ENTERPRISE RISK MANAGEMENT
PROGRAM
Template Edition
June 2009
Table of Contents Enterprise Risk Management Program
Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.
Operational Template contents
Section One – Program Documents
1. Risk Management Plan (page 9)
2. Enterprise Risk Management Framework (page 15)
3. Council Risk Structure (page 16)
4. Risk Oversight Framework (page 17)
5. Implementation Schedule (page 18)
6. Risk Category (page 21)
7. Stakeholders Register (page 22)
8. Maturity Matrix (page 24)
9. Implementation Approach (page 26)
10. Risk Management Policies Required (page 28)
11. Appendix A - Definitions (page 30)

Section Two – Handbook Instructions for Use (page 41)

Division 1 - General
1. Risk Management Charter (page 45)
2. Risk Management Plan (page 46)
3. Risk Management Process Flowchart (page 52)
4. Roles and Responsibilities (page 62)

Division 2 – Tools
1. Risk Management Tables (page 65)
2. Exposure Map (page 68)
3. Risk Management Structure (page 70)

Division 3 – Templates
1. Method of Analysing the Cause of Risk (page 73)
2. Risk Model (page 75)
3. Inherent to Residual to Target Risk Rating (page 77)
4. Stakeholders Objectives and Risk Categories (page 79)
5. Risk Management Context (page 81)
6. Action plan and Risk register (page 84)
Page 3
Enterprise Risk Management Handbook
Operational Template Conditions of Use Handbook
Conditions of Use
This handbook has been designed by Members of the CENTROC ERM Project Team* for other Councils within the CENTROC Group of Councils to use as a starting point to construct an enterprise risk management system. This handbook should be used in conjunction with other documents available from the CENTROC ERM Project Team and, due to the dynamics of Local Government, should not be relied upon as the “bullet proof” solution to risk management.

End users of this handbook are reminded that this document is for guidance only and must be adapted to reflect the risk appetite and work practices of the individual Council. The drafters of this document take no responsibility for the use or misuse of this, or other related documents produced by the Group. It is recommended that end users of this document seek training before attempting to implement a risk management system within their organisation.

This Handbook and other related documents remain the property of the CENTROC ERM Project Team and as such are not to be used or reproduced without written permission of the Team.

* Team members are listed on the acknowledgement page of this folder.
Acknowledgements
Operational Template Acknowledgements
CENTROC ERM Project Team
Orange City Council: Michelle Catlin, Charmaine Richey
Bathurst Regional Council: Brian Dwyer, John Starr
Wellington Council: Bryson Rees, David King
Cabonne Council: Barbara Hepworth
Parkes Shire Council: Bradley Byrnes
Cowra Shire Council: Harvey Nicholson

Members of the ERM Project Team would like to acknowledge the following Councils for their participation in the program: Lithgow City Council, Bland Shire Council, Harden Shire Council, Lachlan Shire Council and Blayney Shire Council.

The ERM Team also acknowledges the assistance given to the project by the following organisations: TAFE NSW Sydney Institute, PRUDENTIA, CENTROC and STATEWIDE MUTUAL PTY LTD.
Section One – Program Documents
XYZ Council Risk Management Plan
Operational Template Risk Management Plan
Risk Management Plan

Introduction
XYZ Council is committed to the implementation of Enterprise Risk Management (ERM). ERM is defined as “an organisation-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”[1]. Council recognises that risk is an unavoidable part of normal everyday life. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated.

The requirement to adopt a broad-brush risk management approach is likely to be mandated by the Department of Local Government in the near future. Council is adopting a proactive approach in committing resources and energy to implementing Enterprise Risk Management.

The ultimate objective of this Risk Management Plan is to embed the principles of risk management in all aspects of Council’s operations. It is recognised this is a long-term goal, and will require a phased implementation to ensure that risk management is effective and sustained across all of Council’s operations.

Enterprise Risk Management will require Council to consider the objectives of its internal and external stakeholders, and those factors that may impact on each stakeholder’s ability to achieve their own objectives, as they relate to XYZ Council. This Risk Management Plan provides the suite of tools to be used in applying risk management to XYZ Council.

Pilot approach
In the first stage of the process, Council adopted a “pilot” approach by applying risk management tools to a project. The benefits of adopting such an approach are outlined in the document “Implementation Approach” and include:
• Harnessing the support and commitment of middle management, first line management and staff to the program
• Trialling the program on a small scale prior to large scale roll-out
• Auditing the success of the program
• Making any necessary adjustments or additions to the program
• Profiling the success of the program to the organisation
• Testing the theories, assumptions and calculations made in the program
• Reviewing and providing feedback to stakeholders
• Allowing for cost considerations to be determined and planned for
1 Enterprise Risk Management Handbook, Prudentia 2007
• Encouraging multifunctional involvement across a range of areas and levels

In implementing the pilot approach, there are a number of functions that may have involvement, including:
• Policy development
• Business/Strategic planning
• Asset Management
• Audit
• Business Continuity Management
• Environmental Management
• Human Resources
• Finance
• Project Management

Risk Management – What is it?
Risk Management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences if the risk does occur. Risk Management also involves the identification of potential positive events and their management to increase their likelihood and/or benefits[2]. Risk can also be described as:
• Any threat that can potentially prevent Council from meeting its objectives
• Any opportunity that is not being maximised by Council to meet its objectives[3]

It should be noted that risk management is to be applied at all levels of Council operations. Everyone has a responsibility in managing risks. Council has developed a detailed implementation framework, which provides a step-by-step outline for implementing ERM. There is a strong emphasis on training, education and communication, to ensure the skills of Councillors, managers and staff will be developed and maintained.

The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk champions is to:
• Assist in the use of the risk management tools
• Provide support and advice to staff in relation to risk management
2 Enterprise Risk Management Handbook, Prudentia 2007, pg 102
3 City of Charles Sturt, Risk Management Framework 2005, pg 2
• Ensure risk management responsibilities are being met in their respective work areas
• Report to the risk management committee
• Assist in the development of a risk aware culture

Risk Management Charter
Council has developed a Risk Management Charter (Page 45). The Charter states that Council, in line with best practice, will endeavour to control risks, both operational and strategic, within the local government environment as dictated by available resources, through the implementation and maintenance of a strategic Risk Management Program at all levels of Council. The implementation framework sets out the actions to be taken to achieve the goals of the Risk Management Charter, and assigns responsibility for these goals.

Organisation’s Strategic Goals and Objectives
The Local Government Act 1993[4] sets out Council’s Strategic Goals and Objectives as:
a. to provide directly or on behalf of other levels of government, after due consultation, adequate, equitable and appropriate services and facilities for the community and to ensure that those services and facilities are managed efficiently and effectively
b. to exercise community leadership
c. to exercise its functions in a manner that is consistent with and actively promotes the principles of multiculturalism
d. to promote and to provide and plan for the needs of children
e. to properly manage, develop, protect, restore, enhance and conserve the environment of the area for which it is responsible, in a manner that is consistent with and promotes the principles of ecologically sustainable development
f. to have regard to the long term and cumulative effects of its decisions
g. to bear in mind that it is the custodian and trustee of public assets and to effectively account for and manage the assets for which it is responsible
h. to facilitate the involvement of councillors, members of the public, users of facilities and services and council staff in the development, improvement and co-ordination of local government
4 Local Government Act 1993, Section 8 (1)
i. to raise funds for local purposes by the fair imposition of rates, charges and fees, by income earned from investments and, when appropriate, by borrowings and grants
j. to keep the local community and the State government (and through it, the wider community) informed about its activities
k. to ensure that, in the exercise of its regulatory functions, it acts consistently and without bias, particularly where an activity of the council is affected
l. to be a responsible employer

These goals and objectives are at the macro level of Council operations, and incorporate Council’s Mission and Vision Statements. Council’s annual Management and Operational Plans provide the micro level goals and objectives. Identifying these macro and micro level goals assists in identifying risks that may impact on the achievement of these goals.

Enterprise Risk Management Framework
Council has developed a framework for Enterprise Risk Management (Refer Page 15). This Framework shows how risk management will be integrated across the organisation, and identifies the methodologies, tools and processes to be used to support this integrated approach.

Risk Management Process
The process for managing Council’s risks is consistent with the Australian Risk Management Standard AS/NZS 4360:2004. To support these processes, a range of templates have been established, including:
• Risk Model (Pages 75-76)
• Risk Cause Analysis (Pages 73-74)
• Residual Rating Worksheet (Pages 77-78)
• Risk Exposure Map (Pages 68-69)

Communication
Communication is required from all levels of the organisation. It should inform all about outcomes and progress and will be a vehicle to help manage change. Methods of communication will include:
• Media (if required)
• Staff meetings
• Focus meetings
• Newsletters and flyers
• Workshops

Risk Management Policies
Council will need to develop an overarching Risk Management Policy. (The requirements have been outlined in the document titled Risk Management Policies requirements.) However, as part of the implementation and integration of Enterprise Risk Management (ERM) throughout the organisation, many existing policies will need to be reviewed and updated to reflect ERM principles and procedures, thus creating a synergy throughout the organisation.

Roles and Responsibilities
All levels of Council have a responsibility and a role to play in ERM. It is essential that the program be supported by the Executive. A strong, visible commitment to the process will set the standard across the organisation, and encourage support from all levels.

Development of a Risk Aware Culture
The pilot approach is the first step in developing a risk aware culture, as those involved in the selected project will learn about ERM practices and actually implement what they have learned. It should be noted that the implementation of Enterprise Risk Management is a journey, involving organisational change on a broad scale so that risk management becomes as ingrained in Council’s operations as occupational health and safety has become. Incremental change is likely to provide positive results, as small changes are reinforced and become “the norm”. The staged approach utilising Council projects allows these small changes to occur. The next phase should see ERM implemented in a particular program area, such as governance, human resources, finance, etc.

Training strategy
The following elements are integral parts of a training strategy for risk management:
• It should be well planned and fit the needs of the organisation.
• It should be tailored to different levels within the organisation.
• It should ensure communication tools are used at all stages of implementation.
• It should be included in staff induction programs.
Budgeting
Council will allow for funds to be allocated for those controls that address the Very High and High level risks. This will be reviewed annually as part of Council’s Management Plan process. Risk treatment will depend on funds available within the Council budget. In considering allocations to preventive and corrective controls, Council staff will identify the indicative costs of the consequences if a particular risk event occurs.

Reporting
Council’s Risk Manager will be charged with developing and maintaining Council’s Risk System, including those documents supporting the system. Results of the program will be reported to Council annually, and to any external stakeholders as required. The Risk Action Plan will be updated monthly, and reviewed by the Risk Committee quarterly.

Monitor and Review
The Enterprise Risk Management Plan will be reviewed by the Risk Manager on a regular basis (timeframe to be decided by the organisation). The Action Plan will be updated monthly, and reported to the Risk Committee at least quarterly. Council will engage the services of its internal auditor to audit the risk processes and documents included in this Plan.
Risk Structure
Operational Template Risk Structure Example

[Organisation chart; only the box labels survive extraction]

Council
General Manager
Director/Mgr Corporate
Director/Mgr Environmental
Director/Mgr Engineers (2 x Opt)
Director/Mgr Culture or Development (Opt)

Risk Management Committee:
• General Manager
• Mayor or Cr Rep
• Independent
• Director Rep/s
• Risk Manager

Dept Risk Representatives: Finance, Governance, Risk Mgt, I.T, Admin, Planning, Sustainability, Health, Environment, Operations, Design, Infrastructure, Asset Management, Economic Development, Cultural Development, HR, Community Services
Risk Oversight Framework
Operational Template Risk Oversight Framework

[Diagram; only the box labels survive extraction]

Council
General Manager
Risk Committee
Directors/Executive Managers
ERM Working Party
Senior Managers
Supervisors
Staff
Risk Manager
XYZ Council Risk Management Implementation Schedule
Operational Template Implementation Schedule

RISK MANAGEMENT IMPLEMENTATION SCHEDULE

[Timeline columns Jul 09, Aug 09, Sep 09, Oct 09, Dec 09, Mar 10, Jul 10; the timeline marks are not recoverable from the source]

| HIGH-LEVEL TASKS | SUB TASKS | STATUS |
|---|---|---|
| Undertake Needs Assessment | | • Done |
| Develop Risk Management Charter (Refer Page 45) | | • Done • Ongoing review & improvement |
| Presentation to Management | | • Done |
| Obtain Management agreement for implementation of ERMP | | • Done |
| Establish Risk Management Committee | • Define and document Roles and Responsibilities for: Risk Committee; Risk Manager; RM Coordinators; Risk Owner; Audit Committee | • Done • Ongoing review & improvement |
| Develop Risk Management Framework (template provided Page 15) | | • Done • Ongoing review & improvement |
| Develop a Risk Management Maturity Matrix (template provided Pages 24-25) | • Project Management • Division 1 • Division 2 • Division 3 | • Done • Ongoing review & Update |
| Document Organisation’s Strategic Goals or Objectives | • Project Management • Division 1 • Division 2 • Division 3 | • Done • Ongoing review |
| Develop Risk Management Stakeholder Register (template provided Pages 79-80) | | • Done • Ongoing review & improvement |
| Identify the Organisation’s Risk Context (template provided Pages 81-83) | | • Done • Ongoing review & improvement |
| Identify the Organisation’s Risk Category Framework (template provided Page 21) | | • Done • Ongoing review & improvement |
| Build the Risk Management Structure (template provided Page 70) | | • Done • Ongoing review & improvement |
| Develop the Oversight Framework | • Directors • Risk Management Committee • Risk Manager • Risk Coordinators • Risk Owners | • Done • Implemented • Ongoing Review |
| Prepare the Risk Management Plan (Template Provided Pages 46-51) | • Define approach to Risk Management Implementation • Develop Risk Management Handbook • Develop Risk Management Policies • Develop Processes and Procedures: Risk Assessments; Risk Reporting Detail • Develop Risk Reporting Requirements • Ongoing Management • Prepare Communications Plan • RM Training • Software Users Rules • Software User Training Plan • Develop ‘Risk Aware’ culture: Education Program; Communication – RM Plan, Implementation • Set KPIs • Continual Improvement Program • Identify Key Risk Indicators • Document | • Ongoing review & improvement |
XYZ Council Risk Category Framework
Operational Template risk category framework

Operational Risk Categories FY 09/10

1. Corporate Governance
• Roles and responsibilities of GM and Directors
• Councillors
• Ethical, responsible, and transparent decision making
• Recognise and manage risks
• Compliance with legislative and regulatory requirements

2. Operations
• Projects
• Contract management
• Costing
• People resource and allocation
• New business development
• Customer management
• Service provision
• Emergency management
• Business Continuity

3. External Environment
• Political, State/Federal
• Community opinion/demographic
• Contractors
• Suppliers
• Developers
• Media
• Councillors
• Economy

4. Planning & Environment
• Land use planning
• Heritage Management
• Building Control
• Animal control
• Parking management
• Encourage use of renewable

5. Human Resources
• Employee competency
• Employee development / discipline
• Consultant management
• Legal Compliance
• Industrial relations
• Succession planning
• Recruiting

6. Technology & Data Management
• Technology development & integration
• Continuity planning & skills availability
• Information security
• Data management
• Software and hardware integrity

7. Financial & Accounting
• External investments
• Budget & capital management
• Asset management
• Management reporting
• Regulatory reporting
• Accounting principles & standards
• Internal and external audit

8. Integrity & Legal
• Business and government rules and Regulations
• Contracts and litigation
• Insurance
• Illegal acts
• Deliberate/inadvertent breaches
• Education and awareness

9. Strategic
• Culture
• Leadership
• Strategy
• Brand protection
• Communication
• Corporate Knowledge management

10. Infrastructure
• Water supply
• Waste water
• Manage storm water
• Urban beautification program
• Flood mitigation
• Roads and foot paths
• Public venues

11. Cultural & Community Development
• Adequate Library Services
• Develop recreational and cultural opportunities
• Maintain and develop sporting/cultural facilities
• Maintain and develop public venues
STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register blank)
Operational Template Stakeholder Objective blank

| Stakeholder | Objective | Risk category | Identified risk | Causes of the risk |
|---|---|---|---|---|
| | | | | • |
STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register example)
Operational Template Stakeholder Objective

| Stakeholder | Objective | Risk category | Identified risk | Causes of the risk |
|---|---|---|---|---|
| General Manager | To ensure council compliance with state and federal legislation | Compliance | Non-compliance with state and federal legislation | • Staff knowledge of legislation is deficient due to lack of training, procedures and supervision. • Insufficient audit controls • Responsibilities not allocated in position descriptions |
| | To ensure financial viability | Finance | Financial loss | • Bad investments • Inadequate debt recovery procedures • Fraud • Non-adherence to budgets • Poor budgeting • Inadequate cost control of projects |
| | To ensure environmental sustainability | Environmental | Environmental damage | • Irresponsible development |
| | Provide ethical, responsible and transparent decision making | Reputation | | |
XYZ Council Risk Management Maturity Matrix
Operational Template Maturity matrix

| Council-wide Issue | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
| --- | --- | --- | --- | --- | --- |
| Council Policy/strategy | None exists | Policy under development | Policy written | Policy written and circulated | Policy promoted by all managers, used to support goals |
| Management support | Not on the agenda | Some effort or support in theory | Some informal application of areas of policy and procedures | Acting in compliance with policy. Isolated managers driving it | RM used to assist in operational goals. Supported and driven by all managers |
| Responsibilities / Accountabilities | Focus on operational aspects. Accountability assigned to staff | Requirements in PD at manager level | Responsibility to manage risks formalised in position descriptions. Some acceptance of responsibilities. Not a performance indicator | All managers and supervisors understand their responsibilities | Responsibilities are included in key performance indicators |
| Staff Commitment | Largely ignorant about ERM | Aware that council is considering RM system | Some staff in pilot programs or consultation. Involved in initial RM tasks. Some cynicism and caution | Parts of organisation involved in extensive risk management activities. Benefits becoming commonly known | Have been fully trained in RM; staff show a culture of risk awareness |
| Formal RM processes and Systems | Only informal risk management in place | RM process under development. Consultation with stakeholders under way. Research started on software systems | Process developed/staff training designed. Data management system being introduced and being populated | Processes being utilised. Data system in place | All areas have applied RM principles. Decisions are being made based on data produced from RM system |
| Resource Allocation | No resources allocated | Some staff time allocated. Research for budget submission started | Staff assigned to program. Funds allocated in budget | Assigned staff given goals and targets. Funds available for use. Budget included in Council's long term plan | Budgets reviewed/increased. Staff position formalised |
| Councillors Awareness | No awareness | Have received some information | Formal paper provided to Councillors | Have received presentation and training is undertaken | Councillors base decisions on data produced from RM system. Apply RM principles to all decisions |
XYZ Council Implementation Approach
Operational Template Implementation Approach
The implementation of Enterprise Risk Management in an organisation can be done on an organisation-wide basis or it can be specifically targeted. The targeted approach is called the pilot approach. It is suggested that councils use the pilot approach for initial implementation. This approach would be chosen for several reasons:
• Limited resources available for enterprise risk management introduction in this financial year’s budget
• Easier to complete one smaller program in the first instance
• Can select staff or area that is likely to embrace a small program, and this will give it a greater chance of success
• If the pilot is successful then it will be far easier to get organisation-wide acceptance
• If the benefits of a program can be “seen” then it is more likely to be embraced by other areas of the organisation
• Also enables the risk management team to develop an approach and fine tune it prior to releasing enterprise risk management on the whole organisation
Having selected the pilot approach, it is suggested that councils choose the project-based approach as the first area to be attempted, i.e. select a project council is undertaking and use this as the pilot program. A project management based initial implementation should be selected for the following reasons:
• Affords both a strategic and operational context
• Involves all levels of council
• Multi-functional involvement, i.e. finance, governance, planning, works
• Defined timeframes and parameters (i.e. the project must be completed in a certain timeframe)
• More easily measured outcomes
• Provides a means of marketing the approach and harnessing support
• Easy to evaluate – gets runs on the board
• Project management approach has a natural “fit” to risk management practices
• Allows the process to be tested prior to large scale roll-out
The pilot implementation approach would include the following steps:

| Action to be completed | Approximate time for completion |
| --- | --- |
| Undertake a needs assessment for risk management to ensure that there is a benefit for the organisation in undertaking enterprise risk management | first month |
| 1. Develop DRAFT Risk Management Charter | first month |
| 2. Presentation to management and council outlining the benefits, financial considerations, requirement for management commitment, the commitment of staff resources if it is to be successful, and highlighting the possibility that opportunities for the organisation may be identified | first month |
| Management agreement to implement pilot based approach is attained | third month |
| Establishment of the implementation team (who will be on it, who will run it etc.) | fourth – eighth month |
| Develop risk context and framework (i.e. the environment in which the organisation operates) | fourth – eighth month |
| Develop the organisation’s risk appetite. In conjunction with management and council the implementation team needs to establish what its appetite for risk is. | fourth – eighth month |
| 3. Develop tools for the implementation (procedures to be followed, forms to be used and also the communications strategy) | fourth – eighth month |
| 4. Design and conduct training for those staff that will be involved in the program | fourth – eighth month |
| 5. Risk management process for projects in use | 18 – 24 months |
| 6. Risk Management Committee established (this committee would undertake the audit role) | 16th month |
| 7. Ongoing identification of major threats and review of current priorities | ongoing |
| 8. Demonstrated integration of ERM in Council Management Plan | subsequent financial year |
| 9. Reporting of risk management process in Annual Report | November following end of financial year |
| 10. Monitor and review process implemented as integral part of Council culture | ongoing |
N.B. This timeline is based on an initial commencement date and calculated in months or years thereafter. However, the timeline would vary for each council depending upon the commencement date and commitment from the council’s senior management. With a reasonable degree of commitment it is believed that the projected steps are achievable.
XYZ Council Risk Management Policies Required
Operational Template Risk Management Policies required
Risk Management Policies requirements. The policy would need to identify:
1. Objectives and aim of policy: should list
• What the policy wants to achieve
• The extent of risks that need to be managed
• Range of risks that need to be managed
• Why we need to manage risk
2. Roles and Responsibilities for all levels of staff and councillors, e.g.
Council:
• Has ultimate responsibility for implementation and control of risk management
• Responsible to report to the community
General Manager:
• Implementation of risk management
• Reports to council, community and statutory bodies
Executive managers/Directors:
• Overall department implementation
• Reports to GM and council
• Drive processes in their department
Others with responsibilities could include the Risk Management Committee, senior managers, risk manager, operational managers, operational risk representatives and general staff.
3. Reporting Requirements:
• Who is responsible for reporting, when and how
• What the reporting requirements are
4. Auditing
• Whether internal or external
• Frequency required
• Establishment of an audit committee
5. Council’s risk appetite
• Based on consultation with stakeholders, need to decide what council’s risk appetite is
6. Internal and external context
• Establish what is the context in which the council operates both internally and externally, i.e. what are the factors influencing the council’s operations
7. Stakeholders
• Establish who are the council’s internal and external stakeholders and what their requirements are
8. Links between policy and organisation’s strategic and corporate plans
• Establish the need for links between plans and the implementation of risk management
• Link risk management program to these plans
9. Identify the support and expertise available to assist those responsible for managing risks
• Resources available
• Staff expertise available
• Training to be undertaken
10. Methodology to be used
• What is the method of implementation, e.g. pilot approach or an enterprise-wide approach
11. Risk assessment methods
• Should determine qualitative and quantitative risk assessment methods
12. Risk Assessment frequency
• Should determine frequency of risk assessment
• Will different risk levels require different assessment frequencies
• How will it be resourced
13. Ongoing risk identification
• How do we ensure that council is able to conduct ongoing risk identification after the initial process is completed
• Who will be responsible for this?
14. Long term approach to risk management
• Need to determine how to maintain the appetite for an organisation-wide risk management approach into the future
• Instil it in the culture of the organisation
15. Monitoring and Review
• Should include who is responsible for monitoring, how it should be undertaken and how it should be reported.
Appendix A - Definitions
XYZ Council Definitions
Operational Template ERM handbook Definitions
Accident: (a) Unplanned injurious or damaging event which interrupts the normal progress of an activity; (b) An undesirable or unfortunate happening; casualty; mishap; (c) Anything that happens unexpectedly, without design, or by chance. An accident may be seen as resulting from failure of hazard controls.
Action Plan: The work or tasks associated with implementing controls that reduce the likelihood of the risk and or the impact of the consequences is set‐out using an action plan. The action plan may typically show who is responsible for the control, describe the tasks to be performed and set start and finish dates. The action plan would be scheduled on a progressive basis until the implementation is complete. The action plan can continue in another form to monitor that the controls remain effective.
Business Unit: A business Unit may refer to a program, sub‐program, cost centre, area, division, branch, production unit or section located within the organisation.
Cause: The absence of a safeguard that leads to the occurrence of a risk. No or limited controls are in place. For example: lack of training can cause risks.
Clients: Clients may include:
• End users and sponsors
• Potential end users and sponsors
• Potential providers or suppliers
• Current providers/suppliers
• Technical or functional experts or advisers
• Federal, State/Territory and/or Local Government
• The organisation
• Other public sector organisations
• Employees
• Unions or staff associations
• Industry bodies
• Local communities and society as a whole
• Lobby groups
• Special user groups
Compliance: The status of risk controls to be able to meet obligations to legislation or company policy and procedures. This compliance ought to be demonstrated if the control(s) is audited and in the event of an incident where protection from the impact is necessary.
Consequence: Outcome or impact of an event. Note 1: There can be more than one consequence from one event. Note 2: Consequences can range from positive to negative. Note 3: Consequences can be expressed qualitatively or quantitatively. Note 4: Consequences are considered in relation to achievement of objectives.
Context: A generic term that in effect places a boundary around the subject matter that makes it easier to identify the risks and follow a risk management process. Contexts can be business units, functions, projects, objectives and the like. For example: The accounts payable department is the context.
Control: An existing process, policy, device, practice or other action that acts to minimise negative risk or enhance positive opportunities. Note: The word ‘control’ may also be applied to a process designed to provide reasonable assurance regarding the achievement of objectives.
Control assessment: Systematic review of processes to ensure that controls are still effective and appropriate. Note: Periodic line management review of controls is often called ‘control self assessment’.
Control Measures: These may include hierarchy of controls, risk aversion, reduction in risk likelihood, reduction of consequences (impacts) of risk, transfer of responsibility (or ownership) of risk, retention of risks.
Dynamic risk: This is associated with a changing economy. Dynamic risks are speculative where both profit and loss are possible.
Event: Occurrence of a particular set of circumstances. Note 1: The event can be certain or uncertain. Note 2: The event can be a single occurrence or a series of occurrences. For example: A storm causes a power outage. The storm is the event.
External specialist assistance: Any group or individual in the community who has the expertise to assist the organisation to deal with any event/incident which may occur.
Frequency: A measure of the number of occurrences per unit of time.
Fundamental risk: Examples include inflation, which relates to the entire economy or a large number of persons or a group/s within the community.
Hazard: A source of potential harm.
Impact: The amount of loss or gain that is sustained from the consequence of a risk.
Incident: Untoward event which may or may not cause accidental loss, depending on the particular circumstances of the event. An accident is a type of incident which results in accidental loss, but not all incidents are accidents. (Refer to the definition for accident.)
Information sources: Information sources which may be used in risk assessment may include:
• Computer modelling
• Sensitivity analysis
• Structured interviews
• Statistical data
• Questionnaires
• Fault trees
• Analysis of consequences – loss of money, time, labour, intangibles
Inherent risk: This is more commonly described as the inherent risk rating, which is a subjective measure of the threat of a risk on a profile based on its inherent likelihood and inherent consequence measures, without considering the effectiveness of controls. This produces a score that indicates the worst-case exposure range in the event that there are no controls in place, or the controls fail to take effect during a risk event. Note: Assess the likelihood and consequence of the risk occurring WITHOUT any controls in place. The inherent risk rating is thus calculated on these assumptions.
Legislation, codes and national standards: These are relevant to the workplace and may include:
• Commonwealth and State/Territory legislation
• Award and enterprise agreements and relevant industrial instruments
• Relevant legislation from all levels of government that affects business operation, especially in regard to Occupational Health and Safety and environmental issues, equal opportunity, industry relations and anti-discrimination
• Relevant national and international (industry) codes of practice
• The organisation’s policies and practices
• Government policy
• National competition policy
Likelihood: Used as a general description of probability or frequency. Note: Can be expressed qualitatively or quantitatively.
Loss: Any negative consequence or adverse effect, financial or otherwise.
Measure of success: Such measures include costs, reductions in impact and/or likelihood, and reductions in occurrence.
Monitor: To check, supervise, observe critically or measure the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.
Near Miss: An event or incident which, in other circumstances, may have resulted in an injury to a person, damage to property or some other negative impact on the organisation or the community.
Occupational Health and Safety considerations:
• Review and evaluation of previous OHS plans and programs
• Implementation of OHS systems for projects
• Use of participative arrangements for review of OHS in operational performance
• Development and review of OHS performance targets
• Framework and components of the OHS management system, its structures and performance systematic review procedures
Occurrence rate: Average number of times an event occurs per year, or other time interval. More useful than ‘probability’ if the event is not rare. Probability and occurrence rate are taken into consideration when assessing the likelihood of the risk occurring.
Organisation: Group of people and facilities with an arrangement of responsibilities, authorities and relationships. Example: Includes company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combination thereof.
Note 1: The arrangement is generally orderly. Note 2: An organisation can be public or private. Note 3: This definition is valid for the purpose of quality management system standards. The term ‘organisation’ is defined differently in ISO/IEC guide 2.
Particular risk: Particular risk generally affects individuals and not the entire community or country.
Predicted risk: This is also described as the Target Risk Rating, which is a subjective measure of the threat of a risk on a profile based on adding to or instituting new controls, to those already documented that give the Residual Likelihood and Residual Consequence measures. Additional controls are usually called for if the Residual Likelihood and or Residual Consequence are still at unacceptable levels. Note: If the Residual is still no good, better controls will need to be added and the assessment to be re‐evaluated.
Probability: A number between 0 and 1, with 0 indicating that an event/outcome will not occur and 1 indicating that the event/outcome will occur, and numbers in between indicating the proportion of times that the event will occur, under given circumstances and a given period of time.
Profile: A profile holds a collection of risks in one place. A profile that has a related context makes it more straightforward to define risks that fit within the boundary of the context. For example: The context ‘Accounts Payable’ will be in the profile ‘Finance’.
Pure risk: Pure risk is a situation where there is only the possibility of loss or not loss. There is usually no opportunity to profit from the loss. These risks include personal risks, property risks and liability risks. The law of large numbers applies.
Relevant groups and individuals:
Those personnel who have knowledge about the issue being dealt with and the expertise to assist in the decision‐making process. Those personnel are often referred to as stakeholders.
Residual risk: This is more commonly described as the Residual Risk Rating, which is a subjective measure of the threat of a risk on a profile based on its Residual Likelihood and Residual Consequence measures, giving the remaining level of risk after risk treatment measures have been taken. Residual Risk can only be claimed if the controls are in place and work to reduce the risks and or consequences to the level that is expected. Note: Assess the likelihood and consequence of the risk occurring WITH controls in place. Therefore, the Residual Risk Rating should be lower than the Inherent Risk Rating.
Risk: The chance of something happening that will have an impact on objectives. It is measured as the product of the likelihood of occurrence and the impact amount, otherwise termed as exposure in quantitative terms. Risk may have a positive or negative impact. Risks may include:
• Commercial and legal relationships
• Damage to property/equipment
• Economic circumstances and scenarios
• Environmental
• Equipment/system failures
• Financial/economic loss/failure
• Human behaviour
• Individual activities
• Industrial disputation
• Management activities and controls
• Natural disasters/events
• Occupational Health and Safety (including disease)
• Political events/circumstances
• Product failure
• Professional incompetence
• Security failure (including criminal or terrorist activities)
• Technological issues
Risk Aggregation: Using this rating method, each consequence identified for a Risk Model can be rated separately, each Preventive Control and each Corrective Control identified for a Risk Model can be rated separately and the result can be ‘aggregated’ to the Risk level.
Risk Analysis: A systematic use of available information to determine the occurrence rate of events and the magnitude of the consequence.
Risk appetite: The tolerance or attitude that an Organisation, or part of one (e.g. a project), has for risk. How conservative is an organisation towards taking on new opportunities? What is the Organisation’s attitude in regards to the potential impacts of risk?
Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation.
Risk Avoidance: A decision not to become involved in, or to withdraw from, a risk situation.
Risk categorisation: Risk is categorised within established guidelines, distinguishing between risks that have high impact/consequence/likelihood and those having low impact/consequence/likelihood.
Risk control: Part of risk management that involves the implementation of actions, policies, standards, procedures and physical changes to eliminate or minimise adverse risks. Controls can be distinguished into those that prevent the risk and those that assist in recovering from the adverse incident as quickly and effectively as possible. Note: There are two types of controls: Preventive Controls that are attached to the Risk, and Corrective Controls that are attached to the Consequence.
Risk criteria: Terms of reference by which the significance of risk is assessed. Note: Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.
Risk evaluation: Process of comparing the level of risk against risk criteria. Note 1: Risk evaluation assists in decisions about the risk treatment.
Note 2: See ISO/IEC guide 51 for risk evaluation in the context of safety.
Risk Identification: The process of determining what, where, when, why and how something could happen.
Risk management: Developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Risk management framework: Set of elements of an organisation’s management system concerned with managing risk. Note 1: Management system elements can include strategic planning, decision making, and other strategies, processes and practices for dealing with risk. Note 2: The culture of an organisation is reflected in its risk management system.
Risk management plan: A deliverable which describes how the risk management process will be structured and performed during a project or for a business initiative. It may include sections on the following topics:
• Methodology: defines the approaches, tools and data sources that may be used to perform risk management. Different types of assessments may be appropriate depending on business requirements and flexibility remaining in risk management.
• Roles and responsibilities: defines the lead, support and risk management team membership for each type of action in the risk management plan. Independent risk management teams may be able to perform a more unbiased risk analysis than the resources assigned to the area under consideration.
• Budgeting: establish a budget for risk management dependent on its scope of application
• Scoring and interpretation: the scoring and interpretation methods appropriate for the type and timing of the quantitative risk analysis being performed. Methods and scoring must be determined in advance to ensure consistency.
• Thresholds (risk appetite): the threshold criteria for risks that will be acted upon, by whom and in what manner. The owner, customer or sponsor may have a different risk appetite. The acceptable level of risk (threshold) forms the target against which the effectiveness of the risk action will be measured.
• Reporting formats: describes the content and format of the risk action plan. Defines how the result of the risk management processes will be documented, analysed and communicated to the key resources (e.g. project team), internal and external stakeholders, sponsors and others.
• Monitoring: documents how all facets of risk activities will be recorded for the benefit of the current initiative/project, future needs, and lessons learnt. Documents if and how risk processes will be audited.
Page 36
![Page 37: ENTERPRISE RISK MANAGEMENT handbook coverpage · The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk](https://reader033.fdocuments.us/reader033/viewer/2022042110/5e8a9465700dc019c34043c4/html5/thumbnails/37.jpg)
XYZ Council Definitions
Council Reference: Date: Apr 09 TBA Page 7 of 8
Responsible Council Section: HR –Risk Management Version: 1 Review: Apr 10
Operational Template ERM handbook Definitions
Risk management process:
The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk priorities: Risk priorities include assigning a value to each identified risk using available tools and an assessment of consequences and likelihoods.
Risk rating: Subjective measures of exposure, derived by assessing estimates of likelihood and consequences. Note: Relates to both Inherent Risk and Residual Risk.
Risk reduction: Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.
Risk register: A register of all identified risks and documentation of the strategies/plans in place to deal with any event/incident which might occur.
Risk retention: Acceptance of the burden of loss, or benefit of gain, from a particular risk. Note 1: Risk retention includes the acceptance of risks that have not been identified. Note 2: The level of risk retained may depend on risk criteria.
Risk sharing: Sharing with another party the burden of loss, or benefit of gain from a particular risk. Note 1: Legal or statutory requirements can limit, prohibit or mandate the sharing of some risks. Note 2: Risk sharing can be carried out through insurance or other agreements. Note 3: Risk sharing can create new risks or modify an existing risk.
Risk transfer: Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Note: Your company had a risk it couldn’t control or that was better controlled by another entity.
Risk treatment: Selection and implementation of appropriate options for dealing with risk. The most commonly used terms for these are avoid, reduce, transfer, accept and retain. They become tools for management to understand the spread of treatment options across the various controls of risks and consequences. Note: Part of your Risk Management Plan. Some risks are treated differently depending on tolerability and manageability.
Risk‐cost per annum: Expected number of events per year x $ cost per event. Note: A simple calculation taking into consideration the number of times the risk will occur in a year multiplied by the cost each time the risk occurs.
Samples testing: The act of checking the adequacy or otherwise of the controls to prevent the risk from occurring, or the efficacy of the control(s) to assist in the recovery from an adverse incident. The testing of samples would follow some criteria, such as targeting higher risk exposure and selecting the key controls that are being relied upon. The test results may assist to form a view as to the actual level of control effectiveness and may be distinct from self assessments of the appropriateness of controls by the control owner. Note: Controls that are in place need to be tested regularly to see if they are still effective or not. Therefore, you carry out tests of each control and reassess accordingly.
Source: Sources of risk may be factors such as new technology, the size or complexity of the project, the experience of the personnel involved etc.
Speculative risk: Speculative risk is a situation where either a profit or loss is possible. It includes commercial and financial risks such as new product development, interest rate risk, foreign exchange risk, investment in share market, etc. Superannuation risk also includes gambling.
Stakeholders: Stakeholders may include all those individuals and groups both inside and outside the organisation which have some direct interest in the organisation's behaviour, actions, products and services. They may include:
• Employees at all levels of the Organisation
• Other public sector Organisations
• Union and association representatives
• Boards of management
• Government Ministers
Static risk: Static risks occur because of irregular actions by nature or individuals. Most static risks are pure risks.
Tools: Tools include:
• Documentation to assist in the process of identifying risk and assessing impact and likelihood of occurrence
• Standard instruments developed for the Organisation and contextualised for sections of the workplace’s operations, such as checklists and testing procedures
• Tools to prioritise risk, including where relevant, numerical scoring systems for risks
Section Two – Handbook
Enterprise Risk Management Handbook Instructions
Council Reference: Date: Apr 09 TBA Page 1 of 2 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template Instructions for Use handbook
Instructions for Use
1. Introduction
Welcome to the CENTROC Enterprise Risk Management Handbook Template Edition. The purpose of this Handbook is to provide member councils with a defined starting point and a series of template tools to assist in the transition into an enterprise risk management system. This handbook is designed to be used as part of an overall process and should not be used without employing the system completely.
2. Contents of the Handbook
This handbook is broken into two major sections: administrative and operational documents. The administrative documents are designed as enablers for the operational documents and include:
• The Enterprise Risk Management Charter (Page 45)
• The Enterprise Risk Management Plan (Pages 46-51), and
• The Risk Management Process (Pages 52-61)
The operational documents include:
• Risk Register and Action Plan (Pages 84-85)
• The Risk Model (Page 75), and
• Inherent to residual to target risk ratings (Pages 77-78)
3. Preliminaries before use
It is expected that users of this Handbook would have completed the following steps within their individual organisations before attempting to adapt and employ this document:
• Identify objectives
• Decide on method of adoption
• Establish a risk framework and a risk category framework
• Decide on the risk appetite
• Prepare risk tables
• Prepare a training and communication plan, and
• Adopt an implementation plan.
4. General Remarks
It is expected that each Council will take ownership and improve on this handbook. The handbook once adopted should be reviewed on a regular basis to reflect changes in legislation and work practices. This handbook has been designed in such a manner to allow for an “all of organisation” approach to risk management. End users are reminded that this document is provided for guidance only and, as such, must be adapted for use for each organisation individually.
5. Conclusion
Even though all care was taken with this document, it is not to be considered exhaustive and, as such, may need to be updated or may contain inaccuracies. If any faults in the document are found, please contact the secretary of the Risk and OHS Group to allow for the updates to be distributed across the CENTROC Group. Any questions about the application of ownership of this program should be directed to the secretary of the Group.
Division 1 - General
XYZ Risk Management Charter
Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR - Risk Management Version: 1 Review: Apr 10
Operational Template Risk Management Charter
The General Manager and Executive are committed to and will ensure an enterprise-wide risk management approach, so that XYZ Council will endeavour to manage risks, both operational and strategic, within the local government environment as dictated by available resources, through the implementation and maintenance of a strategic risk management program at all levels of Council. XYZ Council will introduce an Enterprise Risk Management Program to allow:
• Council to meet ever increasing requirements for good corporate governance
• The maintenance of public and employee confidence
• The delivery of Council and community goals
• The creation of a culture of cohesiveness within Council
• For the provision of sustainable community services
• For the provision of positive outcomes for Council and the community
• An appropriate level of risk awareness within XYZ Council
XYZ Council will endeavour to achieve these aims by:
• An organisation-wide commitment to risk management discipline
• Encouraging a risk aware culture within Council and the community
• Adopting AS/NZS 4360 “Risk Management”
• Empowering employees at all levels to take part in the risk assessment process
• Establishing and supporting a Risk Management Committee.
By adopting these measures XYZ Council will achieve the following outcomes:
• Limit Council’s Risk Profile
• Achieve gains in efficiency at an operational and strategic level
• Transparency and accountability within Council
• A level of protection to Council by providing an auditable “paper trail”
• A cultural shift within Council and the community
• Foster best practice within the Local Government environment
General Manager, May 2009
Mayor, May 2009
XYZ Council Risk Management Plan
Council Reference: Date: Apr 09 TBA Page 1 of 6 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template Risk Management Plan
Risk Management Plan
Introduction
XYZ Council is committed to the implementation of Enterprise Risk Management (ERM). ERM is defined as “an organisation-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”1. Council recognises that risks are an integral and unavoidable part of normal everyday life. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated. The requirement to adopt a broad-brush risk management approach is likely to be mandated by the Department of Local Government in the near future. Council is adopting a proactive approach in committing resources and energy to implementing Enterprise Risk Management.
The ultimate objective of this Risk Management Plan is to embed the principles of risk management in all aspects of Council’s operations. It is recognised this is a long-term goal, and will require a phased implementation to ensure that risk management is effective and sustained across all of Council’s operations. Enterprise Risk Management will require Council to consider the objectives of its internal and external stakeholders, and those factors that may impact on each stakeholder’s ability to achieve their own objectives, as they relate to XYZ Council. This Risk Management Plan provides the suite of tools to be used in applying risk management to XYZ Council.
Pilot approach
In the first stage of the process, Council adopted a “pilot” approach by applying risk management tools to a project. The benefits of adopting such an approach are outlined in the document “Implementation Approach” and include:
• Harnessing the support and commitment from middle management, first line management and staff to the program
• Trialling the program on a small scale prior to large scale roll-out
• Auditing the success of the program
• Making any necessary adjustments or additions to the program
• Profiling the success of the program to the organisation
• Testing the theories, assumptions and calculations made in the program
• Reviewing and providing feedback to stakeholders
• Allowing for cost considerations to be determined and planned for
• Encouraging multifunctional involvement across a range of areas and levels
In implementing the pilot approach, there are a number of functions that may have involvement, including:
• Policy development
• Business/Strategic planning
• Asset Management
• Audit
• Business Continuity Management
• Environmental Management
• Human Resources
• Finance
• Project Management
Risk Management – What is it?
Risk Management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences if the risk does occur. Risk Management also involves the identification of potential positive events and their management to increase their likelihood and/or benefits2. Risk can also be described as:
• Any threat that can potentially prevent Council from meeting its objectives
• Any opportunity that is not being maximised by Council to meet its objectives3
It should be noted that risk management is to be applied at all levels of Council operations. Everyone has a responsibility in managing risks. Council has developed a detailed implementation framework, which provides a step-by-step outline for implementing ERM. There is a strong emphasis on training, education and communication, to ensure the skills of Councillors, managers and staff will be developed and maintained. The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk champions is to:
• Assist in the use of the risk management tools
• Provide support and advice to staff in relation to risk management
1 Enterprise Risk Management Handbook, Prudentia 2007
2 Enterprise Risk Management Handbook, Prudentia 2007, pg 102
3 City of Charles Sturt, Risk Management Framework 2005, pg 2
• Ensure risk management responsibilities are being met in their respective work areas
• Report to the risk management committee
• Assist in the development of a risk aware culture
Risk Management Charter
Council has developed a Risk Management Charter (Page 45). The Charter states that Council, in line with best practice, will endeavour to control risks, both operational and strategic, within the local government environment as dictated by available resources, through the implementation and maintenance of a strategic Risk Management Program at all levels of Council. The implementation framework sets out the actions to be taken to achieve the goals of the Risk Management Charter, and assigns responsibility for these goals.
Organisation’s Strategic Goals and Objectives
The Local Government Act 19934 sets out Council’s Strategic Goals and Objectives as:
a. to provide directly or on behalf of other levels of government, after due consultation, adequate, equitable and appropriate services and facilities for the community and to ensure that those services and facilities are managed efficiently and effectively
b. to exercise community leadership
c. to exercise its functions in a manner that is consistent with and actively promotes the principles of multiculturalism
d. to promote and to provide and plan for the needs of children
e. to properly manage, develop, protect, restore, enhance and conserve the environment of the area for which it is responsible, in a manner that is consistent with and promotes the principles of ecologically sustainable development
f. to have regard to the long term and cumulative effects of its decisions
g. to bear in mind that it is the custodian and trustee of public assets and to effectively account for and manage the assets for which it is responsible
h. to facilitate the involvement of councillors, members of the public, users of facilities and services and council staff in the development, improvement and co-ordination of local government
4 Local Government Act 1993, Section 8 (1)
i. to raise funds for local purposes by the fair imposition of rates, charges and fees, by income earned from investments and, when appropriate, by borrowings and grants
j. to keep the local community and the State government (and through it, the wider community) informed about its activities
k. to ensure that, in the exercise of its regulatory functions, it acts consistently and without bias, particularly where an activity of the council is affected
l. to be a responsible employer
These goals and objectives are at the macro level of Council operations, and incorporate Council’s Mission and Vision Statements. Council’s annual Management and Operational Plans provide the micro level goals and objectives. Identifying these macro and micro level goals assists in identifying risks that may impact on the achievement of these goals.
Enterprise Risk Management Framework
Council has developed a framework for Enterprise Risk Management (Refer Page 15). This Framework shows how risk management will be integrated across the organisation, and identifies the methodologies, tools and processes to be used to support this integrated approach.
Risk Management Process
The process for managing Council’s risks is consistent with the Australian Risk Management Standard AS/NZS 4360:2004. To support these processes, a range of templates have been established, including:
• Risk Model (Pages 75-76)
• Risk Cause Analysis (Pages 73-74)
• Residual Rating Worksheet (Pages 77-78)
• Risk Exposure Map (Pages 68-69)
Communication
Communication is required from all levels of the organisation. It should inform all about outcomes and progress and will be a vehicle to help manage change. Methods of communication will include:
• Media (if required)
• Staff meetings
• Focus meetings
• Newsletters and flyers
• Workshops
Risk Management Policies
Council will need to develop an overarching Risk Management Policy (the requirements have been outlined in the document titled Risk Management Policies requirements). However, as part of the implementation and integration of Enterprise Risk Management (ERM) throughout the organisation, many existing policies will need to be reviewed and updated to reflect ERM principles and procedures, thus creating a synergy throughout the organisation.
Roles and Responsibilities
All levels of Council have a responsibility and a role to play in ERM. It is essential that the program be supported by the Executive. A strong, visible commitment to the process will set the standard across the organisation, and encourage support from all levels.
Development of a Risk Aware Culture
The pilot approach is the first step in developing a risk aware culture, as those involved in the selected project will learn about ERM practices and actually implement what they have learned. It should be noted that the implementation of Enterprise Risk Management is a journey, involving organisational change on a broad scale, so that risk management becomes as ingrained in Council’s operations as occupational health and safety has become. Incremental change is likely to provide positive results, as small changes are reinforced and become “the norm”. The staged approach utilising Council projects allows these small changes to occur. The next phase should see ERM implemented in a particular program area, such as governance, human resources, finance, etc.
Training strategy
The following elements are integral parts of a training strategy for risk management:
• Should be well planned and fit the needs of the organisation
• Should be tailored to different levels within the organisation
• Should ensure communications tools are used at all stages of implementation
• Should be included in staff induction programs
Budgeting
Council will allow for funds to be allocated for those controls that address the Very High and High level risks. This will be reviewed annually as part of Council’s Management Plan process. Risk treatment will depend on funds available within the Council budget. In considering allocations to preventive and corrective controls, Council staff will identify the indicative costs of the consequences if a particular risk event occurs.
Reporting
Council’s Risk Manager will be charged with developing and maintaining Council’s Risk System, including those documents supporting the system. Results of the program will be reported to Council annually, and to any external stakeholders as required. The Risk Action Plan will be updated monthly, and reviewed by the Risk Committee quarterly.
Monitor and Review
The Enterprise Risk Management Plan will be reviewed by the Risk Manager on a regular basis (timeframe to be decided by the organisation). The Action Plan will be updated monthly, and reported to the Risk Committee at least quarterly. Council will engage the services of its internal auditor to audit the risk processes and documents included in this Plan.
XYZ Council Risk Management Process
Council Reference: Date: Apr 09 TBA Page 1 of 10 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template Risk Management Process
[Figure: Risk Management Process flowchart, after AS/NZS 4360:2004. The main steps run top to bottom, with “Communicate and Consult” and “Monitor and Review” shown as side bars alongside every step.]
• Establish the Context: the internal context; the external context; the risk management context; develop criteria; define the risk management structure
• Identify Risk: establish objectives; identify risks and causes (what can happen, where, when, how, why?)
• Analyse Risk: identify existing controls; determine consequences; determine likelihood; determine level of risk (inherent and residual)
• Evaluate Risk: compare against criteria; set priorities; treat risk
• Treat Risks: identify options; assess options; develop action plan; prepare and implement treatment plans
• Monitor and Review (alongside all steps)
• Communicate and Consult (alongside all steps)
Risk Management (RM) Process The process for managing XYZ Council’s risks is consistent with the Australian Risk Management Standards AS/NZS 4360:2004. It involves five key steps and additional steps to ensure feedback and validation through a monitoring and review process and appropriate communication and consultation.
Step 1 Communicate and Consult
Communication and consultation are important elements in each step of the risk management process. Ongoing risk management stakeholder engagement is crucial for success in identification and management of risk. Effective communication will ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which risk management decisions are made and why particular actions are required. It is important that the communication approach recognises the need to promote risk management concepts across all management and staff.
Step 2 Establish the Context
Establishing the context defines the basic parameters within which risks must be considered and managed and sets the scope for the rest of the risk management process. The context includes the Council’s external and internal environment. Reference should be made to the Risk Management Structure (see Division 2 – Tools).
External Context
Establishing the External Context is not only about considering the external environment, but also includes the relationship or interface between the Council and its external environment. This may include:
• Business, social, regulatory, cultural, competitive, financial and political environment
• Industry trends and practices
• Council’s strengths, weaknesses, opportunities and threats
• External stakeholders
Establishing the external context is important to ensure that all relevant stakeholders and their objectives are considered when developing risk management criteria, and that externally generated threats and opportunities are properly taken into account.
Internal Context
An understanding of Council is important prior to undertaking the risk management process, regardless of the level. Areas to consider include:
• Culture
• Strategic drivers
• Internal stakeholders
• Structure
• Capabilities in terms of resources such as people, systems, processes, capital
• Goals and objectives and the strategies that are in place to achieve them
Risk Management Context
The level of detail that will be entered into during the risk management process must be considered prior to commencement. The extent and scope of the risk management process will depend on the goals and objectives of the Council activity as well as the budget that has been allocated. In each instance, consideration must also be given to the roles and responsibilities for implementing and undertaking the risk management process.
Documentation
Step 1: Communicate and Consult should be documented to demonstrate that all factors have been considered. Documentation may include:
• Scope and intended outcomes of the risk management process
• Success measures
• Important elements of the internal and external environment
• Relevant Stakeholders
Step 3 Identify Risks
The next step in the risk management process is to identify the risks to be managed. Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. Identification should include risks whether or not they are under the control of the Council. A number of questions should be asked when attempting to identify risks. These include:
• What can happen?
• Where could it happen?
• When could it happen?
• Why would it happen?
• How can it happen?
It is important to consider relevant objectives when answering these questions.
Risk Identification Methods
There are a number of different methods to identify risk, some of which may include:
• Brainstorming sessions with all stakeholders
• Checklists developed for similar events/projects/activities
• An examination of previous events/projects/activities of this type
Changes in the external and internal environments of local governments may present risks. Monitoring of such changes can facilitate the early identification of unforeseen risks.
AS/NZS 4360:2004 FOR FURTHER REFERENCE
Documentation of Risks
Where there are a number of risks identified within an activity, all identified risks should be documented in the Risk Register.

Step 4: Analyse Risks
Once all risks have been identified, the next step of the risk management process is to analyse the risks. This step involves considering the controls already in place that reduce the level of risk. These controls should be identified and documented in the Action Plan. Controls may include inspection regimes, Standard Operating Procedures (SOPs), other documentation of work practices, defining responsibilities and accountabilities, and monitoring and reviewing processes.

Notes on Analysing Risks
• Risk Scenario 1 – No controls in place. The risk does not have any controls in place yet and therefore you should determine the Inherent Risk Rating. This is achieved by referring to the ‘Risk Rating Table’ and mapping the Inherent Likelihood of the risk occurring against the Inherent Consequence of the risk if it did occur. The ‘Risk Rating Table’ will determine the level of ‘Inherent Risk’. Refer to ‘Step 5 – Evaluate Risk’ to determine what actions, if any, are necessary according to the ‘Risk Criteria Table’ or according to management requirements.
• Risk Scenario 2 – Controls are already in place. The risk already has one or more controls in place. First determine the Inherent Rating as if no controls are in place. Once that has been done, consider the effectiveness of the controls that are already in place and re-rate the risk by once again referring to the ‘Risk Rating Table’, but this time mapping the ‘Residual Likelihood’ against the ‘Residual Consequence’. The ‘Risk Rating Table’ will determine the level of ‘Residual Risk’. Refer to ‘Step 5 – Evaluate Risk’ to determine what actions, if any, are necessary according to the ‘Risk Criteria Table’ or according to management requirements in order to manage the risk rating level further.

Analysing the consequences of the risk and the likelihood that those consequences may occur:
Consequence
When scoring the consequence associated with a risk, consideration needs to be given, at least, to its impact in terms of:
o Socio-political and community issues
o Business Impact (including Financial/Legal)
o Customers
o Reputation
o Public safety
o Environment/Compliance
The impact scale is rated from “negligible” to “severe” as indicated in the Consequence Table. In determining the overall consequence score for each risk, the highest individual score should be applied. The Consequence Table provides specific examples of the types of incidents and their associated impact scale, to assist staff in determining the Consequence rating that applies to the identified risk.

Consequence Table (Refer Table (b) – Division 2 - Tools Risk Management Tables)

| Value | Description | Rank | Financial/Legal | Customers | Reputation | Safety | Environment/Compliance |
|---|---|---|---|---|---|---|---|
| Severe | Has major impact on Council's ability to provide services; may threaten a project or opportunity | 5 | > $10m | Loss of service for over 3 days | Severe loss of confidence; international and national focus | 1 or more deaths, serious disability | Severe breach of legislation; fine; major public reaction |
| Major | Threatens strategic objectives in the medium term | 4 | > $1m | Loss of services for 2-3 days | Significant community dissatisfaction; State coverage | Serious injury (major surgery, > 2 months admission) | Major breach of regulation; fine; complaints |
| Moderate | Threatens strategic objectives in the short term | 3 | $500k to $1M | Loss of service for 1-2 days | Expressed community dissatisfaction; local coverage | Significant injury, 1-2 months absence | Moderate breach of legislation; no fine, written reprimand from State authority; complaints |
| Minor | The impact is seen as a minor threat to strategic objectives | 2 | $10k to $499k | Loss of service for 12-24 hours | May cause minor public concern | Minor injury | Minor breach of legislation; verbal reprimand from State Authority; complaints |
| Negligible | Seen as negligible threat to strategic objectives | 1 | $0-$10k | Loss of service for 0-12 hours | No public concern | No absence | Negligible breach of legislation; no complaints |
Likelihood
For Council, likelihood is rated from rare to almost certain as indicated in the table below. Assessing the Likelihood of the risk occurring includes consideration of the ‘frequency’, i.e. how often the risk is likely to occur over a given time period (hour, week, month, year, 5 years etc.):

Likelihood Table (Refer Table (a) – Division 2 - Tools Risk Management Tables)

| Value | Description |
|---|---|
| Almost Certain | Expected to occur in most circumstances or occurs regularly |
| Likely | Will probably occur |
| Possible | May occur at some time |
| Unlikely | Could occur some time |
| Rare | Only occurs in exceptional circumstances |
Inherent Risk Rating
The initial risk rating (assuming no controls in place) for each risk is calculated by plotting the inherent likelihood and inherent consequence scores on the Risk Rating Table (refer below) to give an Inherent Risk Rating of “very high”, “high”, “medium” or “low”. This rating provides a measure of the inherent level of risk and will assist in identifying the risks that require further treatment in Step 6: Treat Risks.

Inherent and Residual Risk Rating Table (Refer Table (c) – Division 2 - Tools Risk Management Tables)

Risk Rating Table (Matrix)
| Likelihood \ Consequence | Negligible | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Almost Certain | L | M | H | VH | VH |
| Likely | L | M | H | VH | VH |
| Possible | L | L | M | VH | VH |
| Unlikely | L | L | M | H | H |
| Rare | L | L | M | H | H |
Residual Risk Rating
Any existing controls, or any additional controls already implemented, should then be assessed for their effectiveness in managing their particular risk. This is achieved by referring to the Effectiveness of Controls Table (e) as well as the Residual Likelihood Table (f) and the Residual Consequence Table (g). This will establish the residual likelihood or the residual consequence of the risk. The residual risk rating can then be determined by referring to the Inherent and Residual Risk Rating Table (c) once again and plotting the residual likelihood and residual consequence scores on the Risk Rating Table.
If controls are under development or being planned but not yet in place, their effectiveness should not be considered in evaluating the Residual Likelihood or Residual Consequence levels. Only consider control effectiveness if the controls are in place and functional.

Effectiveness of Controls Description Table (Refer Table (e) – Division 2 - Tools Risk Management Tables)

| Control Effectiveness | Description | Reduction Value |
|---|---|---|
| Damaging | The controls in place actually increase the risk, not reduce it | -10% |
| None | No controls are in place | 0% |
| Deficient | The controls that have been applied are not adequate for the job | 10% |
| Marginal | The controls that have been put in place go part of the way to reduce the risk or impact | 30% |
| Qualified | The controls that have been put in place go a reasonable way to reducing the risk or impact | 50% |
| Effective | The controls that have been applied go a reasonable way to reduce the risk or impact | 70% |
| Excessive | The controls that have been applied are more than necessary to reduce the risk or impact. There may be some over-controls | 90% |
Residual Likelihood Table (Refer Table (f) – Division 2 - Tools Risk Management Tables)

Rows give the effectiveness of preventative controls, columns the inherent likelihood rating, and each cell the resulting residual likelihood rating.

| Effectiveness of Preventative Controls | Almost Certain | Likely | Possible | Unlikely | Rare |
|---|---|---|---|---|---|
| Damaging | Almost Certain | Likely | Possible | Unlikely | Rare |
| None | Almost Certain | Likely | Possible | Unlikely | Rare |
| Deficient | Almost Certain | Likely | Possible | Unlikely | Rare |
| Marginal | Likely | Possible | Unlikely | Unlikely | Rare |
| Qualified | Possible | Unlikely | Unlikely | Rare | Rare |
| Effective | Unlikely | Unlikely | Rare | Rare | Rare |
| Excessive | Rare | Rare | Rare | Rare | Rare |
Residual Consequence Table (Refer Table (g) – Division 2 - Tools Risk Management Tables)

Rows give the effectiveness of corrective controls, columns the inherent consequence rating, and each cell the resulting residual consequence rating.

| Effectiveness of Corrective Controls | Negligible | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Damaging | Negligible | Minor | Moderate | Major | Severe |
| None | Negligible | Minor | Moderate | Major | Severe |
| Deficient | Negligible | Minor | Moderate | Major | Severe |
| Marginal | Negligible | Minor | Moderate | Major | Severe |
| Qualified | Negligible | Negligible | Minor | Moderate | Major |
| Effective | Negligible | Negligible | Minor | Moderate | Major |
| Excessive | Negligible | Negligible | Minor | Moderate | Major |

Step 5: Evaluate Risks
The next step in the risk management process is to evaluate whether to accept or manage the rated risks further. The process is carried out by comparing the determined risk ratings against pre-defined risk criteria, which will establish whether any further risk treatment is required. A model of criteria based on a generic Centroc Council "Risk Appetite" has been developed below in the Risk Criteria Table (d). By referring to this Table one can determine what actions are required for both inherent risks (where no controls are in place) and residual risks (where controls are already in place).

Risk Criteria Table (Refer Table (d) – Division 2 - Tools Risk Management Tables)
Risk Rating Matrix Legend

Very High (VH)
Requires the immediate attention of key officers:
• Where a possible fatality may occur
• Major environmental event may occur
• Major loss of plant may occur
• Major financial loss may occur
• Where a major amount of damage to reputation may occur
Detailed consultation, research, risk identification and reduction options to be investigated, with a detailed action plan designed.

High (H)
Significant risks require the timely and appropriate attention of relevant key officers so that effective controls may be put in place. The manager responsible for the identified risk would need to monitor the implementation.

Medium (M)
Responsibility would fall with the relevant key officer and specific monitoring of response procedures would occur through the relevant manager or Risk Coordinator.

Low (L)
Manage by routine procedures such as SWMS and SOPs. Allocation of additional resources may not be needed. May be managed on an ad hoc basis through risk assessment or tool box talk.
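The rating steps above are deterministic lookups: Table (c) for the inherent and residual ratings, Table (f) for residual likelihood from preventative-control effectiveness, Table (g) for residual consequence from corrective-control effectiveness, and Table (d) for the required action. The Python below is an added example, not part of the handbook or of any Council's own tooling; the function names, the Control class with its in_place flag, the condensed action strings and the sample risk R1 values are assumptions of this example. It also applies the rule that a control still under development counts as "None" until it is in place and functional.

```python
"""Risk rating calculator encoding the handbook's rating tables.

Added example (not from the handbook). Table letters refer to the
Division 2 Risk Management Tables: (c) risk matrix, (d) criteria,
(f) residual likelihood, (g) residual consequence.
"""
from dataclasses import dataclass

LIKELIHOOD = ("Almost Certain", "Likely", "Possible", "Unlikely", "Rare")
CONSEQUENCE = ("Negligible", "Minor", "Moderate", "Major", "Severe")
EFFECTIVENESS = ("Damaging", "None", "Deficient", "Marginal",
                 "Qualified", "Effective", "Excessive")

# Table (c): rows are likelihood, columns follow CONSEQUENCE order.
RISK_MATRIX = {
    "Almost Certain": ("L", "M", "H", "VH", "VH"),
    "Likely":         ("L", "M", "H", "VH", "VH"),
    "Possible":       ("L", "L", "M", "VH", "VH"),
    "Unlikely":       ("L", "L", "M", "H", "H"),
    "Rare":           ("L", "L", "M", "H", "H"),
}

# Table (f): preventative-control effectiveness -> residual likelihood.
# Columns follow LIKELIHOOD order (the inherent likelihood).
RESIDUAL_LIKELIHOOD = {
    "Damaging":  LIKELIHOOD,
    "None":      LIKELIHOOD,
    "Deficient": LIKELIHOOD,
    "Marginal":  ("Likely", "Possible", "Unlikely", "Unlikely", "Rare"),
    "Qualified": ("Possible", "Unlikely", "Unlikely", "Rare", "Rare"),
    "Effective": ("Unlikely", "Unlikely", "Rare", "Rare", "Rare"),
    "Excessive": ("Rare", "Rare", "Rare", "Rare", "Rare"),
}

# Table (g): corrective-control effectiveness -> residual consequence.
# Columns follow CONSEQUENCE order (the inherent consequence).
_ONE_STEP_DOWN = ("Negligible", "Negligible", "Minor", "Moderate", "Major")
RESIDUAL_CONSEQUENCE = {
    "Damaging":  CONSEQUENCE,
    "None":      CONSEQUENCE,
    "Deficient": CONSEQUENCE,
    "Marginal":  CONSEQUENCE,
    "Qualified": _ONE_STEP_DOWN,
    "Effective": _ONE_STEP_DOWN,
    "Excessive": _ONE_STEP_DOWN,
}

# Table (d), condensed into one line per rating (example wording).
CRITERIA = {
    "VH": "Immediate attention of key officers; detailed action plan required",
    "H": "Timely attention of key officers; responsible manager monitors implementation",
    "M": "Relevant key officer responsible; monitored via manager or Risk Coordinator",
    "L": "Manage by routine procedures (SWMS, SOPs)",
}


def rate(likelihood: str, consequence: str) -> str:
    """Look up Table (c) for one likelihood/consequence pair."""
    if likelihood not in RISK_MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown rating inputs: {likelihood!r}/{consequence!r}")
    return RISK_MATRIX[likelihood][CONSEQUENCE.index(consequence)]


@dataclass
class Control:
    """A register control (hypothetical structure). Only controls that are in
    place and functional count; planned ones are rated as if absent."""
    effectiveness: str
    in_place: bool = True

    def counted_effectiveness(self) -> str:
        if self.effectiveness not in EFFECTIVENESS:
            raise ValueError(f"unknown effectiveness: {self.effectiveness!r}")
        return self.effectiveness if self.in_place else "None"


def residual_likelihood(inherent: str, preventative: Control) -> str:
    """Table (f): preventative controls reduce likelihood."""
    row = RESIDUAL_LIKELIHOOD[preventative.counted_effectiveness()]
    return row[LIKELIHOOD.index(inherent)]


def residual_consequence(inherent: str, corrective: Control) -> str:
    """Table (g): corrective controls reduce consequence."""
    row = RESIDUAL_CONSEQUENCE[corrective.counted_effectiveness()]
    return row[CONSEQUENCE.index(inherent)]


def assess(likelihood: str, consequence: str,
           preventative: Control, corrective: Control) -> dict:
    """Steps 4 and 5 in one pass: inherent rating, residual rating, action."""
    res_l = residual_likelihood(likelihood, preventative)
    res_c = residual_consequence(consequence, corrective)
    residual = rate(res_l, res_c)
    return {
        "inherent": rate(likelihood, consequence),
        "residual_likelihood": res_l,
        "residual_consequence": res_c,
        "residual": residual,
        "action": CRITERIA[residual],
    }


if __name__ == "__main__":
    # Constructed sample mirroring the exposure-map example R1: Almost
    # Certain / Major before controls, Effective controls of both kinds.
    r1 = assess("Almost Certain", "Major", Control("Effective"), Control("Effective"))
    print(r1)  # inherent VH, residual M
```

Running the file assesses R1 the way the exposure map example does: Almost Certain/Major rates VH before controls and, with Effective preventative and corrective controls, becomes Unlikely/Moderate, which rates M. Because a control flagged as not in place is rated as "None", a register scored this way cannot show a reduced residual rating on the strength of a control that is still being planned.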
Risks with an inherent/residual rating of very high or high will, in most cases, require treatment plans. Moderate and low risks may be excluded from the implementation of controls at management’s discretion. However, the rationale for not implementing controls for these risks, as well as the monitoring and review regimes required, should be documented to demonstrate the completeness of the evaluation undertaken.

Step 6: Treat Risks
The next step of the risk management process involves, where required, identifying a range of options for treating risks, evaluating the options and developing additional controls for implementation. Selecting the most appropriate option involves balancing the costs of implementing each option against the benefits derived from it. It is important to consider all direct and indirect costs and benefits, whether tangible or intangible. The objective is not to eliminate all risk but rather to ensure that the risk is maintained at a level tolerable to Council’s risk appetite, and in a cost-effective manner. It should also be recognised that the risk treatment itself may introduce new risks that need to be identified, assessed, treated and monitored.

The primary means of demonstrating the treatment of risk is via the Risk Action Plan. In the Centroc Model of the program this Action Plan has been amalgamated to form a part of the Risk Register. This document should clearly indicate the Action/Treatment being adopted and the person responsible. Where possible, time frames as well as cost budgets should be included in the Action Plan.

Step 7: Monitor and Review
It is important to understand that the risk management process is a continual one. It is essential to incorporate ongoing monitoring and review policies/procedures into all Council activities in order to capture any new risks arising from changing business circumstances, and to review any risk management implementations.

Any risks rated as very high or high should be monitored on a regular basis to ensure that the rating assigned, controls identified, and treatment plans established remain valid. These risks, as well as risks rated as less than high, should have their monitoring and review regimes documented. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes. Any ‘near-miss’ incidents that occur should immediately trigger a review of the existing risk profile and any action plans in progress. Usually the principal responsibility for risk monitoring and review is given to management in the particular business area.
Step 8: Record the Risk Management Process
Each stage of the risk management process should be recorded appropriately. Assumptions, methods, data sources, analyses, results and reasons for decisions should all be recorded. Any ‘near-miss’ incidents should be documented too. The records of such processes are an important aspect of good corporate governance. Decisions concerning the making and capture of records should take into account:
o The legal and business needs for records;
o The cost of creating and maintaining records; and
o The benefits of re-using information.
(Refer AS ISO 15489)

Example Documents (Division Three)
o Method for Analysing the Cause of Risk
o Risk Model
o Inherent to Residual to Target Risk Rating
o Stakeholders Objectives, Risk Categories, Risks and Causes
o Risk Management Context
o Council Action Plan and Risk Register
XYZ Council Roles and Responsibilities
Operational Template Implementation Approach
The roles and responsibilities relating to Council’s Enterprise Risk Management (ERM) are detailed below:

| Role | Responsibilities |
|---|---|
| Council | Approve program, allocate funding, ultimate responsibility, report to community. Liaise with General Manager |
| General Manager | Oversee program, maintain leadership, implementation, effectiveness of program, report to Council and statutory bodies |
| Directors / Executive Managers | Identify risk and best practice, overall department implementation, report to General Manager, drive processes, provide leadership and direction |
| Risk Management Committee | Oversee the implementation of the risk management process, decide direction in consultation with General Manager, monitor and review |
| Risk Manager | Monitor actions, implement systems, ensure compliance as required, provide leadership and direction |
| Department Risk Representative | Risk mentor, resource person, support role, assist committee or Risk Manager. Liaise with staff and supervisors |
| Senior Managers | Implement in own area, ensure training and resources available, provide leadership and support, report to executive managers |
| Supervisors | Implement and maintain compliance, maintain adherence to time frames, monitor and review, report to senior managers |
| Staff | Report unsafe acts or any conditions of risk, e.g. fraud, misappropriation. Work to time frames, comply with policies and procedures |

Refer also to the Risk Oversight Framework found in Section One – Program Documents.
Division 2 - Tools
XYZ Council Risk Management Tables
Operational Template risk management tables
Likelihood Table (a)

| Value | Description | Ranking |
|---|---|---|
| Almost Certain | Expected to occur in most circumstances or occurs regularly | 5 |
| Likely | Will probably occur | 4 |
| Possible | May occur at some time | 3 |
| Unlikely | Could occur some time | 2 |
| Rare | Only occurs in exceptional circumstances | 1 |

Consequence Table (b)

| Value | Description | Rank | Financial/Legal | Customers | Reputation | Safety | Environment/Compliance |
|---|---|---|---|---|---|---|---|
| Severe | Has major impact on Council's ability to provide services; may threaten a project or opportunity | 5 | > $10m | Loss of service for over 3 days | Severe loss of confidence; international and national focus | 1 or more deaths, serious disability | Severe breach of legislation; fine; major public reaction |
| Major | Threatens strategic objectives in the medium term | 4 | > $1m | Loss of services for 2-3 days | Significant community dissatisfaction; State coverage | Serious injury (major surgery, > 2 months admission) | Major breach of regulation; fine; complaints |
| Moderate | Threatens strategic objectives in the short term | 3 | $500k to $1M | Loss of service for 1-2 days | Expressed community dissatisfaction; local coverage | Significant injury, 1-2 months absence | Moderate breach of legislation; no fine, written reprimand from State authority; complaints |
| Minor | The impact is seen as a minor threat to strategic objectives | 2 | $10k to $499k | Loss of service for 12-24 hours | May cause minor public concern | Minor injury | Minor breach of legislation; verbal reprimand from State Authority; complaints |
| Negligible | Seen as negligible threat to strategic objectives | 1 | $0-$10k | Loss of service for 0-12 hours | No public concern | No absence | Negligible breach of legislation; no complaints |

Inherent & Residual Risk Rating Table (c) – Risk Rating Table (Matrix)

| Likelihood \ Consequence | Negligible | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Almost Certain | L | M | H | VH | VH |
| Likely | L | M | H | VH | VH |
| Possible | L | L | M | VH | VH |
| Unlikely | L | L | M | H | H |
| Rare | L | L | M | H | H |
Risk Criteria Table (d)

Risk Rating Matrix Legend

Very High (VH)
Requires the immediate attention of key officers:
• Where a possible fatality may occur
• Major environmental event may occur
• Major loss of plant may occur
• Major financial loss may occur
• Where a major amount of damage to reputation may occur
Detailed consultation, research, risk identification and reduction options to be investigated, with a detailed action plan designed.

High (H)
Significant risks require the timely and appropriate attention of relevant key officers so that effective controls may be put in place. The manager responsible for the identified risk would need to monitor the implementation.

Medium (M)
Responsibility would fall with the relevant key officer and specific monitoring of response procedures would occur through the relevant manager or Risk Coordinator.

Low (L)
Manage by routine procedures such as SWMS and SOPs. Allocation of additional resources may not be needed. May be managed on an ad hoc basis through risk assessment or tool box talk.

Effectiveness of Controls Description Table (e)

| Control Effectiveness | Description | Reduction Value |
|---|---|---|
| Damaging | The controls in place actually increase the risk, not reduce it | -10% |
| None | No controls are in place | 0% |
| Deficient | The controls that have been applied are not adequate for the job | 10% |
| Marginal | The controls that have been put in place go part of the way to reduce the risk or impact | 30% |
| Qualified | The controls that have been put in place go a reasonable way to reducing the risk or impact | 50% |
| Effective | The controls that have been applied go a reasonable way to reduce the risk or impact | 70% |
| Excessive | The controls that have been applied are more than necessary to reduce the risk or impact. There may be some over-controls | 90% |

Residual Likelihood Rating Table (f)

Rows give the effectiveness of preventive controls, columns the inherent likelihood rating, and each cell the resulting residual likelihood rating.

| Effectiveness of Preventive Controls | Almost Certain | Likely | Possible | Unlikely | Rare |
|---|---|---|---|---|---|
| Damaging | Almost Certain | Likely | Possible | Unlikely | Rare |
| None | Almost Certain | Likely | Possible | Unlikely | Rare |
| Deficient | Almost Certain | Likely | Possible | Unlikely | Rare |
| Marginal | Likely | Possible | Unlikely | Unlikely | Rare |
| Qualified | Possible | Unlikely | Unlikely | Rare | Rare |
| Effective | Unlikely | Unlikely | Rare | Rare | Rare |
| Excessive | Rare | Rare | Rare | Rare | Rare |
Residual Consequence Rating Table (g)

Rows give the effectiveness of corrective controls, columns the inherent consequence rating, and each cell the resulting residual consequence rating.

| Effectiveness of Corrective Controls | Negligible | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Damaging | Negligible | Minor | Moderate | Major | Severe |
| None | Negligible | Minor | Moderate | Major | Severe |
| Deficient | Negligible | Minor | Moderate | Major | Severe |
| Marginal | Negligible | Minor | Moderate | Major | Severe |
| Qualified | Negligible | Negligible | Minor | Moderate | Major |
| Effective | Negligible | Negligible | Minor | Moderate | Major |
| Excessive | Negligible | Negligible | Minor | Moderate | Major |
XYZ Council Risk Exposure Map
Operational Template exposure map example
The risk rating has reduced from VH (Very High) to Medium (M) for R1 following the implementation of preventative and corrective controls.
[Figure: Risk Exposure Map – the Risk Rating Matrix (Consequences across: Negligible, Minor, Moderate, Major, Severe; Likelihood down) with risk R1 plotted at (a) its inherent rating of VH and (b) its residual rating of M.]
Exposure Map
Operational Template Exposure Map
Note: (a) is the risk level before any controls are introduced (inherent rating); (b) is the risk level following the implementation of preventative and/or corrective controls; (c) is the target risk level. It may not be possible to implement corrective or preventative controls for some risks.

[Figure: Risk Exposure Map – the Risk Rating Matrix (Consequences across: Negligible, Minor, Moderate, Major, Severe; Likelihood down: Almost Certain, Likely, Possible, Unlikely, Rare) with risks plotted at their (a) inherent, (b) residual and, where set, (c) target positions.]
Risk Management Structure (Internal & External Stakeholders)
Operational Template risk management structure
[Figure: Risk Management Structure diagram – Council and the Project Group at the centre, surrounded by internal and external stakeholders. Labels in the figure: Council; Insurance Dept; Infrastructure; Contractors/Supplier; Media; Operations; Design; Project Manager; Review; Community/Users; Funding Bodies; Regulating Bodies; Unions; Engineers; Community Users; Regulators; Supervisors; Managers; Contractors; Staff; Suppliers; Internal; External; Project Group.]
Division 3 - Templates
Operational Template Method Analysing Risk Cause Blank
Method for Analysing the Cause of Risk
[Blank form: a cause-analysis diagram with a central box "Current Identified Risk Description:", surrounding linked boxes labelled "Cause Description" and "Risk Description", and a box "What other risks can be created by cause".]
Operational Template Method Analysing risk Cause example
Method for Analysing the Cause of Risk
Risk Description: Engineers at Council with insufficient training/skills to adequately investigate archaeological matters
This occurs due to a lack of awareness by engineers of these types of implications
Risk Description: The scope of the project was not managed through adequate Project Management Processes
Cause Description: Council does not have in place a project management policy recognising the need to address archaeological finds or similar.
This occurs due to the project not being properly surveyed and investigated
Current Identified Risk Description: The project fails to meet expectations, due to unplanned changes in project scope.
Cause Description: Poor site preparations and the failure to identify archaeological artefacts on the site.
Risk Description: Council will have difficulty in gaining an alternate use for the project in its present state.
Cause Description: The change in scope required severely detracts from the usability of the project for users.
Cause Description: The project was very user specific due to its location and function.
What other risks can be created by cause
Risk Description: The user group are no longer willing to utilise the project due to changes in scope made.
Cause Description: Lack of availability of courses/training in this specialist area.
Risk Model
Operational Template: Risk Model (blank)

R1 Risk:
C(a) Causes:
Q Consequence:
C(p) Preventative Controls:
C(c) Corrective Controls:
Page 75
Risk Model – Project
Operational Template: Risk Model (example)

Risk: The project fails to meet expectations, due to poor project quality

C(a) Causes:
• Inadequate/poor design
• Inferior quality resources (materials, skilled staff, suitably qualified contractors)
• Unfavourable working conditions (inclement weather, latent site conditions)

Q Consequence:
• Negative media exposure
• Poor public image
• User dissatisfaction
• Excessive maintenance
• Lack of functionality
• Possible cost over-runs

C(p) Preventative Controls: Develop a comprehensive project plan that includes:
• Consultation with key stakeholders
• Detailed tendering and contract documentation
• Policies and procedures
• Selection of appropriately skilled staff and contractors

C(c) Corrective Controls: Create and implement a remedial action plan that includes:
• Obtaining legal advice in the instance of poor contractor performance or inferior materials
• Any remedial or repair work that can be undertaken, or re-doing the work
• Identification of additional funding opportunities
• Communication strategy for media and stakeholders
Page 76
© Prudentia Pty Ltd 2007. Copyright - All rights reserved

Inherent to Residual to Target Risk Rating (blank)

Risk:
Consequence:
Preventative Controls:
Corrective Controls:

Step 1 – Inherent rating
  Inherent Likelihood:
  Inherent Consequences:
  Inherent Rating:

Step 2 – Controls
  Preventative Control(s):
  Corrective Control(s):

Step 3 – Residual rating
  Residual Likelihood:
  Residual Consequences:
  Residual Rating:
  Has the residual risk rating been reduced sufficiently? Do we need to set a Target Rating Value?

Step 4 – Target rating
  Target Rating:
Page 77
Inherent to Residual to Target Risk Rating (example)

Risk: An injury to a staff member or contractor occurs, due to non-compliance with safe work procedures
Consequence: Injury to staff member or contractor
Preventative Controls: Structured implementation and education process for policies and procedures
Corrective Controls: Internal investigation and review of policies and procedures

Step 1 – Inherent rating
  Inherent Likelihood: Likely
  Inherent Consequences: Major
  Inherent Rating: Very High

Step 2 – Controls
  Preventative Control(s): Structured implementation and education process for policies and procedures:
  • Consultation with staff
  • Development of policies and procedures
  • Induction of staff and contractors
  • On-the-job monitoring of compliance
  Corrective Control(s): Internal investigation and review of policies and procedures:
  • Conduct internal investigation
  • Report to management, OHS Cttee
  • Monitor, review policies/procedures
  • Communicate any changes to staff and contractors

Step 3 – Residual rating
  Residual Likelihood: Possible
  Residual Consequences: Major
  Residual Rating: Medium
  Has the residual risk rating been reduced sufficiently? Do we need to set a Target Rating Value?

Step 4 – Target rating
  Target Rating: Medium
Page 78
STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register blank)
Operational Template: Stakeholder Objective (blank)

Columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

Stakeholder:
Objective:
Risk category:
Identified risk:
Causes of the risk:
•
•
•
Page 79
STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register example)
Operational Template: Stakeholder Objective (example)

Columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

Stakeholder: General Manager
Objective: To ensure council compliance with state and federal legislation
Risk category: Compliance
Identified risk: Non-compliance with state and federal legislation
Causes of the risk:
• Staff knowledge of legislation is deficient due to lack of training, procedures and supervision.
• Insufficient audit controls
• Responsibilities not allocated in position descriptions

Stakeholder:
Objective: To ensure financial viability
Risk category: Finance
Identified risk: Financial loss
Causes of the risk:
• Bad investments
• Inadequate debt recovery procedures
• Fraud
• Non-adherence to budgets
• Poor budgeting
• Inadequate cost control of projects

Stakeholder:
Objective: To ensure environmental sustainability
Risk category: Environmental
Identified risk: Environmental damage
Causes of the risk:
• Irresponsible development
•

Stakeholder:
Objective: Provide ethical, responsible and transparent decision making
Risk category: Reputation
Identified risk:
Causes of the risk:
Page 80
Risk Management Context
Operational Template: Risk Management Context (blank)

Date of original documentation:
Dates document updated & by whom:
Name of person responsible for risk analysis & assessment:
Business area that owns this risk analysis & assessment:
Write a short description of the internal/external context (environment) of the risk management scenario:
Describe your objectives in relation to this above scenario:
Document any assumptions or comments being made in regard to the above scenario:
•
Document the names of people who have contributed to this risk analysis and assessment:
Page 81
Risk Management Context
Operational Template: Risk Management Context (example, page 1 of 2)

Date of original documentation: 20 February 2009
Dates document updated & by whom: TBA
Name of person responsible for risk analysis & assessment: Manager Corporate Governance/Administration Manager
Business area that owns this risk analysis & assessment: Corporate Services

Write a short description of the internal/external context (environment) of the risk management scenario:
XYZ Council is a local government body that provides numerous services to its stakeholders. The requirement for corporate governance in local government is driven by the obligation to provide evidence that councils are delivering their expected outcomes with integrity and accountability. The government and the public need assurances that councils are acting in a responsible, effective, efficient and socially acceptable manner. Local government is ultimately answerable to the public who have put them into office. They govern on behalf of the public.

Describe your objectives in relation to this above scenario:
To ensure good corporate governance. To do this council must understand, identify, assess, evaluate and manage its risk within the local government environment by establishing a good system of governance and setting in place a framework that will minimise the opportunity for underperformance in the delivery of their mandate. This includes outcomes in regard to the law, regulatory authorities as well as integrity, accountability, culture, reputation and social responsibility.
Page 82
Risk Management Context
Operational Template: Risk Management Context (example, page 2 of 2)

Document any assumptions or comments being made in regard to the above scenario:
• This objective has been tailored specifically towards the governance area of the council.
• Assumed management acknowledge and fully support the program.
• Assumed that resources will be made available to allow council to achieve the objectives outlined.

Document the names of people who have contributed to this risk analysis and assessment:
Barb Hepworth, Leanne Ritchie, John Starr, Chris Hodge and Brian Dwyer
Page 83
XYZ Council Risk Register and Action Plan (Risk Register blank 1)

Columns of the register:
Risk # | Risk | Category | Stakeholder | Consequence | Risk Owner
Inherent: Likelihood | Consequence | Rating | Comment
Controls: Preventative | Rating | Corrective | Rating
Residual Risk: Likelihood | Consequence | Rating | Action Required
Page 84
XYZ Council Action Plan and Risk Register (Risk Register example 1)

Columns of the register:
Risk # | Risk | Category | Stakeholder | Consequence | Risk Owner
Inherent: Likelihood | Consequence | Rating | Comment
Controls: Preventative | Rating | Corrective | Rating
Residual Risk: Likelihood | Consequence | Rating | Action Required

Risk 1: The project fails to meet expectations, due to poor project quality
  Category: Quality | Stakeholder: Users | Risk Owner: Project Manager
  Consequence: Expressed user dissatisfaction with facility
  Inherent: Likelihood Likely | Consequence Major | Rating Very High | Comment: Needs action
  Preventative controls (Rating: Effective): Develop a comprehensive project plan that includes consultation with key stakeholders, detailed tendering and contract documentation, policies and procedures and selection of appropriately skilled staff and contractors
  Corrective controls (Rating: Effective): Create and implement remedial action plan that includes obtaining legal advice (in the instance of poor contractor performance), any remedial or repair work that can be undertaken, or re-doing the work, identification of additional funding opportunities and communication strategy for media and stakeholders
  Residual: Likelihood Unlikely | Consequence Moderate | Rating Medium | Action required: Achieved target rating

Risk 2: The project fails to meet expected completion date, due to delays
  Category: Timing | Stakeholder: Management | Risk Owner: Project Manager
  Consequence: Inability to provide finished product to users and the community
  Inherent: Likelihood Almost Certain | Consequence Major | Rating Very High | Comment: Needs action
  Preventative controls (Rating: Effective): Develop comprehensive scope of works that includes quality checks, audits, inspections, allocation for wet weather days, contractor penalties for delays, human resources planning (skills required, job descriptions, policies - leave, occupational health and safety)
  Corrective controls (Rating: Effective): Develop action plan to include the revised completion date, communication strategy with media and stakeholders, engage alternate contractors and/or staff, seek additional funding, seek legal advice, submit an insurance claim
  Residual: Likelihood Possible | Consequence Moderate | Rating Medium | Action required: Achieved target rating

Risk 3: The project runs over budget estimates, due to inaccurate cost and price forecasts
  Category: Cost over-runs | Stakeholder: Management | Risk Owner: General Manager
  Consequence: Cost of project runs over and above current budget
  Inherent: Likelihood Likely | Consequence Moderate | Rating High | Comment: Needs action
  Preventative controls (Rating: Effective): Comprehensive project costing, including independent project cost reviews, hedging prices, inclusion of specific contract conditions relating to submitted pricing
  Corrective controls (Rating: Effective): Review project budget, including exhausting additional funding opportunities, reviewing ongoing project costs, instigating legal action to recover additional cost of materials and/or contractors
  Residual: Likelihood Possible | Consequence Moderate | Rating Medium | Action required: Achieved target rating

Risk 4: The project fails to meet expectations due to unplanned changes in project scope (discovery of archaeological artefacts)
  Category: Quality | Stakeholder: Management | Risk Owner: Project Manager
  Consequence: Inability to complete project to expected scope and deadline (resulting in community and user dissatisfaction and negative media exposure)
  Inherent: Likelihood Likely | Consequence Moderate | Rating High | Comment: Needs action
  Preventative controls (Rating: Effective): Engage suitably qualified contractors to undertake (prior to project design) comprehensive site surveys, site analysis, historical and any other relevant investigations
  Corrective controls (Rating: Effective): Review Project Scope by determining implications for project of archaeological discovery; engaging suitably qualified contractor to assist in altering project design in conjunction with users, and communicating changes to stakeholders and media
  Residual: Likelihood Rare | Consequence Moderate | Rating Medium | Action required: Achieved target rating

Risk 5: The project fails to meet expectations, due to a lack of integration (between designers and users)
  Category: Quality | Stakeholder: Designers | Risk Owner: General Manager
  Consequence: Expressed user dissatisfaction with design of project, resulting in poor utilisation and public and media criticism of the project and Council
  Inherent: Likelihood Almost Certain | Consequence Major | Rating Very High | Comment: Needs action
  Preventative controls (Rating: Effective): Establish and implement detailed communication protocols and policy including planned regular meetings between designers and users; joint site inspections with users at key intervals during design phase and regular progress reports to users
  Corrective controls (Rating: Effective): Instigate conflict resolution techniques, including independent mediation, independent review of design and undertake remedial action
  Residual: Likelihood Unlikely | Consequence Minor | Rating Low | Action required: Achieved target rating

Risk 6: The project fails to meet user expectations due to inadequate design
  Category: Quality | Stakeholder: Users | Risk Owner: General Manager
  Consequence: Expressed user dissatisfaction resulting in poor utilisation, political ramifications, and possible cost-overruns
  Inherent: Likelihood Likely | Consequence Moderate | Rating High | Comment: Needs action
  Preventative controls (Rating: Effective): Develop comprehensive project plan including identifying and consulting with users, establishing communication protocols, allowing public comment on plans, inclusion of contract condition allowing for minor amendments to design without penalty, and encouraging user groups to explore all fundraising opportunities
  Corrective controls (Rating: Effective): Develop remedial action plan to include working with users to investigate corrective options, reviewing project scope, exploring alternate funding opportunities (internal and external), investigating alternate use for site and issuing media releases.
  Residual: Likelihood Possible | Consequence Moderate | Rating Medium | Action required: Achieved target rating

Risk 7: The project fails to meet expectations, due to miscommunication with contractor
  Category: Timing | Stakeholder: Contractor | Risk Owner: Project Manager
  Consequence: Inability to finalise project to expected standard, resulting in public dissatisfaction and political and media ramifications
  Inherent: Likelihood Possible | Consequence Moderate | Rating Medium | Comment: Needs action
  Preventative controls (Rating: Effective): Develop definite communications protocols, including contract conditions, regular site inspections and regular progress reports
  Corrective controls (Rating: Effective): Review progress to date and determine action plan in conjunction with contractor, and engage alternate contractor or staff to finalise project
  Residual: Likelihood Rare | Consequence Minor | Rating Low | Action required: Achieved target rating

Risk 8: The death of a contractor/staff member occurs, due to a lack of compliance with safe work procedures
  Category: Compliance | Stakeholder: Staff, Contractor | Risk Owner: General Manager
  Consequence: Death of a staff member or contractor
  Inherent: Likelihood Possible | Consequence Severe | Rating Very High | Comment: Needs action
  Preventative controls (Rating: Effective): Ensure training and induction of staff and contractors; develop policies and procedures in consultation with stakeholders; ensure structured implementation and education process for policies and procedures; schedule equipment and safety equipment checks on a structured and random basis; include contractual terms relating to safety, training of staff and policies and procedures.
  Corrective controls (Rating: Effective): Commence insurance claim for any insurable event; undertake immediate review of working procedures and safe work practices; instigate external investigation, make recommended changes to policies and procedures; conduct counselling and training of staff and contractors; issue media release
  Residual: Likelihood Rare | Consequence Severe | Rating High | Action required: Achieved target rating

Risk 9: An injury to a staff member or contractor occurs, due to a lack of compliance with safe work procedures
  Category: Compliance | Stakeholder: Staff, Contractor | Risk Owner: General Manager
  Consequence: Injury to staff member or contractor
  Inherent: Likelihood Likely | Consequence Major | Rating Very High | Comment: Needs action
  Preventative controls (Rating: Effective): Develop a structured implementation and education process for safety policies and procedures that incorporates: consultation with staff; development of policies and procedures; induction of staff and contractors; on-the-job monitoring of compliance via spot-checks, inspections, audits and project reporting
  Corrective controls (Rating: Effective): Undertake an internal investigation and review of policies and procedures; report injury to insurers; conduct internal investigation; report to management and OHS Committee; monitor and review policies and procedures; and communicate any changes to policies and procedures to staff and contractors
  Residual: Likelihood Possible | Consequence Major | Rating Medium | Action required: Achieved target rating

Risk 10: The project fails to meet regulations due to miscommunication with regulators
  Category: Compliance | Stakeholder: Regulators | Risk Owner: General Manager
  Consequence: Breach of regulation
  Inherent: Likelihood Unlikely | Consequence Moderate | Rating Medium | Comment: Needs action
  Preventative controls (Rating: Effective): Develop comprehensive communications protocols, including common language and definitions; workshopping with contractors and staff the requirements of the regulators; including requirements of regulator in contract or staff performance targets for the project; and obtaining approval of project planning etc from regulator
  Corrective controls (Rating: Effective): Review of project scope in line with regulator requirements; undertake any remedial action required by regulator; instigate any contract penalties in the case of contractor error; consider alternate funding sources and issue a media release
  Residual: Likelihood Rare | Consequence Minor | Rating Low | Action required: Achieved target rating
Page 85