ENTERPRISE RISK MANAGEMENT · AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines,...


All policies can be reviewed or revoked by a resolution of Council, at any time.

Enterprise Risk Management V1_18 Page 1 of 28 Next Review – March 2019

ENTERPRISE RISK MANAGEMENT ST056 F22

OBJECTIVE

To provide an Enterprise Risk Management framework that takes a proactive approach in identifying, analysing, evaluating and treating risks to Orange City Council.

APPLICABILITY

This policy applies to all areas of Orange City Council, Staff, Councillors and Council Delegates.

GENERAL

1 Orange City Council is committed to a structured and systematic approach to the management of risk across the organisation.

2 The Enterprise Risk Management framework and the process for managing Council’s risks is consistent with the Australian International Risk Management Standard AS/NZS ISO 31000:2009.

3 Council has developed an Enterprise Risk Management Program Toolkit to facilitate the implementation and ongoing integration of Enterprise Risk Management into both Council’s strategic planning processes and everyday operational activities.

4 Council has implemented the Pulse software solution to manage the Enterprise Risk Management Program.

5 Treatment of the high level strategic risks identified as part of the Enterprise Risk Management program will be considered annually as part of Council’s integrated planning and reporting processes.

PROCEDURE

The process for managing Council’s risk is consistent with the Australian International Risk Management Standard AS/NZS ISO 31000:2009 which is shown below. The Enterprise Risk Management toolkit provides the procedure to be utilised in the Enterprise Risk Management process.



RELATED POLICIES/DOCUMENTS

Orange City Council Enterprise Risk Management toolkit

Pulse Risk Management User Guide

AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, Australian Standard 2009

Local Government Act 1993

Responsible Area – Corporate and Commercial Services

REVISION

   DATE            RESOLUTION
1  16 April 2013   13/168
2  1 July 2014     14/799
3  17 Nov 2015     15/541
   3 July 2018     18/308


Summary of Amendments

Date          Amendments
April 2013    New policy
June 2014     Minor formatting updates
October 2015  Inclusion of Pulse software solution to the toolkit
April 2018    Formatting updates. Inclusion of Tool 4 into the toolkit – Project Risk Questionnaire. Replaced the ERM Committee with the Audit and Risk Management Committee in the toolkit. Replaced ERM Officer with Governance Coordinator.

Enterprise Risk Management Toolkit

Orange City Council Enterprise Risk Management Program Toolkit


TABLE OF CONTENTS

PART ONE - INTRODUCTION ......................................................................................................... 5

PART TWO – RISK FRAMEWORK ................................................................................................... 6

PART THREE – RISK CATEGORIES .................................................................................................. 9

PART FOUR – THE RISK MANAGEMENT PROCESS ........................................................................ 10

4.a COMMUNICATE AND CONSULT ..................................................................................... 11

4.b ESTABLISHING THE CONTEXT ........................................................................................ 11

4.c IDENTIFY THE RISK ........................................................................................................ 12

4.d ANALYSE THE RISK ........................................................................................................ 12

4.e EVALUATE THE RISK ...................................................................................................... 13

4.f TREAT THE RISK ............................................................................................................ 14

4.g MONITOR AND REVIEW ................................................................................................ 17

APPENDIX ONE - Definitions

APPENDIX TWO - Tools

Tool 1 – Risk Management Context .............................................................................. 20

Tool 2 – Stakeholder Register ....................................................................................... 21

Tool 3 – Risk Identification Tool ................................................................................... 22

Tool 4 – Project Risk Assessment Questionnaire ........................................................... 23


PART ONE - INTRODUCTION

Orange City Council is committed to a structured and systematic approach to the management of risk across the whole organisation. Council is adopting a proactive approach in committing resources and energy to implementing Enterprise Risk Management. Enterprise Risk Management (ERM) involves the management of risks that impact (either positively or negatively) on the achievement of organisational objectives. Council recognises that risks are an integral and unavoidable part of normal everyday life. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated.

The ultimate objective of the Risk Management Program is to embed the principles of risk management in all aspects of Council’s operations. It is recognised this is a long-term goal, and will require a phased implementation to ensure that risk management is effective and sustained across all of Council’s operations.

When effectively implemented and maintained, the management of risk enables us to –

a) Increase the likelihood of achieving objectives
b) Create an environment where employees have a key role in managing risk
c) Encourage proactive management
d) Be aware of the need to identify and treat risk
e) Improve the identification of opportunities and threats
f) Comply with relevant legal and regulatory requirements and good practice
g) Improve financial reporting
h) Improve governance
i) Improve stakeholder confidence and trust
j) Establish a reliable basis for decision making and planning
k) Improve controls
l) Effectively allocate and use resources for risk treatment
m) Improve loss prevention and incident management
n) Enhance health and safety performance and environmental protection
o) Improve loss prevention and incident management
p) Minimise losses
q) Improve organisational learning
r) Improve organisational resilience

The intent of this toolkit is to facilitate the implementation of ERM by providing a framework that integrates the process for managing risk into Council’s overall governance, integrated planning and reporting processes, policies, values and culture. The ERM process is based on the Australian Standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines. This standard provides the steps of the risk management process. Part Four of this toolkit provides a more detailed review of this Standard and how it is applied in the ERM process.

