Corporate Services Risk Management Policy

RISK MANAGEMENT POLICY
Adopted 18 March 2013
Incorporating Annual Review (2014)
Incorporating Annual Review (2015)
RISK MANAGEMENT POLICY 2013
Contents
1.0 INTRODUCTION
2.0 CONTEXT
3.0 POLICY STATEMENT
4.0 OBJECTIVES
5.0 DEFINITIONS
6.0 APPLICATION
6.1 Council
6.2 The Audit Committee
6.3 Chief Executive Officer
6.4 The Executive Management Team (EMT)
6.5 General Managers
6.6 Managers
6.7 Coordinators
6.8 Risk Management Unit
6.9 Employees and Temporary Staff
6.10 Contractors
7.0 REFERENCES and SOURCE
8.0 THE RISK MANAGEMENT PROCESS
8.1 The Continuum of Assessment and Review
8.2 Communication and Consultation
8.3 Establishing the Context
8.4 Identification of Risks
8.5 Assessment
8.6 Risk Appetite
8.7 Treatment
8.8 Implementation
8.9 Performance Measuring
8.10 Monitoring and Review
8.11 Records
9.0 REVIEW
10.0 ATTACHMENTS
Attachment 1 – Risk Consequence Criteria
Attachment 2 – Risk Controls Criteria
Attachment 3 – Risk Likelihood Criteria
Attachment 4 – Risk Matrix
Attachment 5 – Risk Rating Definitions
Attachment 6 – Definition of Risk Status
Adopted by Council on 18 March 2013
1.0 INTRODUCTION
The management of risk is recognised as an integral part of good management practice.
Effective risk management supports informed decision making and encourages the
identification of opportunities for continuous improvement. Risk Management is no
longer accepted as only a process of good operating standards but rather, as a critical
element of sound governance across an organisation.
Council, through its management accountability systems, internal audit programs, Audit
Committee, risk assessment processes, occupational health & safety systems and
various other policies and procedures, has a strong commitment towards the principles
of risk identification, risk assessment and risk removal/minimisation or elimination.
This Policy and procedure formalises and details Council’s approach to organisational
risk management and provides a framework for the ongoing conduct of risk identification,
assessment and minimisation practices across the organisation.
The principles supporting this Policy are based on the International Standard for Risk
Management, ISO AS/NZS 31000 - 2009 Risk Management – Principles and Guidelines.
2.0 CONTEXT
The context within which this Policy is written is one of ongoing strong governance and leadership. Since its formation in 1994, the City of Stonnington has continuously delivered to its ratepayers and residents stability in government and excellence in services and facilities, against a backdrop of growing prosperity. The City of Stonnington is a Council within the meaning of the Local Government Act 1989 and has been given the authority and guidance to raise revenue from rates and charges, to adopt its own budget independent of other governments or agencies, and to adopt its own local laws to uniquely regulate its district.
The determinations and considerations made in this Policy have been based on the
legislated framework within which the Council exists and operates. It is based on this
context that the risk appetite of Council has been declared.
Stonnington has achieved a significant place within Local Government in Victoria as a
stable and high performing Council. It guards its reputation conscientiously and invests
significant resources to maintain and improve it. This achievement is to be seen against
the backdrop of a business which is performing and delivering scores of diverse
functions any of which have the potential to impact negatively on this reputation with its
residents, visitors and the State Government.
As a consequence, Council’s Risk Appetite is variable and commensurate with the risk being assessed. However, Council’s appetite for risks that encompass corruption, fraud, theft or personal harm or injury is zero. To accommodate this, Council has established a program of continuous development and review of Policies, procedures, organisational structures and systems that are all designed to mitigate the likelihood and consequence of risk.
3.0 POLICY STATEMENT
CITY OF STONNINGTON
RISK MANAGEMENT POLICY STATEMENT
The City of Stonnington is actively committed to the management of risk
and reducing its exposure in all facets of its business. It endeavours to
ensure that all necessary practices and procedures are effective and fully
implemented to control any risks and thereby providing employees and the
community with services, facilities and an environment which are sound,
safe and inviting.
By this commitment to Risk Management, the City of Stonnington aims to:
a) Provide safe, quality facilities and environment for all stakeholders;
b) Ensure there is an open and objective rationale for managing risk;
c) Ensure that risk forms an integral part of all decision-making;
d) Maintain appropriate budgetary levels to enable the effective management of risks related to Council’s physical assets;
e) Provide appropriate training and information to all employees and contractors on risk management and risk reduction techniques;
f) Ensure all employees are accountable for their actions including compliance with policies and procedures; and
g) Work in partnership with the community, employees and contractors to identify, minimize, or eliminate potential and future risks.
Warren Roberts
Chief Executive Officer
4.0 OBJECTIVES
The objectives of the Risk Management Policy are to:
• define risk in the context of Council;
• articulate Council’s commitment to risk management;
• provide broad guidance to Council’s General Managers, Managers and Coordinators, to enable them to fulfil their Risk Management responsibilities;
• introduce the fundamental principles and measures of risk;
• promote and support risk management and hazard identification practices throughout the organisation;
• recognise that successful risk management relies on input from all employees; and
• protect Council’s corporate image.
5.0 DEFINITIONS
For the purpose of this Policy, the following definitions will apply.
Commercial Risk – Risk such as a failed contract or business relationship.
Compliance Risk – Risk of failing to meet statutory obligations.
Consequence – The impact on an organisation should an event occur. For details refer Attachment 1.
Contractor – An independent entity that agrees to furnish a certain number or quantity of goods, material, equipment, personnel, and/or services that meet or exceed stated requirements or specifications, at a mutually agreed upon price and within a specified timeframe.
Co-ordinators – All fourth level managers. Usually in charge of a Service Unit.
Employee – Includes all permanent and temporary employees of Council within the meaning of the Industrial Relations Act 1996 and includes the Chief Executive Officer.
Executive Management Team – Comprises the Chief Executive Officer and General Managers.
Financial & Systems Risk – Risk posed to Council’s financial systems and controls such as fraud.
