ENTERPRISE RISK MANAGEMENT NARACOORTE · 2015-12-17
NLC Enterprise Risk Management Guidelines
NLC Enterprise Risk Management Guidelines, Version no. 2, December 2015 Policy document reference 104 2 of 45
Contents
INTRODUCTION .................................................................................................................. 3
1. Enterprise Risk Management Principles .................................................................... 5
2. The Enterprise Risk Management Framework .......................................................... 5
3. The Risk Management Process ................................................................................. 8
4. Establishing the context ............................................................................................. 9
5. Key Stakeholders ....................................................................................................... 9
6. The Business Objective ........................................................................................... 10
7. Key Phases and Key Processes .............................................................................. 10
8. Risk Assessment ..................................................................................................... 12
9. Risk Identification ..................................................................................................... 12
10. Risk Categories ........................................................................................................ 13
11. Risk Analysis ............................................................................................................ 14
12. Assess Consequence and Likelihood ...................................................................... 14
13. Determine Risk Level ............................................................................................... 20
14. Risk Evaluation ........................................................................................................ 21
15. Risk Treatment ......................................................................................................... 22
16. General .................................................................................................................... 22
17. Selection of Risk Treatment Options ....................................................................... 22
18. Preparing and Implementing Continuous Improvement Plans ................................. 23
19. Monitoring and Review ............................................................................................ 24
20. Scanning Risk Sources ............................................................................................ 25
21. Risk Monitoring and Reporting ................................................................................. 25
22. Review of the Risk Profile ........................................................................................ 26
23. Emerging Risk Identification .................................................................................... 27
24. Executive Risk Reporting ......................................................................................... 27
25. Review of the Risk Management Framework .......................................................... 28
26. Reporting to the Audit Committee ............................................................................ 29
27. Communication and Consultation ............................................................................ 29
28. References ............................................................................................................... 30
Appendix 1 – Risk Register ............................................................................................... 31
Appendix 2 – Sample Template Risk Record (optional) .................................................... 36
Appendix 3 – Aligning Risk Management to Strategic and Business Planning, Budgeting and Performance Management ......................................................................................... 37
Appendix 4 – Definition of Terms ...................................................................................... 44
Appendix 5 – Roles and Responsibilities .......................................................................... 45
INTRODUCTION
The Naracoorte Lucindale Council (NLC, the Council) is committed to a structured and
systematic approach to the management of risk across the whole organisation in accordance
with current industry standards and best practice.
Enterprise Risk Management (ERM) involves the management of risks that impact (either
positively or negatively) on the organisational strategies used to achieve corporate
objectives.
During our normal day to day activities we face internal and external factors and influences
that make it uncertain whether, when and the extent to which we will achieve or exceed our
objectives. The effect this uncertainty has on our objectives is “risk”.
Each and every one of us has a responsibility for managing risk.
All our activities involve risk. We manage risk by anticipating, understanding and deciding
whether to modify it. Throughout this process we communicate and consult with stakeholders
and monitor and review the risk and the controls that are modifying the risk.
Risks will always continue to emerge due to the increasing complexity and scope of our
operations, the changing nature of our environment and our relationships with stakeholders,
and the increasing need for accountability.
Risk Management is an integral part of good business practice and involves the
implementation of cost effective strategies such as foreseeing opportunities and/or potentially
damaging events, implementing risk treatment actions, and providing decision makers with
information to effectively assess potential risks.
Enterprise Risk Management (ERM) encapsulates the extension of Risk Management from a
purely business unit focus to an organisational wide operational and strategic focus. This is
designed to identify the whole range and relative priority of risks that have to be managed by
the organisation as a whole and allow all reasonable steps including any necessary action at
Executive level to help ensure these risks are adequately managed.
When effectively implemented and maintained, the management of risk enables us to:
a) increase the likelihood of achieving objectives
b) encourage proactive management
c) be aware of the need to identify and treat risk throughout the Council
d) improve the identification of opportunities and threats
e) achieve compatible risk management practices between our own business units and
between us and other organisations
f) comply with relevant legal and regulatory requirements and good practice
g) improve financial reporting
h) improve governance
i) improve stakeholder confidence and trust
j) establish a reliable basis for decision making and planning
k) improve controls
l) effectively allocate and use resources for risk treatment
m) improve operational effectiveness and efficiency
n) enhance health and safety performance as well as environmental protection
o) improve loss prevention and incident management
p) minimise losses
q) improve organisational learning
r) improve organisational resilience
The intent of these guidelines is to facilitate the implementation of the ERM policy by
providing a framework that integrates the process for managing risk into our overall
governance, strategy and planning, management, reporting processes, policies, values and
culture, in a manner that is holistic, inclusive and consistent.
Risk management is compulsory under the Naracoorte Lucindale Council's Enterprise Risk
Management policy. These guidelines are provided to assist in the implementation of that
policy and should be used as a guide only. However, the risk methodology used to manage
risk must be documented. These guidelines and the policy are located on the NLC network.
1. ENTERPRISE RISK MANAGEMENT PRINCIPLES
The following Enterprise Risk Management Principles have been endorsed by the Naracoorte Lucindale Council for use throughout the council.
1. The Executive is committed to a management culture that embeds enterprise risk management in all council processes.
2. The Executive and each department will manage risk consistent with the agreed set of ERM principles and NLC ERM guidelines.
3. ERM forms part of all policy and operational decision making.
4. ERM is integral to planning and budgetary processes and is reflected in performance management agreements of senior executive staff.
5. Executive and departmental level risks are monitored, reviewed and subject to regular reporting based on the best available information.
6. ERM addresses uncertainty and at the Executive level means ‘aim for no surprises’.
7. Stakeholder relations and engagement will be risk managed in relation to any change management activity.
8. ERM processes and tools will focus on ‘ease of use’ and integration into existing activities.
2. THE ENTERPRISE RISK MANAGEMENT FRAMEWORK
The Enterprise Risk Management (ERM) Framework helps to ensure that risk is managed across the council in a holistic manner, is integrated into our culture, business practices and business plans, is inclusive of all levels of staff and is applied in a consistent manner.
ERM supports the needs of the council at both the Management level as well as the operational level. A two-tier collaborative risk model is shown in Figure 1, which involves strengthening and enhancing risk governance and management practices at both Management and operational levels.
The approach to governing the risks at the portfolio level recognises the diverse nature of the departments’ activities and risks and therefore, should be tailored to the departments’ operations.
A principles-based approach (see previous page) to managing risks within the departments will provide the required flexibility at departmental level while still enabling us to achieve a minimum required consistency of risk management across the council and enabling operations to demonstrate effectiveness of risk management activities.