This program incorporates the CENTROC Enterprise Risk Management framework. Council’s ERM program is recorded in the Pulse software solution. This can be accessed via the link on the homepage of Council’s intranet. A Pulse User Guide is also available on the intranet.


PART TWO – RISK FRAMEWORK

a) Risk Management Framework ISO 31000:2009 identifies a number of components in implementing a Risk Management Framework, and provides a continuous improvement model to allow for ongoing monitoring, evaluation and improvement as the ERM program is implemented.

Council has committed to the ERM Program, and to the implementation of the program throughout all areas of Council. The implementation process will see a phased approach, with the program being introduced at the strategic planning level initially, as part of Council’s annual budgeting process. It is intended that over the first two years of implementation, workshops will be held with Council staff, to identify, analyse, record and treat all strategic and operational risks. These risks will be recorded in Council’s Enterprise Risk Management system in the Pulse software solution. Ongoing monitoring and review of the framework is vital in ensuring the program is as useful to Council as possible. Risk Action Plans will be developed, and the performance of actions identified in those Plans will be assessed as part of the performance appraisal process of management staff responsible for those Plans. The Manager Administration and Governance will be responsible for ensuring the ongoing maintenance and continual improvement of the Enterprise Risk Management Program.

[Figure: ISO 31000:2009 risk management framework cycle – Mandate and Commitment; Design of the framework for managing risk; Implementing risk management; Monitoring and reviewing of the framework; Continual improvement of the framework]


b) Risk Structure

The following diagram shows ERM as forming part of Council’s overall governance. The program will support Council to achieve the community’s vision for Orange.

c) Enterprise Risk Management Committee

Council has established an Enterprise Risk Management Committee, to:

- Develop, implement and review an effective enterprise risk management framework
- Review risk management framework for business continuity, disaster recovery, fraud and corruption prevention, security and privacy policies and practices
- Consider broad strategic risk and insurance issues
- Undertake annual reviews of key risk areas that impact across Council

The ERM Committee will meet as required, and make recommendations to the General Manager for consideration.


d) ERM Roles and Responsibilities

All levels of Council have a responsibility for managing risk, and a role to play in Enterprise Risk Management. The specific roles and responsibilities relating to Council’s ERM program are detailed below:

Council – Approve Council’s commitment to ERM by adopting the ERM Strategic Policy, allocate funding via the Integrated Planning and Reporting process incorporating the principles of ERM, and report to the community.

General Manager – Oversee the implementation of the ERM program and maintain strong leadership to assist Council and staff to integrate ERM into organisational culture.

Directors – Support implementation of the ERM program and take a proactive role in identifying risk and best practice, drive the ERM process, and provide leadership and direction across the Division.

Audit and Risk Management Committee – Undertake an annual review of the Corporate Risk Register and provide feedback. Provide feedback on risk related matters as required, including amendments to the ERM Policy and Toolkit.

Manager Administration and Governance – Drive the development, implementation and maintenance of the ERM program in conjunction with the General Manager, Directors and ERM Committee; coordinate the ERM committee; monitor and review the ERM program, including regular reporting on implementation.

Governance Coordinator – Assist in the ongoing operation of the ERM system across Orange City Council.

Line Managers – Take a proactive role in ERM operation in their area, maintain adherence to Action Plans and timeframes, monitor and review, ensure training and resources are available, and provide leadership and support in ERM implementation.

Supervisors – Implement and maintain ERM initiatives, maintain adherence to Action Plans and timeframes, monitor and review.

Staff – Be proactive in the ERM implementation and participate in risk identification, analysis and treatment processes, report unsafe acts or any conditions of risk, work to timeframes and comply with policies and procedures.


PART THREE – RISK CATEGORIES

To assist in the risk identification process, a number of risk categories have been developed. These categories are not designed to be exhaustive but as a guide for organising, identifying and reporting risks and findings.

Table 1 – Enterprise Risk Management Categories

Risk Category – Broad Definitions

Corporate Governance – Risks relating to the efficient and effective direction and operation of the organisation; risks to ethical, responsible and transparent decision making; corruption, fraud risks; risks to compliance with Council policy/procedure; risks relating to legislative compliance; legal matters.

Service Delivery – Risks to the operation of the organisation in providing services to the community; impact on assets or infrastructure; impact on projects.

Financial Management – Risks relating to any activity that results in either an increase or a decrease to expenses or revenue; impact on Delivery Program and Operational Plan.

Image and Reputation – Risks relating to generation of positive or negative publicity; deletion or creation of goodwill.

Political – Risks relating to public reaction; risks relating to activities that cause involvement by watchdog agencies such as ICAC; public pressure that impacts on decision-making.

Environmental – Risks relating to environmental impacts including pollution, climate change, natural climatic events, land use and the natural environment.

Health and Safety – Risks relating to accident, injury or illness to Council staff, Councillors, contractors, visitors or members of the public.

Employees – Risks to staff, recruitment, skill shortages, availability, management, morale, retention etc of Council employees.

Stakeholders – Risks relating to parties external to Council and their relationship/interaction with Council; impact of change; stakeholder expectations.

Projects – Risks relating to major projects - including planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, and contractor/consultant availability and management. Note: consideration and ratings must be given to all other risk categories for each Project.

NB. Projects may be of a strategic, operational or capital works nature. They are to be treated as a Project if deemed to be a Project by the General Manager.


