Compliance and Risk Management Framework
Framework relates to: Risk Management Policy Document No: 6154088
Framework applies: All sites
Target audience: All Staff
Description: The Compliance and Risk Management Framework is designed to assist Councillors, employees and contractors of Logan City Council (Council) to achieve our strategic and operational goals and objectives with respect to Compliance and Risk Management. This framework articulates the requirement for Council to establish risk management practices in accordance with ISO 31000:2018 and AS/NZS 19600:2015.
Subject: Compliance and Risk Management
Keywords: Current Risk, Frequency, Hazard, Initial Risk Rating, Loss, Probability, Risk, Risk Analysis, Risk assessment, Risk identification, Risk evaluation, Compliance, Breach, Noncompliance
Related Legislation (including OHS legislation), Australian Standards, QLD Policy or Circular, other Documents, Professional Guidelines, Codes of Practice or Ethics:
ISO 31000:2018 Risk Management Guidelines
AS/ISO 19600:2015 Compliance Management Guidelines
Doc ID No: 5979417 Code of Conduct for Staff
Doc ID No: 5992416 Workplace and Safety
Doc ID No: 13324550 Audit and Risk Committee Policy
Work Health and Safety Act 2011
Work Health and Safety Regulations 2011
Local Government Act 2009
Local Government Regulation 2012
Child Protection Act 1999
Privacy Act 1988 (Cth)
Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth)
Environmental Protection Act 1994
Business Continuity Institute Good Practice Guidelines 2018
Other state and federal legislation as applicable
Director responsible for Framework: Director, Organisational Services
Manager for Framework implementation: Administration and Corporate Governance Managers
Framework Contact Person: Corporate Governance Manager
Framework Review Due Date: 2 years from date of adoption or date of last review.
Document Control
File: 1186813-1
Document Id: 14119488
Version Number: 1.0; Description of Change: Creation; Author / Branch: Corporate Governance; Date: October 2020
DM 14119488 Compliance and Risk Management Framework Page 2
Table of Contents
1 INTRODUCTION 5
1.1 Structure of this Framework 5
2 OBJECTIVES 5
3 ROLES AND RESPONSIBILITIES 6
3.1 Council 6
3.2 Audit and Risk Committee 7
3.3 Chief Executive Officer 7
3.4 Executive Leadership Team 8
3.5 Administration and Corporate Governance Managers 8
3.6 Managers 8
3.7 Employees and Contractors 9
4 COMMUNICATION 9
4.1 Internal stakeholders 9
4.2 External stakeholders 10
4.3 Reporting 10
4.4 Management Review 10
5 RISK MANAGEMENT 12
5.1 Architecture of the risk management framework 12
5.2 Overall process 12
5.3 Risk Rating 13
5.4 Risk escalation 14
5.5 Risk treatment 14
5.6 Accountability 14
5.7 Integration into organisational processes 15
5.8 Resources 15
5.9 Reporting 15
5.10 Monitoring and review of the framework 15
6 COMPLIANCE MANAGEMENT 16
6.1 Compliance Register 16
6.2 Legislative Changes 16
6.3 Compliance Breach Management 16
6.4 Reporting to the Audit and Risk Committee and ELT 18
6.5 Key Performance Indicators 18
6.6 Compliance audits 18
6.7 Change Management 18
APPENDIX 1: RISK TREATMENT PLAN TEMPLATE 19
APPENDIX 2: NOTIFIABLE BREACH REQUIREMENTS 20
APPENDIX 3: RISK TOOLS 22
1 Introduction
The function of this Compliance and Risk Management Framework (CRMF) is to provide Logan City Council (LCC) Councillors, employees and contractors with guidance in how to apply consistent and comprehensive risk management and how to manage its compliance obligations. This document supports Council’s Risk Management and Compliance Policies.
It identifies the key activities needed for an effective risk management approach and provides information on how to identify, analyse, assess and treat risks. The risk management process contained in this framework aligns with ISO 31000:2018 Risk Management.
The Compliance elements of this framework outline Council’s approach to managing its compliance obligations in accordance with the requirements of AS/ISO 19600:2015 Compliance Management Systems.
1.1 Structure of this Framework
This CRMF recognises the common features and requirements of risk management and compliance in supporting good governance. Accordingly, this document uses a common approach to risk and compliance in most areas, apart from Section 5 (Risk Management) and Section 6 (Compliance Management), which address risk and compliance separately.
2 Objectives
Compliance and Risk Management are the responsibility of all Councillors, employees and contractors, with specific risk responsibilities being allocated to different groups and levels within the organisation.
Compliance and Risk Management will support Council in being able to meet our values and deliver upon our objectives, via a consistent and comprehensive process. It will:
Increase the likelihood of us achieving our strategic and business objectives;
Encourage a high standard of integrity and accountability at all levels of the organisation;
Support more effective decision making through better understanding of risk exposures;
Create an environment that enables us to deliver timely services and meet performance objectives in an efficient and cost effective manner;
Safeguard our assets – human, property and reputation; and
Meet compliance and governance requirements.
In adopting a CRMF, Council has the following objectives:
Provide a consistent, systematic approach to the early identification and management of risks within an acceptable level;
Make available accurate and concise risk information that informs decision making, including business direction;
Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level;
Monitor and review risk and compliance levels to ensure that risk exposure remains acceptable; and
Ensure that the required compliance is maintained and is able to be demonstrated.
3 Roles and Responsibilities
Set out below is Council’s Compliance and Risk Management structure. This illustrates that compliance and risk management are not the sole responsibility of one individual but are supported at all levels in the organisation.
Role: Council
Compliance: Provides strategic oversight and review; approves Policy.
Risk Management: Provides strategic oversight and review; approves Policy.
Role: Audit and Risk Committee
Compliance: Monitors and reviews Council on the standard of its compliance and corporate governance.
Risk Management: Reviews risk management performance; endorses risk management strategy.
Role: CEO
Compliance: Drives compliance culture and is responsible to Council for the management of compliance obligations.
Risk Management: Drives risk management culture and is responsible to Council for the management of risk.
Role: Directors
Compliance: Responsible to the CEO for the compliance obligations within their directorate. Lead by example and demonstrate their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to the CEO for risk management within their directorate. Demonstrate support for the risk management culture. Identify, assess and manage risks.
Role: Managers
Compliance: Responsible to their Director for the compliance obligations within their branch. Lead by example and demonstrate their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to their Director for risk management within their branch. Demonstrate support for the risk management culture. Identify, assess and manage risks relevant to their Branch.
Role: Program Leaders
Compliance: Identify and manage operational level compliance obligations.
Risk Management: Identify, assess and manage operational risks relevant to their Program.
Role: Staff
Compliance: Conscientiously seek to comply with relevant obligations in the course of their duties.
Risk Management: Ensure risks are being identified, assessed and controlled.
