Risk Management Policy

Policy Owner: Financial Services
Record no.: 21/239345
Approved by: EMT
Approval date: 28 April 2021
Endorsed by: Audit and Risk Committee
Date endorsed: 21 May 2021
Adopted by: Council
Adoption date: 15 June 2021
Version: F
Last review date: Adopted March 2020
Next review date: May 2022
Prepared by: Riana Brims, Strategic Risk and Assurance Officer
Related document/s: Risk Management Framework

1. Purpose
Brimbank City Council’s Risk Management Policy (Policy) describes Council’s
commitment to managing risk. It enables the integration of risk management into the
organisation’s core business activities and decision-making processes, and enables top
management and oversight bodies to ensure the allocation of appropriate resources
for managing risk. The Policy explains how responsibility for managing risk is
distributed between officers and committees of the organisation, and other personnel
engaged to conduct Council business.
The Policy is enacted through the Risk Management Framework (RMF) that articulates
how the intent of the Policy commitment is communicated and implemented
throughout the organisation.
Council acknowledges the moral, financial and legal responsibility for effectively
managing risks and opportunities in all areas of operations. The purpose of the Policy is
to ensure the efficient and ethical use of resources and services used by rate-payers,
residents, staff and visitors.
The Policy applies to councillors, council staff, volunteers, contractors and service
providers engaged to conduct authorised Council business.
2. Policy Statement
Council is committed to managing risk to maximise opportunities and minimise adverse
outcomes in all activities.
The objectives of the Policy are to:
• effectively manage risks to minimise adverse outcomes and maximise opportunities
• promote a culture of risk awareness throughout the organisation
• protect and enhance Council’s assets, services and reputation
• continue to strengthen Council’s controls and performance
• contribute to more efficient use/allocation of resources within the organisation
• reinforce that risk management is to be implemented consistently throughout the
  organisation.
The Policy is consistent with AS ISO 31000:2018 Risk Management – Guidelines
(Australian Standard).
3. Risk Management Principles
All levels of Council shall commit to incorporating the following principles from the
Australian Standard to create value and protection.
Risk management at Council will:
• Be an integral part of all organisational processes
• Aid in making informed decisions and identify effective actions
• Contribute to efficient, consistent and comparable results
• Align with the internal and external context related to Council objectives
• Be a timely and inclusive process for all relevant stakeholders
• Anticipate, detect, acknowledge and respond to changes resulting in new and
  emerging risks
• Be based on historical and current information, and on future expectation
• Recognise behaviour and culture that influences achievement of objectives
• Continually improve through learning and experience
4. Risk Management Framework
• Council will maintain an RMF to articulate how the intent of the Policy commitment is
  to be communicated and implemented throughout the organisation.
• The RMF will detail Council’s approach to risk management and provide a consistent
  methodology to identify, assess, prioritise and manage risk.
• Council requires all employees to work within the RMF and consistently comply with
  the risk management process and risk reporting requirements as detailed in the RMF
  document.
• The RMF will be approved by the Executive Management Team (endorsed by the
  Audit and Risk Committee and noted by Council), and reviewed at least every two
  years.
• The RMF will be aligned to the Australian Standard on risk management.
5. Risk Profile
Council’s risk profile considers matters emanating from within Council activities, and
those external matters that influence Council activities.
The Risk Team coordinates strategic and operational risk profiling activities every two
years. Projects outside of this undertake risk assessments on an as-needs basis.
5.1 Strategic risk management
• Council will maintain a strategic risk register including key risks in the external and
  internal operating environment that could materially impact the delivery of the
  Council Plan.
• A summary of strategic risks, controls and improvement actions will at a minimum:
  o be considered annually by the Audit and Risk Committee as part of
    development of the Strategic Internal Audit Plan
  o be considered by the Executive Management Team and the Audit and Risk
    Committee on a quarterly basis.
• Any material changes in strategic risk will be reported to the Executive Management
  Team and Audit and Risk Committee as soon as practicable.
5.2 Operational risk management
• Council will maintain an operational risk register including key risks faced by each
  department in the internal operating environment.
• Managers are accountable for the management of operational risks within their
  respective departments.
5.3 Emerging risk management
• Consideration of emerging risks will be discussed and identified during strategic and
  operational risk profiling activities every two years at a minimum.
• Any material emerging risk identified will be reported to the Executive Management
  Team and Audit and Risk Committee.
5.4 Project level risk management
• Project level risks will be identified during the planning process but will also be added
  during a project’s lifecycle if required.
• Recording and reporting of project level risks rests with the identified project
  owner/s.
• The status of high priority projects will be reported to the Audit and Risk Committee
  as often as requested or required.
6. Risk Appetite
The Vision for Brimbank City Council is ‘Brimbank - a vibrant, harmonious and
welcoming, a great place to live, work and grow’. The Council Plan identifies a series of
goals and strategic objectives that describe what Council is aiming for in order to achieve
the Vision for Brimbank.