General Manager – All second level managers. Usually in charge of a Division.
Hazard – A source of potential harm or a situation with a potential to cause injury, damage or loss.
Likelihood – The probability of an event occurring. For details refer Attachment 3.
Managers – All third level managers. Usually in charge of a Department.
Monitor – To check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change.
Operational Risk – Risk which occurs in, hampers or affects an individual Division, Department, Service Unit or area of an organisation.
Risk – The chance of an event occurring that will have an adverse effect on business objectives. It is measured in terms of consequences and likelihood. The consequent liability is usually measured in financial terms, but may involve bodily injury, financial loss or property damage.
Risk Analysis – A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.
Risk Appetite – The amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Risk Appetite is best described as an organisation’s pursuit of risk or its willingness to take risks as opposed to avoiding them.
Risk Assessment – The overall process of risk analysis and risk evaluation.
Risk Control – That part of risk treatment which involves the implementation of policies, standards, procedures and physical changes to a thing, work process or system of work to eliminate or minimise the impact of the risk.
Risk Evaluation – The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk Identification – The process of determining what can happen, why and how.
Risk Management – The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Risk Management process – The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Risk Minimisation – A selective application of appropriate control measures, techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both.
Risk Rating – The level of severity applied to a risk based upon its impact to the organisation. Refer Attachment 5.
Risk Tolerance – The level of risk that Council is prepared to accept before action is deemed necessary to reduce it; it represents a balance between the potential benefits of calculated risk and the threats that it inevitably brings.
Risk to Public – Those risks that are created by the activities, actions or inactions of Council in the delivery of services or works in the public space that may result in bodily harm or damage to property.
Strategic Risk – Risk which will affect or hamper, across the organisation, its ability to operate or deliver its policy, strategy or services.
Technical Risk – Risk such as failed equipment and managing assets.
6.0 APPLICATION
This Policy applies equally to all employees and contractors.
Employees and contractors all have joint responsibility for ensuring risk management is
a key part of their approach to the delivery of the Council’s functions, operations and
services.
6.1 Council will provide:
• Guidance and governance to support significant and/or high profile elements of the risk management spectrum; and
• The support and basis upon which the Risk Management framework can be established and developed, including listing Risk Management as an element of the Council Plan.
6.2 The Audit Committee will provide:
• Guidance and quality advice on existing Council processes and alternatives to managing risks; and
• Advice and guidance on effective industry standards for managing risks associated with Council business.
6.3 The Chief Executive Officer is responsible for:
• Providing direction and advice on the management of risks within Council and ensuring that appropriate treatment measures are in place to mitigate Council’s exposure;
• Promoting a culture of risk management and ensuring that a strategic, comprehensive and systematic risk management program operates throughout Council;
• Ensuring that the Council’s organisational vision and values (relative to risk) are aligned and synchronised with its strategic direction and culture;
• Making the case to the elected Council for budgetary consideration of additional risk initiatives;
• Ensuring that the risk management program is intrinsic to everything Council undertakes and is incorporated in the messages given to the organisation;
• Ensuring that Council’s commitments support the risk management program;
• Discussing and supporting the risk management program with Councillors; and
• Considering the information and implications contained in the regular report provided to the Executive on matters of risk that have been either reported to Council or are considered to be strategic risks for Council, including insurance claim management.
6.4 The Executive Management Team (EMT) will provide:
• Comment and feedback regarding the elements of risk as they apply to their specific areas of responsibility; and
• Quality advice to the CEO on the elements of risk they may consider to be an exposure to Council business.
6.5 General Managers are responsible within their Divisions for:
• Management of strategic risks that are directly related to their Division;
• Maintaining the overall responsibility for the effective management of all types of risks related to this Policy within their Division;
• Ensuring that Council’s assets and operations, together with liability risks and hazards, are adequately protected through appropriate risk budgeting, internal audit processes, loss control programs and the development and application of complementary practices and procedures;
• Developing and fostering working relationships with other agencies with whom Council has a shared risk;
• Ensuring that assistance is provided to support the provision of requested information in relation to an insurance claim or a risk management issue, in a timely manner;
• Advising of any risk management matter that should be referred for consideration for incorporation into forthcoming budgets;
• Ensuring that employees within their Division are adequately trained in the identification, assessment and procedures available for the minimisation of risk;
• Ensuring that performance measures are determined, to track progress in implementing risk treatment plans; and
• Acknowledging that the management of risk is an integral part of service delivery.
6.6 Managers are responsible within their Departments for:
• Management of risks that are directly related to their Department;
• Ensuring that Council’s assets and operations, together with liability risks and hazards within their areas of responsibility, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary practices and procedures;
• Managing relationships with other agencies on shared risk issues;
• Arranging for advice and assistance to be provided, including the provision of requested information, in relation to an insurance claim or a risk management issue, in a timely manner;
• Ensuring that Council responds immediately to the investigation of any report of a hazard or incident received from a resident, employee, contractor or visitor;