Table 3-1: Compliance and Risk Management Responsibilities
3.1 Council
Council is accountable for compliance and risk management, which includes providing direction and support on the CRMF. Council reviews, amends and approves the CRMF biennially. Council has delegated responsibility for the CRMF to the Chief Executive Officer (CEO). This is to ensure a robust CRMF and effective compliance and risk management processes are maintained. Delegated components include appropriate policies, procedures and systems which meet the requirements of International Standards ISO 31000:2018 and ISO 19600:2015.
The following activities are undertaken as Council responsibilities:
Establishing Compliance and Risk Management Policies;
Ensuring that risks are adequately considered when setting Council’s objectives;
Understanding the risks facing the organisation in pursuit of its objectives;
Ensuring that adequate systems and controls are in place and operating to manage compliance and risks (this is achieved through ongoing review of the CRMF system and documented controls, including an annual review);
Monitoring the effectiveness of those systems and controls;
Reviewing, assessing and approving the level of risk appetite and tolerance;
Monitoring compliance with legal and regulatory duties and obligations e.g. via a Compliance Register and regular audits, as well as other relevant best practice standards; and
Ensuring maintenance of an effective framework of compliance, risk management and internal controls through oversight and recommendations; and
Ensuring adequate resourcing is available to reduce risk and address identified risks.
3.2 Audit and Risk Committee
The Audit and Risk Committee is an advisory committee to the Council which provides advice in respect of:
Monitoring and reviewing Council’s compliance with its obligation to establish and maintain an internal control structure and systems of risk;
Monitoring and reviewing of the establishment and implementation of CRMF;
Advising Council on matters of compliance and risk management;
Ensuring that adequate procedures are in place to effectively communicate information about risks and their management; and
Reviewing the effectiveness of the CRMF in identifying and managing risks and controlling internal processes.
3.3 Chief Executive Officer
The Chief Executive Officer has accountability for managing Council’s compliance and risk, and for implementing the CRMF by ensuring the following:
Adequate resources are allocated to maintain an effective CRMF;
Regular reviews of the CRMF are undertaken to ensure risk management systems are adequate and fit for purpose;
Leadership and commitment to the management of compliance and risk at Council is demonstrated; and
Appropriate and timely remedial action is taken in response to risk issues and events.
3.4 Executive Leadership Team
The management of compliance and risk is an integral part of Council’s operations and not an add-on activity. The role of Executive Leadership Team (ELT) members includes:
Implement and maintain the CRMF;
Foster an environment in which adopting effective compliance and risk management is encouraged;
Build and maintain a proactive compliance and risk management culture within Council;
Design, operate and monitor a system of internal controls appropriate for the needs of Council, its directorates and functions;
Assign and embed control and compliance responsibilities;
Be responsible for identification of material risks (strategic), risk assessment, risk controls and determining the consequence and likelihood of residual risks; (N.B. To assist with this process Council has developed risk registers to capture information relating to risks, their consequences and controls);
Maintain an adequate system of risk management which assists in mitigating risks, ensures early detection of risk management issues and ensures corrective action is taken; and
Take prompt action to mitigate risk exposure.
3.5 Administration and Corporate Governance Managers
The Administration and Corporate Governance Managers will be responsible for the administration of the risk and compliance management systems and provide advice to others for undertaking the following administrative matters in relation to the CRMF:
Ensure the CRMF remains appropriate for Council by updating as necessary;
Arrange for risk and compliance management training, as required;
Manage risk registers to ensure that they are updated by Managers, as per this CRMF;
Report to the Executive Leadership Team and the Audit and Risk Committee on compliance and risk management; and
Arrange annual risk workshops.
3.6 Managers
All Council Managers will be required to:
Promote and actively lead a culture of compliance and risk management within the workforce;
Ensure risks are identified, assessed and controlled in accordance with the CRMF;
Actively monitor and report on risk mitigation for identified risks and new risk exposures;
Comply with the CRMF; and
Lead or participate in risk assessments as required.
3.7 Employees and Contractors
All Council employees and relevant Contractors will be required to:
Actively identify, assess, monitor and report on new risk exposures and risk mitigation for identified risks;
Comply with the CRMF;
Be aware of their compliance and risk management responsibilities under this framework to assist Council in achieving desired outcomes; and
Participate in risk assessments as required.
4 Communication
Council has a wide range of internal and external stakeholders whose requirements need to be taken into account during the compliance and risk management processes, and to whom the results of those processes should be reported.
The main objectives of the communication and stakeholder engagement processes are to:
Ensure that the interests of stakeholders are understood and considered;
Ensure the stakeholders participate appropriately in the risk identification and rating process;
Ensure that different views are appropriately considered when evaluating risks; and
Ensure agreement with and support for the compliance and risk mitigation and management processes which are to be implemented.
4.1 Internal stakeholders
Internal stakeholders include the following:
Council (elected members);
Audit and Risk Committee;
Wholly owned subsidiaries (Invest Logan, Mayors Charity Trust);
Staff; and
Contractors.
Internal stakeholders have a need for effective, consistent compliance and risk management processes to assist them in their day-to-day operations, as well as to guide Council itself in the more significant strategic decision making processes.
Sections 5 (Risk Management) and 6 (Compliance Management) of this document detail their involvement in each of the processes.
4.2 External stakeholders
Council has a wide variety of external stakeholders including:
The Logan Community;
Community groups supported by Council;
Government agencies (State and Federal);
Regulators (State and Federal);
Developers; and
Contractors.
External stakeholders, being a diverse group, have a widely varied input in respect to compliance and risk management processes. All stakeholders though would seek to have confidence that the compliance and risk management processes were resulting in good governance practices being adopted by Council.
4.3 Reporting
Reporting is discussed in Sections 5 Risk Management and 6 Compliance Management of this document.
4.4 Management Review
The Executive Leadership Team shall review the Compliance and Risk Management Framework biennially to ensure its continuing suitability, adequacy and effectiveness, including:
consideration of previous actions;
policy;
objectives;
resourcing;
changes;
performance measures;
non-conformance;
audit results; and
stakeholder feedback.