Risks are escalated to Council based on consideration of the NLC-wide risk environment including stakeholder expectations, community concerns, government reputation, senior management interventions, and as identified by the Audit Committee.
Figure 1: Two Tier Collaborative Risk Model (Executive Risk Governance and Operational Risk Governance, linked by a combined top-down/bottom-up approach)
The ERM framework has focus in the following areas:
Strategic or Transient Risks – risks associated with carrying out our business objectives as articulated in high level plans, with major programs/initiatives, and with strategies that are transient or short term in nature. Risks are identified, documented (usually in a risk register) and managed using structured processes at all business unit levels (Council wide, departmental, regions, directorates and other business units). Corporate reporting systems are used to report achievement of objectives and management of identified risks. For information and guidance on reporting templates and how to create a risk register refer to Appendices 1 and 2.
Operational or Business-As-Usual Risks – this relates to the management of risks associated with day to day business or operational activities. Risks are identified, documented (usually in a risk register) and managed using structured processes at the business unit’s operational level. Existing reporting systems are used to report achievement of objectives and management of identified risks.
To support both strategic and operational risk management, we have established specific policies, procedures and guidelines to help ensure effective management of risks which include but are not limited to:
o business continuity
o volunteers
o corruption prevention
o emergency planning & response
o work health & safety
o project management
o safety and security for users of council facilities
o hire of council equipment
o building construction
o road repairs and construction
The ERM framework provides consistent and ongoing processes for identifying, analysing, treating/responding to, monitoring and reporting on risk, so that any changes in risk exposures or areas requiring immediate action are highlighted promptly and appropriate improvement actions can be implemented.
The framework provides for the identification and assignment of risk ownership to those who have the authority and responsibility to help ensure it is managed effectively.
The following section illustrates the risk management process itself.
For information and guidance on how to integrate risk management with strategic and business planning, budgeting and performance management refer to Appendix 3.
3. THE RISK MANAGEMENT PROCESS
Enterprise Risk Management (ERM) involves the management of risks that impact on the
organisational strategies used to achieve corporate objectives.
The process described in this section can be used as a methodology for conducting
strategic or operational risk assessments.
Details of all risks within a business unit or initiative should be recorded in a risk register.
The ERM process that we use is based on Australian Standard AS/NZS ISO 31000:2009
Risk management - Principles and Guidelines. This Standard provides the steps of the
risk management process as shown in the diagram below. Definitions of terms relating to
risk management are contained in Appendix 4. The numbers in the diagram represent the
sections in this document.
Figure 2: Risk Management Process
(Adapted from AS/NZS ISO 31000:2009 Risk management - Principles and Guidelines)
(Figure 2 step labels: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4, 3.5)
4. ESTABLISHING THE CONTEXT
The purpose of this step is to define the context and
scope for the risk assessment.
This involves understanding the internal and external
environment in which risks occur including strategic,
operational, financial, competitive, stakeholder,
social, cultural and legal aspects of your functions.
This will provide the structure for the risk assessment
tasks that follow.
In this step you will need to identify the business
objectives and the strategies or key processes
developed to achieve the business objectives.
Below are some possible environmental characteristics that may affect the risk context.
1. Short timeframe to achieve actual results
2. In-house capacity limits in resources and skills/expertise to undertake all aspects of project
3. Interdependencies with other major initiatives
4. Cross departmental impacts
5. Reliance on infrastructure capacity external to the organisation
6. Impact of unforeseen circumstances
7. Market trends and competition
8. Economic factors
9. Completion of capital works
10. Environmental conditions or influences
11. Community awareness and support
5. KEY STAKEHOLDERS
Key stakeholders have a significant role in risk identification as they have a vested interest in the outcomes. They include but are not limited to the following:
1. Community
2. Business owners
3. LCLGA
4. Adjoining councils
5. Community Groups
6. Ratepayers
7. Council employees
8. Govt. – State & Fed
9. Disabled
10. Indigenous
11. Aged
12. Unions
6. THE BUSINESS OBJECTIVE
The risk process is a recognition that in striving for a specific goal or outcome there are
often elements or risks associated with the achievement of those outcomes. If these risks
are not considered or addressed at the time of developing business plans they can delay,
frustrate or cause unexpected outcomes to arise affecting the achievement of the
objectives, or there may be opportunities that are missed.
The primary purpose of this step is to gain some assurance we will be focusing on the
correct risks, barriers, and opportunities in achieving our stated business objectives.
Part of the business objective step involves ensuring we are very clear about what we are
trying to achieve through the program, and ensuring the business objective addresses the
following SMART criteria: Specific, Measurable, Achievable, Relevant, Timely.
7. KEY PHASES AND KEY PROCESSES
The following key phases are essential for any initiative to be effective:
o Planning
o Implementation
o Monitoring and reporting
o Evaluation and Review
Planning – this represents any key process relied on to outline how an activity is intended to be carried out (eg policies, procedure manuals, guidelines, business cases that identify needs, strategic and business plans that set out targets, deliverables and key milestones, implementation plans etc.).
Implementation – this phase represents those key processes relied on to implement the plans from the planning phase (eg application of project management processes, application of resource allocation criteria, training, change management, accountabilities, recording of actions/decisions, meetings and actioning, matching of skills to tasks, succession planning).
Monitoring and Reporting – this phase represents those key processes relied on to monitor performance and progress against business plans, which include targets and deliverables at key milestones of the activity, and some reporting on the same. This monitoring and reporting might be in terms of KPIs and other performance criteria set.
Evaluation and Review – this phase is sometimes more commonly understood as continuous improvement and relates to some form of improvement on past mistakes, what went well, or lessons learnt. It can relate to new and innovative methods and technologies being adopted to replace existing approaches.
To help you identify the type of key processes that might fall under each of the four
phases the table below shows some examples.
EXAMPLES OF KEY PROCESSES
Planning:
o Governance structure
o Consultation with stakeholders
o Policies/guidelines available to staff
o Critical milestones/targets set
o Criteria for budget allocations
o Responsibilities and accountability requirements assigned
Implementation:
o Consultation on changes and decisions made
o Compliance with guidelines, business rules
o Application of project management discipline
o Allocation and matching of resources and skills
o Roll out of training
o Recording of decisions, meetings, action records, succession planning, accountability for outcomes
Monitoring & Reporting:
o Regular meetings with stakeholders/key players
o Monitoring and reporting requirements
o Capture and reporting of performance against KPIs
o Prompt remedial action on poor performance, delays, and budgetary issues
o Reporting requirements followed up
o Analysis of data conducted
Review:
o Reviewing best practice
o Adopting new methods, technologies
o Abandoning failed strategies
These phases can be used to help identify where there might be gaps in key processes
for the initiative which can point to potential sources of risk to the activity under
consideration.
Once these have been worked through we can conduct a risk analysis and risk
response for the initiative.
8. RISK ASSESSMENT
9. RISK IDENTIFICATION
Describing risks involves two elements namely an
event (or cause) and an impact (or consequence).
The context and key processes defined above will set
the boundaries for which risks will be included.
It is critical that all risks impacting on the achievement
of the business objectives are identified, whether or not
they are under the control of the Council.
If risks are not identified they will be excluded from
analysis from this point onwards.
To identify risks for each of the key business processes identified above, ask the
following questions:
What can go wrong (event or cause)?
or
What opportunities are available – how can we achieve our objectives more
easily (event or cause)?
and
What does this lead to (impact or consequence)?
It is important that you consult with people who are knowledgeable about the activity
being assessed. You can identify risks through individual staff interviews or by conducting
focus group meetings and workshops. The latter is recommended if the activity is
complex and involves staff in more than one area.
