Part 6: Improving risk management

Our observations on local government risk management practices.

An audit and risk committee chairperson we spoke to said that risk management is a journey, not a destination.

There are many risk management maturity assessment frameworks available, including the All-of-Government Enterprise Risk Maturity Assessment Framework.13 This covers:

  • Leadership and direction: governance, culture, and continuous improvement;
  • People and development: roles and responsibilities, resourcing, skills, and training;
  • Processes and tools: risk assessment and mitigation, assurance, and risk monitoring and reporting; and
  • Business performance: strategic risk management, managing risk in partnerships, business resilience, and change and transformation.

Councils can use the All-of-Government Enterprise Risk Maturity Assessment Framework to assess their current maturity and help determine what they need to do to improve maturity.

Approaches to improving risk management maturity are unique to each council

The four councils we looked at acknowledged they needed to improve their risk management maturity and are doing so.

Environment Canterbury Regional Council plans to continue further integrating its risk management thinking and processes into its organisational culture and practices. To date, the integration of risk management has been deliberately gradual. Environment Canterbury Regional Council has prioritised working with staff who are more receptive to improving their risk management practices in the first instance.

In Figure 13, we discuss Waipā District Council's approach to applying a change management lens to improving its risk management maturity.

Figure 13
Waipā District Council's approach to applying a change management lens

In 2018, Waipā District Council had external consultants complete a maturity assessment of its risk management framework and supporting processes. This work was part of the Council's internal audit plan. The aim was to identify areas for improvement.

The consultants rated the Council as having "sustainable" risk management. The ratings the consultants used were "weak", "sustainable", "mature", "integrated", and "advanced". The Council intends to move its rating from "sustainable" to "mature" over three years. The rating "mature" is considered best practice for the local government sector.

The consultants recommended that the Council:
  • develop a formal risk management strategy and processes for monitoring and reporting key risks;
  • consolidate key risks in the strategic risks register and avoid duplication of enterprise-wide risk registers;
  • clarify roles and responsibilities of the audit and risk committee and the finance and corporate committee for risk monitoring and oversight; and
  • build awareness, provide guidance, and lift the ownership and capability of frontline staff so that they can use risk management strategically.
The Council developed a three-year risk strategy that set out initiatives designed to achieve a "mature" rating:
  • In Year 1 (2019/20), the Council developed documents that provided the foundation for risk management in the Council.
  • In Year 2 (2020/21), the Council focused on organisation-wide awareness building and capability development, making risk management more systematic by building the risk management framework into the organisation.
  • In Year 3 (2021/22), the Council will re-evaluate the risk strategy.
The Council is implementing this strategy through a risk management improvement programme. It also has a change management plan to support implementing this programme.

Applying a change management lens has been core to the Council's risk management strategy.

The Council carried out a risk and compliance survey in January 2020 to gauge the level of awareness, knowledge, and understanding of business risk and compliance throughout the organisation. The results established a baseline and informed the content of the change management plan.

A key part of the Council's risk management strategy has been setting up a Risk and Compliance Oversight Group, which includes staff from across the organisation. This Group supports the implementation of the risk management strategy, champions risk management, provides advice and support to staff, and provides a channel for communication.

To date, the Council has appointed a dedicated business resilience and risk advisor role and an independent chairperson of the audit and risk committee, and it has laid the foundations of its risk management framework.

Every council should assess the level of risk management maturity it needs and establish a formal plan for achieving that maturity. Councils should carry out regular reviews to track progress against that plan.

Recommendation 4
We recommend that councils assess their desired level of risk management maturity and prepare a clear plan to achieve this. Regular formal reviews of their risk management practices should be carried out to inform progress and identify areas for improvement.

Aspects of risk management that councils need to improve

Based on the risk management practices of the four councils we looked at, the results of our survey, and our audit work more generally, we consider that most councils have a basic level of risk management maturity.

Throughout this report, we have identified key areas that councils should focus on to improve their risk management practices. They are:

  • someone in the council being responsible for enabling and driving good risk management practices throughout the organisation;
  • assessing the level of risk management maturity they currently have and the level they desire;
  • formally documenting the risk management practices they expect staff and elected members to apply;
  • integrating risk management into all council activities, particularly strategy-setting and decision-making, with a particular focus on embedding the coverage of risk in reports to elected members;
  • improving the training and support provided to staff and elected members on their risk management roles and responsibilities;
  • ensuring that their audit and risk committee is clear about its role in gaining assurance over the management of risk;
  • regularly reviewing risk management activity to track progress and identify areas for improvement; and
  • making greater use of quantitative risk analysis or assessments to support relevant decision-making.

13: For more information about the framework, see