This policy establishes the approach to risk management at Sunshine Coast Council (Council) and outlines the guiding principles and framework.


Organisational policy

Risk Management Policy

Corporate Plan reference:
A strong community: In all our communities, people are included, treated with respect and opportunities are available to all - Safe and healthy communities.
Service excellence: Positive experiences for our customers, great services to our community - Service quality assessed by our performance and value to customers.
An outstanding organisation: A high performing, customer-focused organisation marked by great people, good governance and regional leadership - Strong accountable leadership enabling Councillors, individuals and teams to be their best - Information, systems and process underpin quality decisions and enhance the customer experience.

Endorsed by Chief Executive Officer: Date: July 2015
Manager responsible for policy: Manager Corporate Governance, Office of the Mayor & CEO

Policy purpose

This policy establishes the approach to risk management at Sunshine Coast Council (Council) and outlines the guiding principles and framework.

Policy outcome

Council aspires to be a reputable and highly regarded organisation that focuses on maximising opportunities, managing risks and improving quality of service.

Policy scope

This policy applies to Council's operations, including administration, service delivery and performance. This policy also applies to all staff, contractors, consultants, suppliers and volunteers.

Risk Management Policy 1

This policy should be read in conjunction with the Sunshine Coast Council Risk Management Guideline.

Policy statement

Council is committed to applying a risk management approach that is consistent with AS/NZS ISO 31000:2009, Risk management - Principles and guidelines.

Guiding principles

The principles of AS/NZS ISO 31000:2009, Risk management - Principles and guidelines apply. That is:

a) Risk management creates and protects value. Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b) Risk management is an integral part of all organisational processes. Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.

c) Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action.

d) Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

e) Risk management is systematic, structured and timely. A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

f) Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used, or the possibility of divergence among experts.

g) Risk management is tailored. Risk management is aligned with the organisation's external and internal context and risk profile.

h) Risk management takes human and cultural factors into account. Risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organisation's objectives.

i) Risk management is transparent and inclusive. Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j) Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k) Risk management facilitates continual improvement of the organisation. Organisations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organisation.

Risk Management Framework

The Risk Management Framework comprises four elements that guide the application of risk management at Council. The framework provides the mechanism for the organisation to commit to an approach, to determine how risks and opportunities will be identified and managed, to implement that approach, and to review and improve it.

Risk Levels

Council recognises there are different levels of risk and identifies and manages risks at the following levels:

Strategic risk - likely to impact on the delivery of Council's vision.
Operational risk - considers risks associated with the delivery of services.
Project risk - specific to the delivery of a project or event.

Risk Appetite

Council makes every effort to be a risk aware organisation, not a risk averse organisation, and calculated risk taking is part of service delivery. Council's attitude to risk will vary depending on the level and type of risk, and Council accepts that it will be more tolerant of some risks than others.

Strategic, Operational and Project risks are assessed to determine the net risk rating. All extreme risks (rated E-84 to E-100) must be mitigated and reported to the CEO immediately.

Strategic risks: The risk appetite for strategic risks will vary dependent on the nature of the risk being managed. The level of acceptable risk is determined by the CEO.

Operational risks: High net risks (rated H-56 to H-72) are required to be reduced and are only accepted at this level with CEO or Director approval. Medium and low net risks (rated up to M52) are acceptable if within the tolerance range set - refer to the Risk Tolerance Range table in the Risk Management Guideline.

Details on tolerance ranges and risk assessment methodology are contained in the Risk Management Guideline.

Roles and responsibilities

All staff, Councillors and the Audit Committee have a role in risk management. Risk management responsibilities differ based on the risk level and are detailed in the Risk Management Guidelines.

Measurement of success

Results from the implementation of this policy include:

improved planning, particularly in regard to continuity of service delivery;
improved financial planning and resource allocation through a reduction in the likelihood of surprises and proactive management of challenges and undesirable events;
greater understanding of roles and responsibilities for risk, contributing to the development of a positive organisational culture;
risks incorporated in decision making by the Executive Leadership Team and Councillors.

Definitions

Risk - the chance of something happening that will have an impact on objectives.

Risk Appetite (or attitude) - is accepting, increasing or reducing the level of risk.

Risk Management - the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. It relates to all aspects of the organisation's operations and practice.

Risk Management Framework - the set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Risk Tolerance - describes the acceptable range or maximum rating for a net risk.

Related policies and legislation

Sunshine Coast Council Fraud and Corruption Prevention Policy
Sunshine Coast Council Health & Safety Policy
Local Government Act 2009 and Regulations
Work Health and Safety Act 2011 and Regulation

Version control:

Version | Reason/Trigger | Change (Y/N) | Endorsed/Reviewed by | Date
1.0 | New risk management policy and process | Y | CEO | 23/07/
| Updated with new structure Next Steps | | Corporate Governance | 22/02/2018

Sunshine Coast Regional Council 2009-current. Sunshine Coast Council is a registered trademark of Sunshine Coast Regional Council.