Outputs of management reviews include:
recommendations on policies;
objectives;
structures;
personnel;
changes to processes;
areas to be monitored;
corrective action to non-conformance;
gaps in systems; and
recognition of exemplary behaviour.
5 Risk Management
The success of risk management at Council depends on the CRMF providing the foundations and arrangements that will embed the framework throughout the organisation. The framework assists in managing risks effectively through the application of the risk management process (see Section 5.1) at varying levels within the organisation. The framework ensures that information concerning risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant levels.
5.1 Architecture of the risk management framework
Council’s risk management system comprises two levels of risk registers: strategic and operational. Each considers risks in relation to the objectives of its own organisational context. Compliance related risks are included within each level of risk register. This is illustrated in the figure Architecture of the risk management framework.
The Strategic Risk Register considers long term risks impacting on Council as a whole. The Strategic Risk Register is presented to the Executive Leadership Team and Audit and Risk Committee at least every quarter;
The Operational Risk Registers consider the risks associated with the day to day operational matters and generally those contained within a one year time horizon; and
Project Risk registers are developed per project as required to monitor and manage project related risks.
Risks may pass from one register to another via the escalation process which is detailed in Section 5.3.
Within Council there are other risk management practices in use. These relate to:
the assessment of Work Health and Safety (WHS) risks;
Individual risks within WHS or Project Risk Registers should be managed within their own risk systems; however, where multiple recurrences arise (which may indicate a systemic issue, or an issue of high organisational importance), these should be identified as a single risk in the Operational System, as detailed in Section 5.3.
5.2 Overall process
The process of how a risk progresses from identification through treatment and recording to Council notification is illustrated in Figure 5-1.
Figure 5-1: Risk management process (flowchart; node text recovered from the figure, with the flow ordered as described in Section 5.4):
Matter raised as a risk -> Is it a risk? If No: Normal admin. procedures. If Yes: Risk rated at Operational Level.
Risk rated at Operational Level -> if High / Extreme: Should risk be included at the Strategic Level? If No: Manage at Operational Level. If Yes: Manage at Strategic Level.
Manage at Strategic Level -> if High / Extreme: Advise Council.
5.3 Risk Rating
The Risk Tools in Appendix 3: Risk Tools define the criteria to evaluate the significance of risk at Council.
Once risks have been identified, clearly defined and documented they must be rated to understand the implications of each risk and which ones need to become the focus of the risk management process. It is important to first assess the most credible level of consequence (not the worst case) and then determine the likelihood that the event will occur at that level of consequence. These should be considered in relation to the controls that are in place and their current effectiveness. As an example, the risk of asset failure from lack of maintenance should be assessed given the conditions and controls currently in place in Council with its asset management procedures and inspections, rather than in isolation with no controls.
5.4 Risk escalation
Where risks are rated on the Branch or Directorate Operational Risk Register as “high” or “extreme”, they should be elevated to the Strategic Risk Register for consideration by ELT. The ELT should consider if the risk is of sufficient significance at the strategic level to warrant inclusion in that risk register and if it is, then accept it, rate it against the objectives at the strategic level and then allocate it to a member of the ELT for mitigation, as necessary. Alternatively, the Operational group should be informed that they are to deal with the risk at their own level. As risks are mitigated, they may be “passed back” to the operational management level for routine management.
Where risks have been assessed as high or extreme at the Strategic level, the Chief Executive Officer shall notify Council.
5.5 Risk treatment
5.5.1 Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:
Those who are accountable for approving the plan and those responsible for implementing the plan;
Proposed actions;
Resource requirements including contingencies;
Performance measures and constraints;
Reporting and monitoring requirements; and
Timing and schedule.
Treatment plans should be integrated with the management processes of Council and discussed with appropriate stakeholders. Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. A template for Risk Treatment Plans is included in Appendix 1: Risk Treatment Plan Template.
5.6 Accountability
Council ensures that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls by:
Allocating risk owners, that have the accountability and authority, to manage risks;
Including responsibility for risk management at all levels in the organisation ensuring Councillors, employees and contractors understand their responsibility for risk management; and
Establishing performance measurement and external and/or internal reporting and escalation processes.
5.7 Integration into organisational processes
Risk management is embedded in all of Council’s practices and processes. The risk management process is part of, and not separate from, those organisational processes. In particular, risk management is embedded within framework development, business and strategic planning and review, and change management.
Council requires that employees assess risk in accordance with Council’s risk management approach.
5.8 Resources
Council has allocated the following resources to risk management:
Audit and Risk Committee;
Chief Executive Officer;
Directors;
Managers;
Staff;
Budgets to facilitate risk assessment and management processes, including the development of the CRMF; and
Budgets to facilitate risk and compliance management training and ongoing improvements to risk management within Council.
5.9 Reporting
Reporting on risk will occur on a quarterly basis, other than where projects require more regular reporting on their specific project risk registers:
Project Managers will report to Branch Managers on specific project risk registers;
Branch Managers will report to Directors on their branch risk register;
Directors will report to ELT on their directorate risk register; and
ELT will report on the strategic risk register to Council via the Audit and Risk Committee.
5.10 Monitoring and review of the framework
In order to ensure that risk and compliance management is effective and continues to support organisational performance, Council will:
Measure and evaluate risk management performance against indicators, which are annually reviewed for appropriateness;
Biennially review whether the CRMF is still appropriate and suitable to support achieving the objectives of the organisation;
Annually report on risk and how well the CRMF is being followed; and
Annually review the effectiveness of the CRMF.
6 Compliance Management
6.1 Compliance Register
Council has developed a Compliance Register identifying areas of compliance and allocating responsibility:
The register provides all Councillors, employees and contractors with an awareness and understanding of the legislation that is relevant to their functions; and
