Part 3: Committing to risk management

Our observations on local government risk management practices.

3.1
Council staff and elected members need to understand the importance of managing risk and having a strong and sustained commitment to effective risk management.

3.2
Council staff and elected members should express this commitment by:

  • setting the tone from the top and expressing a commitment to risk management through a risk policy;
  • integrating risk management throughout the council ‒ particularly in its setting of strategic priorities and decision-making processes;
  • being appropriately resourced with staff who are adequately trained and experienced in risk management; and
  • elected members having a shared understanding of their roles and responsibilities in risk management (see Part 4).

3.3
The four councils we looked at are strongly committed to risk management and recognise its importance to achieving their objectives.

Councils should have someone responsible for leading risk management

3.4
Our survey asked councils whether they had a dedicated risk manager. If they did not have a dedicated risk manager, we asked why. If they did have a dedicated risk manager, we asked who the risk manager reported to (see Figure 3).

Figure 3
Whether the councils we surveyed had a dedicated risk manager

Of the councils that responded, 34 said they had a dedicated risk manager. Of the 25 councils that said they did not have one, 15 said that it was because they were too small and/or because it was unaffordable.

Source: Office of the Auditor-General.

3.5
Of the councils that did have a dedicated risk manager, seven risk managers reported to their chief executive.

3.6
Although not all councils can afford to have a dedicated risk manager, they should have someone responsible for enabling and encouraging good risk management practices.7 The risk manager is not responsible for managing risk but helps lead and monitor risk management processes throughout the council.

3.7
If a council has an internal audit function, then the internal auditor should not be responsible for risk management decisions. Internal audits provide assurance that risk management activities are appropriately designed and implemented, and that they are operating effectively.

3.8
Internal audits are risk based, which means internal auditors need access to risk information. Sometimes, the internal auditor is asked to co-ordinate or aggregate risk intelligence. However, if the internal auditor is seen to have responsibility for risk management, then their independence might be questioned.

Councils need to improve the integration of risk management into council activities

3.9
From the councils we looked at, we saw that it can be challenging for councils to integrate risk management into their activities, particularly when making decisions about operational risks.

3.10
Figure 4 describes how, to support effective decision-making, Auckland Council includes a risk section in all governance reports.

Figure 4
Auckland Council includes a risk section in all governance reports

Auckland Council includes a risk section in its report for governors (including local boards). The report template provides report writers with guidance on how to fill out the risk section. This section must be populated.

The Council also runs an ongoing quality advice programme. As part of the programme, training and guidance is provided to report writers who advise decision-makers about risks and mitigations.

Having a risk section means that staff are prompted for their consideration and management of risk. Staff we spoke to said that there has been an increased commitment and understanding of what risk management is and why it is important.

Auckland Council has enforced this discipline for some time. This and its other initiatives, which include increasing risk management conversations throughout the Council, have improved the quality of reports going to the governing body.

Culture is critical to integrating risk management

3.11
Effective risk management is not just about the systems and processes in place (the "architecture") – it is also about how staff implement it in their day-to-day work. Councils should consider how to implement an appropriate culture in their organisation that would best support integrating risk management into all their activities.

3.12
Hastings District Council's Chief Executive expressed a commitment to risk management in the Council's Enterprise Risk Management Policy and Framework. In that commitment, the Chief Executive notes:

Risk management enhances our service culture and should be engrained in our DNA. Risk management is a continuous journey of learning and its application underpins our ability to deliver positive outcomes for our community.

3.13
As Figure 5 shows, Hastings District Council's framework describes guiding behaviours (such as "we openly and constructively engage in risk discussion at all levels") and how success will be measured (such as "staff know how and when to discuss risk with management based on good process and a supportive environment").

Figure 5
Hastings District Council's Risk Management Policy and Framework

Hastings District Council’s Risk Management Policy and Framework has a set of guiding behaviours, which includes statements like “We ensure that staff are equipped with the skills and guidance needed” and “We integrate risk management into all decision making and planning.” The guiding behaviours lead to another set of statements that are how the Council measures its success. These include “Risk roles and responsibilities are well understood” and “All Groups speak the same risk language and respond to risk in a consistent way.”