PART FOUR – THE RISK MANAGEMENT PROCESS

The risk management process described in this section is to be used as the methodology for conducting strategic or operational risk assessments. The process is based on Australian Standard AS/NZS ISO 31000:2009. A definition of terms relating to ERM is contained in Appendix 1. Tools and templates referred to in this section can be found at Appendix 2.

AS/NZS ISO 31000:2009 Risk Management Process (diagram, shown here as an outline; Communicate and Consult and Monitor and Review run alongside every step):

ESTABLISH THE CONTEXT
- The internal context
- The external context
- The Risk Management context

IDENTIFY THE RISK
- Establish objectives
- Identify risks and causes
- What can happen, when, how and why?

ANALYSE THE RISK
- Identify existing controls/causes
- Determine consequences
- Determine likelihood
- Determine level of risk – inherent and residual

EVALUATE RISK
- Compare against criteria
- Set priorities

TREAT RISK
- Identify options
- Assess options
- Develop Action Plan
- Implement Action Plan


4.a COMMUNICATE AND CONSULT

Communication and consultation are important elements in each step of the risk management process. Ongoing risk management stakeholder engagement is crucial for success in identification and management of risk. Effective communication will ensure that those responsible for implementing risk management and those with a vested interest, understand the basis on which risk management decisions are made and why particular actions are required.

It is important that the communication approach recognises the need to promote risk management concepts across all management and staff. It is also important to consider the expectations and needs of stakeholders when identifying and assessing risk.

A template Stakeholder Register (Tool 2) can be found at Appendix 2. The Stakeholder Register should be used to identify relevant stakeholders and record stakeholder needs/expectations to be taken into account as part of the risk management process.

4.b ESTABLISHING THE CONTEXT

The purpose of this step is to define the context and scope for the risk assessment. This involves understanding both the internal and external environment. Reference should be made to the Risk Management Context template (Tool 1), found at Appendix 2.

The stage involves consideration of:

External Context

This should take into account the external environment in which Council operates, including:
- The physical environment Council operates within
- The business, social, regulatory, financial and political environment
- The Local Government Act and other legislation of key relevance
- The strengths and weaknesses of Council
- The threats and opportunities faced by Council
- Identification of the external stakeholders
- Social responsibility issues

Internal Context

An understanding of Council is important prior to undertaking the risk management process, regardless of the level. Areas to consider include:
- Organisational structure
- Organisational culture
- Risk culture - including risk appetite and risk tolerance
- Internal stakeholders eg. staff, volunteers
- Capabilities of Council eg. staffing, Councillors, work areas, locations, sites, IT systems etc
- The goals and objectives of the organisation
- The strengths and weaknesses of Council

Risk Management Context

The level of detail that will be entered into during the risk management process must be considered prior to commencement. The extent and scope of the risk management process will depend on the goals and objectives of the Council activity, which is likely to inform the budget, scope and importance that has been allocated. In each instance, consideration must also be given to the roles and responsibilities for implementing and undertaking the risk management process.


4.c IDENTIFY THE RISK

The next step is to identify the risks to be managed. Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. Identification should include risks whether or not they are under the control of the Council. A number of questions should be asked when attempting to identify risks. These include:

- What can happen? (event or cause)
- Where could it happen?
- When could it happen?
- Why would it happen?
- How can it happen?
- What does this lead to? (impact or consequence)

It is important to consider relevant objectives when answering these questions.

Risk Identification Methods

There are a number of different methods to identify risk, some of which may include:
- Brainstorming sessions with relevant stakeholders or staff
- Checklists developed for similar events/projects/activities
- An examination of previous events/projects/activities of this type
- Individual staff interviews
- Utilising relevant codes or standards

Risks can be entered directly into the Pulse Risk Management solution. Access Pulse via the link on the homepage of Council’s intranet. The Project Questionnaire tool (Tool 4) can be used to help identify risks found in Projects.

4.d ANALYSE THE RISK

Once all risks have been identified, we then analyse the risks. This involves assessing (a) the likelihood (with reference to the Likelihood Table – Table 2) of the risk actually occurring, and (b) the consequence (with reference to the Consequence Table - Table 3) on the operations or objectives if the risk event did occur.

Likelihood For Council, likelihood requires consideration of “frequency”, and is rated from rare to almost certain, as indicated in Table 2.

Two sets of Likelihood criteria have been established – one for Operational risks, and a second set to be applied to “Project” risk assessments.

Table 2 – Likelihood Table

Rating – Description (operational criteria) – Project criteria

Almost Certain Imminent or will occur within 1 to 6 months Project criteria: Highly likely to occur during the life of the project

Likely Expected to occur at least once in a 6 to 12 month period Project criteria: Likely to occur during the life of the project

Possible Will probably occur between 1 to 5 years Project criteria: Will possibly occur during the life of the project

Unlikely May occur every 5 to 10 years Project criteria: Unlikely to occur during the life of the project

Rare Not likely to occur within a 10 year period Project criteria: May occur in exceptional circumstances during the project


Consequence

When scoring the consequence associated with a risk, consideration needs to be given to its impact in terms of the risk categories (note, not all risk categories will be relevant for every risk) of:

- Corporate Governance
- Service Delivery
- Financial Management
- Image and Reputation
- Political
- Environmental
- Health and Safety
- Employees
- Stakeholders
- Projects (if deemed to be a “Project” by the General Manager)

The impact scale is rated from “negligible” to “severe” as indicated in the Consequence Table (Table 3). In determining the overall consequence score for each risk, the highest individual score should be applied. The Consequence Table provides specific examples on the types of incidents and their associated impact scale, as indicators to assist staff in determining the Consequence rating that applies to the identified risk.