In describing risks, you should always relate the event and impact to the business
objective. It helps to use terms such as “resulting in” or “due to” which link the event to
the impact. An example is “Failure to meet commonwealth objective deadline, resulting in
withdrawal of current funds, loss of future funds, damage to relationship with
commonwealth, negative media, and damage to the Council’s reputation”. This example
shows that there are a number of potential impacts due to one event. This could then
lead to a number of possible risk treatment options.
10. RISK CATEGORIES
The following ten risk categories can be used to facilitate easy identification of risks.
These categories are the sources of risk, i.e. where the risk can arise (see also Section
3.4.1). Examples of risk themes that would be grouped in each category are also
provided. Note: the list is not exhaustive; it is provided as a guide.
Service delivery: delivery, achievement, assessment & reporting of Council's strategic objectives & outcomes; provision of quality community environments; migrant, youth and Aboriginal community outcomes; sport & recreation outcomes; provision of information & communication technologies; corporate governance; business development outcomes; communication of core activities; service delivery; rate payer needs; equity
Corruption & Fraud: theft; misappropriation; conflicts of interest; bribery; falsification of records; favouritism in recruitment; misuse of resources including communication devices
Human Resources: attracting & maintaining key staff; staff skills & qualifications; staff disputes
Financial: revenue; expenditure; assets & liabilities; corporate credit cards
Stakeholder: changes in government; community expectations; legislative changes; unions; media; staff associations & councils
Legal & Legislative: breaches of contract; public liability; professional liability; legislative non-compliance; government & industry partnerships
Reputation: service delivery; stakeholder, employer & customer perceptions and expectations; brand protection
Health & Safety: community welfare/protection; staff welfare; work health & safety
Business Continuity: technological change; natural disasters; strikes; computer breakdowns
Security: intellectual property; privacy of information; property & equipment; data integrity
Environment: biosecurity; bushfire; flood
11. RISK ANALYSIS
12. ASSESS CONSEQUENCE AND LIKELIHOOD
The purpose of this step is to rank the identified risks so that resources to treat risks are allocated to those of greater priority. We will formally analyse and assess risks to our strategy, business plans, major organisational change, major projects and programs.
All risks identified at the Council and departmental level will be assessed in residual terms using the NLC-wide risk consequence and likelihood criteria.
To evaluate the risk level, you will need to first assess the risk consequence by
identifying the potential consequences of a risk event occurring. The ‘NLC-wide
consequence criteria’ are used to estimate the potential impact a risk might have on
the achievement of the Council/departmental objectives, whether a negative
consequence (threats – see Tables 1 & 2) or a positive consequence (opportunities – see
Tables 3 & 4). Select the appropriate table: a risk is either positive or negative, not
both.
The percentage of appropriate baseline amount as indicated in the ‘Financial’
consequence category should be applied to the Council budget or a departmental budget
accordingly to facilitate an appropriate calibration of the risk consequence across the
Council.
The consequence is the impact or effect that the risk could have on the outputs or
outcomes in the listed Risk Focus areas. The Risk Focus areas may be different than the
Risk Categories used for identification of the risks (section 3.2.1.1) because they are
more to do with the results of the risk eventuating rather than the source of the risk.
The risk likelihood will then be considered using the ‘NLC-wide likelihood criteria’ by
determining the probability of the risk occurring with the identified consequences. Existing
or planned controls should be taken into consideration when determining the risk
likelihood.
The risk consequence and likelihood criteria are provided in the tables below. Additional
risk consequence tables have been provided to facilitate an assessment of
project/program specific risks.
NLC Enterprise Risk Management Guidelines V1.0 August 2013 Policy document referenced: C1.10 15 of 45
Table 1 – Consequence Table (Threats). Each level is described against: Estimated Cost; Business Process & Systems; Health and Safety; Environmental; Community; Legal Compliance.
1 - Insignificant
Estimated Cost: $0 to $10,000
Business Process & Systems: Schedule slips one day. Insignificant impact on Council's ability to achieve strategic outcomes; impact can be dealt with by routine operations.
Health and Safety: First Aid Injury; nuisance value.
Environmental: No or very low environmental impact. Impact confined to small area.
Community: Isolated complaint. No media enquiry.
Legal Compliance: Minor technical/legal compliance issue unlikely to attract a regulatory response.
2 - Minor
Estimated Cost: >$10,000
Business Process & Systems: Schedule slips one week. Some impact on strategic initiatives but only minor aspects impacted. Overall strategic intent still achievable.
Health and Safety: Medical Treatment Injury; Restricted Work Injury.
Environmental: Low environmental impact. Rapid clean-up by site staff and/or contractors. Impact contained to area currently impacted by operations.
Community: Small numbers of sporadic complaints. Local media enquiries.
Legal Compliance: Possible fraud implications. Technical/legal compliance issue which may attract a low level administrative response from regulator. Incident requires reporting in routine reports (eg monthly).
3 - Moderate
Estimated Cost: >$50,000
Business Process & Systems: Schedule slips one month. Some key components of the strategic plan could not be achieved as a result of risk event. Additional funding / resources required to rectify.
Health and Safety: Single Lost Time Injury.
Environmental: Moderate environmental impact. Clean-up by site staff and/or contractors. Impact confined within lease boundary.
Community: Serious rate of complaints, repeated complaints from the same area (clustering). Increased local media interest.
Legal Compliance: Breach of regulation with possible prosecution and penalties. Continuing occurrences of minor breaches. Incident requires immediate (< 48 hours) notification.
4 - Major
Estimated Cost: >$100,000
Business Process & Systems: Schedule slips 3 months. Council unable to deliver on numerous key strategic initiatives without additional funding / resources. Breakdown of key activities leading to reduction in business performance, ie service delays, community dissatisfaction, loss of revenue, cost delays, legislative breaches. Major review of strategic plan required.
Health and Safety: Multiple Lost Time Injuries. Admission to intensive care unit or equivalent. Serious, chronic, long term effects.
Environmental: Major environmental impact. Considerable clean-up effort required using site and external resources. Impact may extend beyond the lease boundary.
Community: Increasing rate of complaints, repeated complaints from the same area (clustering). Increased local/national media interest.
Legal Compliance: May involve fraud. Major breach of regulation resulting in investigation by regulator. Prosecution, penalties or other action likely.
5 - Critical
Estimated Cost: >$1,000,000
Business Process & Systems: Schedule slips one year. Critical business failure preventing core activities from being performed. Impact threatens not only the survival of the project but the Council itself. Majority of initiatives and / or key initiative within the Council’s strategic plan unattainable.
Health and Safety: Fatality(s) or permanent disability.
Environmental: Severe environmental impact. Local species destruction and likely long recovery period. Extensive clean-up involving external resources. Impact on a regional scale.
Community: High level of concern or interest from local community. National and/or international media interest.
Legal Compliance: Serious breach of regulation resulting in investigation by regulator. Operation suspended, licenses revoked.
PROJECT / PROGRAM THREATS
Table 2 – Negative Consequence Criteria (Threats) – Projects / Programs (The potential impact on the objectives and resources)
Consequence levels:
Insignificant (1): No change in projects
Minor (2): Can be accommodated with existing resources
Moderate (3): Impact can be absorbed with treatment but will require additional resources to be allocated
Major (4): The program will require considerable additional resources from other areas
Critical (5): The program may not be delivered
Risk Focus G – Quality:
(1) Negligible quality issues with no effect on objective
(2) Objective achieved but quality diminished slightly
(3) Objective achieved but quality diminished substantially
(4) Substantial part of objective not met for quality reasons
(5) Quality issues lead to non-achievement of objectives; outputs/outcomes are not delivered
Risk Focus H – Time:
(1) Project/Program/Service delayed by up to 5%
(2) Project/Program/Service delayed > 5% to 10%
(3) Project/Program/Service delayed > 10% to 20%
(4) Project/Program/Service delayed > 20% to 30%
(5) Delay causes objective to not be achieved
Risk Focus I – Cost:
(1) Up to 1% variance to budget
(2) > 1% to 5% variance to budget
(3) > 5% to 10% variance to budget
(4) > 10% to 15% variance to budget but not requiring Treasury approval
(5) Over 15% variance to budget or requiring Treasury approval
Risk Focus J – Benefits:
(1) Up to 5% not delivered
(2) > 5% to 20% not delivered
(3) > 20% to 30% not delivered
(4) > 30% to 50% not delivered
(5) > 50% not delivered
Table 3 - NLC-Wide Positive Consequence Criteria (Opportunities) (The potential impact on the objectives and resources)