• Implementing risk control measures to mitigate exposure;
• Advising their Divisional Manager of any risk management matter that should be considered for incorporation into forthcoming budgets;
• Ensuring that their employees and contractors within their Department are trained, updated and undertake their duties in accordance with Council’s risk management and other related policies and procedures;
• Ensuring Council’s Risk Management Unit is advised immediately of any potential insurance claims and ensuring appropriate incident investigation has taken place;
• Reporting to their Divisional Manager on a regular basis on risk management issues including budget, programs, measures and incidents; and
• Acknowledging that the management of risk is an integral part of service delivery.
6.7 Coordinators are responsible within their Service Unit or area of responsibility for:
• Management of risks that are directly related to their Unit;
• Ensuring that Council’s assets and operations, together with liability risks and hazards, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary policies and procedures;
• Ensuring that their employees and contractors within their Unit are trained, updated and undertake their duties in accordance with Council’s risk management and other related policies and procedures;
• Providing and arranging assistance and requested information in relation to an insurance claim or a risk management issue, in a timely manner;
• Ensuring that Council responds immediately to the investigation of any report of a hazard or incident received from a resident, employee, contractor or visitor;
• Implementing risk control measures to mitigate exposure;
• Advising their Departmental Manager of any risk management matter that should be considered for incorporation into forthcoming budgets;
• Ensuring Council’s Risk Management Unit is advised immediately of any potential insurance claims; and
• Acknowledging that the management of risk is an integral part of service delivery.
6.8 The Risk Management Unit is responsible for supporting all Council Business Units in properly managing risk within their units, and for monitoring compliance with the risk management policy and processes. The Risk Management Unit shall support the corporate risk initiatives by:
• Ensuring that Council’s assets and operations, together with liability risks and hazards to the public, are adequately protected through appropriate risk budgeting, loss control programs and measures, and adherence to Council’s various complementary policies and procedures;
• Reporting on high and extreme risks with existing control measures and recommendations for further mitigation;
• Documenting the Council risk management program through the compilation and regular update of the Council risk management strategy;
• Providing a platform to host Council’s Operational Risk Register, which provides for the recording and management of these risks by Divisions, Departments and Service Units;
• Providing a platform to host and record Council’s Strategic Risks;
• Ensuring that risk management platforms are functional, and providing advice and guidance to users;
• Assisting in the planning, monitoring, and review of risk assessments for Council assets and activities;
• Ensuring that complementary policies and practices are implemented, periodically reviewed and, where required, updated;
• Providing regular reporting through the Manager Risk Management and Contracts Compliance to the Executive, the Audit Committee, and Council on risk management issues, statistics and strategies, including insurance claim management;
• Providing advice and educational material on industry trends and legal developments; and
• Placing and managing Council’s insurance portfolio, ensuring that adequate insurance coverage exists for all classes of insurable risk.
The Risk Management Unit provides guidance and advice on risk exposure issues as required by all Council Divisions and service areas. The risk owners (General Managers, Managers and Coordinators) are responsible for managing the risks of their areas and should seek assistance from the Risk Management Unit as soon as an exposure or an emerging risk becomes known or suspected.
6.9 Employees and Temporary Staff are responsible for:
• Reporting any risk, potential risk or incident to their Team Leader/Coordinator immediately when it is brought to their attention;
• Ensuring that they conduct their daily duties in a manner that does not expose Council to loss or risk, and that these duties are conducted in accordance with the relevant policies, procedures and legislative requirements;
• Assisting in the investigation of any incident that may have occurred as a result of a risk or hazard and in which they were involved or of which they have knowledge;
• Acting in a pro-active manner to control and prevent risk, injury or harm to the Council or any person;
• Reporting, either through a corporate recording system or to their Supervisor, any notification of a hazard or incident received from a resident, employee or visitor, in order to allow Council to respond immediately;
• Managing risk (including OHS risk) and participating in risk management and OHS processes by encouraging all individuals to take responsibility for managing risks associated with their official duties. This is to be achieved through the observance of Council Policy, following lawful direction of their Supervisors and ensuring they carry out their tasks properly and safely, utilising the correct equipment for the task; and
• Acknowledging that they all have a part to play in managing risk.
6.10 Contractors are responsible for:
• Ensuring that Council’s assets and operations, together with liability risks and hazards to the public, are adequately protected through appropriate loss control programs and measures, and adherence to Council’s various complementary policies and procedures;
• Responding immediately to the investigation of any report of a hazard or incident received from an employee, resident or visitor;
• Maintaining appropriate and adequate insurances as required under their contract; and
• Ensuring that they conduct their daily duties in a manner that does not expose Council to loss or risk and that these duties are performed in accordance with the relevant policies, procedures and legislative requirements.
7.0 REFERENCES and SOURCE
The references and sources for the content of this Policy have been derived from the following documents:
1. International Standard – ISO AS/NZS 31000 – 2009 Risk Management
2. Council’s Occupational Health & Safety Policy and Manual
3. Occupational Health and Safety Act (Vic) 2004
4. Managing Risk Across the Public Sector 2004
5. Implementation of Government Risk Control Framework 2013
6. Delivering Assurance on Risk Management ISO 31000 - 2009 (HB158/2010)
7. Risk Assessment Techniques (HB89/2012)
8. Fraud Prevention Strategies in Local Government 2012