It allocates accountability with regards to legislative compliance.
The Compliance Register contains the following information:
Name of the Act;
Corresponding Regulation;
The purpose of the Act;
Relevance to Council with reference to specific sections;
Corresponding Council policies, plans and publications, including plans that may be needed to ensure proper compliance to specific instruments;
Directorate(s) and Branch(es) impacted by the Act; and
The relevant Manager responsible for overseeing the compliance of the Act.
Corresponding Council policies, plans and publications shall be reviewed by the responsible Manager to confirm that Council is meeting its obligations.
6.2 Legislative Changes
The requirements for managing Legislative changes shall be documented in a procedure that sets out the required processes and responsibilities for:
Receipt of change alert or equivalent;
Initial recording of legislative amendment in the Legislative register;
Assessment of the impact on Council;
Allocation of designated lead to coordinate further actions;
Update to policies / procedures / other documentation;
Development of required communication for change;
Release and distribution of communication; and
Tabling at Audit and Risk Committee.
6.3 Compliance Breach Management
A breach is defined as a non-compliance with a legislative, regulatory, standard or Council compliance obligation.
Compliance breaches may result from either or both of:
Breaches of Council policies; and/or
Breaches of legislation.
6.3.1 Internal Reporting and Investigation
The Director is the representative of the CEO in their Directorate;
Breaches in compliance with any legislative, regulatory, standard or Council compliance requirement must be reported to the Corporate Governance Manager;
The Corporate Governance Manager is to report all compliance breaches with a potential consequence of ‘Major’ or ‘Catastrophic’ to the Executive Leadership Team and Audit and Risk Committee in line with Council’s Risk Matrix (see Table 6-1 below);
A breach may also be reported by a finding in a review or audit;
A reported breach shall be risk assessed for importance and consequence to Council;
The Manager of each relevant Branch, in consultation with the Corporate Governance Manager, shall recommend treatment for restoring compliance;
All breaches shall have a Risk Treatment Plan provided by the Corporate Governance Manager and endorsed by the Director Organisational Services; and
Consultation shall occur to ensure negative effects are not produced in other areas or Departments.
Consequence ratings: Negligible, Minor, Moderate, Major, Catastrophic
Risk category: Politics, Leadership and Governance (examples: compliance with legislation, directives, delegations, policies, local laws, code of conduct for staff and councillors, governance)
Negligible: Compliance with legislation, regulations, directives, policies, code of conduct, procedures etc.
Minor: A “working” relationship exists between Council and other levels of government. Non-compliance is managed internally without penalties or prosecution.
Moderate: Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution. Decision made re individual consequences.
Major: Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate). Decision made re individual suspension or termination.
Catastrophic: Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.
Risk category: Reputation (examples: media exposure, social media, political influences)
Negligible: Predominantly local publicity. Positive reputation maintained. Positive relationships with media stakeholders. Isolated social media communications.
Minor: Periodic, local, adverse publicity. Identified that service delivery may be impacted by media scrutiny. Reputation variances within the community. Positive relationships with media stakeholders maintained. May cause some social media or formal complaints (justified or unjustified).
Moderate: Increasing and broadening adverse publicity at local and state level. Service delivery may be impacted by media scrutiny. Sustained reputation variances within the community. Relationships with media stakeholders may be strained. Significant social media and/or formal complaints.
Major: Sustained, adverse publicity at local and state level. Media scrutiny impacts service delivery. Damage to reputation within the community. Publicity may lead to an audit, inquiry, or other legal proceedings. Impact of strained relationships with media stakeholders known. Mass and extended adverse social media coverage.
Catastrophic: Sustained, adverse media attention at local, state and national level. Possibility of worldwide media exposure. Media scrutiny adversely impacts service delivery. Sustained damage to reputation within the community. Ongoing exposure may lead to audit, inquiry, or legal proceedings. Irreparable damage to relationships with media stakeholders. ‘Viral’ adverse social media coverage (e.g. hashtag on Twitter).
Table 6-1: Compliance Breach Consequences
6.3.2 External Notification
Notifiable breaches in compliance within Council are to be reported to the relevant regulatory authorities in accordance with Appendix 2: Notifiable breach requirements.
6.4 Reporting to the Audit and Risk Committee and ELT
Reporting to the Audit and Risk Committee and ELT shall include:
Compliance breaches;
Compliance levels;
Significant changes to legislation or regulation and effect to Council;
Compliance improvement activities and recommendations; and
Key performance indicators for compliance management.
6.5 Key Performance Indicators
Key Performance Indicators (KPIs) shall be established at Branch and Directorate levels and adopted by the Executive Leadership Team. The KPIs on compliance shall be communicated to the Corporate Governance Manager. Suggested KPIs include:
Relevant policies and procedures exist to detect and prevent bribery;
Annual review of Compliance Management undertaken;
Induction training includes Compliance – number of staff trained;
Breaches reported vs breaches investigated and resolved;
Internal Audits conducted; and
Internal audit Findings / Improvement Opportunities Implemented (percentage of total findings).
6.6 Compliance audits
Audits of the Compliance Management System are conducted in accordance with the Internal Audit Schedule with audit reports submitted to the Audit and Risk Committee.
6.7 Change Management
Council’s Change Management Process shall ensure that all applicable changes are planned and reviewed to identify and mitigate any unintended consequences relevant to compliance obligations.
Appendix 1: Risk Treatment Plan Template
Risk No.
Risk: Risk Owner:
Risk Rating
Consequence (C) Likelihood (L) Residual Risk Level
Causation:
TREATMENT:
Existing Controls:
New Treatments: WHAT do you intend to do (i.e. general strategy)?
Control Expected benefits Expected constraints
New Treatments: HOW do you intend to do it (i.e. specific actions)? Addresses C or L or both (tick)
RESOURCES required for implementation?
WHERE will new treatments be incorporated (e.g. business plan, operational plan, budget etc.)?
WHO is the Risk Owner (accountable officer)?
WHO will implement the new treatments?
WHEN will the new treatments be developed?
WHEN will you review new treatments for effectiveness?
HOW will you know when it’s done (i.e. what are the measurable indications that the planned new treatments have been implemented)?
Performance Indicators:
CLOSE OUT: The above treatment plan has been fully implemented
(signed) Risk Owner Date
Appendix 2: Notifiable breach requirements
Columns: Category; Legislation; Breach / Notifiable Incident; LCC Person Responsible for notifying regulator; Further Information; Existing Council Document (Policy, Procedure, Guide etc.)