Risk Focus:
Insignificant (1): Negligible improvement in ability for NLC/Business unit to meet its objectives
Minor (2): Minor improvement in ability for NLC/Business unit to meet its objectives
Moderate (3): Moderate improvement in ability for NLC/Business unit to meet its objectives
Major (4): Major improvement in ability for NLC/Business unit to meet its objectives
Critical (5): Significant improvement in ability for NLC to meet its objectives

Service delivery (A):
Insignificant (1): Negligible improvement in Council or community/program/project/service outcomes; changes implemented by routine operations
Minor (2): Minor improvement in Council or community/program/project/service outcomes; minor improvement in efficiency or effectiveness
Moderate (3): Moderate improvement in delivery of Council or community/program/service outcomes for identified groups; moderate improvement in efficiency or effectiveness; moderate improvement in utilisation of council assets; moderate improvement in community participation & access
Major (4): Major improvement in Council or community/program/service outcomes; major improvement in ability to implement program; major improvement in the development of essential infrastructure; major improvement in utilisation of council assets; major improvement in community participation & access
Critical (5): Significant improvement in Council or community/program/service outcomes; significant improvement to reputation of public education or sport & recreation

Financial (B) (saving or benefit as a percentage of the appropriate baseline amount, e.g. program/project budget, annual budget or projected revenue):
Insignificant (1): Saving or benefit up to 1% of the appropriate baseline amount
Minor (2): Saving or benefit > 1% to 5% of the appropriate baseline amount
Moderate (3): Saving or benefit > 5% to 10% of the appropriate baseline amount
Major (4): Saving or benefit > 10% to 15% of the appropriate baseline amount
Critical (5): Saving or benefit > 15% of the appropriate baseline amount

Management Effort (C):
Insignificant (1): An event, the impact of which slightly reduces the management effort required
Minor (2): An event, the impact of which reduces the management effort required; potential to free up resources within a department
Moderate (3): An event, the impact of which results in a moderate reduction in the management effort required; potential to free up resources between departments
Major (4): An event, the impact of which results in a major reduction in the management effort required; resources can be released for other functions
Critical (5): An event, the impact of which significantly reduces the management effort required; able to free up resources, reallocate responsibilities, and significantly realign functions

Health & Safety (D):
Insignificant (1): Negligible effect on health and safety; negligible effect on site security; little effect on reputation
Minor (2): Minor preventative measures; minor improvements in site security and controls; minor improvement in reputation
Moderate (3): Moderate improvements in prevention and control; moderate improvements in site security; positive improvement in reputation and community interest
Major (4): Major improvements in prevention and control; major improvements in site security; major improvement in reputation and community / stakeholder interest
Critical (5): Significant improvements in prevention and control; significant improvements in site security; significant improvement in reputation and community / stakeholder interest

Legal / Compliance (E):
Insignificant (1): Negligible improvement in compliance ability; little effort required
Minor (2): Minor improvement in compliance ability; process improvements assist with a proactive approach
Moderate (3): Moderate improvement in compliance ability; positive cultural change; process improvements assist with a proactive approach
Major (4): Major improvement in compliance ability; large change in behaviours; positive cultural change; proactive approach
Critical (5): Significant improvement in compliance ability with cultural change and a proactive approach; significant improvement in reputation and community / stakeholder interest

Reputation / External relationships (F):
Insignificant (1): Modest positive publicity; modest positive attention from minor stakeholders
Minor (2): Local positive publicity; visible satisfaction from public, limited / localised media interest
Moderate (3): Region wide positive publicity; short term improvements, public interest in Council, positive publicity from local & regional media
Major (4): Sustained region wide positive publicity; mainstream media reports, community satisfaction, supportive comments from SELGA members; positive reinforcements from LGA
Critical (5): Significant recognition leading to major improvement in community and stakeholder support; broad public interest, media event
PROJECT / PROGRAM OPPORTUNITIES

Table 4 - Positive Consequence Criteria (Opportunities) – Projects / Programs (The potential impact on the objectives and resources)

Risk Focus:
Insignificant (1): Small change in projects
Minor (2): Minor improvements in outcomes
Moderate (3): Moderate improvements in outcomes
Major (4): Major improvements in outcomes
Critical (5): Significant improvements in outcomes

Quality (G):
Insignificant (1): Negligible effect on objective
Minor (2): Objective achieved; quality starting to exceed expectations
Moderate (3): Objective achieved; moderate increase in outcomes; exceeding expectations
Major (4): Major increase in quality; greatly improved outcomes; high level of stakeholder satisfaction; exceeding expectations
Critical (5): Significant increase in quality; significantly improved outcomes; high level of stakeholder satisfaction; greatly exceeding expectations

Time (H):
Insignificant (1): Project/Program/Service improved by up to 5%
Minor (2): Project/Program/Service improved by > 5% up to 10%
Moderate (3): Project/Program/Service improved by > 10% up to 20%
Major (4): Project/Program/Service improved by > 20% up to 30%
Critical (5): Project/Program/Service improved by > 30%

Cost (I):
Insignificant (1): Up to 1% below budget
Minor (2): > 1% to 5% below budget
Moderate (3): > 5% to 10% below budget
Major (4): > 10% to 15% below budget
Critical (5): > 15% below budget

Benefits (J):
Insignificant (1): Negligible increase in planned benefits
Minor (2): Minor increase in benefits over those planned
Moderate (3): Moderate increase in benefits over those planned
Major (4): Major increase in benefits over those planned
Critical (5): Significant increase in benefits over those planned
NLC-WIDE LIKELIHOOD CRITERIA

How likely is it that the Council will be exposed to this specific risk (looking at both the event (cause) and the impact (consequence)) considering factors such as:
Anticipated frequency
The external environment
The procedures, tools, skills currently in place
Staff commitment, morale, attitude
History of previous events

The ‘Description’ column in the following table is to be used as a guide only. Not all initiatives will align to the time frames shown.

Level and description; criteria (read as either/or); probability:
5 - Certain: The event will occur; or the event occurs daily. Probability > 95-100%
4 - Likely: The event is expected to occur; or the event occurs weekly/monthly. Probability > 70-95%
3 - Possible: The event will occur under some circumstances; or the event occurs annually. Probability > 30-70%
2 - Unlikely: The event has happened elsewhere; or the event occurs every 10 years. Probability > 5-30%
1 - Rare: The event may occur in exceptional circumstances; or the event has rarely occurred. Probability < 5%
13. DETERMINE RISK LEVEL
Once the consequence and likelihood of major risks have been assessed, a risk level is determined using the NLC-wide risk matrix. Risks with a larger consequence for business operations and a higher likelihood receive a higher priority rating than those with a minor consequence and lower likelihood.
Risk treatment and escalation/delegation guidelines (for each risk level: risk treatment guidelines, risk escalation guidelines, and NLC-wide risk delegation guidelines):

Extreme
Risk treatment: Immediate action required to actively manage risk and limit exposure
Risk escalation: Escalate to CEO & Council
Risk delegation: The CEO responsibility and accountability

High
Risk treatment: Cost / benefit analysis required to assess extent to which risk should be treated; monitor to help ensure risk does not adversely change over time
Risk escalation: Escalate to the CEO
Risk delegation: The CEO responsibility and accountability

Medium
Risk treatment: Constant / regular monitoring required to help ensure risk exposure is managed effectively, disruptions minimised and outcomes monitored
Risk escalation: Escalate to the Management Team
Risk delegation: Specify risk management responsibility and accountability; assign accountability to the Management Team