8.0 THE RISK MANAGEMENT PROCESS
8.1 The Continuum of Assessment and Review
For the Risk Management process to be successful and effective within Council, it must be:
• an integral part of management;
• embedded in the culture and practices; and
• tailored to the processes of the organisation.
The process comprises a number of logical and distinct steps which are necessary to not only establish the specifics of the risk but to also engage it into the continuum of control and review.
The steps are detailed in the flow chart below.
[Flow chart: ESTABLISH THE CONTEXT; RISK ASSESSMENT, comprising IDENTIFY RISKS, ANALYSE RISKS and EVALUATE RISKS; TREAT RISKS. COMMUNICATE AND CONSULT and MONITOR AND REVIEW run alongside every step.]
* Source ISO AS/NZS 31000 - 2009 Risk Management - Principles and Guidelines
To apply the assessment and review continuum in a City of Stonnington context, the following flowchart details the process.
[Flow chart. Key: Cycle Commences; Identifying Risk; Analysis & Treatment; Monitor & Review; Training & Awareness; Reporting; Cycle Recommences.]
Identifying Risk:
• Regular Departmental Managers/Coordinators meetings to discuss operational risks.
• Regular Divisional Managers/Departmental Managers meetings to discuss operational risks.
Analysis & Treatment:
• Divisions advise Risk Management of exposure. RM analyse, evaluate, provide treatment advice and record in the Risk Register.
Monitor & Review:
• All risks are monitored, reviewed and reassessed as required (special focus on High and Extreme risks).
Training & Awareness:
• Risk Management Unit operates ongoing training and awareness workshops.
Reporting:
• Monthly Risk Management reports to the Executive regarding High and Extreme Risks.
• Quarterly, the Risk Management Coordinator revises the Risk Management Strategy, Action Plan and Strategic Audit Plan.
• Quarterly, the Audit Committee reviews the Risk Management issues presented in the Risk Management report.
• Half yearly, Council reviews Risk Management issues presented in a Risk Management Report.
• Annually, the Risk Management Policy is reviewed and updated.
Cycle Recommences.
8.2 Communication and Consultation
Communication and consultation with internal and external stakeholders should take
place during all stages of the risk management process.
Risk ownership is integral to its successful management and therefore, all risk creations
and reviews are to involve the areas or key individuals who will effectively manage and
control the risk exposure to Council throughout its life cycle. Relevant people will be
involved in the consultation process and contribution into the various aspects of the
process will be encouraged and acknowledged.
8.3 Establishing the Context
The establishment of the context (or parameter of reference) is an integral element within the process of risk management, as it establishes and defines the various environments in which risk is to be considered, assessed and managed.
The level of contextual relevance should be considered on:
• External context – the external environment in which the organisation seeks to achieve its objectives;
• Internal context – the internal environment in which the organisation seeks to achieve its objectives;
• Context of the risk management process – the objectives, strategies, scope and parameters of the organisation should be established; and
• Defining the risk criteria – the organisation should define criteria to be used to evaluate the significance of risk.
8.4 Identification of Risks
The effective identification of risk exposures to which Council may be subjected is a foundation element of establishing the basis of effective mitigation, control and review. As various levels of assumptions are made during this process, it is essential to remain grounded in establishing the likelihood, consequence and realism of such a risk occurring.
Unrealistically assessed events, impacts or consequences undermine the validity and credibility of the risk management process, and its relevance to the organisation’s business rapidly diminishes as people disengage from the process.
The primary questions must be based on:
• The current environment in which the activity is undertaken (political, financial etc.);
• The past history or experience of the organisation;
• Any known or suspected threats;
• Recent experience of other like industries; or
• Other relevant knowledge, local or otherwise, of risk exposures that may also impact on Council.
The key elements of Council’s risk identification processes are:
• The cyclical ‘whole-of-organisation’ risk assessments undertaken by Council’s internal auditors;
• Risk assessments undertaken within individual Divisions, Departments and Units by key personnel on a regular basis that are both supported by the Risk Management Unit and form part of Council’s Risk Registers (Strategic and Operational);
• The annual liability risk assessment undertaken by Council’s Public Liability insurer; and
• Key industry information derived from various sources.
In managing organisational risk, Council will focus on the following major areas of risk exposure:
• Human Resources;
• Occupational Health & Safety;
• Legislative Compliance;
• Internal Controls;
• Contract Management;
• Insurance Liability;
• Corporate Governance;
• Information Technology;
• Asset Management;
• Security;
• Professional Advice;
• Records Management;
• Systems – Efficiency and Effectiveness;
• Financial Management;
• Reputational exposure; and
• Management Reporting.
This list is not exhaustive and will be complemented through the normal risk review
processes undertaken by General Managers and Managers as part of Council’s annual
budget development, as well as the service reviews undertaken as part of Council’s Best
Value program. Identified risks will be recorded on the Strategic and Operational Risk
Registers, managed by the Risk Management and OHS Units.
Employees and members of the public are also to be encouraged to report potential risk
exposures.
8.5 Assessment
A full, accurate and objective assessment of any identified risk must be undertaken to:
• Evaluate existing controls;
• Determine the likelihood of an incident;
• Determine the consequences of the risk;
• Establish the risk rating;
• Identify any physical hazards; and
• Develop remedial actions.
These assessments may be undertaken by Council’s Risk Management Unit, Council’s
Internal Auditors, Council Managers and Coordinators, Designated Workgroups or by
external consultants.
Risk assessments will be undertaken by using the assessment criteria and matrix shown
in Attachment 1.
An assessment of risks should be carried out three times during the life of the risk:
Stage 1 - Inherent risk (Absolute) – the risk exposure prior to management
controls being put in place;
Stage 2 - Managed risk – the risk exposure with the current level of
management controls; and
