Part 6: Risk management
6.1
In this Part, we discuss:
- why risk management is important for effective governance;
- the main findings from our work; and
- how well each entity performed against our expectations.
Why is risk management important for effective governance?
6.2
In the arts, culture, and heritage sector, understanding and mitigating risks is central to safeguarding New Zealand's most precious cultural assets.
6.3
Boards have a role in identifying, monitoring, and mitigating potential risks. This role includes establishing the organisation's overall understanding of risk, including its effect on the organisation's strategic, financial, operational, and reputational risks. It also covers the processes that are in place to identify, monitor, and manage risks.
6.4
Identifying, analysing, mitigating, monitoring, and communicating risks are important aspects of effective governance. Management teams and boards need to have a comprehensive understanding of risk and robust processes for identifying and managing risks. Good risk management also includes having clear roles for audit and risk committees.
6.5
To effectively manage risk, boards need a strong understanding of the major risks for the organisation and the processes for managing these. We expect to see a formal risk management framework and register that is formally defined, widely understood, and aligned to the organisation's strategy, risk appetite, objectives, business plan, and stakeholder expectations.
6.6
We expect a board to periodically review risk reports. The board needs to be satisfied that it is given accurate risk summaries that are a true reflection of the risks and issues facing the organisation.
Main findings about risk management
6.7
Of the five governance aspects that we looked at, risk management is where the entities were performing least well.
6.8
Although each of the entities had formal risk management frameworks and registers, risk management practices were variable and generally not strong. The entities' risk registers tended to focus on operational rather than strategic risks, and some risk registers had not been reviewed for some time. In our interviews, board members identified that they could improve their risk management processes.
6.9
Risk processes varied between the entities, from minimal discussion and infrequent updating of registers, to the board regularly engaging with risk reports and seeking additional detail when required. We saw examples where risks were discussed and considered in decisions – such as discussing the risk associated with funding an exhibition.
6.10
All the entities, apart from Creative New Zealand, have audit and risk committees that report on risks to their boards. However, those committees tended to focus on audit requirements and treat risk management as a compliance exercise.
6.11
In our interviews, board members were not always clear about the respective roles of the audit and risk committee and the board. For example, some of the board members we spoke to were not clear about whether risk management was the role of the audit and risk committee or the role of the board. Some entities were reviewing the role of their audit and risk committee to ensure that the responsibility and accountability of the committee is well understood. This will allow the committee to perform its role and allow the board to hold the committee to account if it does not perform well.
6.12
Boards should assess and improve their understanding of the importance and use of risk management frameworks and processes, and there should be more focus on the risks to implementing strategy.
6.13
In our view, there is an opportunity for entities in the sector to work together to identify and understand risks and learn how others are mitigating them. There are opportunities for the chairpersons of audit and risk committees to meet regularly to discuss common sector risks, risk management practices, and mitigation strategies.
The entities' performance
6.14
Figure 5 sets out the criteria we have used to assess each entity's performance for the risk management aspect of governance.
Figure 5
Framework for assessing a board's performance – risk management
Assessment rating | Criteria |
---|---|
Leading | Risk management underpins the board's approach to achieving performance objectives and provides assurance that the organisation will achieve its goals with an acceptable degree of residual risk. The board's focus on risk management provides value that is wider than a compliance and loss-avoidance exercise. The risk management process yields benefits and builds the organisation's reputation. |
Comprehensive | The board has complete oversight of important risks facing the organisation and the processes needed to manage these risks. There is a formal risk management strategy agreed by the board that is aligned to the organisation's strategy, risk appetite, objectives, business plan, and stakeholder expectations. Risk management and reporting to the board is ongoing and consistent, and risks are effectively managed. Risk management processes allow the organisation to identify, analyse, mitigate/treat, monitor, and communicate risks throughout the organisation. There is significant evidence that these processes are consistently followed and fit for purpose. The board periodically reviews the risk register to make sure that it is being provided with accurate risk summaries of the risks and issues facing the organisation. |
Progressing | There are formal and well-defined risk management processes in place. These processes are understood by the board and management. Risk management processes are aligned to the organisation's strategy, risk appetite, objectives, business plan, and stakeholder expectations. Risk management is ongoing and consistent, and risks are continually identified and monitored by the board. There are some mechanisms for the board to evaluate the effectiveness of risk mitigation, and the board reports periodically on the effectiveness of the organisation's risk management system. The board uses its shared understanding of important risks to inform its decisions. |
Developing | There is a formal risk management process in place that is communicated to the organisation and the board, but risk is only partially understood across the board and the organisation. There are risk management processes designed to reflect the organisation's strategy, risk appetite, and objectives. Risk management processes allow the organisation to identify, analyse, mitigate/treat, monitor, and communicate risks. There is periodical evaluation of the effectiveness of risk mitigation. |
Ad hoc and limited | Risk management processes are in place but they are not well explained, and the organisation and governance bodies have limited understanding of these processes. Risk management processes tend to be generic and not well aligned to the organisation's strategy, risk appetite, and objectives. Risk management processes allow the organisation to partially identify, analyse, mitigate/treat, monitor, and communicate some important risks. |
Auckland Art Gallery
6.15
We assessed Auckland Art Gallery's performance as "Comprehensive".
