Meeting of the Finance Audit & Risk Sub-committee
Date: Wednesday 3 June 2015
Time: 9.00am
Venue: Council Chamber, Hawke's Bay Regional Council, 159 Dalton Street, NAPIER
Attachments Excluded From Agenda
8. HBRC Risk Assessment and Management
Attachment 4: Draft Risk Management Policy and Framework
Definitions:
Council: means the nine elected members as a governing body of Hawke’s Bay Regional Council
HBRC: means Hawke’s Bay Regional Council
Audit and Risk Committee: means the Finance Audit and Risk Committee of Hawke’s Bay Regional Council
Purpose of this document
1. This document:
a. Sets out HBRC’s risk management policy and its approach to managing risk.
b. Sets out systems and processes HBRC has in place to ensure the prudent stewardship and the efficient and effective use of its resources.
c. Documents the roles and responsibilities of the Council, the Audit and Risk Management Committee, the Chief Executive and executive management team, and all staff.
d. Identifies reporting procedures.
2. The policy forms part of HBRC’s audit and risk management and corporate governance arrangements.
Approach to risk management and audit
1. The following key principles outline HBRC’s approach to risk management and audit:
· HBRC’s risk is to be managed, monitored and reported, in accordance with this policy adopted by Council.
· HBRC is a public organisation funded largely by money sourced from the Hawke’s Bay community. It must use that money wisely and carry out its duties cost effectively. HBRC must demonstrate it is a prudent manager and user of public funds.
· The Chief Executive has responsibility for overseeing risk, financial and operational management within the whole of HBRC and will report to the Risk and Audit Committee on these issues in accordance with this policy.
· The Chief Executive and Executive management team support, advise and implement policies approved by Council, and are responsible for the management of operational risks, and for reporting to Council all new and emerging risks with the potential to significantly impact on Council.
· HBRC is conservative and prudent in its recognition and disclosure of the financial and non-financial implications of risks.
· Management staff are responsible for encouraging good risk management practice within their groups and teams.
Role of Council
2. Council as the governance body for HBRC has a fundamental governance role to play in financial and operational management and the management of risk. Its role is to:
a. Set the tone and influence the culture of risk management within HBRC. This includes:
· Understanding that there is risk in the activities undertaken to achieve or support the desired organisational outcomes.
· Providing clarity on the level of risk that HBRC should be exposed to in undertaking specific activities.
· Setting the standards and expectations of staff with respect to conduct and probity.
b. Adopt an audit and risk management policy and framework, monitor its effectiveness and review and revise this to ensure it remains fit for purpose.
c. Appoint the Audit and Risk Committee and continue to monitor its effectiveness.
d. Consider and monitor risks associated with achievement of HBRC strategic outcomes.
e. Approve major decisions that may affect HBRC’s risk profile or exposure.
Role of the Finance Audit and Risk Management Committee
3. The role of the Audit and Risk Management Committee is set out in the Terms of Reference adopted by Council at its meeting on 25 February 2015.
Role of the Chief Executive and Executive Management Team
4. Key roles of the Chief Executive and the executive management team relevant to Audit and Risk policy are to:
a. Implement policies on audit and risk management and report on compliance and performance.
b. Identify, evaluate and manage (excluding governance risks) the risks faced by the Organisation.
c. Provide adequate information in a timely manner to Council and its committees on the status of significant risks to which the Organisation is exposed and the controls to manage those risks.
Risk management control system
5. The risk management control system encompasses a number of elements that together facilitate an effective and efficient risk assessment, enabling HBRC to consider a variety of strategic, operational, financial, and commercial risks. These elements include:
a. Policies and procedures
Many of the organisational risks are managed through policies and plans adopted by the Council. These include Regional Plans developed according to relevant legislation, their associated implementation plans, and policies or protocols specific to a particular issue. The policies adopted by Council are implemented and communicated through the Chief Executive to staff. Written procedures support the policies where appropriate.
b. Reporting
Comprehensive reporting is designed to communicate the monitoring of key risks and their controls. Decisions to rectify problems are generally made by staff, but may be at the direction of Council where a significant potential risk is identified.
c. Annual and 10 year planning and budgeting.
The annual and 10 year planning and budgeting processes are used to set objectives, a performance framework through which to monitor progress towards achieving those objectives, develop and communicate work programmes, and allocate resources. A number of the work programmes are designed specifically to mitigate strategic risks. Progress towards meeting annual and 10 year plan objectives is monitored regularly.
d. Risk management framework
This framework helps to facilitate the identification, assessment and ongoing monitoring of risks to which HBRC is exposed. The framework is formally reviewed in accordance with the timelines set out in Table 1 below, with all existing risks reviewed and new and emerging risks added.
e. Risk review programme.
The risk review programme is an important element of the risk management process. Apart from its normal programme of work, each member of the executive management team is responsible for the review of the effectiveness of the risk management framework within HBRC as set out in Table 1 below.
f. Internal audit.
An internal review of risks may be requested by Council or commissioned by the Chief Executive from time to time as they deem appropriate. Such an external review may cover the risk framework and all of the risks to which HBRC is exposed, or may be restricted to specific risks or aspects of risk. This internal audit function may be contracted to an external audit provider.
g. Audit of HBRC’s Long Term Plans and Annual Plans
These audits are carried out by Audit NZ on behalf of the Controller and Auditor General.
Review of effectiveness
6. The Chief Executive is responsible for reviewing the effectiveness of HBRC’s risk controls. The frequency and scope of such a review shall be dictated by the Audit and Risk Committee. The review may be required for all or part of HBRC’s activities. The outcome of such a review will be reported to the Audit and Risk Committee.
7. For each risk identified, the Chief Executive will:
· Review the previous risk review and examine HBRC’s record on risk assessment and control.
· Consider HBRC’s future risk profile and consider if current risk control arrangements are being effectively implemented.
8. In making his decision the Chief Executive will consider the following aspects:
a. Control environment:
· HBRC’s objectives and its financial and non-financial targets
· Organisational structure and caliber of the senior management team
· Culture, approach, and resources with respect to the management of risk
· Delegation of authority
· Reporting to Council
b. On-going identification and evaluation of risks:
· Timely identification and assessment of risks
· Prioritisation of risks and the allocation of resources to address areas of high exposure.
c. Information and communication:
· Quality and timeliness of information on risks
· Time it takes for control breakdowns to be recognised or new risks to be identified.
d. Monitoring and corrective action:
· Ability of the organisation to learn from its experiences
· Commitment and speed with which corrective actions are implemented.
RISK MANAGEMENT FRAMEWORK