Stage 3 - Residual risk – when no further controls are required and the level of
residual risk is tolerable.
8.6 Risk Appetite
The City of Stonnington determines its risk appetite across four distinct areas of its operations and performance, namely Cultural, Outcome, Expectation and Liability.
8.6.1 Cultural
Our cultural risk appetite defines our behaviour and the principles to be applied across Council but is not necessarily measurable or actionable. The Cultural Risk Appetite is:
a) Council has a very low tolerance for reputational risk exposure that
negatively impacts on its standing or image. Steps to minimize the
likelihood of adverse reputational impact should always be taken;
b) Council will promptly take action to address ratepayer/customer complaints
and regulatory concerns;
c) Council will not engage in any activity that will put its long-term values or
reputation at risk. The Council will meet the ratepayers’/customers’
expectations of providing efficient, considerate and cost-effective services;
and
d) Council is an equal opportunity employer that employs skilled and
experienced employees in positions with clearly defined roles and
responsibilities.
8.6.2 Outcome
Our outcome risk appetite specifies the limits or maximum impact/outcome within
Council which is considered to be reasonable and acceptable where such risk is
measurable. The Outcome Risk Appetite is defined by compliance to:
a) Council’s Business and Strategic Plan;
b) Council’s annual budget; and
c) defined Divisional, Departmental and Unit Business Plans.
8.6.3 Expectation
Council’s expectation risk appetite defines its tolerance for strategic and operational actions. These risks, specific to activities or known risks, are measurable and supported by mitigation controls and actions. The Expectation Risk Appetite is:
a) Council has a low tolerance for Strategic Risks. These risks are to be mitigated and controlled as far as practicable down to a low or medium risk rating;
b) Council has zero tolerance for harm or injury to its employees or visitors and these harms will be mitigated and controlled down to a low risk;
c) Council has zero tolerance for internal/external fraud or deception activities;
d) Council has a low tolerance for operational risk. These risks will be mitigated and controlled to where the cost of control is equal to the marginal cost of the risk; and
e) Council has a low tolerance for information technology outages. There is no tolerance for outages that exceed one week.
8.6.4 Liability
Council’s liability risk appetite defines the level of liability which it is prepared to accept using internal mitigations or management processes before it seeks external support or remedies to resolve matters. Such risks are measurable and reportable.
The Liability Risk Appetite is restricted to the deductible excess as stated on each
of the insurance policies as issued by each insurer and may be adjusted as
required from time to time against Council’s tolerance for risk exposure.
8.7 Treatment
To control a risk, it must first be evaluated correctly and realistically to
determine the best option for risk removal or minimisation, with plans prepared and
implemented to rectify or mitigate any problem areas.
Risk control options (which are not necessarily mutually exclusive or appropriate in all
circumstances) include the following:
• Risk Avoidance – avoid the identified risk by deciding not to proceed with the
activity likely to generate risk (where this is practicable);
• Risk Transfer – reduce exposure by transferring the risk to another party, e.g.
contracting to a business that has the requisite qualifications and skills;
• Reduce the likelihood of occurrence through measures such as audit compliance
programs, contract conditions, preventative maintenance, engineering controls,
inspections, process policies and procedures; and
• Reduce the consequences through measures such as contingency planning,
disaster recovery plans, contractual arrangements, financial management controls
and risk exposure minimisation plans.
8.8 Implementation
Risk Management across the Council will be implemented and managed through
effective governance controls including:
• Monitoring of adherence to internal controls;
• Conducting risk assessments of Council assets and activities;
• Applying a corporate risk management strategy;
• Promoting adherence to this Policy and related Policies by all employees and
contractors;
• Providing employee training opportunities on relevant risk issues;
• Providing induction training and ongoing workshop sessions;
• Instructional information available to employees upon request;
• Providing adequate funding for risk reduction initiatives in Council’s budget; and
• Undertaking an annual review of identified risks.
The Risk Management Unit is part of the Risk Management and Contract Compliance
Department and is available for advice and guidance on risk and insurance matters.
8.9 Performance Measuring
Performance measures to track progress in implementing risk treatment plans within
Divisions, Departments and Business Units should be established and reviewed by the
relevant area Managers and reported to the Risk Management Unit annually.
The tracking process should include:
• The inherent risks;
• The existing control measures;
• Actions to be undertaken;
• Due date of the actions;
• Outcomes to be achieved;
• Responsible officer; and
• Acceptance of the residual risk.
A risk profile for each Department will be established and implemented as a live working
document that will provide a clear snapshot of the actual risk position and of the possible
or likely future risks.
The progress of implementing the treatment plans will form part of the reporting structure
of the Risk Management Unit on an exception basis via the process listed in 8.10 of this
Policy.
8.10 Monitoring and Review
Monitoring of risk is the responsibility of the respective General Manager, Manager and
Coordinator, as an element of their overall responsibilities.
Monitoring of risk, with the support of the Risk Management Unit, will include, but not be
limited to:
• the analysis of insurance claims;
• on-going risk assessment and risk minimisation as part of standard management
practice;
• advice and input into contract specifications and documentation;
• advice and input into risk assessments of new Council programs;
• on-going review of existing Council programs and facilities, as required;
• reviewing documentation of inventories, hall or facility hire agreements, Committees
of Management Deeds of Delegation;
• compliance with all complementary Council Policies and Procedures; and
• periodic review of Council’s complementary Policies and Procedures.
The Risk Management Unit via the Risk Management & Contracts Compliance
Department will report as follows:
Reporting To: Executive
Items of Report: Statistics regarding incidents, activities, training and
insurance claims and advice and analysis of risk trends.
Frequency: Monthly

