ENTERPRISE RISK MANAGEMENT PROGRAM Template Edition June 2009

ENTERPRISE RISK MANAGEMENT handbook coverpage · The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk



Table of Contents: Enterprise Risk Management Program

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Contents

Section One – Program Documents

1. Risk Management Plan (p. 9)
2. Enterprise Risk Management Framework (p. 15)
3. Council Risk Structure (p. 16)
4. Risk Oversight Framework (p. 17)
5. Implementation Schedule (p. 18)
6. Risk Category (p. 21)
7. Stakeholders Register (p. 22)
8. Maturity Matrix (p. 24)
9. Implementation Approach (p. 26)
10. Risk Management Policies Required (p. 28)
11. Appendix A - Definitions (p. 30)

Section Two – Handbook Instructions for Use (p. 41)

Division 1 - General

1. Risk Management Charter (p. 45)
2. Risk Management Plan (p. 46)
3. Risk Management Process Flowchart (p. 52)
4. Roles and Responsibilities (p. 62)

Division 2 – Tools

1. Risk Management Tables (p. 65)
2. Exposure Map (p. 68)
3. Risk Management Structure (p. 70)

Division 3 – Templates

1. Method of Analysing the Cause of Risk (p. 73)
2. Risk Model (p. 75)
3. Inherent to Residual to Target Risk Rating (p. 77)
4. Stakeholders Objectives and Risk Categories (p. 79)
5. Risk Management Context (p. 81)
6. Action plan and Risk register (p. 84)


Enterprise Risk Management Handbook

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Conditions of Use

Conditions of Use

This handbook has been designed by Members of the CENTROC ERM Project Team* for other Councils within the CENTROC Group of Councils to use as a starting point to construct an enterprise risk management system. This handbook should be used in conjunction with other documents available from the CENTROC ERM Project Team and, due to the dynamics of Local Government, should not be relied upon as the “bullet proof” solution to risk management.

End users of this handbook are reminded that this document is for guidance only and must be adapted to reflect the risk appetite and work practices of the individual Council. The drafters of this document take no responsibility for the use or misuse of this, or other related documents produced by the Group. It is recommended that end users of this document seek training before attempting to implement a risk management system within their organisation.

This Handbook and other related documents remain the property of the CENTROC ERM Project Team and as such are not to be used or reproduced without written permission of the Team.

* Team members are listed on the acknowledgement page of this folder.


Acknowledgements

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Acknowledgements

CENTROC ERM Project Team
• Orange City Council: Michelle Catlin, Charmaine Richey
• Bathurst Regional Council: Brian Dwyer, John Starr
• Wellington Council: Bryson Rees, David King
• Cabonne Council: Barbara Hepworth
• Parkes Shire Council: Bradley Byrnes
• Cowra Shire Council: Harvey Nicholson

Members of the ERM Project Team would like to acknowledge the following Councils for their participation in the program: Lithgow City Council, Bland Shire Council, Harden Shire Council, Lachlan Shire Council and Blayney Shire Council.

The ERM Team also acknowledges the assistance given to the project by the following organisations: TAFE NSW Sydney Institute, PRUDENTIA, CENTROC and STATEWIDE MUTUAL PTY LTD.


Section One – Program Documents


XYZ Council Risk Management Plan

Council Reference: TBA. Date: Apr 09. Pages 1 to 6 of 6. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Risk Management Plan

Introduction

XYZ Council is committed to the implementation of Enterprise Risk Management (ERM). ERM is defined as “an organisation-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”1. Council recognises that risks are an unavoidable and integral part of normal everyday life. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated.

The requirement to adopt a broad-brush risk management approach is likely to be mandated by the Department of Local Government in the near future. Council is adopting a proactive approach in committing resources and energy to implementing Enterprise Risk Management.

The ultimate objective of this Risk Management Plan is to embed the principles of risk management in all aspects of Council’s operations. It is recognised this is a long-term goal, and will require a phased implementation to ensure that risk management is effective and sustained across all of Council’s operations. Enterprise Risk Management will require Council to consider the objectives of its internal and external stakeholders, and those factors that may impact on each stakeholder’s ability to achieve their own objectives, as they relate to XYZ Council. This Risk Management Plan provides the suite of tools to be used in applying risk management to XYZ Council.

Pilot approach

In the first stage of the process, Council adopted a “pilot” approach by applying risk management tools to a project. The benefits of adopting such an approach are outlined in the document “Implementation Approach” and include:
• Harnessing the support and commitment from middle management, first line management and staff to the program
• Trialling the program on a small scale prior to large scale roll-out
• Auditing the success of the program
• Making any necessary adjustments or additions to the program
• Profiling the success of the program to the organisation
• Testing the theories, assumptions and calculations made in the program
• Reviewing and providing feedback to stakeholders
• Allowing for cost considerations to be determined and planned for
• Encouraging multifunctional involvement across a range of areas and levels

In implementing the pilot approach, there are a number of functions that may have involvement, including:
• Policy development
• Business/Strategic planning
• Asset Management
• Audit
• Business Continuity Management
• Environmental Management
• Human Resources
• Finance
• Project Management

1 Enterprise Risk Management Handbook, Prudentia 2007

Risk Management – What is it?

Risk Management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences if the risk does occur. Risk Management also involves the identification of potential positive events and their management to increase their likelihood and/or benefits2. Risk can also be described as:
• Any threat that can potentially prevent Council from meeting its objectives
• Any opportunity that is not being maximised by Council to meet its objectives3

It should be noted that risk management is to be applied at all levels of Council operations. Everyone has a responsibility in managing risks. Council has developed a detailed implementation framework, which provides a step-by-step outline for implementing ERM. There is a strong emphasis on training, education and communication, to ensure the skills of Councillors, managers and staff will be developed and maintained. The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk champions is to:
• Assist in the use of the risk management tools
• Provide support and advice to staff in relation to risk management
• Ensure risk management responsibilities are being met in their respective work areas
• Report to the risk management committee
• Assist in the development of a risk aware culture

2 Enterprise Risk Management Handbook, Prudentia 2007, pg 102
3 City of Charles Sturt, Risk Management Framework 2005, pg 2

Risk Management Charter

Council has developed a Risk Management Charter (Page 45). The Charter states that Council, in line with best practice, will endeavour to control risks, both operational and strategic within the local government environment as dictated by available resources, through the implementation and maintenance of a strategic Risk Management Program at all levels of Council. The implementation framework sets out the actions to be taken to achieve the goals of the Risk Management Charter, and assigns responsibility for these goals.

Organisation’s Strategic Goals and Objectives

The Local Government Act 19934 sets out Council’s Strategic Goals and Objectives as:
a. to provide directly or on behalf of other levels of government, after due consultation, adequate, equitable and appropriate services and facilities for the community and to ensure that those services and facilities are managed efficiently and effectively
b. to exercise community leadership
c. to exercise its functions in a manner that is consistent with and actively promotes the principles of multiculturalism
d. to promote and to provide and plan for the needs of children
e. to properly manage, develop, protect, restore, enhance and conserve the environment of the area for which it is responsible, in a manner that is consistent with and promotes the principles of ecologically sustainable development
f. to have regard to the long term and cumulative effects of its decisions
g. to bear in mind that it is the custodian and trustee of public assets and to effectively account for and manage the assets for which it is responsible
h. to facilitate the involvement of councillors, members of the public, users of facilities and services and council staff in the development, improvement and co-ordination of local government
i. to raise funds for local purposes by the fair imposition of rates, charges and fees, by income earned from investments and, when appropriate, by borrowings and grants
j. to keep the local community and the State government (and through it, the wider community) informed about its activities
k. to ensure that, in the exercise of its regulatory functions, it acts consistently and without bias, particularly where an activity of the council is affected
l. to be a responsible employer

4 Local Government Act 1993, Section 8 (1)

These goals and objectives are at the macro level of Council operations, and incorporate Council’s Mission and Vision Statements. Council’s annual Management and Operational Plans provide the micro level goals and objectives. Identifying these macro and micro level goals assists in identifying risks that may impact on the achievement of these goals.

Enterprise Risk Management Framework

Council has developed a framework for Enterprise Risk Management (Refer Page 15). This Framework shows how risk management will be integrated across the organisation, and identifies the methodologies, tools and processes to be used to support this integrated approach.

Risk Management Process

The process for managing Council’s risks is consistent with the Australian Risk Management Standard AS/NZS4360:2004.

To support these processes, a range of templates has been established, including:
• Risk Model (Pages 75-76)
• Risk Cause Analysis (Pages 73-74)
• Residual Rating Worksheet (Pages 77-78)
• Risk Exposure Map (Pages 68-69)

Communication

Communication is required from all levels of the organisation. It should inform all about outcomes and progress and will be a vehicle to help manage change. Methods of communication will include:
• Media (if required)
• Staff meetings
• Focus meetings
• Newsletters and flyers
• Workshops

Risk Management Policies

Council will need to develop an overarching Risk Management Policy (the requirements have been outlined in the document titled Risk Management Policies requirements). However, as part of the implementation and integration of Enterprise Risk Management (ERM) throughout the organisation, many existing policies will need to be reviewed and updated to reflect ERM principles and procedures, thus creating a synergy throughout the organisation.

Roles and Responsibilities

All levels of Council have a responsibility and a role to play in ERM. It is essential that the program be supported by the Executive. A strong, visual commitment to the process will set the standard across the organisation, and encourage support from all levels.

Development of a Risk Aware Culture

The pilot approach is the first step in developing a risk aware culture, as those involved in the selected project will learn about ERM practices and actually implement what they have learned. It should be noted that the implementation of Enterprise Risk Management is a journey, involving organisational change on a broad scale so that risk management becomes as ingrained in Council’s operations as occupational health and safety has become. Incremental change is likely to provide positive results, as small changes are reinforced and become “the norm”. The staged approach utilising Council projects allows these small changes to occur. The next phase should see ERM implemented in a particular program area, such as governance, human resources, finance, etc.

Training strategy

The following elements are integral parts of a training strategy for risk management:
• Should be well planned and fit the needs of the organisation
• Should be tailored to different levels within the organisation
• Should ensure communication tools are used at all stages of implementation
• Should be included in staff induction programs

Budgeting

Council will allow for funds to be allocated for those controls that address the Very High and High level risks. This will be reviewed annually as part of Council’s Management Plan process. Risk treatment will depend on funds available within the Council budget. In considering allocations to preventive and corrective controls, Council staff will identify the indicative costs of the consequences if a particular risk event occurs.

Reporting

Council’s Risk Manager will be charged with developing and maintaining Council’s Risk System, including those documents supporting the system. Results of the program will be reported to Council annually, and to any external stakeholders as required. The Risk Action Plan will be updated monthly, and reviewed by the Risk Committee quarterly.

Monitor and Review

The Enterprise Risk Management Plan will be reviewed by the Risk Manager on a regular basis (timeframe to be decided by the organisation). The Action Plan will be updated monthly, and reported to the Risk Committee at least quarterly. Council will engage the services of its internal auditor to audit the risk processes and documents included in this Plan.


Risk Structure

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Risk Structure Example

Risk Structure Example (organisation chart; the labels recovered from the chart are listed below)
• Council
• General Manager
• Risk Management Committee: General Manager; Mayor or Cr Rep; Independent; Director Rep/s; Risk Manager
• Directors/Managers: Director/Mgr Corporate; Director/Mgr Environmental; Director/Mgr Engineers (2 x Opt); Director/Mgr Culture or Development (Opt)
• Dept Risk Representatives: Finance; Governance; Risk Mgt; I.T; Admin; Planning; Sustainability; Health; Environment; Operations; Design; Infrastructure; Asset Management; Economic Development; Cultural Development; HR; Community Services

Risk Oversight Framework

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Risk Oversight Framework

Risk Oversight Framework (diagram; the labels recovered from the chart are listed below)
• Council
• General Manager
• Risk Committee
• Directors/Executive Managers
• ERM Working Party
• Senior Managers
• Supervisors
• Staff
• Risk Manager

XYZ Council Risk Management Implementation Schedule

Council Reference: TBA. Date: Apr 09. Pages 1 to 3 of 3. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Implementation Schedule

RISK MANAGEMENT IMPLEMENTATION SCHEDULE

Columns: High-level tasks | Sub tasks | Status | Timeline (Jul 09, Aug 09, Sep 09, Oct 09, Dec 09, Mar 10, Jul 10)

Undertake Needs Assessment
• Status: Done

Develop Risk Management Charter (Refer Page 45)
• Status: Done; Ongoing review & improvement

Presentation to Management
• Status: Done

Obtain Management agreement for implementation of ERMP
• Status: Done

Establish Risk Management Committee
• Sub tasks: Define and document Roles and Responsibilities for: Risk Committee; Risk Manager; RM Coordinators; Risk Owner; Audit Committee
• Status: Done; Ongoing review & improvement

Develop Risk Management Framework (template provided Page 15)
• Status: Done; Ongoing review & improvement

Develop a Risk Management Maturity Matrix (template provided Pages 24-25)
• Sub tasks: Project Management; Division 1; Division 2; Division 3
• Status: Done; Ongoing review & update

Document Organisation’s Strategic Goals or Objectives
• Sub tasks: Project Management; Division 1; Division 2; Division 3
• Status: Done; Ongoing review

Develop Risk Management Stakeholder Register (template provided Pages 79-80)
• Status: Done; Ongoing review & improvement

Identify the Organisation’s Risk Context (template provided Pages 81-83)
• Status: Done; Ongoing review & improvement

Identify the Organisation’s Risk Category Framework (template provided Page 21)
• Status: Done; Ongoing review & improvement

Build the Risk Management Structure (template provided Page 70)
• Status: Done; Ongoing review & improvement

Develop the Oversight Framework
• Sub tasks: Directors; Risk Management Committee; Risk Manager; Risk Coordinators; Risk Owners
• Status: Done; Implemented; Ongoing review

Prepare the Risk Management Plan (Template Provided Pages 46-51)
• Sub tasks:
  • Define approach to Risk Management Implementation
  • Develop Risk Management Handbook
  • Develop Risk Management Policies
  • Develop Processes and Procedures: Risk Assessments; Risk Reporting Detail
  • Develop Risk Reporting Requirements
  • Ongoing Management
  • Prepare Communications Plan
  • RM Training
  • Software Users Rules
  • Software User Training Plan
  • Develop ‘Risk Aware’ culture: Education Program; Communication – RM Plan, Implementation
  • Set KPIs
  • Continual Improvement Program
  • Identify Key Risk Indicators
  • Document
• Status: Ongoing review & improvement

XYZ Council Risk Category Framework

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Risk Category Framework

Operational Risk Categories FY 09/10

1. Corporate Governance
• Roles and responsibilities of GM and Directors
• Councillors
• Ethical, responsible, and transparent decision making
• Recognise and manage risks
• Compliance with legislative and regulatory requirements

2. Operations
• Projects
• Contract management
• Costing
• People resource and allocation
• New business development
• Customer management
• Service provision
• Emergency management
• Business Continuity

3. External Environment
• Political, State/Federal
• Community opinion/demographic
• Contractors
• Suppliers
• Developers
• Media
• Councillors
• Economy

4. Planning & Environment
• Land use planning
• Heritage Management
• Building Control
• Animal control
• Parking management
• Encourage use of renewable

5. Human Resources
• Employee competency
• Employee development / discipline
• Consultant management
• Legal Compliance
• Industrial relations
• Succession planning
• Recruiting

6. Technology & Data Management
• Technology development & integration
• Continuity planning & skills availability
• Information security
• Data management
• Software and hardware integrity

7. Financial & Accounting
• External investments
• Budget & capital management
• Asset management
• Management reporting
• Regulatory reporting
• Accounting principles & standards
• Internal and external audit

8. Integrity & Legal
• Business and government rules and Regulations
• Contracts and litigation
• Insurance
• Illegal acts
• Deliberate/inadvertent breaches
• Education and awareness

9. Strategic
• Culture
• Leadership
• Strategy
• Brand protection
• Communication
• Corporate Knowledge management

10. Infrastructure
• Water supply
• Waste water
• Manage storm water
• Urban beautification program
• Flood mitigation
• Roads and foot paths
• Public venues

11. Cultural & Community Development
• Adequate Library Services
• Develop recreational and cultural opportunities
• Maintain and develop sporting/cultural facilities
• Maintain and develop public venues

STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register blank)

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Stakeholder Objective (blank)

Columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

(blank register for completion)

STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register example)

Council Reference: TBA. Date: Apr 09. Page 1 of 1. Responsible Council Section: HR – Risk Management. Version: 1. Review: Apr 10.

Operational Template: Stakeholder Objective

Columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

Stakeholder: General Manager

Objective: To ensure council compliance with state and federal legislation
• Risk category: Compliance
• Identified risk: Non-compliance with state and federal legislation
• Causes of the risk:
  • Staff knowledge of legislation is deficient due to lack of training, procedures and supervision
  • Insufficient audit controls
  • Responsibilities not allocated in position descriptions

Objective: To ensure financial viability
• Risk category: Finance
• Identified risk: Financial loss
• Causes of the risk:
  • Bad investments
  • Inadequate debt recovery procedures
  • Fraud
  • Non-adherence to budgets
  • Poor budgeting
  • Inadequate cost control of projects

Objective: To ensure environmental sustainability
• Risk category: Environmental
• Identified risk: Environmental damage
• Causes of the risk:
  • Irresponsible development

Objective: Provide ethical, responsible and transparent decision making
• Risk category: Reputation

XYZ

Cou

ncil

Ris

k M

anag

emen

t Mat

urity

Mat

rix

Cou

ncil

Ref

eren

ce:

Dat

e: A

pr 0

9 TB

A

Page

1 o

f 2

Res

pons

ible

Cou

ncil

Sect

ion:

HR

– R

isk

Man

agem

ent

Ver

sion

: 1

Rev

iew

: Apr

10

Ope

ratio

nal T

empl

ate

Mat

urity

mat

rix

Cou

ncil-

wid

e Is

sue

Lev

el 1

L

evel

2

Lev

el 3

L

evel

4

Lev

el 5

C

ounc

il Po

licy/

st

rate

gy

Non

e ex

ists

Po

licy

unde

r de

velo

pmen

t Po

licy

writ

ten

Po

licy

writ

ten

and

circ

ulat

ed

Polic

y pr

omot

ed b

y al

l man

ager

s, us

e to

su

ppor

t goa

ls

Man

agem

ent

supp

ort

Not

on

the

agen

da

Som

e ef

fort

or

supp

ort i

n th

eory

So

me

info

rmal

ap

plic

atio

n of

are

as o

f po

licy

and

proc

edur

es

Act

ing

in c

ompl

ianc

e w

ith p

olic

y Is

olat

ed m

anag

ers

driv

ing

it

RM

use

to a

ssis

t in

oper

atio

nal g

oals

Su

ppor

ted

and

driv

en

by a

ll m

ange

rs

Res

pons

ibili

ties /

A

ccou

ntab

ilitie

s Fo

cus o

n op

erat

iona

l as

pect

s. A

ccou

ntab

ility

as

sign

ed to

staf

f

Req

uire

men

ts in

PD

at

man

ager

leve

l R

espo

nsib

ility

to

man

age

risks

fo

rmal

ised

in p

ositi

on

desc

riptio

ns

Som

e ac

cept

ance

of

resp

onsi

bilit

ies

Not

a p

erfo

rman

ce

indi

cato

r

All

man

ager

s and

su

perv

isor

s un

ders

tand

thei

r re

spon

sibi

litie

s R

espo

nsib

ilitie

s are

in

clud

ed in

key

pe

rfor

man

ce

indi

cato

rs

Staf

f Com

mitm

ent

Larg

ely

igno

rant

ab

out E

RM

A

war

e th

at c

ounc

il is

co

nsid

erin

g R

M

syst

em

Som

e st

aff i

n pi

lot

prog

ram

s or

cons

ulta

tion

Invo

lved

in in

itial

R

M ta

sks.

Som

e cy

nici

sm a

nd

caut

ion

Parts

of o

rgan

isat

ion

invo

lved

in e

xten

sive

ris

k m

anag

emen

t ac

tiviti

es

Ben

efits

bec

omin

g co

mm

only

kno

wn

Hav

e be

en fu

lly

train

ed in

RM

staf

f sh

ow a

cul

ture

of r

isk

awar

enes

s

Form

al R

M

proc

esse

s and

Sy

stem

s

Onl

y in

form

al ri

sk

man

agem

ent i

n pl

ace

RM

pro

cess

und

er

deve

lopm

ent

Con

sulta

tion

with

Proc

ess

deve

lope

d/st

aff

train

ing

desi

gned

Proc

esse

s bei

ng

utili

sed

Dat

a sy

stem

in p

lace

All

area

s hav

e ap

plie

d R

M p

rinci

pals

D

ecis

ion

are

bein

g

Page 24

Page 25: ENTERPRISE RISK MANAGEMENT handbook coverpage · The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk

XYZ

Cou

ncil

Ris

k M

anag

emen

t Mat

urity

Mat

rix

Cou

ncil

Ref

eren

ce:

Dat

e: A

pr 0

9 TB

A

Page

2 o

f 2

Res

pons

ible

Cou

ncil

Sect

ion:

HR

– R

isk

Man

agem

ent

Ver

sion

: 1

Rev

iew

: Apr

10

Ope

ratio

nal T

empl

ate

Mat

urity

mat

rix

stak

e ho

lder

s und

er

way

R

esea

rch

star

ted

on

softw

are

syst

ems

Dat

a m

anag

emen

t sy

stem

bei

ng

intro

duce

d

and

bein

g po

pula

ted

base

d on

dat

a pr

oduc

ed fr

om R

M

syst

em

Res

ourc

e A

lloca

tion

No

reso

urce

s al

loca

ted

Som

e st

aff

time

allo

cate

d

Res

earc

h fo

r bud

get

subm

issi

on st

arte

d

Staf

f ass

igne

d to

pr

ogra

m

Fund

s allo

cate

d in

bu

dget

Ass

igne

d st

aff g

iven

go

als a

nd ta

rget

s Fu

nds a

vaila

ble

for

use

Bud

get i

nclu

ded

in

Cou

ncils

long

term

pl

an

Bud

gets

re

view

ed/in

crea

sed

Staf

f pos

ition

fo

rmal

ised

C

ounc

illor

s A

war

enes

s N

o aw

aren

ess

Hav

e re

ceiv

ed so

me

info

rmat

ion

Form

al p

aper

pr

ovid

ed to

C

ounc

illor

s

Hav

e re

ceiv

ed

pres

enta

tion

and

train

ing

is u

nder

take

n

Cou

ncill

ors b

ase

deci

sion

s on

data

pr

oduc

ed fr

om R

M

syst

em

App

ly R

M p

rinci

pals

to

all

deci

sion

s

Page 25


XYZ Council Implementation Approach

Council Reference: Date: Apr 09 TBA Page 1 of 2 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Implementation Approach

The implementation of Enterprise Risk Management in an organisation can be done on an organisation-wide basis or it can be specifically targeted. The targeted approach is called the pilot approach. It is suggested that councils use the pilot approach for initial implementation. This approach would be chosen for several reasons:

• Limited resources available for enterprise risk management introduction in this financial year’s budget
• Easier to complete one smaller program in the first instance
• Can select staff or area that is likely to embrace a small program and this will give it a greater chance of success
• If pilot is successful then it will be far easier to get organisation wide acceptance
• If the benefits of a program can be “seen” then more likely to be embraced by other areas of the organisation
• Also enables the risk management team to develop an approach and fine tune it prior to releasing enterprise risk management on the whole organisation

Having selected the pilot approach it is suggested that councils choose the project based approach as the first area to be attempted, i.e. select a project council is undertaking and use this as the pilot program. A project management based initial implementation should be selected for the following reasons:

• Affords both a strategic and operational context
• Involves all levels of council
• Multi functional involvement i.e. finance, governance, planning, works
• Defined timeframes and parameters (i.e. the project must be completed in a certain timeframe)
• More easily measured outcomes
• Provides a means of marketing the approach and harnessing support
• Easy to evaluate – gets runs on the board
• Project management approach has natural “fit” to risk management practices
• Allows process to be tested prior to large scale roll-out


The pilot implementation approach would include the following steps:

| Action to be completed | Approximate time for completion |
|---|---|
| Undertake a needs assessment for the risk management to ensure that there is a benefit for the organisation in undertaking enterprise risk management | first month |
| 1. Develop DRAFT Risk Management Charter | first month |
| 2. Presentation to management and council outlining the benefits, financial considerations, requirement for management commitment, the commitment of staff resources if it is to be successful and highlight the possibility that opportunities for the organisation may be identified | first month |
| Management agreement to implement pilot based approach is attained | third month |
| Establishment of the implementation team (who will be on it, who will run it etc.) | Fourth – eighth month |
| Develop risk context and framework (i.e. the environment in which the organisation operates) | Fourth – eighth month |
| Develop the organisation’s risk appetite. In conjunction with management and council the implementation team needs to establish what its appetite for risk is. | Fourth – eighth month |
| 3. Develop tools for the implementation (procedures to be followed, forms to be used and also the communications strategy) | Fourth – eighth month |
| 4. Design and conduct training for those staff that will be involved in the program | Fourth – eighth month |
| 5. Risk management process for projects in use | 18 - 24 months |
| 6. Risk Management Committee established (this committee would undertake the audit role) | 16th month |
| 7. Ongoing identification of major threats and review of current priorities | Ongoing |
| 8. Demonstrated integration of ERM in Council Management Plan | subsequent Financial Year |
| 9. Reporting of risk management process in Annual Report | November following end of financial year |
| 10. Monitor and review process implemented as integral part of Council culture | Ongoing |

N.B. This timeline is based on an initial commencement date and calculated in months or years thereafter. However, the timeline would vary for each council depending upon the commencement date and commitment from the council’s senior management. With a reasonable degree of commitment it is believed that the projected steps are achievable.


XYZ Council Risk Management Policies Required

Council Reference: Date: Apr 09 TBA Page 1 of 2 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Risk Management Policies required

Risk Management Policies requirements: the policy would need to identify:

1. Objectives and aim of policy: should list
• what policy wants to achieve
• the extent of risks that need to be managed
• range of risks that need to be managed
• why we need to manage risk

2. Roles and Responsibilities for all levels of staff and councillors, e.g.:
Council:
• has ultimate responsibility for implementation and control of risk management
• responsible to report to the community
General Manager:
• implementation of risk management
• reports to council, community and statutory bodies
Executive managers/Directors:
• overall department implementation
• reports to GM and council
• drive processes in their department
Others with responsibilities could include Risk Management Committee, senior managers, risk manager, operational managers, operational risk representatives and general staff.

3. Reporting Requirements:
• who is responsible for reporting, when and how
• what reporting requirements are

4. Auditing
• whether internal or external
• frequency required
• establishment of an audit committee

5. Council’s risk appetite
• based on consultation with stakeholders, need to decide what council’s risk appetite is

6. Internal and external context
• establish what is the context in which the council operates both internally and externally, i.e. what are the factors influencing the council operations


7. Stakeholders
• Establish who are the council’s internal and external stakeholders and what their requirements are

8. Links between policy and organisation’s strategic and corporate plans
• Establish the need for links between plans and the implementation of risk management
• Link risk management program to these plans

9. Identify the support and expertise available to assist those responsible for managing risks
• resources available
• staff expertise available
• training to be undertaken

10. Methodology to be used
• What is the method of implementation, e.g. pilot approach or an enterprise wide approach

11. Risk assessment methods
• Should determine qualitative and quantitative risk assessment methods

12. Risk Assessment frequency
• Should determine frequency of risk assessment
• Will different risk levels require different assessment frequencies
• How will it be resourced

13. Ongoing risk identification
• How do we ensure that council is able to conduct ongoing risk identification after the initial process is completed
• Who will be responsible for this?

14. Long term approach to risk management
• Need to determine how to maintain the appetite for an organisation wide risk management approach into the future
• Instil it in the culture of the organisation

15. Monitoring and Review
• Should include who is responsible for monitoring, how it should be undertaken and how it should be reported.


Appendix A - Definitions


 XYZ Council Definitions   

Council Reference: Date: Apr 09 TBA Page 1 of 8

Responsible Council Section: HR –Risk Management Version: 1 Review: Apr 10

Operational Template ERM handbook Definitions

 

Accident: (a) Unplanned injurious or damaging event which interrupts the normal progress of an activity; (b) an undesirable or unfortunate happening; casualty; mishap; (c) anything that happens unexpectedly, without design, or by chance. An accident may be seen as resulting from failure of hazard controls.

Action Plan:  The work or tasks associated with implementing controls that reduce the likelihood of the risk and or the impact of the consequences is set‐out using an action plan. The action plan may typically show who is responsible for the control, describe the tasks to be performed and set start and finish dates. The action plan would be scheduled on a progressive basis until the implementation is complete. The action plan can continue in another form to monitor that the controls remain effective. 

Business Unit:  A business Unit may refer to a program, sub‐program, cost centre, area, division, branch, production unit or section located within the organisation. 

Cause: The absence of a safeguard that leads to the occurrence of a risk. No or limited controls are in place. For example: lack of training can cause risks.

Clients: Clients may include:
• End users and sponsors
• Potential end users and sponsors
• Potential providers or suppliers
• Current providers/suppliers
• Technical or functional experts or advisers
• Federal, State/Territory and/or Local Government
• The organisation
• Other public sector organisations
• Employees
• Unions or staff associations
• Industry bodies
• Local communities and society as a whole
• Lobby groups
• Special user groups

Compliance:  The status of risk controls to be able to meet obligations to legislation or company policy and procedures. This compliance ought to be demonstrated if the control(s) is audited and in the event of an incident where protection from the impact is necessary. 

Consequence:  Outcome or impact of an event Note 1: There can be more than one consequence from one event. Note 2: Consequences can range from positive to negative. Note 3: Consequences can be expressed qualitatively or quantitatively. Note 4: Consequences are considered in relation to achievement of objectives. 


Context:  A generic term that in effect places a boundary around the subject matter that makes it easier to identify the risks and follow a risk management process. Contexts can be business units, functions, projects, objectives and the like. For example: The accounts payable department is the context.   

Control:  An existing process, policy, device, practice or other action that acts to minimise negative risk or enhance positive opportunities. Note: The word ‘control’ may also be applied to a process designed to provide reasonable assurance regarding the achievement of objectives. 

Control assessment:  Systematic review of processes to ensure that controls are still effective and appropriate. Note: Periodic line management review of controls is often called ‘control self assessment’. 

Control Measures:  These may include hierarchy of controls, risk aversion, reduction in risk likelihood, reduction of consequences (impacts) of risk, transfer of responsibility (or ownership) of risk, retention of risks. 

Dynamic risk:  This is associated with a changing economy. Dynamic risks are speculative where both profit and loss are possible. 

Event:  Occurrence of a particular set of circumstances. Note 1: The event can be certain or uncertain. Note 2: The event can be a single occurrence or a series of occurrences. For example: A storm causes a power outage. The storm is the event. 

External specialist assistance: Any group or individual in the community who has the expertise to assist the organisation to deal with any event/incident which may occur.

Frequency: A measure of the number of occurrences per unit of time.

Fundamental risk: Examples include inflation which relates to the entire economy or a large number of persons or a group/s within the community.

Hazard: A source of potential harm.

Impact: The amount of loss or gain that is sustained from the consequence of a risk.

Incident: Untoward event which may or may not cause accidental loss, depending on the particular circumstances of the event. An accident is a type of incident which results in accidental loss, but not all incidents are accidents. (Refer to the definition for accident.)

Information sources: Information sources which may be used in risk assessment may include:
• Computer modelling
• Sensitivity analysis
• Structured interviews
• Statistical data
• Questionnaires
• Fault trees
• Analysis of consequences – loss of money, time, labour, intangibles

Inherent risk: This is more commonly described as the inherent risk rating, which is a subjective measure of the threat of a risk on a profile based on its inherent likelihood and inherent consequence measures, without considering the effectiveness of controls. This produces a score that indicates the worst-case exposure range in the event that there are no controls in place, or the controls fail to take effect during a risk event. Note: Assess the likelihood and consequence of the risk occurring WITHOUT any controls in place. The inherent risk rating is thus calculated on these assumptions.

Legislation, codes and national standards: These are relevant to the workplace and may include:
• Commonwealth and State/Territory legislation
• Award and enterprise agreements and relevant industrial instruments
• Relevant legislation from all levels of government that affects business operation, especially in regard to Occupational Health and Safety and environmental issues, equal opportunity, industry relations and anti-discrimination
• Relevant national and international (industry) codes of practice
• The organisation’s policies and practices
• Government policy
• National competition policy

Likelihood:  Used as a general description of probability or frequency. Note: Can be expressed qualitatively or quantitatively. 

Loss: Any negative consequence or adverse effect, financial or otherwise.

Measure of success: Such measures include costs, reductions in impact and/or likelihood, and reductions in occurrence.

Monitor: To check, supervise, observe critically or measure the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.

Near Miss:   An event or incident which, in other circumstances, may have resulted in an injury to a person, damage to property or some other negative impact on the organisation or the community. 

Occupational Health and Safety considerations:
• Review and evaluation of previous OHS plans and programs
• Implementation of OHS systems for projects
• Use of participative arrangements for review of OHS in operational performance
• Development and review of OHS performance targets
• Framework and components of OHS management system, its structures and performance systematic review procedures

Occurrence rate: Average number of times an event occurs per year, or other time interval. More useful than ‘probability’ if the event is not rare. Probability and occurrence rate are taken into consideration when assessing the likelihood of the risk occurring.

Organisation: Group of people and facilities with an arrangement of responsibilities, authorities and relationships. Example: Includes company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combination thereof. Note 1: The arrangement is generally orderly. Note 2: An organisation can be public or private. Note 3: This definition is valid for the purpose of quality management system standards. The term ‘organisation’ is defined differently in ISO/IEC guide 2.

Particular risk:  Particular risk generally affects individuals and not the entire community or country. 

Predicted risk:  This is also described as the Target Risk Rating, which is a subjective measure of the threat of a risk on a profile based on adding to or instituting new controls, to those already documented that give the Residual Likelihood and Residual Consequence measures. Additional controls are usually called for if the Residual Likelihood and or Residual Consequence are still at unacceptable levels. Note: If the Residual is still no good, better controls will need to be added and the assessment to be re‐evaluated. 

Probability:  A number between 0 and 1, with 0 indicating that an event/outcome will not occur and 1 indicating that the event/outcome will occur, and numbers in between indicating the proportion of times that the event will occur, under given circumstances and a given period of time. 

Profile:  A profile holds a collection of risks in one place. A profile that has a related context makes it more straightforward to define risks that fit within the boundary of the context. For example: The context ‘Accounts Payable’ will be in the profile ‘Finance’. 

Pure risk:  Pure risk is a situation where there is only the possibility of loss or not loss. There is usually no opportunity to profit from the loss. These risks include personal risks, property risks and liability risks. The law of large numbers applies. 

Relevant groups and individuals: 

Those personnel who have knowledge about the issue being dealt with and the expertise to assist in the decision‐making process. Those personnel are often referred to as stakeholders. 

Residual risk:  This is more commonly described as the Residual Risk Rating, which is a subjective measure of the threat of a risk on a profile based on its Residual Likelihood and Residual Consequence measures, giving the remaining level of risk after risk treatment measures have been taken. Residual Risk can only be claimed if the controls are in place and work to reduce the risks and or consequences to the level that is expected. Note: Assess the likelihood and consequence of the risk occurring WITH controls in place. Therefore, the Residual Risk Rating should be lower than the Inherent Risk Rating. 

Risk: The chance of something happening that will have an impact on objectives. It is measured as the product of the likelihood of occurrence and the impact amount, otherwise termed as exposure in quantitative terms. Risk may have a positive or negative impact. Risks may include:
• Commercial and legal relationships
• Damage to property/equipment
• Economic circumstances and scenarios
• Environmental
• Equipment/system failures
• Financial/economic loss/failure
• Human behaviour
• Individual activities
• Industrial disputation
• Management activities and controls
• Natural disasters/events
• Occupational Health and Safety (including disease)
• Political events/circumstances
• Product failure
• Professional incompetence
• Security failure (including criminal or terrorist activities)
• Technological issues

Risk Aggregation:  Using this rating method, each consequence identified for a Risk Model can be rated separately, each Preventive Control and each Corrective Control identified for a Risk Model can be rated separately and the result can be ‘aggregated’ to the Risk level. 

Risk Analysis:  A systematic use of available information to determine the occurrence rate of events and the magnitude of the consequence. 

Risk appetite: The tolerance or attitude that an Organisation, or part of one (e.g. a project), has for risk. How conservative is an organisation towards taking on new opportunities? What is the Organisation’s attitude in regards to the potential impacts of risk?

Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation.

Risk Avoidance: A decision not to become involved in, or to withdraw from, a risk situation.

Risk categorisation: Risk is categorised within established guidelines, distinguishing between risks that have high impact/consequence/likelihood and those having low impact/consequence/likelihood.

Risk control:  Part of risk management that involves the implementation of actions, policies, standards, procedures and physical changes to eliminate or minimise adverse risks. Controls can be distinguished into those that prevent the risk and those that assist in recovering from the adverse incident as quickly and effectively as possible. Note: There are two types of controls: Preventive Controls that are attached to the Risk, and Corrective Controls that are attached to the Consequence. 

Risk criteria:  Terms of reference by which the significance of risk is assessed. Note: Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment. 

Risk evaluation: Process of comparing the level of risk against risk criteria. Note 1: Risk evaluation assists in decisions about the risk treatment. Note 2: See ISO/IEC guide 51 for risk evaluation in the context of safety.

Risk Identification: The process of determining what, where, when, why and how something could happen.

Risk management: Developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk management framework: Set of elements of an organisation’s management system concerned with managing risk. Note 1: Management system elements can include strategic planning, decision making, and other strategies, processes and practices for dealing with risk. Note 2: The culture of an organisation is reflected in its risk management system.

Risk management plan:  A deliverable which describes how the risk management process will be structured and performed during a project or for a business initiative. It may include sections on the following topics: 

• Methodology: defines the approaches, tools and data sources that may be used to perform risk management. Different types of assessments may be appropriate depending on business requirements and flexibility remaining in risk management. 

• Roles and responsibilities: defines the lead, support and risk management team membership for each type of action in the risk management plan. Independent risk management teams may be able to perform a more unbiased risk analysis than the resources assigned to the area under consideration.

• Budgeting: establish a budget for risk management dependent on its scope of application 

• Scoring and interpretation: the scoring and interpretation methods appropriate for the type and timing of the quantitative risk analysis being performed. Methods and scoring must be determined in advance to ensure consistency. 

• Thresholds (risk appetite): the threshold criteria for risks that will be acted upon, by whom and in what manner. The owner, customer or sponsor may have a different risk appetite. The acceptable level of risk (threshold) forms the target against which the effectiveness of the risk action will be measured. 

• Reporting formats: describes the content and format of the risk action plan. Defines how the result of the risk management processes will be documented, analysed and communicated to the key resources (e.g. project team), internal and external stakeholders, sponsors and others. 

• Monitoring: documents how all facets of risk activities will be recorded for the benefit of the current initiative/project, future needs, and lessons learnt. Documents if and how risk processes will be audited. 


Risk management process: The systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk priorities: Risk priorities include assigning a value to each identified risk using available tools and an assessment of consequences and likelihoods.

Risk rating:  Subjective measures of exposure, derived by assessing estimates of likelihood and consequences. Note: Relates to both Inherent Risk and Residual Risk. 

Risk reduction:  Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk. 

Risk register:  A register of all identified risks and documentation of the strategies/plans in place to deal with any event/incident which might occur. 

Risk retention:  Acceptance of the burden of loss, or benefit of gain, from a particular risk. Note 1: Risk retention includes the acceptance of risks that have not been identified. Note 2: The level of risk retained may depend on risk criteria. 

Risk sharing:  Sharing with another party the burden of loss, or benefit of gain from a particular risk. Note 1: Legal or statutory requirements can limit, prohibit or mandate the sharing of some risks. Note 2: Risk sharing can be carried out through insurance or other agreements. Note 3: Risk sharing can create new risks or modify an existing risk.  

Risk transfer:  Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Note: Applies where your company has a risk it cannot control, or one that is better controlled by another entity. 

Risk treatment:  Selection and implementation of appropriate options for dealing with risk. The most commonly used terms for these are avoid, reduce, transfer, accept and retain. They become tools for management to understand the spread of treatment options across the various controls of risks and consequences. Note: Part of your Risk Management Plan. Some risks are treated differently depending on tolerability and manageability. 

Risk‐cost per annum:  Expected number of events per year x $ cost per event. Note: A simple calculation taking into consideration the number of times the risk will occur in a year multiplied by the cost each time the risk occurs. 

Samples testing:  The act of checking the adequacy or otherwise of the controls to prevent the risk from occurring, or the efficacy of the control(s) in assisting recovery from an adverse incident. The testing of samples would follow some criteria, such as targeting higher risk exposures and selecting the key controls that are being relied upon. The test results may assist in forming a view as to the actual level of control effectiveness and may be distinct from self-assessments of the appropriateness of controls by the control owner. Note: Controls that are in place need to be tested regularly to see whether they are still effective. Therefore, you carry out tests of each control and reassess accordingly. 

Source:  Sources of risk may be factors such as new technology, the size or complexity of the project, the experience of the personnel involved etc. 

Speculative risk:  Speculative risk is a situation where either a profit or loss is possible. It includes commercial and financial risks such as new product development, interest rate risk, foreign exchange risk, investment in share market, etc. Superannuation risk also includes gambling. 

Stakeholders:  Stakeholders may include all those individuals and groups, both inside and outside the organisation, who have some direct interest in the organisation's behaviour, actions, products and services. They may include: 
• Employees at all levels of the Organisation 
• Other public sector Organisations 
• Union and association representatives 
• Boards of management 
• Government Ministers 

Static risk:  Static risks occur because of irregular actions by nature or individuals. Most static risks are pure risks. 

Tools:  Tools include: 
• Documentation to assist in the process of identifying risk and assessing impact and likelihood of occurrence 
• Standard instruments developed for the Organisation and contextualised for sections of the workplace’s operations, such as checklists and testing procedures 
• Tools to prioritise risk, including where relevant, numerical scoring systems for risks 


Section Two – Handbook


Enterprise Risk Management Handbook Instructions


Instructions for Use

1. Introduction

Welcome to the CENTROC Enterprise Risk Management Handbook Template Edition. The purpose of this Handbook is to provide member councils with a defined starting point and a series of template tools to assist in the transition to an enterprise risk management system. This handbook is designed to be used as part of an overall process and should not be used without employing the system completely.

2. Contents of the Handbook

This handbook is broken into two major sections: administrative and operational documents. The administrative documents are designed as enablers for the operational documents and include:

• The Enterprise Risk Management Charter (Page 45)
• The Enterprise Risk Management Plan (Pages 46-51), and
• The Risk Management Process (Pages 52-61)

The operational documents include:

• Risk Register and Action Plan (Pages 84-85)
• The Risk Model (Page 75), and
• Inherent to residual to target risk ratings (Pages 77-78)

3. Preliminaries before use

It is expected that users of this Handbook will have completed the following steps within their individual organisations before attempting to adapt and employ this document:

• Identify objectives
• Decide on the method of adoption
• Establish a risk framework and a risk category framework
• Decide on the risk appetite
• Prepare risk tables
• Prepare a training and communication plan, and
• Adopt an implementation plan.


4. General Remarks

It is expected that each Council will take ownership and improve on this handbook. The handbook once adopted should be reviewed on a regular basis to reflect changes in legislation and work practices. This handbook has been designed in such a manner to allow for an “all of organisation” approach to risk management. End users are reminded that this document is provided for guidance only and, as such, must be adapted for use for each organisation individually.

5. Conclusion

Even though all care was taken with this document, it is not to be considered exhaustive and as such may need to be updated or may contain inaccuracies. If any faults in the document are found, please contact the secretary of the Risk and OHS Group to allow for the updates to be distributed across the CENTROC Group. Any questions about the application or ownership of this program should be directed to the secretary of the Group.


Division 1 - General


XYZ Risk Management Charter


The General Manager and Executive are committed to and will ensure an enterprise-wide risk management approach so that XYZ Council will endeavour to manage risks, both operational and strategic, within the local government environment as dictated by available resources through the implementation and maintenance of a strategic risk management program at all levels of Council. XYZ Council will introduce an Enterprise Risk Management Program to allow:

• Council to meet ever increasing requirements for good corporate governance
• The maintenance of public and employee confidence
• The delivery of Council and community goals
• The creation of a culture of cohesiveness within Council
• For the provision of sustainable community services
• For the provision of positive outcomes for Council and the community
• An appropriate level of risk awareness within XYZ Council

XYZ Council will endeavour to achieve these aims by:

• An organisation-wide commitment to risk management discipline
• Encouraging a risk aware culture within Council and the community
• Adopting AS/NZS 4360 “Risk Management”
• Empowering employees at all levels to take part in the risk assessment process
• Establishing and supporting a Risk Management Committee.

By adopting these measures XYZ Council will achieve the following outcomes:

• Limit Council’s Risk Profile
• Achieve gains in efficiency at an operational and strategic level
• Transparency and accountability within Council
• A level of protection to Council by providing an auditable “paper trail”
• A cultural shift within Council and the community
• Foster best practice within the Local Government environment

General Manager (May 2009)    Mayor (May 2009)


XYZ Council Risk Management Plan


Risk Management Plan

Introduction

XYZ Council is committed to the implementation of Enterprise Risk Management (ERM). ERM is defined as “an organisation-wide approach to developing techniques that assist to have the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects”1. Council recognises that risks are an unavoidable, integral part of normal everyday life. Taking control of informed risks is part of good business practice, and allows for risks to be identified, analysed, evaluated and treated. The requirement to adopt a broad-brush risk management approach is likely to be mandated by the Department of Local Government in the near future. Council is adopting a proactive approach in committing resources and energy to implementing Enterprise Risk Management. The ultimate objective of this Risk Management Plan is to embed the principles of risk management in all aspects of Council’s operations. It is recognised this is a long-term goal, and will require a phased implementation to ensure that risk management is effective and sustained across all of Council’s operations. Enterprise Risk Management will require Council to consider the objectives of its internal and external stakeholders, and those factors that may impact on each stakeholder’s ability to achieve their own objectives, as they relate to XYZ Council. This Risk Management Plan provides the suite of tools to be used in applying risk management to XYZ Council.

Pilot approach

In the first stage of the process, Council adopted a “pilot” approach by applying risk management tools to a project. The benefits of adopting such an approach are outlined in the document “Implementation Approach” and include:

• Harnessing the support and commitment from middle management, first line management and staff to the program
• Trialling the program on a small scale prior to large scale roll-out
• Auditing the success of the program
• Making any necessary adjustments or additions to the program
• Profiling the success of the program to the organisation
• Testing the theories, assumptions and calculations made in the program
• Reviewing and providing feedback to stakeholders
• Allowing for cost considerations to be determined and planned for

1 Enterprise Risk Management Handbook, Prudentia 2007


• Encouraging multifunctional involvement across a range of areas and levels

In implementing the pilot approach, there are a number of functions that may have involvement, including:

• Policy development
• Business/Strategic planning
• Asset Management
• Audit
• Business Continuity Management
• Environmental Management
• Human Resources
• Finance
• Project Management

Risk Management – What is it?

Risk Management is the process of identifying potential negative events and the development of plans to mitigate or minimise the likelihood of the negative event occurring and/or the consequences if the risk does occur. Risk Management also involves the identification of potential positive events and their management to increase their likelihood and/or benefits2. Risk can also be described as:

• Any threat that can potentially prevent Council from meeting its objectives
• Any opportunity that is not being maximised by Council to meet its objectives3

It should be noted that risk management is to be applied at all levels of Council operations. Everyone has a responsibility in managing risks. Council has developed a detailed implementation framework, which provides a step-by-step outline for implementing ERM. There is a strong emphasis on training, education and communication, to ensure the skills of Councillors, managers and staff will be developed and maintained. The identification of risk champions within all Council functions is an integral part of the ERM process, and the role of these risk champions is to:

• Assist in the use of the risk management tools
• Provide support and advice to staff in relation to risk management
• Ensure risk management responsibilities are being met in their respective work areas
• Report to the risk management committee
• Assist in the development of a risk aware culture

2 Enterprise Risk Management Handbook, Prudentia 2007, pg 102
3 City of Charles Sturt, Risk Management Framework 2005, pg 2

Risk Management Charter

Council has developed a Risk Management Charter (Page 45). The Charter states that Council, in line with best practice, will endeavour to control risks, both operational and strategic, within the local government environment as dictated by available resources, through the implementation and maintenance of a strategic Risk Management Program at all levels of Council. The implementation framework sets out the actions to be taken to achieve the goals of the Risk Management Charter, and assigns responsibility for these goals.

Organisation’s Strategic Goals and Objectives

The Local Government Act 19934 sets out Council’s Strategic Goals and Objectives as:

a to provide directly or on behalf of other levels of government, after due consultation, adequate, equitable and appropriate services and facilities for the community and to ensure that those services and facilities are managed efficiently and effectively

b to exercise community leadership

c to exercise its functions in a manner that is consistent with and actively promotes the principles of multiculturalism

d to promote and to provide and plan for the needs of children

e to properly manage, develop, protect, restore, enhance and conserve the environment of the area for which it is responsible, in a manner that is consistent with and promotes the principles of ecologically sustainable development

f to have regard to the long term and cumulative effects of its decisions

g to bear in mind that it is the custodian and trustee of public assets and to effectively account for and manage the assets for which it is responsible

h to facilitate the involvement of councillors, members of the public, users of facilities and services and council staff in the development, improvement and co-ordination of local government

4 Local Government Act 1993, Section 8 (1)


i to raise funds for local purposes by the fair imposition of rates, charges and fees, by income earned from investments and, when appropriate, by borrowings and grants

j to keep the local community and the State government (and through it, the wider community) informed about its activities

k to ensure that, in the exercise of its regulatory functions, it acts consistently and without bias, particularly where an activity of the council is affected

l to be a responsible employer

These goals and objectives are at the macro level of Council operations, and incorporate Council’s Mission and Vision Statements. Council’s annual Management and Operational Plans provide the micro level goals and objectives. Identifying these macro and micro level goals assists in identifying risks that may impact on the achievement of these goals.

Enterprise Risk Management Framework

Council has developed a framework for Enterprise Risk Management (Refer Page 15). This Framework shows how risk management will be integrated across the organisation, and identifies the methodologies, tools and processes to be used to support this integrated approach.

Risk Management Process

The process for managing Council’s risks is consistent with the Australian Risk Management Standard AS/NZS 4360:2004.

To support these processes, a range of templates has been established, including:

• Risk Model (Pages 75-76)
• Risk Cause Analysis (Pages 73-74)
• Residual Rating Worksheet (Pages 77-78)
• Risk Exposure Map (Pages 68-69)

Communication

Communication is required from all levels of the organisation. It should inform everyone about outcomes and progress and will be a vehicle to help manage change. Methods of communication will include:

• Media (if required)
• Staff meetings
• Focus meetings


• Newsletters and flyers
• Workshops

Risk Management Policies

Council will need to develop an overarching Risk Management Policy. (The requirements have been outlined in the document titled Risk Management Policies Required.) However, as part of the implementation and integration of Enterprise Risk Management (ERM) throughout the organisation, many existing policies will need to be reviewed and updated to reflect ERM principles and procedures, thus creating a synergy throughout the organisation.

Roles and Responsibilities

All levels of Council have a responsibility and a role to play in ERM. It is essential that the program be supported by the Executive. A strong, visible commitment to the process will set the standard across the organisation, and encourage support from all levels.

Development of a Risk Aware Culture

The pilot approach is the first step in developing a risk aware culture, as those involved in the selected project will learn about ERM practices and actually implement what they have learned. It should be noted that the implementation of Enterprise Risk Management is a journey, involving organisational change on a broad scale so that risk management becomes as ingrained in Council’s operations as occupational health and safety has become. Incremental change is likely to provide positive results, as small changes are reinforced and become “the norm”. The staged approach utilising Council projects allows these small changes to occur. The next phase should see ERM implemented in a particular program area, such as governance, human resources, finance, etc.

Training strategy

The following elements are integral parts of a training strategy for risk management:

• Should be well planned and fit the needs of the organisation
• Should be tailored to different levels within the organisation
• Should ensure communication tools are used at all stages of implementation
• Should be included in staff induction programs


Budgeting

Council will allow for funds to be allocated for those controls that address the Very High and High level risks. This will be reviewed annually as part of Council’s Management Plan process. Risk treatment will depend on funds available within the Council budget. In considering allocations to preventive and corrective controls, Council staff will identify the indicative costs of the consequences if a particular risk event occurs.

Reporting

Council’s Risk Manager will be charged with developing and maintaining Council’s Risk System, including those documents supporting the system. Results of the program will be reported to Council annually, and to any external stakeholders as required. The Risk Action Plan will be updated monthly, and reviewed by the Risk Committee quarterly.

Monitor and Review

The Enterprise Risk Management Plan will be reviewed by the Risk Manager on a regular basis (timeframe to be decided by the organisation). The Action Plan will be updated monthly, and reported to the Risk Committee at least quarterly. Council will engage the services of its internal auditor to audit the risk processes and documents included in this Plan.


XYZ Council Risk Management Process


[Figure: Risk Management Process flowchart]

ESTABLISH THE CONTEXT: The Internal Context; The External Context; The Risk Management Context; Develop Criteria; Define the Risk Management Structure

IDENTIFY RISK: Establish Objectives; Identify Risks and Causes (what can happen, where, when, how, why?)

ANALYSE RISK: Identify Existing Controls; Determine Consequences; Determine Likelihood; Determine Level of Risk – Inherent & Residual

EVALUATE RISK: Compare Against Criteria; Set Priorities; Treat Risk

TREAT RISKS: Identify Options; Assess Options; Develop Action Plan; Prepare and Implement Treatment Plans

Running alongside every step: MONITOR AND REVIEW; COMMUNICATE AND CONSULT

Risk Management (RM) Process

The process for managing XYZ Council’s risks is consistent with the Australian Risk Management Standard AS/NZS 4360:2004. It involves five key steps and additional steps to ensure feedback and validation through a monitoring and review process and appropriate communication and consultation.


Step 1 Communicate and Consult

Communication and consultation are important elements in each step of the risk management process. Ongoing risk management stakeholder engagement is crucial for success in the identification and management of risk. Effective communication will ensure that those responsible for implementing risk management and those with a vested interest understand the basis on which risk management decisions are made and why particular actions are required. It is important that the communication approach recognises the need to promote risk management concepts across all management and staff.

Step 2 Establish the Context

Establishing the context defines the basic parameters within which risks must be considered and managed and sets the scope for the rest of the risk management process. The context includes the Council’s external and internal environment. Reference should be made to the Risk Management Structure (see Division 2 – Tools).

External Context

Establishing the External Context is not only about considering the external environment, but also includes the relationship or interface between the Council and its external environment. This may include:

o Business, social, regulatory, cultural, competitive, financial and political environment
o Industry trends and practices
o Council’s strengths, weaknesses, opportunities and threats
o External stakeholders

Establishing the external context is important to ensure that all relevant stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are properly taken into account.

Internal Context

An understanding of Council is important prior to undertaking the risk management process, regardless of the level. Areas to consider include:

o Culture
o Strategic drivers
o Internal stakeholders
o Structure
o Capabilities in terms of resources such as people, systems, processes, capital
o Goals and objectives and the strategies that are in place to achieve them


Risk Management Context The level of detail that will be entered into during the risk management process must be considered prior to commencement. The extent and scope of the risk management process will depend on the goals and objectives of the Council activity as well as the budget that has been allocated. In each instance, consideration must also be given to the roles and responsibilities for implementing and the undertaking of the risk management process.

Documentation

Step 1: Communicate and Consult should be documented to demonstrate that all factors have been considered. Documentation may include:

o Scope and intended outcomes of the risk management process
o Success measures
o Important elements of the internal and external environment
o Relevant Stakeholders

Step 3 Identify Risks

The next step in the risk management process is to identify the risks to be managed. Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. Identification should include risks whether or not they are under the control of the Council. A number of questions should be asked when attempting to identify risks. These include:

o What can happen?
o Where could it happen?
o When could it happen?
o Why would it happen?
o How can it happen?

It is important to consider relevant objectives when answering these questions.

Risk Identification Methods

There are a number of different methods to identify risk, which may include:

o Brainstorming sessions with all stakeholders
o Checklists developed for similar events/projects/activities
o An examination of previous events/projects/activities of this type

Changes in the external and internal environments of local governments may present risks. Monitoring such changes can facilitate the early identification of unforeseen risks.

AS/NZS 4360:2004 FOR FURTHER REFERENCE


Documentation of Risks

Where there are a number of risks identified within an activity, all identified risks should be documented in the Risk Register.

Step 4 Analyse Risks

Once all risks have been identified, the next step of the risk management process is to analyse the risks. This step involves considering the controls already in place that reduce the level of risk. These controls should be identified and documented in the Action Plan. Controls may include inspection regimes, Standard Operating Procedures (SOPs), other documentation of work practices, defining responsibilities and accountabilities, and monitoring and reviewing processes.

Notes on Analysing Risks

• Risk Scenario 1 – No controls in place. The risk does not have any controls in place yet and therefore you should determine the Inherent Risk Rating. This is achieved by referring to the ‘Risk Rating Table’ and mapping the Inherent Likelihood of the risk occurring against the Inherent Consequence of the risk if it did occur. The ‘Risk Rating Table’ will determine the level of ‘Inherent Risk’. Refer to ‘Step 5 – Evaluate Risk’ to determine what actions, if any, are necessary according to the ‘Risk Criteria Table’ or according to management requirements.

• Risk Scenario 2 – Controls are already in place. The risk already has one or more controls in place. First determine the Inherent Rating as if no controls are in place. Once that has been done, consider the effectiveness of the controls that are already in place and re-rate the risk by once again referring to the ‘Risk Rating Table’, but this time mapping the ‘Residual Likelihood’ against the ‘Residual Consequence’. The ‘Risk Rating Table’ will determine the level of ‘Residual Risk’. Refer to ‘Step 5 – Evaluate Risk’ to determine what actions, if any, are necessary according to the ‘Risk Criteria Table’ or according to management requirements in order to manage the risk rating level further.
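Added example (not part of the handbook or any Council's tooling): the two Step 4 scenarios and the Consequence Table's "highest individual score applies" rule worked through in Python. The likelihood ranks, the Negligible and Minor bands that the table does not print, how a control's effect is scored, and the Risk Rating Table itself are assumptions, since the handbook refers to Division 2 – Tools for them.

```python
from dataclasses import dataclass, field

# Likelihood ranks 1-5 (constructed; the handbook's likelihood table is in Division 2 - Tools).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def financial_rank(loss_dollars: float) -> int:
    """Financial/Legal column: ranks 2-5 are the page's bands, rank 1 is assumed."""
    if loss_dollars > 10_000_000:
        return 5  # Severe: > $10m
    if loss_dollars > 1_000_000:
        return 4  # Major: > $1m
    if loss_dollars >= 500_000:
        return 3  # Moderate: $500k to $1M
    if loss_dollars >= 10_000:
        return 2  # Minor: $10k to $499k
    return 1  # Negligible (assumed: below the Minor band)


def service_loss_rank(days_lost: float) -> int:
    """Customers column (days of lost service). The printed bands touch at 2 days,
    so each band is taken as closed at its upper end; ranks 1-2 are assumed."""
    if days_lost > 3:
        return 5  # Severe: over 3 days
    if days_lost > 2:
        return 4  # Major: 2-3 days
    if days_lost >= 1:
        return 3  # Moderate: 1-2 days
    return 2 if days_lost > 0 else 1  # Minor / Negligible (assumed)


@dataclass
class Control:
    """An existing control and its assumed effect: how many ranks it lowers
    likelihood and consequence (the handbook leaves this judgement to the assessor)."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str                                    # key of LIKELIHOOD
    loss_dollars: float = 0.0                          # Financial/Legal impact
    service_days_lost: float = 0.0                     # Customers impact
    other_impacts: dict = field(default_factory=dict)  # e.g. {"Safety": 2}, ranks 1-5
    controls: list = field(default_factory=list)


def consequence_rank(risk: Risk) -> int:
    """Page rule: the highest individual column score is the overall consequence."""
    return max(financial_rank(risk.loss_dollars),
               service_loss_rank(risk.service_days_lost),
               *risk.other_impacts.values())


def rating(likelihood_rank: int, consequence: int) -> str:
    """Assumed Risk Rating Table; the handbook's own table (Division 2 - Tools) is not
    on this page. Level names follow its Budgeting section (Very High, High, ...)."""
    score = likelihood_rank * consequence
    if score >= 15:
        return "Very High"
    if score >= 8:
        return "High"
    return "Moderate" if score >= 4 else "Low"


def analyse(risk: Risk) -> dict:
    """Scenario 1 (no controls): the inherent rating is the rating.
    Scenario 2 (controls in place): rate inherent first, as if no controls existed,
    then re-rate using residual likelihood and residual consequence."""
    inherent_l, inherent_c = LIKELIHOOD[risk.likelihood], consequence_rank(risk)
    result = {"inherent": rating(inherent_l, inherent_c)}
    if not risk.controls:
        result["residual"] = result["inherent"]
        return result
    clamp = lambda r: max(1, min(5, r))  # ranks stay on the 1-5 scale
    residual_l = clamp(inherent_l - sum(c.likelihood_reduction for c in risk.controls))
    residual_c = clamp(inherent_c - sum(c.consequence_reduction for c in risk.controls))
    result["residual"] = rating(residual_l, residual_c)
    return result


def example_risk() -> Risk:
    """Constructed Risk Register entry (not from the handbook)."""
    return Risk(
        name="Rates system unavailable after an unpatched server fails",
        likelihood="likely",           # inherent likelihood rank 4
        loss_dollars=600_000,          # Moderate band -> 3
        service_days_lost=2.5,         # Major band -> 4, so the overall consequence is 4
        other_impacts={"Reputation": 3},
        controls=[Control("Monthly patch cycle", likelihood_reduction=1),
                  Control("Tested restore procedure", consequence_reduction=1)],
    )


if __name__ == "__main__":
    r = example_risk()
    print(r.name, "consequence:", consequence_rank(r), analyse(r))
```

With the sample entry, the inherent rating is Very High and the residual rating after the two controls is High, which is what the Residual Rating Worksheet would record for Step 5.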

Analysing the consequences of the risk and the likelihood that those consequences may occur:


Consequence

When scoring the consequence associated with a risk, consideration needs to be given, at least, to its impact in terms of:
o Socio-political and community issues
o Business Impact (including Financial/Legal)
o Customers
o Reputation
o Public safety
o Environment/Compliance

The impact scale is rated from “negligible” to “severe” as indicated in the Consequence Table. In determining the overall consequence score for each risk, the highest individual score should be applied. The Consequence Table provides specific examples of the types of incidents and their associated impact scale, to assist staff in determining the Consequence rating that applies to the identified risk.

Consequence Table (Refer Table (b) – Division 2 - Tools Risk Management Tables)

Columns: Value; Description; Rank; Financial/Legal; Customers; Reputation; Safety; Environment/Compliance

Severe (Rank 5)
  Description: Has major impact on Council's ability to provide services; may threaten a project or opportunity
  Financial/Legal: > $10m
  Customers: Loss of service for over 3 days
  Reputation: Severe loss of confidence; international and national focus
  Safety: 1 or more deaths, serious disability
  Environment/Compliance: Severe breach of legislation; fine; major public reaction

Major (Rank 4)
  Description: Threatens strategic objectives in the medium term
  Financial/Legal: > $1m
  Customers: Loss of services for 2-3 days
  Reputation: Significant community dissatisfaction; State coverage
  Safety: Serious injury (major surgery, > 2 months admission)
  Environment/Compliance: Major breach of regulation; fine; complaints

Moderate (Rank 3)
  Description: Threatens strategic objectives in the short term
  Financial/Legal: $500k to $1M
  Customers: Loss of service for 1-2 days
  Reputation: Expressed community dissatisfaction; local coverage
  Safety: Significant injury, 1-2 months absence
  Environment/Compliance: Moderate breach of legislation; no fine, written reprimand from State authority; complaints

Minor (Rank 2)
  Description: The impact is seen as a minor threat to strategic objectives
  Financial/Legal: $10k to $499k
  Customers: Loss of service for 12-24 hours
  Reputation: May cause minor public concern
  Safety: Minor injury
  Environment/Compliance: Minor breach of legislation; verbal reprimand from State Authority; complaints

Negligible (Rank 1)
  Description: Seen as negligible threat to strategic objectives
  Financial/Legal: $0-$10k
  Customers: Loss of service for 0-12 hours
  Reputation: No public concern
  Safety: No absence
  Environment/Compliance: Negligible breach of legislation; no complaints


Likelihood

For Council, likelihood is rated from rare to almost certain as indicated in the table below. Assessing the likelihood of the risk occurring includes consideration of the ‘frequency’, i.e. how often the risk is likely to occur over a given time period (hour, week, month, year, 5 years etc.):

Likelihood Table (Refer Table (a) – Division 2 - Tools Risk Management Tables)

Value            Description
Almost Certain   Expected to occur in most circumstances or occurs regularly
Likely           Will probably occur
Possible         May occur at some time
Unlikely         Could occur some time
Rare             Only occurs in exceptional circumstances

Inherent Risk Rating

The initial risk rating (assuming no controls in place) for each risk is calculated by plotting the inherent likelihood and inherent consequence scores on the Risk Rating Table (below) to give an Inherent Risk Rating of “very high”, “high”, “medium” or “low”. This rating provides a measure of the inherent level of risk and will assist in identifying the risks that require further treatment in Step 6: Treat Risks.

Inherent and Residual Risk Rating Table (Refer Table (c) – Division 2 - Tools Risk Management Tables)

Risk Rating Table (Matrix): rows are likelihood, columns are consequence

Likelihood       Negligible  Minor  Moderate  Major  Severe
Almost Certain   L           M      H         VH     VH
Likely           L           M      H         VH     VH
Possible         L           L      M         VH     VH
Unlikely         L           L      M         H      H
Rare             L           L      M         H      H

Residual Risk Rating

Any already existing controls, or any additional controls already implemented, should then be assessed for their effectiveness in managing their particular risk. This is achieved by referring to the Effectiveness of Controls Table (e) as well as the Residual Likelihood Table (f) and the Residual Consequence Table (g). This establishes the residual likelihood or the residual consequence of the risk. The residual risk rating can then be determined by referring to the Inherent and Residual Risk Rating Table (c) once again and plotting the residual likelihood and residual consequence scores on the Risk Rating Table.


If controls are under development or being planned but not yet in place, their effectiveness should not be considered in evaluating the Residual Likelihood or Residual Consequence levels. Only consider control effectiveness if the controls are in place and functional.

Effectiveness of Controls Description Table (Refer Table (e) – Division 2 - Tools Risk Management Tables)

Control Effectiveness   Description                                                                                   Reduction Value
Damaging                The controls in place actually increase the risk, not reduce it                               -10%
None                    No controls are in place                                                                      0%
Deficient               The controls that have been applied are not adequate for the job                              10%
Marginal                The controls that have been put in place go part of the way to reducing the risk or impact    30%
Qualified               The controls that have been put in place go a reasonable way to reducing the risk or impact   50%
Effective               The controls that have been applied go a reasonable way to reducing the risk or impact        70%
Excessive               The controls that have been applied are more than necessary to reduce the risk or impact;     90%
                        there may be some over-control

Residual Likelihood Table (Refer Table (f) – Division 2 - Tools Risk Management Tables)

Rows: effectiveness of preventative controls. Columns: inherent likelihood. Cell: residual likelihood rating.

                 Almost Certain   Likely     Possible   Unlikely   Rare
Damaging         Almost Certain   Likely     Possible   Unlikely   Rare
None             Almost Certain   Likely     Possible   Unlikely   Rare
Deficient        Almost Certain   Likely     Possible   Unlikely   Rare
Marginal         Likely           Possible   Unlikely   Unlikely   Rare
Qualified        Possible         Unlikely   Unlikely   Rare       Rare
Effective        Unlikely         Unlikely   Rare       Rare       Rare
Excessive        Rare             Rare       Rare       Rare       Rare


Residual Consequence Table (Refer Table (g) – Division 2 - Tools Risk Management Tables)

Rows: effectiveness of preventative (corrective) controls. Columns: inherent consequence. Cell: residual consequence rating.

                 Negligible   Minor        Moderate   Major      Severe
Damaging         Negligible   Minor        Moderate   Major      Severe
None             Negligible   Minor        Moderate   Major      Severe
Deficient        Negligible   Minor        Moderate   Major      Severe
Marginal         Negligible   Minor        Moderate   Major      Severe
Qualified        Negligible   Negligible   Minor      Moderate   Major
Effective        Negligible   Negligible   Minor      Moderate   Major
Excessive        Negligible   Negligible   Minor      Moderate   Major

Step 5 Evaluate Risks

The next step in the risk management process is to evaluate whether to accept or manage the rated risks further. This is carried out by comparing the determined risk ratings against pre-defined risk criteria, which establish whether any further risk treatment is required. A model of criteria based on a generic Centroc Council "Risk Appetite" has been developed below in the Risk Criteria Table (d). By referring to this table one can determine what actions are required for both inherent risks (where no controls are in place) and residual risks (where controls are already in place).

Risk Criteria Table (Refer Table (d) – Division 2 - Tools Risk Management Tables)

Risk Rating Matrix Legend

Very High (VH): Requires the immediate attention of key officers;
• Where a possible fatality may occur
• Major environmental event may occur
• Major loss of plant may occur
• Major financial loss may occur
• Where a major amount of damage to reputation may occur
Detailed consultation, research, risk identification and reduction options to be investigated, with a detailed action plan designed.

High (H): Significant risks require the timely and appropriate attention of relevant key officers so that effective controls may be put in place. The manager responsible for the identified risk would need to monitor the implementation.

Medium (M): Responsibility would fall with the relevant key officer, and specific monitoring of response procedures would occur through the relevant manager or Risk Coordinator.

Low (L): Manage by routine procedures such as SWMS and SOPs. Allocation of additional resources may not be needed. May be managed on an ad hoc basis through risk assessment or tool box talk.


Risks with an inherent/residual rating of very high or high will, in most cases, require treatment plans. Moderate and low risks may be excluded from the implementation of controls at management’s discretion. However, the rationale for not implementing controls for these risks, as well as the monitoring and review regimes required, should be documented to demonstrate the completeness of the evaluation undertaken.

Step 6 Treat Risks

The next step of the risk management process involves, where required, identifying a range of options for treating risks, evaluating the options and developing additional controls for implementation. Selecting the most appropriate option involves balancing the costs of implementing each option against the benefits derived from it. It is important to consider all direct and indirect costs and benefits, whether tangible or intangible. The objective is not to eliminate all risk but rather to ensure that the risk is maintained at a level tolerable to Council’s risk appetite, and in a cost-effective manner. It should also be recognised that the risk treatment itself may introduce new risks that need to be identified, assessed, treated and monitored.

The primary means of demonstrating the treatment of risk is via the Risk Action Plan. In the Centroc Model of the program this Action Plan has been amalgamated to form a part of the Risk Register. This document should clearly indicate the Action/Treatment being adopted and the person responsible. Where possible, time frames as well as cost budgets should be included in the Action Plan.

Step 7 Monitor and Review

It is important to understand that the risk management process is a continual one. It is essential to incorporate ongoing monitoring and review policies/procedures into all Council activities in order to capture any new risks arising from changing business circumstances, and to review any risk management implementations.

Any risks rated as very high or high should be monitored on a regular basis to ensure that the rating assigned, controls identified, and treatment plans established remain valid. These risks, as well as risks rated as less than high, should have their monitoring and review regimes documented. Monitoring and review also involves learning lessons from the risk management process, by reviewing events, the treatment plans and their outcomes. Any ‘near-miss’ incidents that occur should immediately trigger a review of the existing risk profile and any action plans in progress. Usually the principal responsibility for risk monitoring and review is given to management in the particular business area.
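As an added example (not part of the Council template or the Centroc model), the Step 4 and Step 5 lookups coded directly against Tables (a)-(g) of Division 2: the highest-impact consequence rule, the inherent rating, the residual rating after in-place preventative and corrective controls, the Step 4 caveat that planned controls do not count, and the criteria action. The risk, its impact scores, its control ratings, and the simplification of one effectiveness rating per control type are assumptions.

```python
"""Steps 4-5 of the Council risk process as lookups on Tables (a)-(g), Division 2.
Added example, not part of the template; the risk and controls below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Table (a)/(b) values. CONSEQUENCE is rank order 1..5; LIKELIHOOD_COLS is Table (f)'s column order.
CONSEQUENCE = ["Negligible", "Minor", "Moderate", "Major", "Severe"]
LIKELIHOOD_COLS = ["Almost Certain", "Likely", "Possible", "Unlikely", "Rare"]

# Table (c): row = likelihood, column = consequence in CONSEQUENCE order.
RATING_MATRIX = {
    "Almost Certain": ["L", "M", "H", "VH", "VH"],
    "Likely":         ["L", "M", "H", "VH", "VH"],
    "Possible":       ["L", "L", "M", "VH", "VH"],
    "Unlikely":       ["L", "L", "M", "H", "H"],
    "Rare":           ["L", "L", "M", "H", "H"],
}
# Table (f): row = Table (e) effectiveness of preventative controls,
# column = inherent likelihood (LIKELIHOOD_COLS order), cell = residual likelihood.
RESIDUAL_LIKELIHOOD = {
    "Damaging":  ["Almost Certain", "Likely", "Possible", "Unlikely", "Rare"],
    "None":      ["Almost Certain", "Likely", "Possible", "Unlikely", "Rare"],
    "Deficient": ["Almost Certain", "Likely", "Possible", "Unlikely", "Rare"],
    "Marginal":  ["Likely", "Possible", "Unlikely", "Unlikely", "Rare"],
    "Qualified": ["Possible", "Unlikely", "Unlikely", "Rare", "Rare"],
    "Effective": ["Unlikely", "Unlikely", "Rare", "Rare", "Rare"],
    "Excessive": ["Rare", "Rare", "Rare", "Rare", "Rare"],
}
# Table (g): row = effectiveness of corrective controls,
# column = inherent consequence (CONSEQUENCE order), cell = residual consequence.
RESIDUAL_CONSEQUENCE = {
    "Damaging":  ["Negligible", "Minor", "Moderate", "Major", "Severe"],
    "None":      ["Negligible", "Minor", "Moderate", "Major", "Severe"],
    "Deficient": ["Negligible", "Minor", "Moderate", "Major", "Severe"],
    "Marginal":  ["Negligible", "Minor", "Moderate", "Major", "Severe"],
    "Qualified": ["Negligible", "Negligible", "Minor", "Moderate", "Major"],
    "Effective": ["Negligible", "Negligible", "Minor", "Moderate", "Major"],
    "Excessive": ["Negligible", "Negligible", "Minor", "Moderate", "Major"],
}
# Table (d), reduced to the treatment decision the process text attaches to each rating.
CRITERIA = {
    "VH": "treatment plan required: immediate attention of key officers",
    "H": "treatment plan required: timely attention of relevant key officers",
    "M": "treatment at management discretion; document rationale and monitoring regime",
    "L": "manage by routine procedures (SWMS, SOPs); document rationale and monitoring regime",
}

def overall_consequence(impacts: Dict[str, str]) -> str:
    """Consequence rule: the highest individual impact score across Table (b) columns applies."""
    return max(impacts.values(), key=CONSEQUENCE.index)

def rate(likelihood: str, consequence: str) -> str:
    """Table (c) lookup, used for both the inherent and the residual pair."""
    return RATING_MATRIX[likelihood][CONSEQUENCE.index(consequence)]

@dataclass
class ControlSet:
    """Assessor's Table (e) rating for a risk's preventative or corrective controls.
    Assumption: one rating per control type (the template does not say how several combine)."""
    effectiveness: str
    in_place: bool = True   # Step 4 caveat: planned or in-development controls do not count

    def counted(self) -> str:
        return self.effectiveness if self.in_place else "None"

@dataclass
class Risk:
    name: str
    likelihood: str                 # Table (a) value
    impacts: Dict[str, str]         # Table (b) column -> consequence value
    preventative: Optional[ControlSet] = None
    corrective: Optional[ControlSet] = None

def assess(risk: Risk) -> Dict[str, str]:
    """Step 4 (inherent, then residual rating) and Step 5 (criteria action) for one risk."""
    inherent_cons = overall_consequence(risk.impacts)
    prev = (risk.preventative or ControlSet("None")).counted()
    corr = (risk.corrective or ControlSet("None")).counted()
    res_lik = RESIDUAL_LIKELIHOOD[prev][LIKELIHOOD_COLS.index(risk.likelihood)]
    res_cons = RESIDUAL_CONSEQUENCE[corr][CONSEQUENCE.index(inherent_cons)]
    residual = rate(res_lik, res_cons)
    return {"inherent_consequence": inherent_cons, "inherent_rating": rate(risk.likelihood, inherent_cons),
            "residual_likelihood": res_lik, "residual_consequence": res_cons,
            "residual_rating": residual, "action": CRITERIA[residual]}

# Constructed risk: Major on Financial/Legal and Environment/Compliance, lower elsewhere.
IMPACTS = {"Financial/Legal": "Major", "Customers": "Minor", "Reputation": "Moderate",
           "Safety": "Negligible", "Environment/Compliance": "Major"}
CONTROLLED_RISK = Risk("Unauthorised access to the payroll system", "Likely", IMPACTS,
                       preventative=ControlSet("Qualified"), corrective=ControlSet("Effective"))
# Same risk, but the preventative control is still only planned, so it must be rated as "None".
PLANNED_RISK = Risk("Unauthorised access to the payroll system", "Likely", IMPACTS,
                    preventative=ControlSet("Effective", in_place=False),
                    corrective=ControlSet("Effective"))

if __name__ == "__main__":
    for r in (CONTROLLED_RISK, PLANNED_RISK):
        print(r.name, assess(r))
```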


Step 8 Record the Risk Management Process

Each stage of the risk management process should be recorded appropriately. Assumptions, methods, data sources, analyses, results and reasons for decisions should all be recorded. Any ‘near-miss’ incidents should be documented too. The records of such processes are an important aspect of good corporate governance. Decisions concerning the making and capture of records should take into account:
o The legal and business needs for records;
o The cost of creating and maintaining records; and
o The benefits of re-using information. (Refer AS ISO 15489)

Example Documents (Division Three)
o Method for Analysing the Cause of Risk
o Risk Model
o Inherent to Residual to Target Risk Rating
o Stakeholders Objectives, Risk Categories, Risks and Causes
o Risk Management Context
o Council Action Plan and Risk Register


XYZ Council Roles and Responsibilities

Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR - Risk Management Version: 1 Review: Apr 10

Operational Template Implementation Approach

The roles and responsibilities relating to Council’s Enterprise Risk Management (ERM) are detailed below:

Council: Approve program, allocate funding, ultimate responsibility, report to community. Liaise with General Manager.

General Manager: Oversee program, maintain leadership, implementation, effectiveness of program, report to Council and statutory bodies.

Directors / Executive Managers: Identify risk and best practice, overall department implementation, report to General Manager, drive processes, provide leadership and direction.

Risk Management Committee: Oversee the implementation of the risk management process, decide direction in consultation with General Manager, monitor and review.

Risk Manager: Monitor actions, implement systems, ensure compliance as required, provide leadership and direction.

Department Risk Representative: Risk mentor, resource person, support role, assist committee or Risk Manager. Liaise with staff and supervisors.

Senior Managers: Implement in own area, ensure training and resources available, provide leadership and support, report to executive managers.

Supervisors: Implement and maintain compliance, maintain adherence to time frames, monitor and review, report to senior managers.

Staff: Report unsafe acts or any conditions of risk, e.g. fraud, misappropriation. Work to time frames, comply with policies and procedures.

Refer also to the Risk Oversight Framework found in Section One – Program Documents.


Division 2 - Tools


XYZ Council Risk Management Tables

Council Reference: Date: Apr 09 TBA Page 1 of 3 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template risk management tables

Likelihood Table (a)

Value            Description                                                    Ranking
Almost Certain   Expected to occur in most circumstances or occurs regularly    5
Likely           Will probably occur                                            4
Possible         May occur at some time                                         3
Unlikely         Could occur some time                                          2
Rare             Only occurs in exceptional circumstances                       1

Consequence Table (b)

Columns: Value; Description; Rank; Financial/Legal; Customers; Reputation; Safety; Environment/Compliance

Severe (Rank 5)
  Description: Has major impact on Council's ability to provide services; may threaten a project or opportunity
  Financial/Legal: > $10m
  Customers: Loss of service for over 3 days
  Reputation: Severe loss of confidence; international and national focus
  Safety: 1 or more deaths, serious disability
  Environment/Compliance: Severe breach of legislation; fine; major public reaction

Major (Rank 4)
  Description: Threatens strategic objectives in the medium term
  Financial/Legal: > $1m
  Customers: Loss of services for 2-3 days
  Reputation: Significant community dissatisfaction; State coverage
  Safety: Serious injury (major surgery, > 2 months admission)
  Environment/Compliance: Major breach of regulation; fine; complaints

Moderate (Rank 3)
  Description: Threatens strategic objectives in the short term
  Financial/Legal: $500k to $1M
  Customers: Loss of service for 1-2 days
  Reputation: Expressed community dissatisfaction; local coverage
  Safety: Significant injury, 1-2 months absence
  Environment/Compliance: Moderate breach of legislation; no fine, written reprimand from State authority; complaints

Minor (Rank 2)
  Description: The impact is seen as a minor threat to strategic objectives
  Financial/Legal: $10k to $499k
  Customers: Loss of service for 12-24 hours
  Reputation: May cause minor public concern
  Safety: Minor injury
  Environment/Compliance: Minor breach of legislation; verbal reprimand from State Authority; complaints

Negligible (Rank 1)
  Description: Seen as negligible threat to strategic objectives
  Financial/Legal: $0-$10k
  Customers: Loss of service for 0-12 hours
  Reputation: No public concern
  Safety: No absence
  Environment/Compliance: Negligible breach of legislation; no complaints

Inherent & Residual Risk Rating Table (c)

Risk Rating Table (Matrix): rows are likelihood, columns are consequence

Likelihood       Negligible  Minor  Moderate  Major  Severe
Almost Certain   L           M      H         VH     VH
Likely           L           M      H         VH     VH
Possible         L           L      M         VH     VH
Unlikely         L           L      M         H      H
Rare             L           L      M         H      H


Risk Criteria Table (d)

Risk Rating Matrix Legend

Very High (VH): Requires the immediate attention of key officers;
• Where a possible fatality may occur
• Major environmental event may occur
• Major loss of plant may occur
• Major financial loss may occur
• Where a major amount of damage to reputation may occur
Detailed consultation, research, risk identification and reduction options to be investigated, with a detailed action plan designed.

High (H): Significant risks require the timely and appropriate attention of relevant key officers so that effective controls may be put in place. The manager responsible for the identified risk would need to monitor the implementation.

Medium (M): Responsibility would fall with the relevant key officer, and specific monitoring of response procedures would occur through the relevant manager or Risk Coordinator.

Low (L): Manage by routine procedures such as SWMS and SOPs. Allocation of additional resources may not be needed. May be managed on an ad hoc basis through risk assessment or tool box talk.

Effectiveness of Controls Description Table (e)

Control Effectiveness   Description                                                                                   Reduction Value
Damaging                The controls in place actually increase the risk, not reduce it                               -10%
None                    No controls are in place                                                                      0%
Deficient               The controls that have been applied are not adequate for the job                              10%
Marginal                The controls that have been put in place go part of the way to reducing the risk or impact    30%
Qualified               The controls that have been put in place go a reasonable way to reducing the risk or impact   50%
Effective               The controls that have been applied go a reasonable way to reducing the risk or impact        70%
Excessive               The controls that have been applied are more than necessary to reduce the risk or impact;     90%
                        there may be some over-control

Residual Likelihood Rating Table (f)

Rows: effectiveness of preventive controls. Columns: inherent likelihood rating. Cell: residual likelihood rating.

                 Almost Certain   Likely     Possible   Unlikely   Rare
Damaging         Almost Certain   Likely     Possible   Unlikely   Rare
None             Almost Certain   Likely     Possible   Unlikely   Rare
Deficient        Almost Certain   Likely     Possible   Unlikely   Rare
Marginal         Likely           Possible   Unlikely   Unlikely   Rare
Qualified        Possible         Unlikely   Unlikely   Rare       Rare
Effective        Unlikely         Unlikely   Rare       Rare       Rare
Excessive        Rare             Rare       Rare       Rare       Rare


Residual Consequence Rating Table (g)

Rows: effectiveness of corrective controls. Columns: inherent consequence rating. Cell: residual consequence rating.

                 Negligible   Minor        Moderate   Major      Severe
Damaging         Negligible   Minor        Moderate   Major      Severe
None             Negligible   Minor        Moderate   Major      Severe
Deficient        Negligible   Minor        Moderate   Major      Severe
Marginal         Negligible   Minor        Moderate   Major      Severe
Qualified        Negligible   Negligible   Minor      Moderate   Major
Effective        Negligible   Negligible   Minor      Moderate   Major
Excessive        Negligible   Negligible   Minor      Moderate   Major


XYZ Council Risk Exposure Map

Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template exposure map example

The risk rating has reduced from VH (Very High) to Medium (M) for R1 following the implementation of preventative and corrective controls.

RISK EXPOSURE MAP (consequences across, likelihood down)

Likelihood       Negligible  Minor  Moderate  Major  Severe
Almost Certain   L           M      H         VH     VH
Likely           L           M      H         VH     VH
Possible         L           L      M         VH     VH
Unlikely         L           L      M         H      H
Rare             L           L      M         H      H

[Map markers in the original: R1 (a), the inherent position, and R1 (b), the residual position, plotted on the matrix above; the cells they occupy are not preserved in the text.]


Exposure Map

Council Reference: Date: Apr 09 TBA Page 1 of 1

Responsible Council Section: HR –Risk Management Version: 1 Review: Apr 10

Operational Template Exposure Map

Note:
(a) is the risk level before any controls are introduced (inherent rating);
(b) is the risk level following the implementation of preventative and/or corrective controls;
(c) is the target risk level.
It may not be possible to implement corrective or preventative controls for some risks.

RISK EXPOSURE MAP (consequences across, likelihood down)

Likelihood       Negligible  Minor  Moderate  Major  Severe
Almost Certain   L           M      H         VH     VH
Likely           L           M      H         VH     VH
Possible         L           L      M         VH     VH
Unlikely         L           L      M         H      H
Rare             L           L      M         H      H

[Map markers in the original: two risks plotted on the matrix above, one with (a) and (b) positions and one with (a), (b) and (c) positions; the cells they occupy are not preserved in the text.]


Risk Management Structure (Internal & External Stakeholders)

Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template risk management structure

[Diagram: Risk Management Structure, showing Internal and External stakeholders arranged around Council and the Project Group. Labels shown: Council; Insurance Dept; Infrastructure; Operations; Design; Project Manager; Review; Engineers; Supervisors; Managers; Staff; Project Group; Contractors/Supplier; Media; Community/Users; Funding Bodies; Regulating Bodies; Unions; Regulators; Contractors; Suppliers.]


Division 3 - Templates


Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Method Analysing Risk Cause Blank

Method for Analysing the Cause of Risk (blank form)

[Form layout: a central box labelled "Current Identified Risk Description:", linked to "Cause Description" boxes; each cause links to further "Risk Description" and "Cause Description" boxes, so that the cause of a risk is itself analysed. A separate branch labelled "What other risks can be created by cause" has its own "Risk Description" and "Cause Description" boxes.]


Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Method Analysing risk Cause example

Method for Analysing the Cause of Risk (example)

Current Identified Risk Description: The project fails to meet expectations, due to unplanned changes in project scope.

  Cause Description: Poor site preparations and the failure to identify archaeological artefacts on the site.
    This occurs due to the project not being properly surveyed and investigated.
    Risk Description: The scope of the project was not managed through adequate Project Management Processes.
      Cause Description: Council does not have in place a project management policy recognising the need to address archaeological finds or similar.
    Risk Description: Engineers at Council with insufficient training/skills to adequately investigate archaeological matters.
      This occurs due to a lack of awareness by engineers of these types of implications.
      Cause Description: Lack of availability of courses/training in this specialist area.

What other risks can be created by the cause?

  Risk Description: Council will have difficulty in gaining an alternate use for the project in its present state.
    Cause Description: The change in scope required severely detracts from the useability of the project for users.
    Cause Description: The project was very user specific due to its location and function.
  Risk Description: The user group are no longer willing to utilise the project due to changes in scope made.


Risk Model

Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Risk Model blank

[Blank risk model diagram. Elements: R1 Risk; C(a) Causes; Q Consequence; C(p) Preventative Controls (acting on the causes); C(c) Corrective Controls (acting on the consequence).]


Risk Model – Project

Council Reference: Date: Apr 09 TBA Page 1 of 1 Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10

Operational Template Risk Model example

Risk: The project fails to meet expectations, due to poor project quality

C(a) Causes:
• Inadequate/poor design
• Inferior quality resources (materials, skilled staff, suitably qualified contractors)
• Unfavourable working conditions (inclement weather, latent site conditions)

Q Consequence:
• Negative media exposure
• Poor public image
• User dissatisfaction
• Excessive maintenance
• Lack of functionality
• Possible cost over-runs

C(p) Preventative Controls: Develop a comprehensive project plan that includes:
• Consultation with key stakeholders
• Detailed tendering and contract documentation
• Policies and procedures
• Selection of appropriately skilled staff and contractors

C(c) Corrective Controls: Create and implement a remedial action plan that includes:
• Obtaining legal advice in the instance of poor contractor performance or inferior materials
• Any remedial or repair work that can be undertaken, or re-doing the work
• Identification of additional funding opportunities
• Communication strategy for media and stakeholders


Inherent to Residual to Target Risk Rating (blank)

© Prudentia Pty Ltd 2007. Copyright - All rights reserved.

Risk:
Consequence:
Preventative Controls:
Corrective Controls:

Step 1 – Inherent Likelihood:            Inherent Consequences:            Inherent Rating:
Step 2 – Preventative Control(s):
Step 3 – Corrective Control(s):
Step 4 – Residual Likelihood:            Residual Consequences:            Residual Rating:

Target Rating: Has the residual risk rating been reduced sufficiently? Do we need to set a Target Rating Value?


Inherent to Residual to Target Risk Rating (example)

© Prudentia Pty Ltd 2007. Copyright - All rights reserved.

Risk: An injury to a staff member or contractor occurs, due to non-compliance with safe work procedures
Consequence: Injury to staff member or contractor
Preventative Controls: Structured implementation and education process for policies and procedures
Corrective Controls: Internal investigation and review of policies and procedures

Step 1 – Inherent Likelihood: Likely; Inherent Consequences: Major; Inherent Rating: Very High

Step 2 – Preventative Control(s): Structured implementation and education process for policies and procedures:
• Consultation with staff
• Development of policies and procedures
• Induction of staff and contractors
• On-the-job monitoring of compliance

Step 3 – Corrective Control(s): Internal investigation and review of policies and procedures:
• Conduct internal investigation
• Report to management, OHS Committee
• Monitor, review policies/procedures
• Communicate any changes to staff and contractors

Step 4 – Residual Likelihood: Possible; Residual Consequences: Major; Residual Rating: Medium

Target Rating: Medium. Has the residual risk rating been reduced sufficiently? Do we need to set a Target Rating Value?


STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register blank)

Council Reference: Date: Apr 09 TBA Page 1 of 1
Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template

Register columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

Page 79


STAKEHOLDERS OBJECTIVES, RISK CATEGORIES, RISKS AND CAUSES (Stakeholder Register example)

Council Reference: Date: Apr 09 TBA Page 1 of 1
Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template

Register columns: Stakeholder | Objective | Risk category | Identified risk | Causes of the risk

Stakeholder: General Manager

Objective: To ensure council compliance with state and federal legislation
  Risk category: Compliance
  Identified risk: Non-compliance with state and federal legislation
  Causes of the risk:
  • Staff knowledge of legislation is deficient due to lack of training, procedures and supervision.
  • Insufficient audit controls
  • Responsibilities not allocated in position descriptions

Objective: To ensure financial viability
  Risk category: Finance
  Identified risk: Financial loss
  Causes of the risk:
  • Bad investments
  • Inadequate debt recovery procedures
  Identified risk: Fraud
  Causes of the risk:
  • Non-adherence to budgets
  Identified risk: Poor budgeting
  Causes of the risk:
  • Inadequate cost control of projects

Objective: To ensure environmental sustainability
  Risk category: Environmental
  Identified risk: Environmental damage
  Causes of the risk:
  • Irresponsible development

Objective: Provide ethical, responsible and transparent decision making
  Risk category: Reputation

Page 80


Risk Management Context (risk management context blank)

Council Reference: Date: Apr 09 TBA Page 1 of 1
Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template

Date of original documentation:
Dates document updated & by whom:
Name of person responsible for risk analysis & assessment:
Business area that owns this risk analysis & assessment:
Write a short description of the internal/external context (environment) of the risk management scenario:
Describe your objectives in relation to this above scenario:
Document any assumptions or comments being made in regard to the above scenario:
Document the names of people who have contributed to this risk analysis and assessment:

Page 81


Risk Management Context

Council Reference: Date: Apr 09 TBA Page 1 of 2
Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template

Date of original documentation: 20 February 2009
Dates document updated & by whom: TBA
Name of person responsible for risk analysis & assessment: Manager Corporate Governance / Administration Manager
Business area that owns this risk analysis & assessment: Corporate Services

Write a short description of the internal/external context (environment) of the risk management scenario:
XYZ Council is a local government body that provides numerous services to its stakeholders. The requirement for corporate governance in local government is driven by the obligation to provide evidence that councils are delivering their expected outcomes with integrity and accountability. The government and the public need assurances that councils are acting in a responsible, effective, efficient and socially acceptable manner. Local government is ultimately answerable to the public who have put them into office. They govern on behalf of the public.

Describe your objectives in relation to this above scenario:
To ensure good corporate governance. To do this council must understand, identify, assess, evaluate and manage its risk within the local government environment by establishing a good system of governance and setting in place a framework that will minimise the opportunity for underperformance in the delivery of their mandate. This includes outcomes in regard to the law and regulatory authorities, as well as integrity, accountability, culture, reputation and social responsibility.

Page 82


Risk Management Context

Council Reference: Date: Apr 09 TBA Page 2 of 2
Responsible Council Section: HR – Risk Management Version: 1 Review: Apr 10
Operational Template

Document any assumptions or comments being made in regard to the above scenario:
• This objective has been tailored specifically towards the governance area of the council.
• Assumed management acknowledge and fully support the program.
• Assumed that resources will be made available to allow council to achieve the objectives outlined.

Document the names of people who have contributed to this risk analysis and assessment:
Barb Hepworth, Leanne Ritchie, John Starr, Chris Hodge and Brian Dwyer

Page 83


XYZ Council Risk Register and Action Plan (Risk Register blank)

Register columns:
  Risk # | Risk | Category | Stakeholder | Risk Owner | Consequence
  Inherent: Likelihood | Consequence | Rating | Comment
  Controls: Preventative | Rating | Corrective | Rating
  Residual Risk: Likelihood | Consequence | Rating | Action Required

Page 84


XYZ Council Action Plan and Risk Register (Risk Register example)

Register columns:
  Risk # | Risk | Category | Stakeholder | Risk Owner | Consequence
  Inherent: Likelihood | Consequence | Rating | Comment
  Controls: Preventative | Rating | Corrective | Rating
  Residual Risk: Likelihood | Consequence | Rating | Action Required

Risk 1: The project fails to meet expectations, due to poor project quality
  Category: Quality
  Stakeholder: Users
  Risk Owner: Project Manager
  Consequence: Expressed user dissatisfaction with facility
  Inherent: Likelihood Likely; Consequence Major; Rating Very High; Comment: Needs action
  Preventative control: Develop a comprehensive project plan that includes consultation with key stakeholders, detailed tendering and contract documentation, policies and procedures and selection of appropriately skilled staff and contractors (Rating: Effective)
  Corrective control: Create and implement remedial action plan that includes obtaining legal advice (in the instance of poor contractor performance), any remedial or repair work that can be undertaken, or re-doing the work, identification of additional funding opportunities and communication strategy for media and stakeholders (Rating: Effective)
  Residual: Likelihood Unlikely; Consequence Moderate; Rating Medium; Action Required: Achieved target rating

Risk 2: The project fails to meet expected completion date, due to delays
  Category: Timing
  Stakeholder: Management
  Risk Owner: Project Manager
  Consequence: Inability to provide finished product to users and the community
  Inherent: Likelihood Almost Certain; Consequence Major; Rating Very High; Comment: Needs action
  Preventative control: Develop comprehensive scope of works that includes quality checks, audits, inspections, allocation for wet weather days, contractor penalties for delays, human resources planning (skills required, job descriptions, policies - leave, occupational health and safety) (Rating: Effective)
  Corrective control: Develop action plan to include the revised completion date, communication strategy with media and stakeholders, engage alternate contractors and/or staff, seek additional funding, seek legal advice, submit an insurance claim (Rating: Effective)
  Residual: Likelihood Possible; Consequence Moderate; Rating Medium; Action Required: Achieved target rating

Risk 3: The project runs over budget estimates, due to inaccurate cost and price forecasts
  Category: Cost over-runs
  Stakeholder: Management
  Risk Owner: General Manager
  Consequence: Cost of project runs over and above current budget
  Inherent: Likelihood Likely; Consequence Moderate; Rating High; Comment: Needs action
  Preventative control: Comprehensive project costing, including independent project cost reviews, hedging prices, inclusion of specific contract conditions relating to submitted pricing (Rating: Effective)
  Corrective control: Review project budget, including exhausting additional funding opportunities, reviewing ongoing project costs, instigating legal action to recover additional cost of materials and/or contractors (Rating: Effective)
  Residual: Likelihood Possible; Consequence Moderate; Rating Medium; Action Required: Achieved target rating

Risk 4: The project fails to meet expectations due to unplanned changes in project scope (discovery of archaeological artefacts)
  Category: Quality
  Stakeholder: Management
  Risk Owner: Project Manager
  Consequence: Inability to complete project to expected scope and deadline (resulting in community and user dissatisfaction and negative media exposure)
  Inherent: Likelihood Likely; Consequence Moderate; Rating High; Comment: Needs action
  Preventative control: Engage suitably qualified contractors to undertake (prior to project design) comprehensive site surveys, site analysis, historical and any other relevant investigations (Rating: Effective)
  Corrective control: Review project scope by determining implications for project of archaeological discovery; engaging suitably qualified contractor to assist in altering project design in conjunction with users, and communicating changes to stakeholders and media (Rating: Effective)
  Residual: Likelihood Rare; Consequence Moderate; Rating Medium; Action Required: Achieved target rating

Risk 5: The project fails to meet expectations, due to a lack of integration (between designers and users)
  Category: Quality
  Stakeholder: Designers
  Risk Owner: General Manager
  Consequence: Expressed user dissatisfaction with design of project, resulting in poor utilisation and public and media criticism of the project and Council
  Inherent: Likelihood Almost Certain; Consequence Major; Rating Very High; Comment: Needs action
  Preventative control: Establish and implement detailed communication protocols and policy including planned regular meetings between designers and users; joint site inspections with users at key intervals during design phase and regular progress reports to users (Rating: Effective)
  Corrective control: Instigate conflict resolution techniques, including independent mediation, independent review of design and undertake remedial action (Rating: Effective)
  Residual: Likelihood Unlikely; Consequence Minor; Rating Low; Action Required: Achieved target rating

Risk 6: The project fails to meet user expectations due to inadequate design
  Category: Quality
  Stakeholder: Users
  Risk Owner: General Manager
  Consequence: Expressed user dissatisfaction resulting in poor utilisation, political ramifications, and possible cost-overruns
  Inherent: Likelihood Likely; Consequence Moderate; Rating High; Comment: Needs action
  Preventative control: Develop comprehensive project plan including identifying and consulting with users, establishing communication protocols, allowing public comment on plans, inclusion of contract condition allowing for minor amendments to design without penalty, and encouraging user groups to explore all fundraising opportunities (Rating: Effective)
  Corrective control: Develop remedial action plan to include working with users to investigate corrective options, reviewing project scope, exploring alternate funding opportunities (internal and external), investigating alternate use for site and issuing media releases (Rating: Effective)
  Residual: Likelihood Possible; Consequence Moderate; Rating Medium; Action Required: Achieved target rating

Risk 7: The project fails to meet expectations, due to miscommunication with contractor
  Category: Timing
  Stakeholder: Contractor
  Risk Owner: Project Manager
  Consequence: Inability to finalise project to expected standard, resulting in public dissatisfaction and political and media ramifications
  Inherent: Likelihood Possible; Consequence Moderate; Rating Medium; Comment: Needs action
  Preventative control: Develop definite communications protocols, including contract conditions, regular site inspections and regular progress reports (Rating: Effective)
  Corrective control: Review progress to date and determine action plan in conjunction with contractor, and engage alternate contractor or staff to finalise project (Rating: Effective)
  Residual: Likelihood Rare; Consequence Minor; Rating Low; Action Required: Achieved target rating

Risk 8: The death of a contractor/staff member occurs, due to a lack of compliance with safe work procedures
  Category: Compliance
  Stakeholder: Staff, Contractor
  Risk Owner: General Manager
  Consequence: Death of a staff member or contractor
  Inherent: Likelihood Possible; Consequence Severe; Rating Very High; Comment: Needs action
  Preventative control: Ensure training and induction of staff and contractors; develop policies and procedures in consultation with stakeholders; ensure structured implementation and education process for policies and procedures; schedule equipment and safety equipment checks on a structured and random basis; include contractual terms relating to safety, training of staff and policies and procedures (Rating: Effective)
  Corrective control: Commence insurance claim for any insurable event; undertake immediate review of working procedures and safe work practices; instigate external investigation, make recommended changes to policies and procedures; conduct counselling and training of staff and contractors; issue media release (Rating: Effective)
  Residual: Likelihood Rare; Consequence Severe; Rating High; Action Required: Achieved target rating

Risk 9: An injury to a staff member or contractor occurs, due to a lack of compliance with safe work procedures
  Category: Compliance
  Stakeholder: Staff, Contractor
  Risk Owner: General Manager
  Consequence: Injury to staff member or contractor
  Inherent: Likelihood Likely; Consequence Major; Rating Very High; Comment: Needs action
  Preventative control: Develop a structured implementation and education process for safety policies and procedures that incorporates: consultation with staff; development of policies and procedures; induction of staff and contractors; on-the-job monitoring of compliance via spot-checks, inspections, audits and project reporting (Rating: Effective)
  Corrective control: Undertake an internal investigation and review of policies and procedures; report injury to insurers; conduct internal investigation; report to management and OHS Committee; monitor and review policies and procedures; and communicate any changes to policies and procedures to staff and contractors (Rating: Effective)
  Residual: Likelihood Possible; Consequence Major; Rating Medium; Action Required: Achieved target rating

Risk 10: The project fails to meet regulations due to miscommunication with regulators
  Category: Compliance
  Stakeholder: Regulators
  Risk Owner: General Manager
  Consequence: Breach of regulation
  Inherent: Likelihood Unlikely; Consequence Moderate; Rating Medium; Comment: Needs action
  Preventative control: Develop comprehensive communications protocols, including common language and definitions; workshopping with contractors and staff the requirements of the regulators; including requirements of regulator in contract or staff performance targets for the project; and obtaining approval of project planning etc. from regulator (Rating: Effective)
  Corrective control: Review of project scope in line with regulator requirements; undertake any remedial action required by regulator; instigate any contract penalties in the case of contractor error; consider alternate funding sources and issue a media release (Rating: Effective)
  Residual: Likelihood Rare; Consequence Minor; Rating Low; Action Required: Achieved target rating

Page 85