Inherent and Residual Risk Rating

The initial risk rating (assuming no controls are in place) for each risk is calculated by plotting the inherent likelihood and inherent consequence response scores on the Risk Rating Table (Table 4) to give an Inherent Risk Rating of 1 to 5. This rating provides a measure of the inherent level of risk (no controls in place) and will assist in identifying the risks that require further treatment. The Residual Risk Rating is the rating applied (Table 4) when the preventative and corrective controls are taken into consideration. When determining residual rating, consideration should be given to whether the actions proposed (should the risk eventuate) are sufficient. This will determine whether or not the residual risk is within Council’s adopted tolerance levels.


Table 3 – Consequence Table

Parameters in the following table specify the consequences if an identified risk was realised. Entries are grouped by Negative Risk Rating, and each line gives the Category of Risk followed by the indicator for that rating.

Severe
- Corporate Governance: Widespread policy/legislative non-compliance/failure
- Service Delivery: Critical operational service failure/loss of delivery >3 days
- Financial Management: >10% of program/project budget, or $1 overspend of grant
- Image and Reputation: Severe negative national, and state coverage
- Political: Severe concern/intervention by DLG/loss of grant
- Environmental: Uncontained damage with major impact/major fine/public reaction
- Health + Safety: Death or serious injury
- Employees: Severe lack of skills/availability; increase in grievances/absences
- Stakeholders: Severe stakeholder concern/reduction or withdrawal of support
- Projects: Severe or ongoing gaps or variations in planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, sub-contractor availability and management

Major
- Corporate Governance: Systematic policy/legislative non-compliance
- Service Delivery: Major operational service failure/loss of service delivery >1 day
- Financial Management: >5% of program/project budget
- Image and Reputation: Extensive state and local coverage
- Political: Serious concern/loss of credibility/involvement by authorities
- Environmental: Major breach or impact/fines/Govt reprimands
- Health + Safety: Serious injury/long term hospitalisation
- Employees: Major lack of skills/availability; increase in grievances/absences
- Stakeholders: Major stakeholder concern/reduction or threat of withdrawal of support
- Projects: Major or ongoing gaps or variations in planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, sub-contractor availability and management

Moderate
- Corporate Governance: Frequent policy/legislative non-compliance
- Service Delivery: Moderate operational service failure/loss of service delivery >3 hours
- Financial Management: >2.5% of program/project budget
- Image and Reputation: Moderate local coverage
- Political: Moderate concern/loss of credibility/ministerial correspondence
- Environmental: Moderate breach or impact/Govt reprimands
- Health + Safety: Moderate injury/may require short term hospitalisation
- Employees: Moderate lack of skills/availability; increase in grievances/absences
- Stakeholders: Moderate stakeholder concern/rectification action required
- Projects: Moderate gaps or variations in planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, sub-contractor availability and management

Minor
- Corporate Governance: Isolated policy/legislative non-compliance
- Service Delivery: Loss of operational service delivery >1 hour
- Financial Management: >1.25% of program/project budget
- Image and Reputation: Minor local coverage
- Political: Isolated loss of credibility/concern from government agencies
- Environmental: Minor breach or impact/some minor complaints
- Health + Safety: Minor injury, may require first aid
- Employees: Minor lack of skills/availability; increase in grievances/absences
- Stakeholders: Minor stakeholder concern/action required
- Projects: Minor gaps or variations in planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, sub-contractor availability and management

Negligible
- Corporate Governance: Rare policy/legislative non-compliance
- Service Delivery: No loss of operational service delivery
- Financial Management: >0.75% of program/project budget
- Image and Reputation: Little or no coverage
- Political: Negligible concern/loss of credibility
- Environmental: Negligible breach/impact/complaint
- Health + Safety: Negligible or no injury
- Employees: Negligible lack of skills/availability; increase in grievances/absences
- Stakeholders: Negligible stakeholder concern
- Projects: Negligible gaps or variations in planning, scheduling, scope, procurement, design, quality, repairs & maintenance, materials, sub-contractor availability and management


Table 4 – Inherent and Residual Risk Rating Table

Rows give the Likelihood, columns the Consequence; the cell is the risk rating (1 = Severe ... 5 = Negligible).

Likelihood       Severe  Major  Moderate  Minor  Negligible
Almost Certain     1       1       2        4        5
Likely             1       1       2        4        5
Possible           1       1       3        5        5
Unlikely           2       2       4        5        5
Rare               3       3       4        5        5

4.e EVALUATE THE RISK

The purpose of this step is to develop a prioritised list of risks requiring attention.

When the risk has been rated, the residual risk level needs to be compared with management’s acceptable level of risk (risk appetite) (Table 5 - OCC Target Risk Ratings). The ERM System in Pulse will identify whether or not the residual risk falls within the risk tolerance.

If a negative risk (threat) level is at or below management’s target risk rating then the risk is at an acceptable level and no additional risk treatment is required at this stage. This risk would be managed by ongoing monitoring to ensure no escalation of the risk.

If a negative risk (threat) level is above management’s target risk rating then the risk is at an unacceptable level and additional risk treatments may be required to reduce the risk to management’s acceptable level.