The risk appetite of Brimbank City Council is driven by its vision and business strategies,
and is consistent with Council Plan objectives and stakeholder expectations.
Risk appetite represents the type and degree of risk that Council is willing to pursue,
retain or take to achieve its business objectives, while maintaining financial viability. Nine
key categories of risk have been identified based on Council’s risk profile, and areas that
pose the greatest potential impediment to achieving Council Plan objectives. Risk
appetite has been determined for each of those categories to guide Council and
management on how to approach the treatment of risk that is most significant to
Council’s operating environment.
If the risk appetite threshold is breached, risk management controls and actions are
required to bring the exposure level back within the accepted range.
7. Roles, responsibilities and accountabilities
In order for Council’s risk management practices to be effective, all Council employees,
Councillors and contractors must comply with the risk management principles in their
day-to-day activities, and are responsible for managing risks in their areas.
The Australian Standard emphasises the role of ‘Top Management’ (Chief Executive
Officer, Executive Management Team and the Business Leadership Team) and that they
are accountable for managing risk, while ‘Oversight Bodies’ (Council and Audit and Risk
Committee) are accountable for overseeing risk management.
Roles, responsibilities and accountabilities for risk management
Personnel | Accountabilities and responsibilities
Council
• Reviews and adopts the Policy and applies risk management principles
  to the decision making process
Chief Executive Officer
• Promotes a strong risk management culture
• Ensures a policy and RMF is in operation
• Ensures adequate organisational structure and resourcing for risk
  management.
Audit and Risk Committee
• Monitors implementation of effective risk and opportunity management
  controls and the effectiveness of the RMF through regular reviews and
  reporting
• Regularly reviews the strategic risk register and oversees that extreme
  and high level risks are being managed in accordance with the RMF
Internal Audit
• Periodically audits Council’s risk management practices and provides
  recommendations for improvement.
Executive Management Team
• Approves, commits to, and promotes the Policy and RMF
• Monitors Council’s overall risk profile and mitigation strategies
• Ensures risk management is embedded into all critical functions and
  activities
• Empowers staff to actively participate in managing risk and to
  encourage a proactive risk culture
• Reviews strategic risks quarterly prior to each Audit and Risk Committee
  meeting or as otherwise may be provided as part of other reporting
Strategic Risk and Assurance Officer
• Provides guidance and assistance to staff in relation to the application
  of the RMF and reporting within the Strategic Risk Register
• Ensures relevant risk information is reported and escalated to the
  Executive Management Team and Audit and Risk Committee or
  cascaded to staff, as relevant
• Maintains the Risk Management Policy and RMF
Coordinator Risk and Insurance
• Provides guidance and assistance to staff in relation to the application
  of the RMF and reporting within the Operational Risk Register
• Provides support and advice to Managers and staff in the application
  and use of the RMF as required.
Senior Occupational Health and Safety Advisor
• Provides guidance and assistance to staff in relation to the
  identification, assessment and control of hazards and risks
• Monitors OHS performance and ensures relevant OHS information is
  reported and escalated to relevant Directorates.
Managers and Coordinators
• Commits to, and promotes the Policy and RMF, ensuring risk
  management is embedded into all critical functions and activities
• Ensures ongoing and regular reviews of the risk registers including the
  actioning of any overdue risk treatments
• Empowers staff to actively be involved in managing risk, and promotes a
  proactive risk culture
All staff, volunteers and contractors
• Understands the risk management processes that are integrated into all
  Council activities
• Identifies, evaluates, reports and manages risks in daily activities and
  projects.
Full detail of roles, responsibilities and accountabilities for risk management at Council
are specified in the RMF, Audit and Risk Committee Charter, and individual position
descriptions.
8. Risk Performance Measures
Measuring performance is a key monitoring activity to assess how effective Council’s risk
management is at supporting strategic objectives. Council’s risk management
performance indicators include:
• the number of internal audits completed per annum
• the number of internal audit findings accepted by management
• the timeliness of remediating internal audit findings
• progress against, and deviation from, the risk management plan or treatment
  plans
• the reduction in the number of extreme and high risks in the risk registers
• review the effectiveness of the RMF.
Measures of the effectiveness of risk controls and treatments are defined, agreed and
formalised with risk and control owners. Indicators and measures of risks are in place for
Occupational Health and Safety risks and are developed for specific risks as required.
9. Monitoring and reporting
Council has established ongoing monitoring and reporting processes to ensure that:
• Treatment plans are meeting milestones and are effective
• Risk levels remain relevant
• Controls continue to operate effectively
• New emerging risks are recorded
• Risk information is up to date
The monitoring components are essential to sound governance and are applied
systematically to strategic, operational and project level risk.
