Part 2: What we mean by risk management

Our observations on local government risk management practices.

Councils should have a clearly defined framework for managing risk.[3] A risk management framework supports a consistent approach to managing risks throughout a council. It also provides a way for a council to compare the different types of risk that it must deal with, whether they are project-based risks, day-to-day operational risks, or longer-term strategic risks.

We do not endorse a particular risk management framework – there are many available. However, based on well-recognised risk management frameworks[4] we have identified some core elements a risk management framework should have, including:

  • a structure for the governance of risk management, with defined levels of accountability and reporting mechanisms. This includes appropriate involvement by audit and risk committees (see Part 4);
  • process(es) that are applied across a council to:
    • identify, analyse, and evaluate risks and their significance;
    • monitor and review risks to ensure that a council understands what could get in the way of achieving its strategic objectives;
    • treat risks to ensure that these are being appropriately managed; and
  • ongoing monitoring and review of the risk management process as a whole to ensure that it remains effective and councils continue to mature their risk management practices as planned (see Part 6).

The framework should be appropriate for the objectives the council is seeking to achieve and the main issues, drivers, and trends that could get in the way of it achieving them. It is important to have a risk management framework in place that is applied consistently and effectively. This will help council staff assure elected members that risk is being well managed. It will also better inform elected members' decision-making, which in turn enhances the community's trust and confidence in their council.

The Chief Executive of Environment Canterbury told us that "ultimately, risk is the language that helps staff and elected members make better decisions".

Not all councils have a risk management framework

Our survey of risk management practices asked whether councils have a clearly defined risk management framework. Of the 63 councils that answered this question, 55 said they had a risk management framework. Most of these said that their framework was based on the International Standard ISO 31000 (2009 or 2018). Of the eight councils that said they did not have a framework, seven said that they were preparing one (see Figure 1).

Figure 1
Whether councils we surveyed have a risk management framework

55 of the councils that responded to our survey have a risk management framework. Of these councils, most have frameworks based on International Standard ISO 31000 (2009 or 2018). Most councils that said they do not have a framework are in the process of preparing one.

Source: Office of the Auditor-General.

Councils provide critical services to their communities. Because there are serious consequences if these services fail, it is imperative for all councils to have a formal risk management framework in place.

Recommendation 1
We recommend that councils prioritise putting in place a formal risk management framework if they do not have one.

Tailoring risk management to the needs of the council

There are many risk management frameworks that councils can base their framework on. Councils need to tailor their risk management framework to their circumstances – including their operating context, culture, strategic objectives, risk appetite,[5] and risk tolerance. In Figure 2, we describe Environment Canterbury Regional Council's approach to managing its risks.

Figure 2
Environment Canterbury Regional Council's approach to risk management

Environment Canterbury Regional Council has a decentralised approach to risk management.

The Council adopted its formal Risk Management Policy and Framework in 2017. However, the Council's journey of risk management maturity and readiness started when it developed stronger project management processes in 2014. It then emphasised health and safety management in 2016.

The Council's Risk Management Policy and Framework does not mandate specific risk management processes. Instead, it encourages risk thinking.

Under the Council's model, elected members and senior management set the tone for what they expect for risk management. Each group in the Council is expected to take responsibility for its own risk management, and risks are managed throughout the organisation rather than centrally. In effect, elected members and senior management empower staff to identify, manage, and monitor risks.

The Council has organised its services into the following portfolios:
  • air quality;
  • biodiversity and biosecurity;
  • freshwater management;
  • climate change, hazards, risk, and resilience;
  • regional leadership; and
  • transport and urban development.
The Council also has functional areas, such as project management and health and safety. Risk management is carried out at each of these portfolio and functional areas. Relevant managers are responsible for managing the risks in their domains. The managers receive support to establish and strengthen their risk management practices when they need it.

This approach means staff can choose how to identify, assess, and respond to risks. This has been welcomed by staff, who can focus on their actual risks rather than the risk management tool given to them.

Elected members receive regular updates from management on how the Council is managing identified risks through portfolio committees and the performance, audit and risk committee.

The Covid-19 pandemic delayed a regular review of the Council's top risks by elected members. This had not been done when we completed our work.

Councils had appropriate policies and processes in place

The four councils we looked at had the policies and processes in place that we expected to see. These include:

  • a risk management policy;
  • appropriate processes and procedures to identify, analyse, and evaluate risks;
  • allocated responsibility for the overall leadership of risk management in the organisation; and
  • some way of distinguishing between strategic, operational, and project risks to effectively oversee and monitor risks at the right level.

The four councils we looked at tailored their risk management policies to their needs. Council staff also actively considered these policies when carrying out their risk management roles and responsibilities, including when they managed projects and made decisions more generally.

In general, the four councils we looked at capture project risks on an ongoing basis. Strategic risks are usually reset on an annual basis through workshops with senior leadership teams and elected members.

For example, Auckland Council uses a variety of tools and approaches to identify risks. These include:

  • risk appetite statements, which are directives from the executive leadership team and endorsed by elected members, to indicate their comfort levels for risk;
  • brainstorming sessions with experienced and knowledgeable staff;
  • structured techniques (such as strengths, weaknesses, opportunities, and threats (SWOT) analysis; process mapping; and bow-tie analysis[6]);
  • annual strategic, council planning, budget, and risk identification workshops;
  • regular compliance reviews (internally and externally);
  • quarterly reassessment of top and emerging risks with the senior leadership team and the audit and risk committee;
  • assignment of ownership and accountability for top risks;
  • divisional and departmental risk registers in place; and
  • independent reviews of the council's actual risk maturity compared with its desired level of maturity.

Councils need to focus on achieving consistent risk management practices

Some staff we interviewed said that their council finds it challenging to achieve consistent risk management practices throughout the organisation. This is because different teams apply different risk management processes or apply the same processes inconsistently. This can affect the quality of advice provided to senior management and elected members, and the robustness of decisions made.

Waipā District Council provides Risk Management Guidelines, and staff training and support, to help improve the consistency of risk management practices throughout the organisation. The guidelines provide different approaches to identifying risks, tools for risk analysis, guidance on writing risk statements, and an explanation of the "likelihood" and "consequence" ratings and how these translate into inherent risk assessments and the suggested treatment options.

3: Our definitions of risk and risk management are from ISO 31000:2009: Risk Management. We define risk as the effect of uncertainty on objectives. We define risk management as the co-ordinated activities to direct and control an organisation with regard to risk.

4: For example, we looked at ISO 31000:2009: Risk Management (and its 2018 update) and the All-of-Government Enterprise Risk Maturity Assessment Framework.

5: Risk appetite is the amount or type of risk that an organisation is willing to pursue or retain.

6: Bow-tie analysis is a visual way of showing the effects of a hazard, the risk it presents, the consequences, and the controls that should be implemented.