Category: WHS
Legislation: Work Health and Safety Act 2011 (Qld); Electrical Safety Regulation 2013 (Qld)
Breach / Notifiable Incident: Death, serious injury or serious illness of a person, or a dangerous incident; serious electrical incident or dangerous electrical event
Further Information: https://www.worksafe.qld.gov.au/injury-prevention-safety/incidents-and-notifications/what-is-an-incident#incident

Category: Environment
Legislation: Environmental Protection Act 1994 (Qld) s 320
Breach / Notifiable Incident: Serious environmental harm; material environmental harm
Further Information: https://environment.des.qld.gov.au/management/compliance-enforcement/obligations-duties

Category: Information
Legislation: Privacy Act 1988 (Cth); Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth); Information Privacy Act 2009 (Qld)
Breach / Notifiable Incident: Eligible data breach where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by LCC; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Further Information: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Category: Child Protection
Legislation: Child Protection Act 1999 (Qld) s 13E(2)
Breach / Notifiable Incident: Reasonable suspicion that a child has suffered, is suffering, or is at unacceptable risk of suffering, significant harm caused by physical or sexual abuse; and may not have a parent able and willing to protect them from harm
Further Information: https://www.csyw.qld.gov.au/child-family/protecting-children/about-child-protection/mandatory-reporting

