An external consultant has reviewed Council-under-administration’s Enterprise Risk Management Framework – ERMF.
It found the ERMF has a number of gaps and is not embedded at an enterprise-wide level across Council.
This has created inconsistencies in the management of risks across the organisation.
The findings included:
# A disconnect between Council’s documented Risk Appetite Statement and what is practised in the field of operations.
# Inconsistency in aptitude, appetite, and engagement on risk assessment across Council’s operations.
# No defined risk appetite statements or key risk indicators.
0/ The need to develop a Strategic Risk Register
The report says it is conventional for mature organisations to develop a Strategic Risk Register, so critical and material risks can be monitored with greater attention.
Council adopted such a register in May 2023 but council said it “may not” entirely reflect the true position of council.
0/ Design a Consistent Methodology for Risk Identification and Assessment
“The importance of this recommendation cannot be overstated,” one report stated.
“Council suffers from inconsistency in aptitude, appetite, and engagement on risk assessment across its operations.
“Significant work is required to set a satisfactory baseline of competence, compounded by a prevailing view that this would be another task added to already full lists.
“The tone from the top would be critical, in driving the culture that risk assessment is simply the way we work, and not a new task superimposed on top of existing duties.
“Identifying and utilising therefore a simple but effective risk identification and assessment tool would be of paramount importance.”
The consultant’s Report made 24 recommendations across 9 action areas:
– Risk Strategy and Governance
– Risk Appetite
– Risk Culture
– Risk Identification and Assessment
– Risk Response
– Risk Monitoring and Reporting
– Risk Tools and Technologies
– Risk Data Modelling and Analytics
– Resourcing and Capabilities
Council presented the consultant’s final report to the Audit, Risk and Improvement (ARIC) Committee’s December meeting but a link to an implementation plan was not public.