
age
dev
elo
pm
ent
in t
he
mu
nic
ipal
ity
co
nsi
sten
t w
ith
in
fras
tru
ctu
re
con
stra
ints
/ p
lan
nin
g.
F
inan
cial
im
pac
ts o
f la
rge
/ u
nfo
rese
en
infr
astr
uct
ure
req
uir
emen
ts
R
elat
ion
ship
s w
ith
var
iou
s se
rvic
e au
tho
riti
es
mai
nta
ined
A
bil
ity
to
man
age
pro
ject
s, c
on
trac
ts a
nd
th
ird
par
ties
to
ach
iev
e in
fras
tru
ctu
re o
bje
ctiv
es.
R
egu
lar
rev
alu
atio
ns
and
in
dex
atio
n o
f as
sets
un
der
tak
en t
o r
efle
ct c
han
gin
g co
st o
f
con
stru
ctio
n a
nd
co
nd
itio
n o
f as
set
sto
ck.
A
bil
ity
of
Co
un
cil
to m
anag
e th
e st
and
ard
of
the
asse
ts t
o a
ccep
tab
le c
on
dit
ion
.
I
nab
ilit
y t
o f
un
d o
ngo
ing
mai
nte
nan
ce o
f
infr
astr
uct
ure
;
S
tro
ng
pro
ject
man
agem
ent
app
roac
h w
ith
clo
se m
on
ito
rin
g o
f ex
pen
dit
ure
an
d e
ver
yth
ing
is
wel
l d
ocu
men
ted
.
R
edu
ctio
n i
n s
erv
ice
del
iver
y o
f C
ou
nci
l.E
xter
nal
exp
erti
se i
s so
urc
ed w
her
e n
eces
sary
.
Incl
ud
ing
lega
l ad
vic
e.
C
ou
nci
l as
sets
no
t m
eeti
ng
legi
slat
ive,
regu
lato
ry o
r co
mm
un
ity
sta
nd
ard
s.
P
rov
idin
g o
ngo
ing
pu
bli
c in
form
atio
n a
nd
inv
olv
ing
com
mu
nit
y i
n d
ecis
ion
mak
ing
wh
en
app
rop
riat
e.
L
oss
of
stra
tegi
c b
enef
its
fro
m p
roje
ct.
C
lose
fin
anci
al o
ver
sigh
t an
d e
xter
nal
gra
nts
sou
rced
wh
enev
er p
oss
ible
.
P
ote
nti
al f
or
fin
anci
al,
rep
uta
tio
nal
an
d l
egal
imp
acts
res
ult
ing
fro
m f
ailu
re o
f p
roje
cts.
C
od
e o
f T
end
ers
and
C
on
trac
ts p
rov
ides
po
licy
dir
ecti
on
.
W
ell
def
ined
co
ntr
act
man
agem
ent
pro
cess
in
pla
ce.
P
rocu
rem
ent
Off
icer
po
siti
on
pro
vid
es a
dv
ice
acro
ss C
ou
nci
l.
Sig
nif
ican
t le
gal,
rep
uta
tio
nal
an
d
fin
anci
al
ram
ific
atio
ns
for
Kin
gbo
rou
gh C
ou
nci
l.C
riti
cal
S
tro
ng
WH
S f
ocu
s w
ith
sp
ecia
lise
d C
ou
nci
l
Off
icer
ov
erse
ein
g co
mp
lian
ce.
Su
bst
anti
ally
Eff
ecti
ve
Mo
der
ate
Inju
ry o
r d
eath
of
emp
loy
ee/c
ou
nci
llo
r.
Sig
nif
ican
t w
ork
ers
com
pen
sati
on
co
sts
and
imp
act
on
sta
ff.
(Cri
tica
l 1
0,
Hig
h 2
)
S
tro
ng
sy
stem
s to
su
pp
ort
co
mp
lian
ce w
ith
bu
ild
ing
and
pla
nn
ing
regu
lati
on
s.
Res
ult
ing
in i
nju
ry o
r d
eath
of
a m
emb
er o
f th
e
pu
bli
c d
ue
to
Co
un
cil’
s fa
ilu
re o
f
resp
on
sib
ilit
y.
C
om
pli
ance
ch
eck
list
has
bee
n d
evel
op
ed w
ith
an a
nn
ual
sig
n-o
ff b
y M
anag
ers.
Fin
anci
al c
ost
s o
f re
sou
rces
req
uir
ed t
o e
nsu
re
com
pli
ance
.
E
xper
ien
ced
Man
ager
s en
suri
ng
com
pli
ance
wit
h r
egu
lati
on
s.
Po
or
ou
tco
mes
fo
r m
emb
ers
of
the
mu
nic
ipal
ity
an
d/o
r th
e co
mm
un
ity
as
a w
ho
le.