Low
Risk treatment: Effectively manage through routine procedures and appropriate internal controls
Risk escalation: Monitor and manage at operational management level
Risk delegation: Monitor and manage at operational management level
14. RISK EVALUATION
The purpose of this step is to develop a prioritised list of risks requiring attention.
When the risk has been rated, the risk level needs to be compared with management’s acceptable level of risk.
If a negative risk (threat) level is at or below management’s acceptable level of risk then the risk is at an acceptable level and no additional risk treatment is required at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
If a negative risk (threat) level is above management’s acceptable level of risk then the risk is at an unacceptable level and additional risk treatments may be required to reduce the risk to management’s acceptable level.
If a positive risk (opportunity) level is low or medium but could be increased (improved) with reasonable steps (subject to cost/benefit analysis) then it is at an unacceptable level and additional risk treatments may be required.
If a positive risk level (opportunity) is high or extreme it may be at an acceptable level so no additional risk treatment may be required (subject to cost/benefit analysis) at this stage. This risk would be managed by ongoing monitoring and be subject to review in the next risk assessment.
15. RISK TREATMENT
The purpose of this step is to identify the most appropriate treatments for risks that are at
an unacceptable level.
16. GENERAL
Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
assessing a risk treatment
deciding whether residual risk levels are tolerable
if not tolerable, generating a new risk treatment
assessing the effectiveness of that treatment.
Risk treatment options are not necessarily mutually exclusive or appropriate in all
circumstances. Select the best options in terms of feasibility and cost effectiveness. The
options can include the following:
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Taking or increasing the risk in order to pursue an opportunity
Removing the risk source
Changing the consequences
Changing the likelihood
Sharing the risk with another party or parties (including contracts, insurance, and risk financing)
Retaining the risk by informed decision.
17. SELECTION OF RISK TREATMENT OPTIONS
Selecting the most appropriate risk treatment option involves balancing the costs and
efforts of implementation against the benefits derived, with regard to legal, regulatory,
and other requirements such as social responsibility and the protection of the natural
environment. Decisions should also take into account risks which can warrant risk
treatment that is not justifiable on economic grounds, e.g. severe (high negative
consequence) but rare (low likelihood) risks.
A number of treatment options can be considered and applied either individually or in
combination. The organisation can normally benefit from the adoption of a combination of
treatment options.
When selecting risk treatment options, the organisation should consider the values and
perceptions of stakeholders and the most appropriate ways to communicate with them.
Where risk treatment options can impact on risk elsewhere in the organisation or with
stakeholders, these should be involved in the decision.
Though equally effective, some risk treatments can be more acceptable to some
stakeholders than to others.
The treatment plan should clearly identify the priority order in which individual risk
treatments should be implemented.
Risk treatment itself can introduce risks. A significant risk can be the failure or
ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of
the risk treatment plan to give assurance that the measures remain effective.
Risk treatment can also introduce secondary risks that need to be assessed, treated,
monitored and reviewed.
These secondary risks should be incorporated into the same treatment plan as the
original risk and not treated as a new risk. The link between the two risks should be
identified and maintained.
18. PREPARING AND IMPLEMENTING CONTINUOUS IMPROVEMENT PLANS
The purpose of continuous improvement plans is to document how the chosen treatment
options will be implemented.
The information provided in continuous improvement plans should include:
the reasons for selection of treatment options, including expected benefits to be gained
those who are accountable for approving the plan and those responsible for implementing the plan
proposed actions
resource requirements including contingencies
performance measures and constraints
reporting and monitoring requirements
timing and schedule.
Improvement plans should be integrated with the management processes of the
organisation and discussed with appropriate stakeholders.
Decision makers and other stakeholders should be aware of the nature and extent of the
residual risk after risk treatment. The residual risk should be documented and subjected
to monitoring, review and, where appropriate, further treatment.
19. MONITORING AND REVIEW
Risk monitoring and review is an integral step in the risk management process. It enables us to proactively identify changes in the risk profile and adjust the organisational response as required. It also enables us to understand the effectiveness (impacts, benefits and costs) of implementing risk management strategies.

Risk monitoring and review is a continuous process, and it is essential that our risk priorities and risk management plans remain relevant in the changing environment we operate in.

Risk management is responsive to change. Continuous monitoring and review of the external and internal risk environment is required to help shape the context and understanding of our risk profile, changes in the risk ratings, identification of new risks, or taking risks off the radar.
20. SCANNING RISK SOURCES
Environmental scanning is an important part of the monitoring framework and involves
analysis of multiple sources of risk information as depicted in Figure 3 below.
Figure 3: Sources of risk information
Environmental scanning by the Management team and the Council helps to identify
new and emerging risks from the external and internal environment through:
Analysis of Political, Economic, Social, Technological, Environmental factors, Government policies and other regulatory environment
Interviews or meetings with the LGA, SELGA, Councillors
Interviews or meetings with staff and stakeholders
External reports and papers from recognised subject matter experts
Consideration of our operations, systemic issues arising from incidents analysis, audit results and other historical risk information.
21. RISK MONITORING AND REPORTING
The Management Team monitors the risk profile and associated risk treatment strategies
(as detailed in the Organisational Risk Register) using the following approaches:
Management and Council meetings
Formal risk profile and risk appetite reviews
Early escalation of emerging risks.