Table 5 – Orange City Council Target Risk Ratings

Risk Category – Willingness to Accept Risk (Severe / Major / Moderate / Minor / Negligible)

Corporate Governance

Service Delivery

Financial Management

Image and Reputation

Political

Environmental

Health and Safety

Employees

Stakeholders

Projects

Target Risk Ratings

Orange City Council aims to encourage a culture of identifying and pursuing opportunities that benefit Orange City Council, whilst also managing risks associated with such pursuits.

The above Target Risk Ratings (Table 5) have been established to ensure measures are in place to reduce our potential exposure to risks whilst allowing us to pursue opportunities and achieve our objectives.


4.f TREAT THE RISK

Treating the risk requires identifying a range of options, evaluating the options and developing additional controls for implementation.

Selecting the most appropriate option involves balancing the costs of implementing each option against the benefits derived from it. It is important to consider all direct and indirect costs and benefits whether tangible or intangible.

The objective is to acknowledge and manage risks in operational areas, or throughout the life of a project, and to ensure changes are monitored from a risk perspective. The aim is not to eliminate all risk but to ensure that the risk is maintained at a level tolerable to Council’s risk appetite and target risk ratings, in a cost effective manner. Risks must be addressed within the resources available.

The Risk Action Table (Table 6) clearly outlines what treatments are required for each risk rating.

Table 6: Risk Action Table

Rating | Action Required by the Risk Owner

1 Severe | Requires immediate attention of the relevant Director, the General Manager and the Steering Committee (where established). Detailed consultation, research, risk identification and reduction options to be investigated, with a detailed action plan designed and implemented immediately.

2 Major | Requires urgent attention of the relevant Director and the Steering Committee (where established). Risk control measures required.

3 Moderate | Manager responsible for the risk to implement an action plan within appropriate/established timeframes. Further risk control measures may be required. Manager to monitor and review the risk and action plan to ensure no escalation of the risk.

4 Minor | Manager responsible for the risk to implement any action plan measures, and to monitor and review the risk to ensure no escalation of the risk.

5 Negligible | Manager responsible for the risk to monitor and review.

Risk treatment or controls can be either preventive controls, designed to reduce the likelihood of the risk occurring, or corrective controls to be implemented if the risk does occur. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Select the best options in terms of feasibility and cost effectiveness. The options can include the following:

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk

Taking or increasing the risk in order to pursue an opportunity

Removing the risk source

Changing the consequences

Changing the likelihood

Sharing the risk with another party or parties (including contracts, insurance, and risk financing)

Retaining the risk by informed decision

A number of treatment options can be considered and applied either individually or in combination; the organisation can normally benefit from adopting a combination of treatment options.

The Corporate Risk Register and all Operational Risk Areas are recorded in the ERM System in Pulse. Actions planned to manage a risk are to be recorded in Pulse as a "task" and allocated to the appropriate staff member, with a timeframe included.


4.g MONITOR AND REVIEW

Risk monitoring and review is an integral step in the risk management process. It enables Council to proactively identify changes in the risk profile and adjust the organisational response as required. Continuous monitoring and review of the external and internal risk environment is required to help shape the context and understanding of our risk profile, to track changes in risk ratings, to identify new risks, and to take risks off the radar. It also allows us to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies.

Risk monitoring and review is a continuous process. It is essential that our risk priorities and risk management plans remain relevant in a changing environment, and that risk management is responsive to change.

Risks and their associated tasks require the relevant staff member to monitor them and provide updates on progress. Reports can be generated from the Pulse system that indicate progress, risks above tolerance and tasks to be completed.

Strategic and operational risks will be reviewed annually as part of Council's Strategic Planning processes. In major projects, a review of risks throughout the project life is an essential component. Project Managers will be assessed on their delivery of a project in terms of timeframes, budgets and risk management.


Appendix One

DEFINITIONS

Control An existing process, policy, device, practice or other action that acts to minimise negative risk or enhance positive opportunities. Note: The word ‘control’ may also be applied to a process designed to provide reasonable assurance regarding the achievement of objectives.

Control measures These may include hierarchy of controls, risk aversion, reduction in risk likelihood, reduction of consequences (impacts) of risk, transfer of responsibility (or ownership) of risk, retention of risks.

Inherent risk This is more commonly described as the inherent risk rating, which is a subjective measure of the threat of a risk on a profile based on its inherent likelihood and inherent consequence measures, without considering the effectiveness of controls. This produces a score that indicates the worst-case exposure range in the event that there are no controls in place, or the controls fail to take effect during a risk event. Note: Assess the likelihood and consequence of the risk occurring WITHOUT any controls in place. The inherent risk rating is thus calculated on these assumptions.

Likelihood Used as a general description of probability or frequency. Note: Can be expressed qualitatively or quantitatively.

Measure of success Such measures include costs, reductions in impact and/or likelihood, and reductions in occurrence.

Target Risk Rating A rating that Council establishes for risks to be maintained at or below, set for each Risk Category. Additional controls are usually called for if the Residual Likelihood and/or Residual Consequence are still at unacceptable levels.

Task Action to be undertaken to manage a risk

Project A project may be of an operational or capital works nature, and is defined as a Project if deemed so by the General Manager.

Project Risk Management A process that assists to identify, and realise or treat, risks found in Projects.

