Auditor-General's overview
E ngā mana, e ngā reo, e ngā karangarangatanga maha o te motu, tēnā koutou.
The Covid-19 pandemic is a stark reminder for all organisations about the need for appropriate risk management practices. However, even before Covid-19, councils were operating in a complex environment that was becoming more challenging and uncertain.
We have recently seen service disruptions from core council infrastructure failures, the impacts of climate change with more frequent droughts and flooding, increasing pressures from growth, and financial pressures associated with all of these.
Councils are also grappling with meeting increasing standards and the uncertainties of proposed regulatory changes, such as the resource management reforms and the Three Waters Reform programme.
As councils seek to achieve their objectives and meet the needs and expectations of their communities in an increasingly complex environment, it is essential that they clearly understand the risks they face and how to manage those risks.
My Office has previously reported that risk management was one of the least mature elements of governance in the public sector. Therefore, I wanted to know about councils' current risk management practices.
Councils provide a wide range of critical services to their communities. Given the consequences if these services fail, I expected that all councils would have a formal risk management framework in place that is fully integrated into their strategies, business activities, and decision-making.
I also expected risk management to be supported by appropriate resourcing and training. I expected this to cover:
- governance;
- processes to identify, analyse, and monitor risks;
- effective approaches in place to manage risk; and
- regular formal reviews of risk management practices to identify areas for improvement.
Some councils do not currently have a formal risk management framework. In my view, those councils should prioritise putting a formal risk management framework in place. Councils also need to consider whether risk management is part of their organisational culture and integrated into the decisions they make.
We saw several positive examples of a strong risk culture in the councils we looked at. These councils had an appropriate focus on, and a maturing approach to, risk management.
That every council now has an audit and risk committee (or similar), with most having some level of independent membership, is a step in the right direction. Although audit and risk committees have a role in setting up and monitoring risk frameworks, elected members are ultimately responsible for their council's risk management.
This report describes some positive examples that we saw during our work. These include:
- establishing the desired risk management maturity level, with a clear plan to achieve this;
- developing risk management guidelines to support greater consistency of practice throughout the council;
- using risk champions to help embed a risk management culture and support staff in their roles;
- embedding risk management into reporting to elected members to improve advice from staff, which provides elected members with greater confidence in their decision-making; and
- embedding climate risks into their overall risk context to make it a consideration for all strategic decision-making.
Despite this, the councils we looked at are still largely using basic risk management practices. However, they plan to improve their risk management practices over time.
To support good governance, elected members need to maintain an overall view of their council's strategic objectives, be aware of obstacles to achieving those objectives, and receive assurance that their council is managing risks well. In my view, more could be done to support elected members as they consider the risks faced by their council, particularly how they factor this into their decision-making.
Risk management should not be viewed as a separate process but integrated into all decision-making.
To improve their risk management practices, I expect councils to:
- have someone who is responsible for enabling and driving good risk management practices throughout the council;
- integrate risk management into all council activities, particularly strategy-setting and decision-making. As an example, some councils that have declared climate emergencies do not identify climate-related risks as a separate key risk for the council;
- improve the training and support provided to elected members, particularly in their roles and responsibilities for effective risk management; and
- carry out regular reviews of risk management activity to inform progress and areas of improvement.
Specialist tools, such as quantitative risk assessment, could also be more widely applied. This would give managers and governors a better understanding of the risks to delivering complex programmes of work and how they could reduce their exposure to those risks.
I encourage chief executives and elected members to consider the maturity of their existing risk management practices and prepare a clear plan for improving that maturity. We provide examples in this report to help with this.
I acknowledge that implementing risk management practices takes time and resourcing. However, the consequences of not adequately managing risk are significant. They can often result in large and unexpected expenditure, service failure, and a loss of public trust and confidence.
I acknowledge the work that organisations such as Taituarā – Local Government Professionals Aotearoa do in fostering networks to improve risk management practices in councils (for example, through its annual risk management forum). Grassroots sharing is important, and fostering networks is fundamental to learning and improving.
I thank the councils that responded to our risk management survey and the staff of Auckland Council, Environment Canterbury Regional Council, Queenstown-Lakes District Council, and Waipā District Council for their openness and co-operation during our consideration of their risk management practices. All these councils have shown strong improvements in their risk management processes and practices during the past few years, and I commend them for this.
Nāku noa, nā
John Ryan
Controller and Auditor-General
18 October 2021