Reporting To: Executive
Items of Report: Report on High and Extreme risks with existing control measures
and recommendations for further mitigation.
Frequency: Quarterly

Reporting To: Audit Committee
Items of Report: Statistics regarding incidents, activities, training, insurance
claims, analysis of risk trends. Report on High and Extreme risks with existing
control measures and recommendations for further mitigation. Status Report of
internal audit recommendations.
Frequency: Quarterly

Reporting To: Council
Items of Report: Statement of position regarding the Council’s Risk Management
program and management of High and Extreme Risks.
Frequency: Bi-Annual
Significant risk issues will be brought to the attention of the Chief Executive Officer and
the relevant General Manager and, where required, Council.
Risk reviews formally undertaken by Council’s internal auditors will be reported to
Council’s Audit Committee as part of its charter.
8.11 Records
Reference to the records relating to the management of Risks will be maintained in:
• the Division, Department or Unit where the risk resides;
• Council’s Records Management System;
• Council’s relevant Risk Register; and
• Council’s insurance portfolio where relevant.
9.0 REVIEW
This document is to be reviewed by the Risk Management Coordinator every year from
date of adoption by Council, with each review to be approved via the CEO Notice Paper.
10.0 ATTACHMENTS
This Policy is supported by detailed attachments that further define graphically the
methods and process of risk management.
The attachments are:
• Attachment 1. Risk Consequence Criteria
• Attachment 2. Risk Controls Criteria
• Attachment 3. Risk Likelihood Criteria
• Attachment 4. Risk Matrix
• Attachment 5. Risk Ratings Definitions
• Attachment 6. Definition of Risk Status
Attachment 1 – Risk Consequence Criteria
City of Stonnington - RISK CONSEQUENCE CRITERIA
Each CONSEQUENCE RATING is described across seven categories: Description, Safety,
Financial, Environmental, Outrage & Media, Regulatory and Business Continuity.

