Part 1: Introduction

Our observations on local government risk management practices.

Our 2016 report Reflections from our audits: Governance and accountability noted that risk management is one of the least mature elements of governance in the public sector.

Effective risk management is a critical part of successfully delivering an organisation's strategy. Identifying, understanding, and managing risk is also a fundamental part of effective governance. When risk is not managed effectively, assets or projects can fail. This can erode the public's trust and confidence in an organisation.

Good governance that is informed by an understanding of risk tolerance not only avoids failures but can also mean that the organisation does not miss opportunities to improve its financial or operational performance.¹ Governing bodies that think strategically and consider their organisation's role in a wide context are more likely to identify and be in a position to take opportunities to improve their performance or to achieve benefits faster.

The local government sector has recognised the need for improvement in risk management. In June 2016, Local Government New Zealand submitted a business case to central government to establish a local government risk agency. The agency would work with councils to achieve a more consistent and higher standard of risk management practice.² To date, no such agency has been established.

In our audit work, we often see instances where councils do not have effective risk management.

Given this context, we carried out work to better understand the current state of councils' risk management, where the challenges and issues are, and what support councils need to improve how they manage risk.

What we expected to see

Effective risk management by public organisations involves identifying, analysing, mitigating, monitoring, and communicating risks as part of their business activities.

To determine what we should expect to see in council risk management, we looked at several risk management standards or frameworks. These included:

  • the Australia NZ International Standard ISO 31000:2009: Risk Management; and
  • the All-of-Government Enterprise Risk Maturity Assessment Framework.

Based on these and our own work, we identified four elements of risk management that we expect all councils to have. They are:

  • a risk management framework in place to identify, analyse, and monitor risks;
  • effective approaches in place to identify and manage risk, with effective oversight by elected members and appropriate involvement by their audit and risk committee;
  • regular formal reviews of their risk management practices that inform areas for improvement; and
  • mechanisms for communicating with their communities about the risks they face and how they are managing those risks.

How we carried out our work

The observations we make in this report are based on:

  • our observations of how Auckland Council, Waipā District Council, Environment Canterbury Regional Council, and Queenstown-Lakes District Council manage risk;
  • the results of a survey we sent to all councils (except the four councils listed above);
  • discussions we had with select audit and risk committee chairpersons; and
  • the knowledge we have developed through our work, which includes our audit work and discussions with council staff and elected members.

The survey questions are set out in Appendix 1.

Structure of our report

In Part 2, we set out what we mean by risk management.

In Part 3, we outline the importance of having a commitment to risk management.

In Part 4, we discuss the need for clear governance and management roles and responsibilities.

In Part 5, we summarise the top risks identified by councils.

In Part 6, we set out what councils should be doing to improve their risk management.

1: Risk tolerance is an organisation's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objective, see ISO Guide 73:2009(en) Risk management — Vocabulary at

2: For more information on the Local Government Risk Agency, see