Audit and Risk Committee
Open Agenda – Revised Report
Meeting Date: Thursday 4 April 2024
Time: 9.30am
Venue: Breakout Room 2
Livestreamed via Council’s Facebook page
TABLE OF CONTENTS
Agenda items
10 Updated Risk Management Report
Agenda Items
10. Updated Risk Management Report
Type of Report: Operational
Legal Reference: N/A
Document ID: 1748900
Reporting Officer/s & Unit: Dave Jordison, Risk and Assurance Lead; Alister Edie, Business Improvement Manager
10.1 Purpose of Report
To update the Committee on current developments and workstreams within the risk management framework and inform on the status of Council’s strategic and operational risk profile and any emerging risks.
Officer’s Recommendation
The Audit and Risk Committee:
a. Receive the report titled “Risk Management Report” dated 4 April 2024.
We have yet to complete a full review of the recommendations from the previous strategic risk workshop. New strategic risks were proposed, and various further actions and reviews of risk appetites were recommended. We will workshop these recommendations further with ELT and check that our updated strategic priorities have sufficient risk assignment before reporting back to this Committee.
A review of our risk management framework and risk maturity level is also being carried out by our internal audit provider. We will assess those recommendations when available and propose required improvements.
Various operational risks are currently out of appetite because sufficient review work has not been undertaken. We have reviewed the extreme revised risks ourselves, decreasing them where we believe controls are more sufficient or likelihood is less than reported. We will complete this review with risk owners and further review the high operational risks.
We will also report regularly into ELT meetings to drive risk review processes and capture emerging risks.
10.3 Issues
N/A
10.4 Significance and Engagement
N/A
10.5 Implications
Financial
N/A
Social & Policy
N/A
Risk
Strategic Risks
At the meeting in September 2023 the Committee approved moving the following risks from strategic to operational:
- SR 14 Work Health & Safety - Failure to maintain a safe and healthy workplace and safe systems of work,
- SR24 Compliance & Liability – Failure to comply with legislation and other requirements, and
- SR27 The Council does not have the right people with the right capabilities.
Strategic Risk SR14 Work Health & Safety - Failure to maintain a safe and healthy workplace and safe systems of work (i.e. we do not proactively navigate H&S threats) has also been increased to a high revised risk level. This was agreed with the chairman of the Audit and Risk committee because of the outcome of the internal audit of the Health and Safety activities. This now indicates that the level of effectiveness of controls needs to be improved to meet our risk appetite level.
Operational Risks

A total of 81 operational risks exist, with 61 at high and 20 at extreme revised risk levels. This compares to the previous quarter’s total of 87, where 70 were high and 17 were extreme.
The primary cause of this increase is that additional risks have been created but the analysis and set up, including documenting the controls and revised risk level, has not been completed. Most of these new high and extreme risks are categorised as risks with no controls (40), so their revised risk level is equal to their inherent risk level e.g. extreme.
We have reviewed the extreme operational risks further for this report, decreasing the revised risk level where we believe this is the underlying situation. 3 operational risks remain at extreme with 5 moving to lower revised risk levels – the remaining 11 indicate the set-up of the risks is incomplete. We will check our review with risk owners and undertake the same exercise for high operational risks.

28% of risk reviews are showing as overdue because of staff not prioritizing the risk management process - or in some instances not understanding the process of amending dates for the risk review, the control review, and adherence to the treatment action due dates.
To reduce overdue risk reviews and improve the overall usability of risk metrics, we are planning further training for Directors and tier 3 & 4 managers and are improving the documentation of the risk review process and procedures. We will also report regularly into ELT meetings.
Two Operational risk reviews have resulted in an escalation of risk level:
- Operational risk OR332 Napier Aquatic Centre - Member of the public drowning, and
- OR316 Ocean spa - Member of the public drowning.
Both risks have been revised from a low to medium risk rating, resulting in an escalation through the director to the Chief Executive to accept the increased revised risk level. We are currently working through the risk analysis for the Kennedy Park pool, and this may also produce similar revised risk results.
There are also several instances where risk owners are creating new operational risks with the view of consolidating existing ones. The previous risks remain active until the setup of the new risks is complete, decreasing the usability of risk metrics.
Out of Appetite
There are currently 50 Operational risks showing as out of appetite, down from 120 in the previous period. This improvement is due to the required risk reviews taking place and the revised risk rating moving within appetite.
There are currently 6 strategic risks showing a revised risk level of out of appetite, predominantly due to the risk analysis being incomplete – this needs attention.
Emerging Risks
The following emerging risk has been added during the period:
- OR 334 Serious harm or fatality of Staff and/or Public from trade waste non-compliance.
The risk analysis for this operational risk is yet to be concluded, but currently the controls are showing very ineffective and require further work.
10.6 Preferred Option
Receive this risk management report