CONSEQUENCE RATING: INSIGNIFICANT
• Description: Effect is minimal
• Safety: No Treatment Applied
• Financial: Up to $10k financial loss (.007% of Budget)
• Environmental: No detrimental environmental effect
• Outrage & Media: Issue raised by residents and/or local press
• Regulatory: Activity does not follow established industry standards
• Business Continuity: Business disruption, but no loss of service delivery

CONSEQUENCE RATING: MINOR
• Description: Event requiring moderate levels of resources and input
• Safety: First-Aid Treatment Only
• Financial: >$10k - $50k financial loss (.037% of Budget)
• Environmental: Environmental discharge controlled, and of a minor nature
• Outrage & Media: Resident and/or media concern/local media coverage
• Regulatory: Activity does not follow "Best Practice"
• Business Continuity: Brief service loss

CONSEQUENCE RATING: MODERATE
• Description: Significant event with long reaching effect
• Safety: Medical treatment, Ambulance, or admission to hospital of less than 2 days
• Financial: >$50k - $500k financial loss (.37% of Budget)
• Environmental: Localised environmental impact, causing community annoyance, and
requiring remedial action
• Outrage & Media: Embarrassment for Council, including adverse media coverage
• Regulatory: Activity does not meet all of the requirements of the relevant Australian
Standards
• Business Continuity: Productivity loss for up to 5 days

CONSEQUENCE RATING: MAJOR
• Description: Critical event
• Safety: Hospitalisation of more than 2 days, or long term injury or disability
• Financial: >$500k - $5m financial loss (3.75% of Budget)
• Environmental: Long-term detrimental environmental or social impact
• Outrage & Media: Reputation of Council severely affected in the long-term
• Regulatory: Activity does not meet all of the requirements of relevant legislation
• Business Continuity: Critical service loss for up to 1 month

CONSEQUENCE RATING: CATASTROPHIC
• Description: Disaster with potential to lead to collapse or to have a profound effect
• Safety: Single or multiple fatalities
• Financial: >$5m financial loss (>3.75% of Budget)
• Environmental: Long-term environmental or social impact on community
• Outrage & Media: Government intervention required
• Regulatory: Activity does not meet any of the requirements of relevant legislation
and Regulations
• Business Continuity: Loss of service for a critical period of time
1. Consider the consequence for each category, i.e. Safety, Financial, Environmental, Outrage & Media, Regulatory and Business Continuity.
2. Determine the CONSEQUENCE RATING based on the overriding definition, i.e. the “worst” (or highest) category.
Attachment 2 – Risk Controls Criteria
City of Stonnington - RISK CRITERIA
Measuring Risk: CONTROLS
Each CONTROL RATING is described across four aspects:
• DESCRIPTION: effectiveness of existing control measures
• SYSTEM CONTROL/DESIGN: affects frequency of occurrence
• CONTINGENCY PLAN: reduces severity of consequence of an event
• INFORMATION SYSTEM: supports the action and capability for monitoring

CONTROL RATING: TOTALLY EFFECTIVE
• Description: Significant control over the risk. Total confidence.
• System Control/Design: Excellent system with total implementation. No variance in
control quality.
• Contingency Plan: Total confidence in an effective plan. Fully tested and documented.
• Information System: Well proven database, robust system, very user friendly.

CONTROL RATING: VERY EFFECTIVE
• Description: Substantial reduction in risk. Improvements are possible. Very confident.
• System Control/Design: Full system with effective implementation. Little or no
variance in control quality.
• Contingency Plan: Very confident. Fully tested and documented.
• Information System: Mainly as above but improvements are possible.

CONTROL RATING: EFFECTIVE
• Description: Satisfactory risk reduction. Improvements are possible. Quite confident.
• System Control/Design: Satisfactorily implemented. Some variance in control quality.
• Contingency Plan: Just effective - open to some weaknesses. Not fully tested, quite
good documentation.
• Information System: Mostly good but not yet robust. Some flaws in supporting
effective risk action.

CONTROL RATING: PARTIALLY EFFECTIVE
• Description: Marginal risk reduction. Improvements should be considered. Moderately
confident.
• System Control/Design: Fair implementation only. Quite a degree of variance in
performance.
• Contingency Plan: Not really an effective plan. Not tested – open to substantial
problems.
• Information System: Fair to poor database / performance in risk reduction. Not very
user friendly.