[Figure 3, Sources of risk information: the sources shown in the figure are Lessons Learned (incidents management experience), Ratepayer / Stakeholder expectations, Strategic Plan, NLC Risk Profile, Business Plans, Major Projects / Key business processes, Emerging risks / uncertainty, Regulatory / reputational issues, KPIs / Operational indicators, and Audit Reports.]
Management Meetings
Management meetings are important forums for tracking movements on the risk profile
and the implementation of key risk treatment strategies. The Management team meets on
a regular basis to monitor performance against the strategic initiatives and monitor the
risks. The Management Team considers risks at the following meetings:
Weekly management meetings allow for discussion on performance matters, emerging risks and major ongoing concerns
The department face-to-face meetings include discussion on major department risks
Monitoring of strategy and major projects includes review of the risk profile and risk treatment activities biennially by the Management team. A Risk Escalation Report and details of overdue/partially completed risk treatment activities in relation to high and extreme risks are reviewed as part of these meetings. Refer to Appendix 2 for a Risk Escalation Report example.
22. REVIEW OF THE RISK PROFILE
The risk profile is an important source of risk information, represented by the
Organisational Risk Register, which contains the most significant risks faced by the
Council as a whole and includes the following:
Strategic and operational risks
Major departmental risks escalated to the Council via the Management team.
Risks representing strategic projects or major initiatives
Escalated risks will procedurally progress to the Audit Committee.
The Management team will undertake a High Level Overview of the most significant risks/risk areas facing the Council.
The profile is collaboratively reviewed by the Council on an annual basis.
A formal annual refresh of the risk profile includes revision of the risk ratings taking into account the progress against risk treatment activities. New and emerging risks are considered for inclusion on the risk profile.
A comprehensive annual review of the risk profile and risk appetite is performed by the Management team.
Monitoring of the profile is an integral part of monitoring business performance and is
underpinned by the following:
Prioritisation of the major strategic risks which may have impact on the Strategic Plan
Identification and prioritisation of new or emerging risks which may have a significant impact
Monitoring of key performance indicators of major projects and initiatives which constitute areas of significant risk.
To help ensure that the risk profile is relevant, up to date and effectively managed, the
Management risk review approach addresses the following:
Alignment of the risks to strategic priorities
Risk magnitude
Key treatment strategies in place to manage the risk
Effectiveness of the current risk treatment activities
Movements in the risk ratings
Initiatives to address risks which are above risk appetite or to strengthen risk management processes
Accountabilities assigned to implement the risk treatment strategies and associated due dates
Sufficiency of resourcing requirements to implement the risk treatment strategies.
Where the risk rating increases or potential risks are identified, the Management team
considers the adequacy of the current risk treatment activities. The following questions
may be considered:
Are the assumptions relating to the risk context (including environment, technology and resources) still relevant?
Is the risk treatment activity effective in managing the risk? How can it be improved?
Are there performance measures or indicators in place to measure key outcomes?
Does the risk management activity comply with legal requirements, and Council policies?
23. EMERGING RISK IDENTIFICATION
All staff members are responsible for ensuring new and emerging risk areas are
captured, monitored and escalated appropriately through existing communication
channels.
24. EXECUTIVE RISK REPORTING
Risk reporting supports the Executive discussion and decision-making on major risks and
business priorities.
Risk reports are prepared by the CEO annually. The reports are focussed on high and
extreme risks and highlight “hot spots” on the Risk Profile including:
Risk description
Reference to the strategy (target)
Residual risk ratings
Target risk ratings
Movements in risk ratings
Reference to a department (if applicable)
Reference to a risk treatment strategy
Accountability
Status of risk treatment strategies (completed, partially implemented and overdue)
Assurance activities in place to assess the management of the risk
High level overview of the significant risks/risk areas facing the Council (including emerging negative risks and opportunities).
For major initiatives, updates are provided to management meetings. Updates should include details of overdue or partially implemented risk treatment strategies and the following information:
Description
Commentary
Budget
Accountability and
Due date.
The dashboard report is supported by a commentary including highlights of the annual environmental scan and analysis of systemic issues and trends arising from historic information such as incidents and internal audit findings or resource implications for additional risk treatment activities.
Progress against expected outcomes for major projects, assessed by reviewing key risk performance indicators for major initiatives, is reported as part of business performance reporting. This information contributes to the monitoring of major risks associated with these projects.
Full details of the roles and responsibilities of portfolios, the Executive and the ERM Group are outlined in Appendix 5.
25. REVIEW OF THE RISK MANAGEMENT FRAMEWORK
The risk management framework is subject to review to meet the requirements of the current risk management standards (AS/NZS ISO 31000:2009). The review includes the following:
Annual review of Council’s risk profile and departmental risk profiles in conjunction with the self-assessment of the achievement of strategic objectives and progress against the strategic initiatives
Self-assessment of the ERM Group performance in accordance with the ERM Group Charter
An independent review of the risk management function and process every two years
A review of departmental alignment with the risk management principles.
Significant changes to operations should prompt a review and update of the risk management framework to help ensure that it remains appropriate to support business needs.
26. REPORTING TO THE AUDIT COMMITTEE
The results of the risk management framework review, together with recommendations for improvement, are reported to the Audit Committee and the Council.
27. COMMUNICATION AND CONSULTATION
Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process. Therefore, plans for communication and consultation should be developed at an early stage. These should address issues relating to the risk itself, its causes, its consequences (if known), and the measures being taken to treat it. Effective internal and external communication and consultation should take place to help ensure that stakeholders and those accountable for implementing the risk management process understand the basis on which decisions are made, and the reasons why particular actions are required.
A consultative team approach may:
help establish the context appropriately
help ensure that the interests of stakeholders are understood and considered
help ensure that risks are adequately identified and defined
bring different areas of expertise together for analysing risks
help ensure that different views are appropriately considered when defining risk criteria and in evaluating risks
secure endorsement and support for a treatment plan
enhance appropriate change management during the risk management process
develop an appropriate external and internal communication and consultation plan.
Communication and consultation with stakeholders is important as they make judgements about risk based on their perceptions of risk. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the
stakeholders' perceptions should be identified, recorded, and taken into account in the decision making process. Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.
Communication and consultation in the Council includes business units:
reporting untreated risks through existing corporate reporting frameworks
communicating the results of the risk assessment to stakeholders
28. REFERENCES
AS/NZS ISO 31000:2009, Risk management - Principles and Guidelines, Standards Australia (and related standards and handbooks)
HB 89-2012, Risk management - Guidelines on risk assessment techniques, Standards Australia
APPENDIX 1 – RISK REGISTER (See also Recording Risk Information – Appendix 3 Section 8)
The purpose of a risk register is to provide a central repository or focal point of identified risks that can be monitored and reviewed on a regular basis by both internal and external stakeholders.
Risk information gained through conducting risk assessments should be documented and maintained in the register. The Executive Risk Register that follows is included as a guide only.
The risk assessment will provide managers with information to assist them to manage risks remaining at an unacceptable risk level.
The strategic and operational risk assessments should be updated at least annually and/or whenever new and emerging risks may arise, for example on the introduction of new business products, processes, systems and/or services.
The creation and application of a risk register leads to improved management decision making as it helps to:
identify managed and unmanaged risks especially during the planning cycle
evaluate the severity of any identified risk
apply possible solutions to those risks through a systematic approach
monitor and analyse the effectiveness of actions taken to mitigate the risks.
When risks are effectively managed, the confidence level in achieving goals and objectives is increased. By creating and maintaining risk registers across the Council, stakeholder engagement will increase through communication and the accountability and escalation of risks.
There is no standard list of components that should be included in the risk register.
The Council’s Organisational Risk Register (ORR) is being used here as a model. The ORR documents the following information for each risk:
1. Target or Strategic Objective – This column consists of two components. The number is a sequential number on the register and may change as risks are removed, added, escalated or de-escalated. It is followed by a brief description of the target or strategic objective that the risk relates to, which may come directly from business plans or other higher level sources.
2. Planned Action – The action(s) required to achieve the target or strategic objective.
3. Risk Number – A unique number given to each individual risk. There may be more than one risk linked to each objective. These numbers are not necessarily sequential in the listings as risks may be removed, added, escalated or de-escalated as time progresses.
4. Identified Risk – A brief description of each risk as it relates to the target or objective or planned action(s). This is normally described in terms of an event and an impact, i.e. something happens...resulting in...
5. Existing Treatments/Strategies – Relates to current or existing treatments, strategies or controls either in-place or planned.
6. C – Consequence Rating from Section 3.2.2 (see the following Legend). There can be
multiple consequence ratings as a risk can affect multiple categories e.g. financial, reputation, compliance etc.
7. L – Likelihood (Rating) of the risk occurring with the predetermined Consequence Rating and with the risk treatments, strategies or controls either in-place or planned – from Section 3.2.2 (see the following Legend).
8. Residual Rating – The estimated risk rating based on the predetermined consequence and likelihood ratings with the current or existing treatments, strategies or controls (planned or in-place).