The following table illustrates Council’s risk reporting requirements:
Activity/Report | Frequency | Accountability
Audit and Risk Committee strategic risk reporting: Strategic Risk Report; Strategic Risk Register | Quarterly | Audit and Risk Committee; Executive Management Team; Manager Finance; Strategic Risk & Assurance Officer; Risk owners
EMT strategic risk reporting: Strategic Risk Report; Strategic Risk Register | Quarterly | Executive Management Team; Manager Finance; Risk owners; Strategic Risk & Assurance Officer
Update the status of risk ratings, mitigations and add new risks | Ongoing, as needs | Business Leadership Team; Risk owners; Strategic Risk & Assurance Officer
Review of: Risk Management Policy; Risk Management Framework | Biennially | Council; Audit and Risk Committee; Executive Management Team; Manager Finance; Strategic Risk & Assurance Officer
Review Strategic Risk Register; Review Operational Risk Register | Biennially | Executive Management Team; Brimbank Leadership Team; Manager Finance; Strategic Risk & Assurance Officer; Coordinator Risk & Insurance; Risk owners
Staff awareness training | Biennially or as otherwise required | Chief Strategist Financial & Organisational Excellence; Manager Finance; Strategic Risk & Assurance Officer; Coordinator Risk & Insurance; Learning & Development Coordinator
10. Continual improvement
• Every two years Council conducts a Risk Awareness Program (Program). The
  Program involves a comprehensive review of the Policy, RMF and strategic and
  operational risk registers, and a risk awareness training component for all Council
  staff to improve transparency and increase Council’s risk management culture.
• Outcomes of the Program are reported to the Executive Management Team and the
  Audit and Risk Committee.
• Improvements made to the Policy and RMF are presented to Council for adoption
  considering any recommendations of the Audit and Risk Committee.
11. Definitions and key terms used in this Policy
Control: Measurable activity that is intended to modify the level of risk
Risk: Effect of uncertainty on objectives. Risk is measured in terms of the likelihood of an event occurring and the consequence (impact) if it does
Risk appetite: The type and amount of risk Council is prepared to pursue, retain or take to achieve its objectives
Risk management: Coordinated activities (culture, processes, and systems) to direct and control an organisation with regard to risk
Risk Management Framework: Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation
Risk management process: Systematic process of identifying, analysing, evaluating, treating, monitoring and reviewing a risk
Local Government Act 2020 Compliance Statement
Section 9(1) of the Local Government Act 2020 (Act) requires Council to give effect to
the overarching governance principles, in the performance of its role. Section 9(2) of the
Act specifies the governance principles as follows:
a) Council decisions are to be made and actions taken in accordance with the
   relevant law (Compliance with the law);
b) Priority is to be given to achieving the best outcomes for the municipal
   community, including future generations (Achieve best outcomes for the
   community);
c) The economic, social and environmental sustainability of the municipal district,
   including mitigation and planning for climate change risks, is to be promoted
   (Promote the sustainability of the municipality);
d) The municipal community is to be engaged in strategic planning and strategic
   decision making (Engage the community in strategic planning and decision
   making);
e) Innovation and continuous improvement is to be pursued (Strive for innovation
   and continuous improvement);
f) Collaboration with other Councils and Governments and statutory bodies is to be
   sought (Collaborate with all other levels of government and government
   agencies);
g) The ongoing financial viability of the Council is to be ensured (Secure the
   ongoing financial viability of Council);
h) Regional, state and national plans and policies are to be taken into account in
   strategic planning and decision making (Strategic planning and decision
   making must take into account plans and policies in operation at all
   levels);
i) The transparency of Council decisions, actions and information is to be ensured
   (Council decisions, actions and information must be transparent).
In reviewing the Risk Management Policy, Council has considered and given
effect to the overarching governance principles, as summarised below:
Governance Principle | Considerations
(a) Compliance with the law | There is no legal requirement to implement a Policy. However the effect of the Policy promotes compliance with relevant obligations and seeks to ensure effective monitoring of compliance with relevant laws.
(b) Achieve best outcomes for the community | The Policy enables risks and opportunities to be identified and managed appropriately to ensure strategic objectives are met and best outcomes for the community are achieved.
(c) Promote the sustainability of the municipality | Economic, social and environmental sustainability was considered in developing the Policy, which provides that risk registers are to be implemented for ongoing monitoring of risks including mitigation and planning for climate change.
(d) Engage the community in strategic planning and decision making | Not applicable for the Policy.
(e) Strive for innovation and continuous improvement | Council will review the Policy on a no less than biennial basis, and pursue innovation and continuous improvement during every review.
(f) Collaborate with all other levels of government and government agencies | Not applicable for the Policy.
(g) Secure the ongoing financial viability of Council | The Policy: is designed to create and protect value by targeting effort and resources to areas of highest priority; supports Council’s commitment to its financial responsibility for effectively managing risks and opportunities in all areas of operations; supports the protection of Council assets and finances; promotes efficient and ethical use of resources and services.
(h) Strategic planning and decision making must take into account plans and policies in operation at all levels | Not applicable for the Policy.
(i) Council decisions, actions and information must be transparent | Not applicable for the Policy.