| Responsible Group | Decision areas | Frequency of review/reporting |
|---|---|---|
| Council (through Audit and Risk Committee) | Organisation risk profile | Annually |
| | Top 10 residual risks | Annually |
| | Top 10 controls | Annually |
| | Significant new or emerging risks | As they arise |
| | Governance risks | Annually |
| Chief Executive (together with Exec Managers) | Review and monitoring Organisational risks including controls | 6 monthly |
| | New and emerging risks reporting to Council | As they arise |
| Group Managers (together with 3rd tier managers) | Review and monitoring of: risks associated with Group’s risks including controls | 6 monthly |
| | Review and monitoring of: new and emerging risks within group | As they arise |
| Staff | Effective management of operational risks through implementation of controls | Ongoing |
| | Reporting new or emerging risks as they arise | As they arise |
| Name | Full Description | Value |
|---|---|---|
| Almost Certain | Occurrence of the event within this 10-yearly LTCCP may be credibly regarded as a ‘real possibility’ i.e. the probability of occurrence is greater than non-occurrence. Documented and frequent incidents. Is likely to occur more than once in this 10-year LTCCP period. | 99 |
| Likely | Occurrence of the event within this 10-yearly LTCCP may be credibly regarded as a ‘real possibility’ i.e. the probability of occurrence is similar to non-occurrence. Documented and regular incidents. Is likely to occur once in this 10-year LTCCP period. | 65 |
| Unlikely | Occurrence of the event within this 10-yearly LTCCP would be considered as having some potential to occur – ie, a reasonable probability of occurrence over time, but less than the probability of non-occurrence. Documented but infrequent incidents. Has less than 50% chance of occurrence in this 10-year LTCCP period. | 25 |
| Highly Unlikely | Whilst possible, occurrence of the event within this 10-yearly LTCCP would be regarded by most people as unlikely i.e. the probability of non-occurrence is somewhat larger than occurrence. Documented but few incidents. Has less than 10% chance of occurrence in this 10-year LTCCP period. | 12 |
| Rare | It is not expected that the event would occur within this 10-yearly LTCCP. Occurrence of the event would probably be regarded as unusual - (the probability of occurrence is quite small). Has less than 1% chance of occurrence in this 10 year LTCCP period. | 3 |
Consequence Tables

Stakeholders/Reputation

| Name | Full Description |
|---|---|
| Level 1 | Extreme dissatisfaction and loss of confidence. Central government investigation and/or statutory management installed. Regulatory action resulting in major prosecution and conviction of council (eg - fine of >$100k). Note: ‘Stakeholder’ means clients, public, industry groups (such as forestry/agriculture), local government bodies, lobby groups, or Iwi. |
| Level 2 | Major loss of stakeholder confidence. Extensive stakeholder dissatisfaction expressed through media resulting in a long period of negative coverage (>2 months). Widespread, unified, coordinated revolt by consent holders and/or ratepayers against fees/conditions. Regulatory action resulting in moderate prosecution and conviction of council (eg - $25-$100k) |
| Level 3 | 2-3 stakeholders sectors dissatisfaction expressed through media resulting in a long period of negative coverage (>2 months). Central Government impose statutory sanctions. Regulatory action resulting in prosecution but no conviction. |
| Level 4 | Single stakeholder sector express dissatisfaction through media for up to one month. Central Government – CEO MFE directed by Minister to make enquiries. Individual(s) express dissatisfaction through media or directly. |
| Level 5 | Individual(s) express dissatisfaction through media or directly. Individual(s) refuse to pay fees/rates as a stand against council activities. No significant impact on stakeholders or image |
| No Impact | No significant impact on stakeholders or image |
Operational Capability

| Name | Full Description |
|---|---|
| Level 1 | Event results in management diversion from strategic objectives for a period of > 2 months. Delivery of LTCCP outcomes across work area significantly affected for greater than six months. Critically detrimental effects on stakeholders. Long term loss of capability (>2 months). Event results in management diversion from strategic objectives for a period of <2 months. |
| Level 2 | Event results in management diversion from strategic objectives for a period of <2 months. Delivery of LTCCP outcomes across work area significantly affected for up to six months. Moderate detrimental effects on stakeholders. Event results in loss of operational capability for up to 2 months. Event results in management diversion from strategic objectives for a period of a few days. |
| Level 3 | Event results in management diversion from strategic objectives for a period of a few days. Delivery of LTCCP outcomes across work area significantly affected for up to one month. Minor detrimental effects on stakeholders. Event affects limited efficiency or effectiveness of service. Managed internally. |
| Level 4 | Event affects limited efficiency or effectiveness of service. Managed internally. Moderate staff morale problems resulting in some staff resignations but managed through minor restructuring. |
| Level 5 | Event causes minor disruption felt by limited small group of stakeholders. Minor staff morale impact resulting in minor dissension but managed over a short period of time. |
| No impact | No impact on operational capability |