9. Additional Treatment Needed – If the Residual Rating is unacceptable, additional treatments or strategies or controls will be put in place to reduce the rating to an acceptable Target Risk Rating (if the Residual Risk Rating is acceptable or unchangeable this column could be empty).
10. Target Risk Rating – If the Residual Risk Rating is unacceptable, the Target Risk Rating is the acceptable rating of the risk (if the Residual Risk Rating is acceptable or unchangeable this column could be empty).
11. Executive Action Required – If the Residual Risk Rating is unacceptable or unchangeable and no Additional Treatment would be effective, then Executive Action or intervention may be required. If no specific or explicit Executive Action is required this column could be empty.
12. Executive Owner – The member of the Executive (one person) accountable for ensuring that the risk is managed as effectively as possible.
13. KPIs – The Key Performance Indicators which are a measure of how well the risk is being or could be managed.
14. Internal Audit Assurance – Internal audit activities that assess the management of the risk.
15. Other Internal Assurance – Other internal mechanisms or Council groups (steering committees etc.) who have oversight of the management of the risk or related objectives.
16. External Assurance – External bodies or organisations with a role in assuring the effective management of the risk (Audit Committee, etc.).
LEGEND for reading the Risk Register
Key to Columns C, L and Rating
C (Consequence): 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic
L (Likelihood): 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Certain
Residual or Target Risk Rating: Low, Medium (Med), High, Extreme (Extr)
HOW TO DEVELOP A RISK REGISTER
Risk registers are designed to capture risk information and are a primary tool for risk monitoring, reporting and follow-up action.
The steps taken to create a risk register are outlined in the following table and are in parallel to the risk register development process shown below.
Steps in the Creation of a Risk Register
Step | Step Descriptor | Comments
1 | Risk register awareness and readiness | Initial planning by business unit manager and key staff
2 | Meet with business unit key stakeholders | Building the contextual framework
3 | Conduct business unit risk identification meetings (e.g. brainstorming) | Take into consideration all points of view
4 | Stakeholder engagement with teams to develop the risk register (see next table) | Populating the risk register
5 | Development of risk register entries | Coordination of risk evaluation and treatments
6 | Sign off and assigning ownership of risks | Agreement of budgets to control risks
7 | Updating risk registers | Reviewing and monitoring. Escalation and/or de-escalation process may need to be enacted
Risk Register Development Process
Step No. | Process Component | Key Questions to be Asked | Linkages
1 | Establishing the context | Have the business objectives been taken into account? Has an environmental scan been conducted? Have the risk criteria been defined? | Monitoring and review; Communication and consultation
2 | Risk identification | What do you want to achieve, what will stop it being achieved (threat), or what will help it be achieved (opportunity)? What is the potential cost to time, money and performance? How likely is it to happen? What are the impacts of each risk? What is the source of the risk? What can be done to reduce/control the risk? | Monitoring and review; Communication and consultation
3 | Risk analysis | Are there any existing controls? Have the consequences of the risk been considered? Have the impacts been evaluated on a ‘gut feel’ or an evidence-based approach? Have the likelihood criteria been applied? | Monitoring and review; Communication and consultation
4 | Risk evaluation | Have the risks been compared against the set criteria? Have the Council’s risk tolerance levels been considered in accordance with legal, regulatory and other requirements? Has a decision been made to treat the risks? If yes, go to Step 5. If no, continue to monitor and review the risks. | Monitoring and review; Communication and consultation
5 | Risk treatment | Have all treatment options been identified? Have all options been assessed? Have treatment plans been prepared and are they ready for implementation? Have residual risks been analysed and evaluated? | Monitoring and review; Communication and consultation
6 | Monitoring and review | Have the established procedures been followed? Is there a requirement to escalate or de-escalate risks to the next level? | Risk management plan, if held
The risk register, when complete, should be brought to the attention of all employees working in the business unit in a clear and understandable manner, taking into account their level of training, knowledge and experience as well as their responsibility for managing the risks.
CONTINUOUS IMPROVEMENT
A risk register is a ‘living document’, not a one-off process. Accordingly, it should be regularly updated and used actively during planning and related activities. To align with Council requirements, industry standards and best practice, business units are encouraged to regularly review their risk register for accuracy and currency.
SAMPLE TEMPLATE - RISK REGISTER
Columns: Risk No | Functional Area | Potential Hazard / Risk/Event Description | Existing Controls | Consequence | Likelihood | Risk Rating | New Controls and Action Plan (3W) | Rev Likelihood | Residual Risk Level | Responsible Dept | Comments
5 | Legal compliance | Breach of confidentiality creating legal proceedings | Insurance; policies and procedures; ombudsman; external audits | 2 - Minor | 4 - Likely | High | | | | Governance |
6 | Legal compliance | Incomplete records leading to poor decisions and inefficiencies | Records Management system and processes; dedicated records officer | 3 - Moderate | 4 - Likely | High | | | | Corporate Services |
8 | Legal compliance | Development occurs in an inappropriately zoned area or without appropriate building and planning conditions, adding to council costs and loss of revenue | Development Plan processes | 4 - Major | 3 - Possible | Extreme | Consistency in decision making, workshop with real estate agents and construction industry, constant engagement with relevant parties. Structure plan. | | | Planning |
11 | Legal compliance | Litigation or incomplete work or financial loss as a result of contractors working without a contract in place | Register of contracts | 4 - Major | 3 - Possible | Extreme | Establish project teams/project plans that include schedules and contractual arrangements. Standard contracts across Council. | | | Corporate Services |
APPENDIX 2 - SAMPLE TEMPLATE RISK RECORD (OPTIONAL)
Risk Number:
Fields of the risk record:
Target (Strategic Objective) | Planned Action (to achieve objective) | Department | Context / Assumptions
Identified Risk | Existing Treatments/Strategies | Consequence | Likelihood | Risk Rating | Director / Risk Manager | Completion Date | Budget Funding Approved / Required
Introduced Risks / Residual Risks / Risk Triggers (or indicators) | Additional Treatments Needed | Consequence | Likelihood | Residual Risk Rating | Target Risk Rating | KPIs
Executive Management Team Action Required | Due Date | Status | KPIs
NLC Enterprise Risk Management Guidelines v.1.0 August 2013 Policy document reference: C1.10 37 of 45
APPENDIX 3 - ALIGNING RISK MANAGEMENT TO STRATEGIC AND BUSINESS PLANNING, BUDGETING AND PERFORMANCE MANAGEMENT
1. RISK MANAGEMENT AT THE STRATEGIC LEVEL
Risk Management at the strategic level involves identifying circumstances and events that could have an impact (positive or negative) on the achievement of corporate objectives. Risk and strategy are linked and whenever there is a change in strategies, the risk assessment will also change.
The risk process is a recognition that in striving for a specific goal or outcome there are often elements or risks associated with the achievement of those outcomes. If these risks are not considered or addressed at the time of developing strategic plans they can delay, frustrate or cause unexpected outcomes to arise affecting the achievement of the objectives, or there may be opportunities that are missed.
Strategic plans, and the risks affecting the outcomes in those plans, are unlikely to remain static because of changing priorities, new initiatives, government decisions, stakeholder issues, etc. These risks, along with the portfolio strategies, may need re-assessment whenever portfolio plan progress is monitored throughout the year.
There are two distinct stages when risk needs to be considered at the strategic level:
At the time strategic plans are first being developed and
At the time progress is being monitored and reported on against the strategic plans.
2. STRATEGIC AND BUSINESS PLANNING
Understanding how risks align with the planning processes enables us to effectively integrate risk management into our governance and management structures.
Risks are addressed as part of any planning process including the Total Asset Management (TAM) Plan, Funding Plan submissions to the Treasury, the Corporate Plan, project and program plans, and any other strategic, business or operational plan. The integration of risk management into strategic and business planning processes is a key component of the Council’s risk governance and business improvement processes.
Strategic risk management applies to the process of considering and managing the strategic risks on the Executive Risk Profile (risks included on the Executive Risk Register) which may impact the Council as a whole. However, this process can also be generally applied to all business unit levels.
Strategic risks are those that may have a direct and significant impact on the organisation’s strategic objectives. The strategic risks are given formal consideration by the Executive collectively and the departmental heads individually.
Business plan risk management applies to the process of considering and managing risks to the delivery of major projects and services. Business plan risks include strategic and operational risks. Major projects and initiatives risks generally relate to the delivery of infrastructure projects.
The starting point for embedding risk management is to link the risk identification process to the corporate strategic and business plan objectives, using risk assessment as an input to the plans. Risk and performance are managed and monitored in an integrated manner to help achieve better overall governance.
Effective risk management provides increased confidence that we can deliver the desired outcomes, manage threats to an acceptable degree and make informed decisions about opportunities. Alignment of risk management to strategic planning, budgeting and performance management can deliver a range of benefits by:
a. Improving the quality of decision making (appropriate, fast, accurate, and effective)
b. Effective execution of decisions (improved confidence, known quantity)
c. Embedding risk management within the day-to-day operation of your organisation (part of business as usual, not additional task or process burden)
d. Integrating risk management with business strategy (help ensure decisions are informed and based on sound judgment)
e. Improving planning processes by enabling the key focus to remain on core business and helping ensure continuity of service delivery
f. Reducing the likelihood of potentially costly ‘surprises’
g. Preparing for challenging events and improving overall resilience
h. Prioritising budgeted resources
i. Optimising performance through efficiencies in service delivery, major change and quality assurance initiatives and
j. Contributing to the development of a positive organisational culture of improved governance, clear purpose, roles and accountabilities for all staff.
3. BUDGETING
Risk information provides an input to the identification of the resourcing requirements and assists in the prioritisation of available resources as follows:
Risk information and estimates of resource requirements for the treatment of major risks are included in program and project proposals and considered by senior management
Risk management resource implications are included in the appropriate approved plans
The budget prioritisation process takes into account the NLC-wide and departmental risk profiles.
