Review of a Risk Management Framework

The project

OCM completed a review of a Council’s risk management framework.  The objective of the review was to redevelop Council’s enterprise risk framework. The specific focus areas for the review included:

• Consideration of Council’s risk management policy and procedures against accepted industry standards
• Assess if Council has adopted a formal and systematic approach to the assessment of risks relevant to its operations
• Ascertain if Council has implemented appropriate processes to review the adequacy and effectiveness of risk management and control processes to ensure risk management practices are undertaken as intended
• Testing of the ongoing management, monitoring and review process to provide assurance over the administration of risk management policy, procedures and practices
• Consideration of the enterprise risk management framework contents, development and design (stakeholder consultation, roles and responsibilities definition, risk appetite, and that risk is considered when making key decisions
• Development of a Change Management Plan designed to embed risk management across Council’s operations

Our role

Our approach in undertaking this engagement included:

• Developing an understanding of Council’s current status and culture with regards to risk management through interviews with key Council stakeholders (Audit and Risk Management Committee members, Executive Leadership Team, Managers and Risk Management and Governance Team members), review of documentation, and force field analysis during workshops
• Undertaking a maturity assessment of the Council’s risk management approach using the QAO Risk Maturity tool
• Reviewing and recommending improvements to Council’s:
  • Policies and procedures related to risk management including assessing them against ISO 31000
  • Risk management process including assessing it against ISO 31000
  • Key risk registers including determining if Council’s core plans and objectives have been considered
  • Risk management training materials
  • Risk management reporting
• Assisting in the redevelopment of risk management reports provided to a variety of stakeholders and determining if they have been compiled in a complete, accurate and timely manner
• Facilitating workshops with Council Executives and Managers to:
  • Understand Council risk management maturity
  • Introduce the updated Risk Management Framework
  • Provide training on how to assess and evaluate risks
  • Update Council’s Strategic Risk Register
  • Update Council’s Risk Appetite Statement

Maturity Assessment

The approach that we took in undertaking the maturity risk assessment is that it is not practical or cost effective for an entity to be “Optimised” in all areas. Rather we worked with Council to identify where they sat in terms of maturity, established from the workshops and interviews where it is appropriate for them to sit, and recommended improvements to bridge the gap.

Deliverables and Outcomes

The agreed deliverables from the engagement included:

• An updated enterprise risk management framework including revised policy, procedures and risk matrices
• Risk management awareness training delivered to Executives and Managers
• Change management strategy including:
  • Articulation of goals for the Council to improve their risk management maturity, practices and culture including specific change management goals
  • Change implementation project plan, implementation roadmap and communication plan
  • Risk management maturity assessment results and recommendations to address identified gaps, and
  • Recommendations for an integrated risk management governance framework and structure including definition of key roles and responsibilities for the Audit Committee, Risk Management Group and operational management, risk registers and reports,
    risk champions and Governance and Risk functions’ role and responsibilities.

The final outcomes included:

• Clearer risk appetite aligned to the Council’s strategic objectives and risks
• Updated risk management policy, procedures and risk assessment matrices
• Improved reporting
• Improvement risk assessment quality
• Better accountability and delivery of management actions
• Targeted improvement on risk management framework (design, content and compliance), and
• Risk training provided to relevant staff.

For other Governance, Risk and Compliance case studies refer Development of an Assurance Map; Strategic Risk Assurance Mapping; Disaster Recovery Planning.