3.14
The way that risk is considered by elected members, at a council's audit and risk committee, and by management (collectively and individually), creates a culture. That culture has a significant bearing on whether a council will successfully identify and manage risks.

3.15
In Figure 6, we describe Auckland Council's use of risk champions to support its risk management culture.

Figure 6
Auckland Council's use of risk champions

Auckland Council has designated between 50 and 60 staff as risk champions. The risk champions are important for embedding good risk management culture and good practice throughout the Council.

One risk champion we spoke to described their work as an advocacy role, promoting good practice in risk management. They saw the value of their role in increasing the conversation about risk management throughout the Council and, in particular, supporting their department to improve how it considers and manages risks.

Before Covid-19, the risk champions met every two months to look at risks throughout the Council. Risk kōrero were reinstated in January 2021. The January meeting discussed how to effectively integrate risk management into everything the Council does. The risk champions were briefed on the Council's latest reassessment of its top risks, and they provided feedback on the likelihood and impacts of each risk at a divisional and departmental level.

This information has been recorded and informs the assessment and management of the Council's top risks. The Council continues to develop a programme for the risk champions, including holding regular meetings.

Staff and elected members need more support and training

3.16
Staff and elected members need to understand why risk management is important to their council's business, how it relates to their roles, and the part it plays in good decision-making.

3.17
We found that councils in general recognise that they need to do more in respect of training and development, and have ongoing conversations, so that elected members and staff understand their role in managing risk. This would help them more consistently consider and discuss risks and their impact on the council's decision-making.

3.18
Elected members often receive information about a council's risk management activities and their role in risk management as part of their post-election induction. However, we found that subsequent workshops or training sessions often did not happen. One council scheduled a follow-up forum that only a small number of elected members attended.

3.19
Queenstown-Lakes District Council has a risk management intranet page with links to relevant resources. The Council also provides internal training on new aspects of its risk management processes to some staff. Staff with stronger risk management backgrounds run the training.

3.20
Auckland Council identified four high-risk areas needing consistent training (cyber security, integrity, health and safety, and privacy). The Council made online learning modules mandatory for all staff and included them in the onboarding programme for new staff. Overall, about 80% of all Auckland Council staff have completed the training to date.

3.21
Auckland Council also provides risk management training and "how to" guidance to staff and elected members in conjunction with its organisational development programmes. These include the Kura Kawa (elected member development programme) and the staff quality advice and risk champions programmes.

Risk aware versus risk averse

3.22
Risk management practices are not usually designed to eliminate all of an organisation's exposure to risk.

3.23
We heard through our work that councils can have a risk averse8 culture across both elected members and staff, which reflects a conservative risk appetite. Because of councils' obligations to be financially prudent and accountable to their communities, this is not surprising.

3.24
Councils are also at times subject to significant scrutiny not just from their communities but also central government and interest groups, such as residents' or ratepayers' associations.

3.25
However, risk management is not just about avoiding or reducing the impact of bad outcomes. Risk management is also about supporting an organisation to succeed.

3.26
As well as posing a threat, risk can be an opportunity for developing innovative ways of working. Not looking for or not taking opportunities when they arise also has risks. There is a difference between being "risk aware" and "risk averse".

3.27
Councils need to understand and be transparent about the risks they take on and the benefits they seek. Not all initiatives will succeed, and sometimes the speed of implementation can deliver benefits quickly but put the cost or quality of those benefits at risk. Using reliable information to balance risk and return is part of good risk management.

3.28
Councils need to consider value creation and the potential for innovation when setting their risk appetite. The need for innovation has never been more important given the challenges councils are facing to deliver services to communities within budgetary pressures.

7: The International Standard ISO 31000 (2018) discusses leadership and commitment in Part 5.2.

8: According to the Cambridge Dictionary, being risk averse means being unwilling to take risks or wanting to avoid risks as much as possible.