Category: Financial & Procurement
Legislation: Local Government Act 2009 (Qld); Local Government Regulation 2012 (Qld) s 307A
Breach / Notifiable Incident: Material loss of asset; reportable loss of asset
Further Information: https://www.dlgrma.qld.gov.au/local-government/accountability/fraud-management.html
Appendix 3: Risk Tools
Consequence Table (risk categories by consequence rating: Negligible, Minor, Moderate, Major, Catastrophic)

Service Delivery (examples: communication, data, technology software, hardware, records, assets, property, buildings, equipment, plant, fleet, supplies, human resources, injury prevention, workplace relations, recruitment, retention, succession, staff, contractors, volunteers, project management: scope, quality, risk management, stakeholder consultation and communication, procurement, governance)
Negligible: Minor issue with communication, information systems, technology, records, assets, facilities or infrastructure. Service interrupted briefly. No impact on external customers. Minor, localised workforce issues. All requirements of effective project management are in place.
Minor: Temporary restriction of access or disruption to essential services or critical business functions (< 1 day or < Maximum Allowable Outage). Localised workforce issues. Business Continuity Directorate Recovery Plan is reviewed. Effective project management is in place, with internal and external stakeholder consultation required.
Moderate: Restriction of access or disruption to essential services or critical business functions (< 24 hours or Maximum Allowable Outage). Multiple sites impacted by workforce issues. Business Continuity Directorate Recovery Plan is referenced. Project management is in place with multiple internal and external stakeholders consulted. Inadequate scoping may lead to partial completion of project or achievement of outcomes.
Major: Restriction of access or disruption to essential services or critical business functions (< 48 hours or Maximum Allowable Outage plus 12 hours). Temporary damage to property, assets, facilities or infrastructure. Multiple sites impacted by significant workforce issues. Master business continuity plan may be enacted. Completion/success of the project could be impacted by time or cost increases of 15% – 25%.
Catastrophic: Loss of access or disruption to essential services or critical business functions (> 1 week or Maximum Allowable Outage plus 1 week). Permanent damage to property, assets, facilities or infrastructure. Ongoing, significant workforce issues at multiple sites. Master business continuity plan enacted. Completion/success of the project adversely impacted by time or cost increases of 25% – 50%.