Residual risk A subjective measure of the threat of a risk on a profile based on its Residual Likelihood and Residual Consequence measures, giving the remaining level of risk after risk treatment measures have been taken or considered. Residual Risk can only be claimed if the controls work to reduce the risk and/or its consequences to the level that is expected. These controls can be currently in place, in progress or planned as a task for future completion. Note: Assess the likelihood and consequence of the risk occurring WITH controls in place. Therefore, the Residual Risk Rating should be lower than the Inherent Risk Rating.

Risk The chance of something happening that will have an impact on objectives. It is measured as the product of the likelihood of occurrence and the impact. Risk may have a positive or negative impact, and may include:

Commercial and legal relationships

Damage to property/equipment

Economic circumstances and scenarios

Environmental

Equipment/system failures

Financial/economic loss/failure

Management activities and controls

Natural disasters/events

Work Health and Safety (including disease)

Political events/circumstances

Professional incompetence

Security failure (including criminal or terrorist activities)

Technological issues


Risk analysis A systematic use of available information to determine the occurrence rate of events and the magnitude of the consequence.

Risk appetite The tolerance or attitude that an Organisation, or part of it (e.g. a project), has for risk: how conservative the Organisation is towards taking on new opportunities, and what its attitude is to the potential impacts of risk.

Risk assessment The overall process of risk identification, risk analysis and risk evaluation

Risk avoidance A decision not to become involved in, or to withdraw from, a risk situation.

Risk control Part of risk management that involves the implementation of actions, policies, standards, procedures and physical changes to eliminate or minimise adverse risks. Controls can be distinguished into those that prevent the risk (preventative controls) and those that assist in recovering from the adverse incident as quickly and effectively as possible (corrective controls).

Risk identification The process of determining what, where, when, why and how something could happen.

Risk management Developing the techniques, culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk management process The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk priorities Assigning a value to each identified risk using the available tools and an assessment of its consequences and likelihood.

Risk rating Subjective measures of exposure, derived by assessing estimates of likelihood and consequences. Note: Relates to both Inherent Risk and Residual Risk.

Risk reduction Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.

Risk register A register of all identified risks and documentation of the strategies/plans in place to deal with any event/incident which might occur.

Risk retention Acceptance of the burden of loss, or benefit of gain, from a particular risk.

Risk sharing Sharing with another party the burden of loss, or benefit of gain from a particular risk. Note 1: Legal or statutory requirements can limit, prohibit or mandate the sharing of some risks. Note 2: Risk sharing can be carried out through insurance or other agreements. Note 3: Risk sharing can create new risks or modify an existing risk.

Risk transfer Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means.

Risk treatment Selection and implementation of appropriate options for dealing with risk. The most commonly used terms for these are avoid, reduce, transfer, accept and retain.

Stakeholders Stakeholders may include all those individuals and groups both inside and outside the organisation, which have some direct interest in the organisation's behaviour, actions, products and services. They may include:

Employees at all levels of the Organisation

Other public sector Organisations or Ministers

Union and association representatives

Boards of management

Community groups


Appendix Two

Tool 1

RISK MANAGEMENT CONTEXT

Area of Risk or Project being assessed

Position responsible for risk assessment

Business area that owns this risk assessment

Risk assessment undertaken by

Date initial risk assessment undertaken

Date(s) Risk Review undertaken and Risk Register/Action Plan updated

Short description of the internal/external context (environment) of the risk management scenario

Provide outline of the possible stakeholders/project sponsors in this scenario (input from Tool 2)

Describe your objectives in relation to this above scenario

Document any assumptions or comments being made in regard to the above scenario

(For projects) Project Team/Steering Committee Members


Tool 2

STAKEHOLDER REGISTER

Area of Risk or Project being assessed

Stakeholder What are their interests/needs/consultation requirements?


Tool 3

RISK IDENTIFICATION TOOL

Area of Risk or Project being assessed

Description of Risk

Risk Owner

Risk assessment undertaken by

Date initial risk assessment undertaken

Date(s) Risk Review undertaken and Risk Register/Action Plan updated

If a Risk Review – what has changed and why?

Risk Category: Corporate Governance, Service Delivery, Financial Management, Image and Reputation, Political, Environmental, Health and Safety, Employees, Stakeholders, Projects

Comments

Cause (Why would it happen?)

Consequence (What does the risk lead to?)

Where could it happen?

When?

How?

Risk Stakeholders?


Tool 4

Orange City Council

Project Risk Assessment Questionnaire

Project name:

Prepared by: Date:

Instructions for using this document

Project Risk Assessment Questionnaire

This template is to be used in conjunction with the following

o Enterprise Risk Management Toolkit

o Operational/Project Risk Register (in Pulse)

o Corporate Risk Register (in Pulse)

This questionnaire is to be used to start to identify risks that will impact the project, and the level of threat or opportunities to the project’s success. Customise the questionnaire by adding to the list other questions or characteristics that may apply to your project.

Characteristics are grouped into typical categories of project and enterprise risks, namely:

1. Corporate Governance

2. Service Delivery

3. Financial Management

4. Image & Reputation

5. Political

6. Environmental

7. Health & Safety

8. Employees

9. Stakeholders

10. Projects

Negligible, moderate and severe risk ratings are assigned to descriptions of each project characteristic. For each characteristic, choose the phrase that best describes your project at the time of assessment.

