Demystifying Risk Management

Councils have been managing insurable risks pretty well for a long time, but in recent times more councils have been shifting towards an approach known as Enterprise Risk Management and the elected Council needs to have input. Tony Harb and Mitchell Morley, risk management, audit and governance specialists from InConsult, attempt to demystify risk management and outline strategies to help councillors and senior management play a positive, pro-active role in the process.

After the collapse of HIH Insurance, the insurance regulator (APRA) mandated risk management, internal audit and many other risk management related activities for insurers, and made oversight of these the board’s responsibility.

Australian stock exchange listed companies have also adopted principles of good corporate governance which include managing risk.

Whilst managing risk is not a mandated requirement for elected councils, good practice suggests councillor involvement is important.  Why?

Councils across NSW face a myriad of challenges: aging infrastructure, cost shifting, the impact of the carbon tax, rate pegging and financial sustainability, to name just a few.  Dealing with each one of these issues is complicated enough. The last thing a council needs is a major incident or issue that should have been better managed, better controlled or simply should never have happened at all.

In recent years, there have been a number of incidents involving corruption, fraud, major project failures, council sackings and significant investment losses that could have been prevented or at least better managed.

What is a risk?

The management of risk is a relatively simple and uncomplicated process.  In fact, each one of us manages risk daily and often subconsciously.  For example, in order to get to a very important meeting on time (your objective), you undertake a series of activities (controls) to ensure you’re not late.  You schedule the meeting in your diary, you prepare for your meeting, you set an automatic reminder (if you use an electronic diary), you leave home a little earlier, etc.  These activities are all designed to ensure you get to your meeting on time.  If you have meetings regularly, these activities are practised frequently and refined again and again…all of this is “risk management”.

Risk is defined by an international standard known as ISO 31000 as the “effect of uncertainty on objectives”.

Since every council, councillor, manager and person working in local government has objectives, and we live in an uncertain world that can impact those objectives, every council, councillor, manager and person is exposed to risk.

How much risk is council exposed to?

The answer to this question will depend on the council’s risk profile, i.e. the type and nature of risks council is exposed to.

The best way to determine your risk exposure is to know your risks very well…or at least the major ones. The approach and process you go through to understand and manage your risks is risk management.

What is risk management?

ISO 31000 defines risk management as “coordinated activities to direct and control an organisation with regard to risk”.

Unlike the personal risk management we practise daily, local government risks can be more complex, involving different people, different stakeholders, different suppliers, different processes and different legislation.   So don’t assume the management of risk will automatically happen or is simple.  Sure, people will do their best to implement controls and procedures to protect council assets…but how do you know that these are in place and are effective? How can you be sure? Have you just been lucky? Is it a matter of time? Is your risk management sound?

Where should council focus risk management efforts?

Until around 2005, most councils’ risk management efforts were predominantly focused on insurable risks; specifically occupational health and safety and public liability.

Over recent years, councils have shifted their risk management approach towards Enterprise Risk Management (ERM) to broaden the context of risk management activities in an attempt to understand their risk exposure and ensure appropriate controls exist across all key activities.

The investment losses experienced by some NSW councils have reaffirmed the need to manage council-wide risks and this is in line with best practice in risk management.

Some coastal councils are working closely with their insurers to model the impact of climate change on sea level rises.  Other councils in high flood risk areas are focusing on improving flood risk management and planning.

How much should we spend on risk management?

Like it or not, every council is spending money on risk management already.  Cross checking vouchers, training, insurance premiums, performing reconciliations, developing policies, following procedures, communicating with stakeholders, development committee meetings and council meetings are all examples of activities that are, to varying degrees, managing risks.

So the question is: how effective are these controls? Are they working effectively? Are we over-controlling?

More importantly, are there risks that we are not managing? How large or small are these risks? Can we control these risks with existing controls? How much should we spend on new controls?

Just like any other activity, risk management requires management commitment, planning, scheduling, co-ordination, monitoring and resources to be effective.

The amount of money and resources devoted to risk management will be driven by council’s risk profile and risk attitude.

What value can risk management add to Council?

  • Because the definition of risk focuses on objectives, good risk management will increase the likelihood of achieving council objectives.
  • Because risk management activities are coordinated, it will encourage proactive management and provide greater awareness of risks and their inter-related nature.
  • If managers are proactively managing risk, then governance is improved and stakeholders will have greater confidence and trust in council.
  • Councils practicing ERM will broaden their risk management focus and improve the identification of opportunities and threats.
  • Because risks need to be managed, managers will focus on the effectiveness and efficiency of controls and strengthen council’s resilience to significant risk exposures.

However, risk management is not a panacea for all hazards.  It will never guarantee things won’t go wrong.

What things should Councillors look for?

Risk management is something that you should be able to see and feel.  Key elements that should be in place include:

  • Risk management policy that sets council’s general approach to managing risk and defines risk appetite.
  • Risk management plan that details specific approach, risk rating criteria, activities, responsibilities and timeframes.
  • Risk management committee to oversee risk management activities and to help set and monitor the risk agenda.
  • Quarterly risk management reports including risk register and risk heat maps.
  • Trained staff with skills and confidence in undertaking risk assessments.
  • Risk register that details risk, causes, inherent risk level (likelihood and consequence), controls, control effectiveness, residual risk level, risk treatment plans and risk owner.
  • An assessment of the risks involved in major projects and initiatives that are submitted to Council for approval.

The bottom line is that councillors should not only get a sense that risks are being managed proactively; they should also see evidence through regular reporting of risks and confirmation from sources such as internal audit that controls are working effectively.   If you are not getting this level of comfort, then it may be time to start asking why.