Finance and Legal (examples: fraud, corruption, litigation, claims, contract management, intellectual property, operational budgets, procurement, contracts management, public liability, professional indemnity, insurance)
Negligible: Loss of or unplanned expenditure of < 1% of budget. Loss < 1K. Budget variation manageable in the short term.
Minor: Loss of or unplanned expenditure of < 5% of budget. Loss between 1K and 10K. Budget variation manageable, absorbed over current financial year.
Moderate: Loss of or unplanned expenditure of 5-10% of budget. Loss between 10K and 100K. Impact on budget beyond current financial year, but manageable within the next financial year.
Major: Loss of or unplanned expenditure of > 10-20% of budget. Loss of 100K to 500K. Impact on budget with recovery over the following 2 or 3 financial years.
Catastrophic: Loss of or unplanned expenditure of > 20% of budget. Loss of 500K or more. Impact on budget with recovery over the following 3 or more financial years.

Health and Safety (examples: injuries and illness to staff, contractors and the public such as exposure to chemicals, vehicles, falls, and other workplace hazards)
Negligible: Report Only – minor incidents where no injury was sustained.
Minor: Injury or illness where First Aid treatment is required (can be administered by a GP, First Aider or co-worker).
Moderate: Injury or illness requiring treatment by a medical practitioner (MTI).
Major: Injury or illness requiring treatment by a medical practitioner or hospitalisation, AND where a full work shift or more is lost (LTI). Any Notifiable Event to the WHS/ESO Regulator.
Catastrophic: Permanent disability. Long term hospitalisation. Life threatening event / death.
Politics, Leadership and Governance (examples: political influence, governance, management, complaints, auditing, performance, resource accountability, service level agreements, strategic and operational planning, compliance with legislation, directives, delegations, policies, local laws, code of conduct (staff and councillors), governance)
Negligible: Internal political/leadership issues. Community is unconcerned. Effective governance and decision making. Positive working relationships with other levels of government. Compliance with legislation, regulations, directives, policies, code of conduct, procedures etc.
Minor: Political or leadership issues result in community concern. Challenges identified with leadership and governance. Decision making has potential to disrupt service delivery in 1 branch. Introduction of new legislation impacts service delivery in 1 branch. A “working” relationship exists between Council and other levels of government. Non-compliance is managed internally without penalties or prosecution.
Moderate: Political or leadership/management issues result in ongoing community concern. Ongoing challenges with leadership/management. Decision making has potential to disrupt service delivery in multiple branches. Introduction of new legislation impacts service delivery of multiple Branches. Disagreement between Council and other levels of government. Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution. Decision made re individual consequences.
Major: Political or leadership/management issues result in escalation of community concerns. Instability recognised in leadership/management. Decision making causes disruption to service delivery of 1 branch. Introduction of new legislation impacts service delivery across Council. Ongoing disagreement between Council and other levels of government. Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate). Decision made re individual suspension or termination.
Catastrophic: Ongoing political or leadership/management issues result in escalation of community concern for a sustained period of time. Ongoing instability in leadership/management. Decision making causes disruption to service delivery across Council. Introduction of new legislation significantly impacts service delivery and capacity to ensure compliance across Council. Ongoing disagreement results in irreparable damage between Council and other levels of government. Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.