The completed questionnaire will identify some of the project’s risk factors. These risks should then populate your Project Risk Register and Action Plan to formally assess risk levels in greater detail and in accordance with the ERM Toolkit; record control measures of each risk where required; and ensure risks are being managed within acceptable OCC Risk Target Ratings.

Risks and Action Plans are to be monitored, reviewed and regularly reported against to the Project Manager, or Steering Committee (if established).


Risk Assessment Questionnaire

Characteristics | Negligible Risk (N) | Moderate Risk (M) | Severe Risk (S) | Rating (N, M, S)

1 Corporate Governance

1.1 Project is approved under corporate strategic planning process and in line with the adopted Delivery and Operational Plan:

Yes No

1.2 Legislative and corporate requirements, including approvals are:

Identified, understood, straightforward and documented

Somewhat identified, understood, or are subject to change

Not identified or very complex

1.3 Contractual and/or funding agreement obligations are:

Identified, understood, straightforward and documented

Somewhat identified, understood, or are subject to change

Not identified or very complex

1.4 Proposed form of contract (eg. Design & Construct, lump sum, schedule of rates) for project delivery is:

Agreed, understood, straightforward and documented

Involves several forms of delivery, but is agreed and understood.

Not identified, or very complex delivery method (eg. PPP, turn key)

1.5 Levels of authority, including procurement, are clear

Yes, and they have been formally communicated

Somewhat known, but need to be formally communicated

Not clear

1.6 The impact on organisational procedures, process, policies or changes as a result of this project is:

Zero, or only minor changes

Moderate changes only

Major changes, or unknown at this time

2 Service Delivery

2.1 Feasibility of the project has been investigated and is:

Formally assessed as a low risk project.

Assessed as a medium risk project.

Not assessed, or assessed as high risk project.

2.2 Are staff and appropriate skills available to run the project, or deliver outcomes, post-completion?

Yes. Requirements identified and resources already in place.

Partially, with minor resourcing or training still required.

Unknown, or resources and staff need to be acquired or trained.

2.3 How would you rate the operational readiness level for post-project completion roll-out?

High - policies, procedures, equipment etc all in place

Moderate – more planning required

Low. Stakeholders(s) passive and hard to engage, policies, procedures, equipment etc not in place

2.4 Is there a risk that a competitor may enter the market and impact service or feasibility of this project?

Unlikely Possible Likely

3 Financial Management

3.1 Project funding:

Is greater than estimated cost and is expected to be stable

Is adequate and expected to remain relatively stable

Is less than estimated and/or its stability is highly uncertain

3.2 The risk of any grant(s) for this project being withdrawn is:

Low Medium High

3.3 The project budget is based upon use of a proven successful cost estimation process, used by personnel with estimation qualifications and experience:

Yes. Proven estimation process with qualified, experienced estimation personnel

Some qualifications, experience or process

No. Estimates not established by personnel with any experience at this level, nor any proven process



3.4 Project budget has been completed to a high level of detail and is not based on a cost plan only:

Yes

Cost plan has been expanded with some detail

No. Cost plan only has been completed

3.5 The budget has been updated: Within the last six months, and includes all changes in scope to date

Within 12 months, and includes all changes in scope

More than 12 months ago, or does not include all changes in scope to date.

3.6 Project cash flow has been established and approved:

Yes

Yes, although it is complex and will require regular updating

No, or includes large sums of money which will require close monitoring and regular updates.

3.7 A financial sensitivity analysis has been considered and documented (i.e. factoring in interest rates on loan funding, market adjustments, CPI or relevant index, etc.):

Analysis documented, and no concerns noted.

Analysis documented, and some concerns noted.

Analysis not undertaken, or undertaken and major concerns noted.

3.8 Has the financial capacity of all contractors/consultants been formally investigated?

Yes, and evidence has been provided to support their financial viability

No due diligence has been undertaken, or there are major concerns as to their financial viability

3.9 Does the project require complicated or large amounts of security from the contractor(s)?

No

Yes, large amounts of security required

Yes, complicated types of security required.

3.10 Is the project subject to penalty clauses and potential damages payments?

No Yes

4 Image and Reputation

4.1 Could our performance on previous projects affect funding on this project?

No Possibly Yes

4.2 Could the quality of the outcome of this project affect Council's reputation?

No Possibly Yes

4.3 The community perception/ understanding of this project is:

Supportive

Moderate

Unknown, or unclear/unsupportive

4.4 The community perception of Council’s risk on this project is:

Supportive

Moderate

Unknown, or perception that risk is too high or too conservative

5 Political

5.1 The political perception of Council’s risk on this project is:

Supportive

Moderate

Unknown, or perception that risk is too high or too conservative

5.2 Is there a chance of a change in Federal, State or local government during the life of this project?

No Possibly Yes

5.3 Are there likely to be political timing pressures on this project ie. to bring forward or defer?

No Possibly Yes



5.4 Is there potential for this project to be affected by a change of priorities as part of Council's regular assessment of projects and priorities?