Co
ntr
ol
effe
ctiv
enes
sR
isk
rat
ing
Ris
k m
itig
atio
n e
xam
ple
s fr
om
pre
vio
us
risk
regi
ster
7In
fras
tru
ctu
re
man
agem
ent
Cri
tica
l (C
riti
cal
9;
Hig
h 3
)
Mit
igat
ed R
isk
Rat
ing
8L
egis
lati
ve
and
reg
ula
tory
com
pli
ance
Ab
ilit
y o
f C
ou
nci
l to
id
enti
fy a
nd
m
ain
tain
co
mp
lian
ce
wit
h r
elev
ant
regu
lati
on
s in
clu
din
g W
H&
S,
Fai
r W
ork
,
Lo
cal
Go
ver
nm
ent
Act
, ta
xati
on
, en
vir
on
men
tal
regu
lati
on
, an
d
pu
bli
c sa
fety
.
In
clu
des
th
e ab
ilit
y o
f
Co
un
cil
to m
ain
tain
Co
un
cil
asse
ts t
o s
tan
dar
ds
Appendix B:
KINGBOROUGH COUNCIL
RISK APPETITE STATEMENT
May 2018
This should be read in conjunction with the Kingborough Council Risk Management Policy and Framework.
RISK APPETITE Risk appetite is the amount and type of risk that an organisation is willing to accept in order to achieve a
desired outcome / objective.
The Council has a strategic plan which outlines the key objectives and goals of Council into the future – it is
how the Council has defined success. In order to achieve these objectives, Council must take on risk. With
scarce resources, Council must also make trade-offs between priorities. Risk appetite is a tool which assists
Council in having clear guidance on what types of risks are appropriate, what level of risk the Council is
comfortable with, and which objectives and risks are most important to Council and must be prioritised for
attention. Risk appetite statements include an overall statement, and a risk appetite level for each
category of risk eg. reputation, safety, financial, etc.
A strong risk management framework includes the following elements: risk appetite is one of those elements.
Why have a defined risk appetite?
Facilitates a shared understanding of the acceptance of risk
Provides guidance to Councillors, management and staff on expectations and acceptable risks
Assists in resolving tensions in the business plan and priorities
Provides guidance for budget allocation - the allocation of scarce resources to reducing risk
(risk mitigation strategies) and supporting internal controls There are different levels to risk appetite, for example:
Low risk appetite – only desire to take minimal or limited risks (or no risk) to pursue
organisational objectives
Medium risk appetite – Will take a moderate level of risk to pursue organisational
objectives
High risk appetite – Will take on a high level of risk to pursue organisational objectives
Policy and procedures
Ethics and behaviours
Risk appetite
Governance and
accountability
Internal controls
Risk culture
RISK APPETITE STATEMENTS The following risk appetite statements have been developed for consideration by Council based on the results from the workshop.
Overall risk appetite
Overall risk appetite statement
Council has, by its nature, a low appetite for risk given that many of the functions of Council are regulated under the Local Government 1993. The Council will however tolerate and pursue some risk consistent with the objective of providing efficient and effective Council services, and providing infrastructure, development and policy decisions which will benefit the ratepayers, both current and future, of the Kingborough municipality.
Sub-risk category risk appetite
Financial Council has a moderate risk appetite for financial risk in pursuit of Council objectives. In relation to budget management and cost control, Council has a low risk appetite for variances to the approved budget for matters that are within Council’s control. In relation to key projects, Council has a higher risk appetite and understands that major projects will inherently involve more risk. The Council will consider all decisions based on robust business cases / analysis and is willing to take on financial risk in order to deliver the infrastructure required for a growing municipality.
Legal The Council has a low appetite for legal and compliance risks consistent with its role in local government. Resources will be applied to ensure both Council and stakeholders comply with the legal and regulatory environments.
Safety Council has a low risk appetite for anything that may impact the safety of councillors, Council staff and the community.
Stakeholder Council has a moderate risk appetite to stakeholder risk. This is consistent with the local government environment and the wide range of stakeholder interests in the objectives and decisions of Council. Council will make decisions based on the information and analysis available and will be prepared to make decisions which may impact some stakeholder groups if it is felt the decision is in the best interests of the municipality or the Council.
Reputation Council has a moderate risk appetite to reputation risk. Consistent with stakeholder risk, Council will make decisions based on the information and analysis available and will be prepared to make decisions which may impact the reputation of Council if it is felt the decision is in the best interests of the municipality or the Council. Council will however take steps to ensure that internal processes and the management of Council projects is performed well to minimise the risk of reputation damage as a result of Council actions or activities.
Environment Council has a moderate risk appetite in relation to the environment. While the target risk level is no or limited damage to the environment, Council accepts that some damage may occur in a limited resource environment.