6.16
Regional Facilities Auckland has implemented a new risk management framework, which includes quarterly reviews of the Regional Facilities Auckland risk register. We saw evidence that the board of Regional Facilities Auckland was engaged in this process and had asked for more detailed information on risks. We also saw evidence in the board papers that risks were considered as part of overall decision-making processes, not just through updating the risk register.
6.17
The Regional Facilities Auckland risk register is based on detailed operational reports provided by the Gallery to the Regional Facilities Auckland executive management team. This information is taken from Auckland Art Gallery's own risk register.
6.18
As well as the risk register, Auckland Art Gallery communicates risks to the board through different means – such as in business cases for exhibitions.
Creative New Zealand
6.19
We assessed Creative New Zealand's performance as "Progressing".
6.20
The Arts Council's governance manual clearly explains its risk management role and responsibilities. The manual provides information on delegations and how the level of potential risk associated with the decision influenced the delegation level.
6.21
Creative New Zealand has a risk management policy and framework. Meeting minutes show that the new Arts Council has reviewed the risk management policy and framework, and reviewed the risk register and risk treatment plan. Other papers submitted to the board for either noting or decisions included potential risks. Meeting minutes show that the board considers risks in its decision-making.
6.22
At the time of our audit, Creative New Zealand did not have an audit and risk committee. Risk management is considered the responsibility of all members of the Arts Council, and the external auditors are invited to discuss matters concerning risk at each meeting of the Council.
Govett-Brewster Art Gallery
6.23
We assessed Govett-Brewster Art Gallery's performance as "Developing".
6.24
New Plymouth District Council has a Risk and Audit Subcommittee, which is responsible for managing risks associated with all of the Council's activities and assets, including Govett-Brewster Art Gallery. The subcommittee has established a framework that holds the Gallery Director accountable for identifying and managing risks and action plans. High and extreme risks are reported to the Council.
6.25
We have not seen evidence of a comprehensive risk register that outlines the major strategic, financial, operational, and political risks that Govett-Brewster Art Gallery faces. Current risk reporting to New Plymouth District Council is focused on the operational risks associated with the development of the Len Lye Centre. While this may be appropriate at this time, we would expect to see more attention on strategic risks as the opening of the Len Lye Centre approaches.
Te Māngai Pāho
6.26
We assessed Te Māngai Pāho's performance as "Developing".
6.27
We have not seen evidence of a comprehensive risk register that outlines the major strategic, financial, operational, and political risks that Te Māngai Pāho faces. Current risk reporting to the board is focused on the operational and financial risks associated with current broadcasting contracts.
6.28
Te Māngai Pāho does not have an organisational risk management framework. The Audit and Risk Committee has identified that a risk management framework is required and was preparing one at the time of our audit.
Te Papa
6.29
We assessed Te Papa's performance as "Progressing".
6.30
Overall, interviewees had a shared understanding of risks facing Te Papa. Interviewees were aware of reputational risks and the risk of earthquakes damaging Te Papa's collections.
6.31
Some risk management processes are in place. For example, the Assurance and Risk Committee works with the senior management team to identify risks and develop risk mitigation strategies. Interviewees noted that the board acts swiftly to minimise the effect of financial risks, including changing financial delegations and using external advisors to identify the root cause of the issue and recommend changes.
6.32
We observed a lack of clarity about the Assurance and Risk Committee's roles and responsibilities. For example, it was not clear whether the Assurance and Risk Committee or the board was responsible for identifying and mitigating risks.
6.33
There was general acknowledgement from interviewees that more could be done to improve risk management processes. In particular, interviewees from the board and management said that senior management and the board could review and update risks more regularly.
6.34
Interviewees suggested that risk reporting was improving, with more focus on strategic risks. The board has started to have challenging conversations with management to understand risks and how these are being reduced (including defining the different roles of the board and management in reducing risks). This has not happened in the past.
Wellington Museums Trust
6.35
We assessed Wellington Museums Trust's performance as "Comprehensive".
6.36
The board members that we spoke to have a shared understanding of the risks facing the Trust. These include financial sustainability, business continuity, and the redevelopment of the Museum of Wellington City and Sea.
6.37
We did not see evidence of a formal risk management process. The Trust has a risk register, which is included in its Strategic Plan each year. We compared the 2012 and 2014 risk registers, and they were unchanged. The same risks, mitigations, impact ratings, and owners were noted. Interviewees said that the risk register was being reviewed and that this was likely to be completed soon after our audit.
6.38
Although the Trust does not have a formal risk management process, risk is discussed at every board meeting for specific agenda items where appropriate – for example, the Carter Observatory's dependence on non-Council revenue to break even. Specific projects or activities that might be seen as, or are, high risk are routinely reported on to ensure that risks are thoroughly assessed and, where possible, mitigated. We saw evidence of such discussions in board minutes and Audit and Risk Committee minutes.