The risk management framework allows escalation of risks throughout the year, with any financial considerations being subject to Council decision as appropriate. However, the identification and assessment of risks will not necessarily trigger additional funding. If additional funding is available, it can be used to accommodate the additional risk treatment activities required to manage the risk. In most cases, however, the reduction of risk exposure in a particular area will be accommodated by reprioritising the available activities, resources, funds or other investment in that area.
4. THE ALIGNMENT PROCESS
Risk management is integrated in strategic and business planning and budgeting activities as follows:
Step | Action
1 | Review any current in-use planning policies, procedures and checklists to help ensure that content is aligned with these guidelines as well as any reference to the latest standards (e.g. risk matrix, consequence and likelihood tables). If inconsistencies exist, the appropriate action should be taken by either developing or updating risk related documentation and/or references to risk terminology
2 | Clearly state the strategic objective (as you would normally do in your planning process)
3 | Describe the planned actions to achieve the objective
4 | Clearly state all assumptions (e.g. market size, resources required, competition, safety, etc.)
5 | Identify the risks related to the objectives, planned actions, and the assumptions (are the assumptions correct? what if they’re not? what if the situation changes? etc.)
6 | Perform a high level assessment of the risks (consequence, likelihood, risk rating)
7 | Describe a high level treatment strategy for the higher rated risks (treatment options, cost/benefit analysis, decide whether to proceed)
8 | Undertake a detailed assessment and plan the management of the accepted risks as per Section 3 of these guidelines
9 | Monitor the risks and the situation for changes
10 | Monitor the plan to address the changes
5. STEPS TO INTEGRATE (EXAMPLE)
Integration of ERM into the Council’s strategic planning process (see Figure 4 below)
a. At the Management Planning Session in period 1 the broad strategy is set, providing a strategic direction for preparation of individual business plans, the management plan, and the development of future years’ budget requirements
b. Individual business streams begin drafting their business plans in period 2 to inform the management meeting (held in period 4). The following business plan risk assessment actions are carried out by the business streams:
i. Business streams articulate their objectives contributing to the overall strategy, describe the planned actions to achieve the objective, state the assumptions, and identify risks to achieving the business plan objectives
ii. Risks are identified by the business stream in the context of the business as usual (service delivery) objectives, and major projects and initiatives
iii. Risks are assessed by the business stream in accordance with the Enterprise Risk Management Guidelines
Figure 4: Integration of ERM into the NLC Strategic Planning Process (diagram: Business / Strategic Planning Process, Performance Management Process and Risk Management Process lanes laid out against a Period 1 to Period 4 timeline)
iv. Treatment strategies required to manage the risks are developed
v. Budget implications (high level) are estimated for each high and extreme risk
vi. Risk treatment strategies and budget implications are documented in the risk records (refer to the Sample Risk Record template – Appendix 4)
vii. Risk treatment strategies and the budget implications are then prioritised taking into account the risk ratings
viii. Summary of high and extreme risks, treatment strategies and budget implications are documented in a prioritised order in the business plans
ix. Upon approval of the funding plan the detail action plans to implement risk treatment strategies are developed taking into account the available budget and the risk priority
x. Business plans are finalised to include detailed action plans for each risk including due dates
xi. Responsibilities are assigned after the strategy is validated in period 4
xii. Detailed action plans, due dates, associated costs and responsibilities are documented for each high and extreme risk (refer to the Sample Risk Record template – Appendix 2).
c. The management strategy is set, reflective of the strategic direction
d. Prioritised budget requirements in excess of available resources are promoted to management for inclusion in the development of the next budget period
e. Major risks on the risk profile are considered in the identification of priority projects before a working draft of the strategy is endorsed by management in period 3.
The following risk related questions are considered during the strategy setting process:
i. What are the major assumptions to each of the strategic objectives?
ii. What are the strategic and operational risks inherent in the strategy, and are they in accordance with our risk appetite?
iii. Can we meet the resource requirements of this strategy and its associated risks, now and in the foreseeable future?
iv. Will our values and ethics be compromised in any way by execution of this strategy?
v. Priority projects for the strategy are refined in period 2 taking into account the requirements to manage major risks on the risk profile
vi. Existing structures, resources and risk appetite are aligned to the strategy and the risk profile.
6. AN INTEGRATED FRAMEWORK
Risk Management is an integral part of the strategic planning and budgeting processes. An integrated business planning and ERM framework should contain the following elements:
a. Evidence of communication and consultation with key stakeholders in developing strategic plans
b. Objectives should be set so that achievement of them can be measured. Tools such as “SMART” criteria (i.e. objectives should be Specific, Measurable, Achievable, Relevant and Timely) reflect good practice in this regard (see Section 3.1.3)
c. Linking of operational plans back to higher level strategic plans to help ensure they are consistent with higher level vision/mission
d. Evidence of identification and consideration of risks that impact on the achievement of strategic and operational objectives
e. Evidence of strategies designed to achieve objectives and manage the risks that could affect the achievement of those objectives
f. Evidence of responsibilities for carriage of objectives and strategies having been assigned to portfolios/areas
g. Development of Key Performance Indicators to measure achievement of objectives
h. Evidence that operational plans include identification, appropriate costings and assignment of resources to undertake them
i. Evidence of formal processes for identification of emerging risks and issues that impact plans and mechanisms for implementation of remedial action as appropriate
j. Evidence of formal processes in place to monitor, review and report progress against plans
k. Evidence that the annual report includes reporting in terms of key risks identified for the Council and management of those risks and legislative requirements
l. Policy and guidelines to support the above processes.
7. RISK MANAGEMENT AND PERFORMANCE MANAGEMENT
Risk management objectives are linked with performance management at all levels of the organisation. Appropriate risk culture is supported by ensuring that risk management objectives and overall performance objectives are aligned. This is supported in the following ways:
Management’s individual Performance Agreements incorporate risk management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk management strategies, KPIs and due dates
Identification of the people component of major business risks: leadership, knowledge, capabilities, behaviour, staff turnover, succession planning, training and development, and culture. Relevant risk management strategies are developed to address root causes of these risks.
8. RECORDING RISK INFORMATION
For each individual risk, the risk information is documented on a risk record (see sample in Appendix 2) which incorporates links to the strategic management, budgeting and performance management processes as follows:
Reference to a strategic area/objective
Risk management accountability which indicates an overall responsibility for managing a particular risk
Risk triggers - an event, activity or early warning signal or indicator likely to highlight or result in an emerging risk occurring
Key performance indicators (KPIs) for future treatment strategies which are included in the individual performance agreements
Budget required to implement the risk treatment strategies.
See also the Risk Register – Appendix 1
APPENDIX 4 – DEFINITION OF TERMS
Acceptable level of risk
The acceptable level of risk reflects the decision by management to accept the likelihood and consequences of a risk. This is also known as the organisation’s risk appetite. This is articulated in the consequence tables, the risk matrix, and the risk treatment and escalation/delegation guidelines (see Section 3.2.2).
Consequence
The outcome or impact associated with a risk occurring, e.g. the loss, injury, disadvantage or gain.
Control
Any measure or action that changes the consequence or likelihood of a risk materialising.
Likelihood
Likelihood is the qualitative description of the probability or frequency of a risk occurring.
Operational Risks
Operational risks are those that may have a direct and significant impact on the organisation’s business as usual activities, functions, roles and/or operations.
Residual Risk Level
The level of risk calculated using likelihood and consequence criteria after treatments have been put in place.
Risk
Risk is the effect of uncertainty on objectives. The chance of something happening that will have an impact (positive or negative) on achieving the organisation’s objectives. It is measured in terms of the likelihood of occurrence and the magnitude of the consequences.
Risk Appetite
The risk appetite reflects the acceptable level of risk. This is articulated in the consequence tables, the risk matrix, the risk treatment and escalation/delegation guidelines (see Section 3.2.2) and the Executive Risk Register as the acceptable risk rating for each of the risks.
Risk Register
The documented repository of risk information gained from risk assessments.
Risk Level
The risk rating calculated using likelihood and consequence criteria after considering the existing control environment.
Risk Management
Co-ordinated activities to direct and control an organisation with regard to risk.
Stakeholders
Stakeholders are those people and organisations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity of NLC.
Strategic Risks
Strategic risks are those that may have a direct and significant impact on the organisation’s strategic objectives.
APPENDIX 5 – ROLES AND RESPONSIBILITIES
ROLE OF DIRECTORS AND DEPARTMENT MANAGERS
Consistent with the NLC Risk Management Principles, Departments will
Identify, assess, develop and rate success indicators and treatment strategies for risks to be included in the Organisational Risk Register
Help ensure major risks align with policy, budgets, business plans and performance management arrangements
Help ensure risks and issues are escalated (on a needs basis) for management consideration when there is danger of a risk not being appropriately managed by existing strategies, treatments and resource allocation
Provide recommendations for dealing with escalated risks and issues (escalated risks and issues will procedurally progress to the Audit Committee and Council).
ROLE OF THE MANAGEMENT TEAM
Help ensure ERM is embedded in NLC budget and planning processes and appropriately monitored
Formal consideration of risk will be facilitated through biennial Management Team meetings taking place as part of the annual work program
Two of these meetings designated for annual and half yearly review of risks on the Organisational Risk Register
Risk Management will be a standing item for Management Team meetings as part of issues management.
Consideration will be given to organisational risks and a risk owner designated (e.g. governance, ERM, business continuity, procurement etc.)
The designated risk owner will help ensure that cross departmental risks are effectively managed.