Community Expectation (examples: expectations, feedback, stakeholder engagement)
Negligible: Stakeholder engagement occurs. Community expectations known. Minimal local feedback.
Minor: Active stakeholder engagement. Community expectations not fully known or understood. Divergence between policy and public opinion identified.
Moderate: Unsuccessful stakeholder engagement. Community expectations are not fully known or understood. Clear divergence between policy and public opinion.
Major: Stakeholder engagement fails. Community expectations are not known or understood. Escalating community concerns or complaints. Community campaigning may occur. Major divergence between policy and public opinion.
Catastrophic: No stakeholder engagement. Escalating, ongoing community concerns or complaints. Active community campaigning. Loss of community support. Total divergence between policy and public opinion.
Reputation (examples: media exposure, social media, political influences)
Negligible: Predominantly local publicity. Positive reputation maintained. Positive relationships with media stakeholders. Isolated social media communications.
Minor: Periodic, local, adverse publicity. Identified that service delivery may be impacted by media scrutiny. Reputation variances within the community. Positive relationships with media stakeholders maintained. May cause some social media or formal complaints (justified or unjustified).
Moderate: Increasing and broadening adverse publicity at local and state level. Service delivery may be impacted by media scrutiny. Sustained reputation variances within the community. Relationships with media stakeholders may be strained. Significant social media and/or formal complaints.
Major: Sustained, adverse publicity at local and state level. Media scrutiny impacts service delivery. Damage to reputation within the community. Publicity may lead to an audit, inquiry, or other legal proceedings. Impact of strained relationships with media stakeholders known. Mass and extended adverse social media coverage.
Catastrophic: Sustained, adverse media attention at local, state and national level. Possibility of worldwide media exposure. Media scrutiny adversely impacts service delivery. Sustained damage to reputation within the community. Ongoing exposure may lead to audit, inquiry, or legal proceedings. Irreparable damage to relationships with media stakeholders. ‘Viral’ adverse social media coverage (e.g. hashtag on Twitter).

Emergency and Disaster Response (examples: pandemic, terrorism, environmental spills, hazardous substances, evacuations, fire, flood, storms, threats, toxic releases, chemical spills)
Negligible: No emergency or disaster response required by Council.
Minor: Emergency or disaster response required by Council results in disruption to service delivery of 1 branch for < 1 week or < MAO. Review of business continuity plan recommended.
Moderate: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches for < 1 week or MAO. Reference to Master Business Continuity Plan required.
Major: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches for > 1 week or MAO plus 12 hours. Master Business Continuity Plan may be enacted.
Catastrophic: Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches for > MAO plus 1 week. Master Business Continuity Plan enacted.

Environment (examples: environment, bushland, parks, creeks and waterways, wildlife habitat, preservation)
Negligible: Minor breach of policy or procedures. Minor environmental damage is immediately remediated with minimal resources.
Minor: Minor localised impact; one-off situation easily remedied.
Moderate: Moderate impact on the environment; no long term or irreversible damage. May incur cautionary notice or infringement notice.
Major: Severe impact requiring remedial action and review of processes to prevent reoccurrence. Penalties and/or direction or compliance order incurred.
Catastrophic: Long-term, large-scale damage to habitat or environment. Serious/repeated breach of legislation/licence conditions. Cancellation of licence and/or prosecution.
Effectiveness of Controls (Rating: Description)
1: Fully Effective (prevents the risk from being realised)
2: Substantially Effective (mostly prevents the risk from being realised)
3: Partially Effective (sometimes prevents the risk from being realised)
4: Ineffective (does not prevent the risk from being realised)
Likelihood Table (Likelihood: Probability; Frequency and/or Exposure; Anecdotal Examples)
Almost certain: > 95% to 100%; several times a week; most people are strongly aware of the risk occurring on several occasions.
Likely: > 70% to 95%; monthly or several times a year; several people have recollections of a similar event occurring several times over the years.
Possible: > 30% to 70%; once every 1-2 years; several people have recollections of a similar event occurring, but are not really sure where or when, and on more than one occasion.
Unlikely: > 5% to 30%; once every 2-5 years; never heard of it, but it sounds like something that we know has happened elsewhere before.
Rare: 5% or less; less often than once every 5 years; nobody has ever heard of it happening.
Risk Matrix (rows: likelihood; columns: consequence ratings)

Likelihood        Negligible   Minor   Moderate   Major   Catastrophic
Almost certain    M7           H9      H6         E3      E1
Likely            M8           M5      H7         H4      E2
Possible          L3           M6      H8         H5      H1
Unlikely          L4           L1      M3         M1      H2
Rare              L5           L2      M4         M2      H3

Response (Risk Rating: Action Required; H&S Response and Risk Owner)

Green = Low (L: 1-5): Risk may be managed by routine operations or procedures with ongoing monitoring. Implement controls and undertake tasks.

Yellow = Medium (M: 1-8): Risk is managed by routine operations with ongoing monitoring. Implement controls and additional treatments and undertake task with approval from Task/Site Supervisor. A detailed action plan must be implemented and monitored to reduce risk rating. Approval from Branch Manager required before commencing task.

Orange = High (H: 1-9): Risk Owner authorises and approves further treatments. Escalation is required to the Director, through the Manager, for further review and approval. A detailed action plan must be implemented and monitored to reduce risk rating. Do not commence task. Escalation is required to the CEO (Branch Manager > Director > CEO) for approval.

Red = Extreme (E: 1-3): Risk Owner* authorises and approves further treatments. Escalation is required to the CEO (Manager > Director > CEO) for further review and approval. CEO may escalate to Council if required.