No Possibly Yes

5.5 Is there potential for this project to be impacted by community or lobby groups?

No

Possibly, but not in a significant way

Yes – potentially in a significant way

6 Environmental

6.1 Is there potential for environmental pollution of any kind from this project?

No Possibly, but of a minor nature

Yes, potentially of a significant nature

6.2 Are there environmental risks if the project does not proceed?

No Yes, but moderate impact only

Yes, potentially of a significant nature

6.3 Are there sustainability or efficiency considerations that need to be factored into this project?

No Yes, moderate considerations

Yes

6.4 Project location is adjacent to environmentally sensitive area(s)

No Yes, but will have minimal impact

Yes, located within environmentally sensitive area

6.5 Does this project require rehabilitation work to be undertaken now or some time in the future?

No

Yes, moderate work required

Yes, significant work required

6.6 Community perception/understanding of environmental issues is:

Very clear

Somewhat clear

Unknown, or unclear/unsupportive

6.7 Are there potential implications of carbon tax and other environmental legislative changes/requirements on this project?

No or insignificant Yes, but moderate impact only

Yes, potentially of a significant impact

7. Health & Safety

7.1 Does WorkCover need to be consulted on this project?

Not needed

Yes, but has been consulted and ongoing consultation is occurring

Yes. Consultation still to take place.

7.2 Have site safety assessments been undertaken? Yes No

7.3 Have site inductions been completed? Yes No

7.4 Has the requirement of AS4801 accreditation of contractors been agreed (if applicable)?

Not required

Is required, but could be delivered under OCC Tech Services systems

Is required by one or more contractors

7.5 Is the project located within an operational or public area?

No

Yes, but of minimal impact

Yes, and the area has high activity, e.g. airport, aquatic centre

7.6 Does the project involve high risk activities that require licensing eg. asbestos, demolition, confined spaces?

No

Yes, but with minimal impact

Yes, large quantities and/or the location of work creates higher risk

7.7 Does the project involve the alteration of major city infrastructure eg. dam, water treatment plant?

No

Yes, requires planned shutdowns and/or temporary services to be established



7.8 Are there issues of staff welfare on this project that need to be considered and addressed?

No

Yes, but of minimal impact

Yes, with potential for significant impact

8 Employees

8.1 The Project Manager’s experience and training can be described as:

Highly qualified/experienced, with recent success in managing projects similar to this one in scope and budget

Experienced, with recent success in managing a project not similar to this one

No recent experience or project management training

8.2 The project team is:

Located together

Dispersed at multiple sites

8.3 Describe the experience of project personnel with the tools and techniques to be used.

Trained and experienced in use of tools and techniques

Formal training in use of tools and techniques but limited practical experience

No formal training or practical experience in use of tools and techniques

8.4 Are authority levels and roles and responsibilities clear, and have they been formally communicated?

Yes

Somewhat, but need further clarification in writing

No

8.5 Is there a risk of loss of critical personnel during this project?

Rate internal and external personnel.

Internal – Unlikely

External – Unlikely

Internal – Possible

External – Possible

Internal – High

External – High

8.6 Is the Project team’s time dedicated and adequate for this project?

Yes

Part time only; have other project(s) but no conflict

Part time only, have other project(s) that could create conflict.

8.7 Are contractors/consultants required and committed to the project?

No contractors/consultants are required

Yes – some contractors/consultants are required (less than 50% of work) and are expected to be signed before start of project

Yes – project will be staffed by over 50% contractors/ consultants and/or commitment is not expected to be signed prior to the start of project

8.8 If using contractors'/consultants' expertise:

The contractor(s) are very experienced in this field

The contractor(s) have some experience in this field

The contractor(s) are new to this field

8.9 Have key contractors/consultants been individually identified and their time commitments/expectations on this project confirmed in writing?

Yes No

9 Stakeholders

9.1 The project stakeholder(s) are:

Identified, committed and enthusiastic

Not identified or not enthusiastic

9.2 The number of stakeholder groups this project will affect is:

1 or 2 (minor impact)

3 or 4 (moderate impact)

5 or more (significant impact)

9.3 Stakeholders' perception/understanding of the project is:

Very clear and supportive

Somewhat clear

Unknown, or unclear/unsupportive

9.4 A consultation and communications plan has been documented and communicated to all parties:

Yes

Somewhat, but needs further clarification in writing

No

10 Projects

10.1 The scope of the project is:

Well defined and understood

Defined, but subject to change

Poorly defined and/or likely to change

10.2 The requirements of the project are:

Understood and straightforward

Understood, but subject to change

Vague or very complex

10.3 Project duration is estimated at:

Less than 3 months

3 months to 12 months

Greater than 12 months

10.4 The project’s major milestones and operational dates are:

Flexible or known.

Pre-established, and missed dates may affect the business in a moderate way.

Fixed by a specific commitment or requirements beyond the team’s control.

10.5 The design of the project is:

Finalised, understood and straightforward

Somewhat identified, understood, but needs further refining, or is subject to minor changes

Not prepared or finalised, or very complex

10.6 Quality requirements of the project are understood?

Yes

Yes, but they are complicated and the project team may require expert assistance

No or are complex

10.7 Products/technology being utilised is:

Mature (existing), widely used on previous projects and well researched and understood

Emerging. Somewhat known or limited use previously

Leading edge (new), or complex, or previously unused by Council

10.8 Materials required are:

Identified, and readily available

Unidentified, or difficult to source

10.9 The method of tendering has been considered, agreed and approved by Council or relevant Director?

Yes

Yes, although complicated and involves numerous forms of tender

No, or very complex

10.10 The tender evaluation panel and evaluation criteria has been considered, agreed and approved?

Yes

Yes, although complicated

No, or very complex