CONTROL RATING: INEFFECTIVE
• Description: Minimal risk reduction, if any. Improvements required. Not confident.
• System Control/Design: Only partly introduced or no attempt. Substantial variance.
• Contingency Plan: No plan at all or very inadequate preparation.
• Information System: Very poor / inadequate / nonexistent.
Process
Consider the effectiveness of current controls when determining the three levels of risk. The rating given should be based on the lowest of control ratings applied.
Attachment 3 – Risk Likelihood Criteria
Measuring Risk: LIKELIHOOD
LIKELIHOOD RATING and CRITERIA:
• RARE: Event MAY occur only in EXCEPTIONAL circumstances. There is LITTLE opportunity
for the event to recur. Chance of risk occurring is 0-10%.
• UNLIKELY: Event COULD occur at SOME time. There is a REASONABLE opportunity for the
event to recur. Chance of risk occurring is 11-40%.
• POSSIBLE: Event SHOULD occur at SOME time. There is SOME opportunity for the event to
recur. Chance of risk occurring is 41-60%.
• LIKELY: Event will PROBABLY occur in MOST circumstances. There is CONSIDERABLE
opportunity for the event to recur. Chance of risk occurring is 61-90%.
• ALMOST CERTAIN: Event is EXPECTED to occur in MOST circumstances. There is a STRONG
likelihood of the event recurring. Chance of risk occurring is 91-100%.
Process
1. Determine the LIKELIHOOD RATING based on the overriding criteria definition
Attachment 4 – Risk Matrix
Rows give the Likelihood, columns give the Consequence for Organisation; each cell gives
the risk rating and its matrix score.

Likelihood      | Insignificant    | Minor            | Moderate         | Major            | Catastrophic
Almost Certain  | Moderate (11.00) | High (16.00)     | High (20.00)     | Extreme (23.00)  | Extreme (25.00)
Likely          | Moderate (7.00)  | Moderate (13.00) | High (17.00)     | High (22.00)     | Extreme (24.00)
Possible        | Low (4.00)       | Moderate (8.00)  | Moderate (15.00) | High (19.00)     | High (21.00)
Unlikely        | Low (2.00)       | Low (5.00)       | Moderate (9.00)  | Moderate (14.00) | High (18.00)
Rare            | Low (1.00)       | Low (3.00)       | Low (6.00)       | Moderate (10.00) | Moderate (12.00)
Process:
Plot the rating box for each of Absolute, Managed and Residual risk.
Attachment 5 – Risk Rating Definitions
RISK CATEGORY and Descriptor:

LOW
Manage by routine procedures and be mindful of changes to the nature of risks. Consider the
implementation of any cost effective internal controls.

MODERATE
Management to ensure that the control environment, consequence and likelihood do not
substantially change. Consider the implementation of any additional cost effective controls.

HIGH
Executive attention required to assess the acceptability of remaining net risk or required/planned
mitigation measures. Management to ensure that necessary mitigation actions are carried out and
the risk does not increase by actively monitoring any changes to the control environment,
consequence and likelihood.

EXTREME
Extreme risk is generally unacceptable. Comprehensive consideration by the Executive is required
to ensure that the net risk remaining is consistent with Council’s objectives and acceptance of risk.
If not, detailed research and planning is required to mitigate risk.
Process
1. Choose appropriate CONSEQUENCE RATING
2. Determine appropriate CONTROL RATING
3. Choose appropriate LIKELIHOOD RATING
4. Ascertain risk category
Attachment 6 – Definition of Risk Status
Definition of Risk Status
• Operational: Risk which occurs in, hampers, or impacts upon an individual Division,
Department, Service Unit or area of an organisation.
• Strategic: Risk which will impact upon or hamper across the organisation its ability to
operate or deliver its policy, strategy or services.
• Commercial: Risk such as a failed contract or business relationship.
• Technical: Risk such as failed equipment and managing assets.
• Financial & Systems: Risk posed to Council’s financial systems and controls such as fraud.
• Compliance: Risks to meeting regulatory obligations.
Source: Managing Risk Across the Public Sector - Good Practice Guide – Auditor General Vic 2004
Document Control
Version: 3.0
Date: 17 November 2015
Author: Manager, Risk Management & Contracts Compliance; Risk Coordinator
Owner: Risk Management and Contracts Compliance Department
QA: Business Support Officer
Review Period: Annual

Revision Details

Date: 18 March 2013
Update Details: Adoption of Policy
Reviewed: Risk Coordinator
QA: Manager, Risk Management & Contracts Compliance
Approved: Council

Date: 23 September 2014
Update Details: Annual administrative review of document and insertion of Internal
Audit recommendations regarding Risk Tolerance and the roles of the Audit Committee
and EMT.
Reviewed: Risk Coordinator
QA: Manager, Risk Management & Contracts Compliance
Approved: Chief Executive Officer

Date: 17 November 2015
Update Details: Annual administrative review.
Reviewed: Risk Coordinator
QA: Manager, Risk Management & Contracts Compliance
Approved: Chief Executive Officer