Effective risk management is a cornerstone of good governance, particularly for local councils responsible for safeguarding public interests. Gunnedah Shire Council recently undertook a comprehensive risk management audit through CivicRisk Mutual’s Risk Enhance Program as a proactive step towards bolstering its internal processes.
From reviewing the risk management framework to creating a strategic risk register, the audit aimed to enhance the council’s resilience and responsiveness. In this spotlight, we explore the scope of the audit and how these reviews are critical for maintaining robust governance practices.
The Importance of Auditing Risk Management Processes
Risk management audits are necessary tools for local government bodies looking to strengthen their security against both known and unforeseen threats. These audits provide an opportunity to critically assess the effectiveness of existing risk management frameworks, ensuring your council remains resilient in the face of operational, financial and legislative risks.
By regularly auditing risk processes, you can address vulnerabilities before they become an issue, reinforcing your capacity to manage future risks more precisely.
The Audit’s Key Focus Areas
Gunnedah Shire Council hired a third-party auditor to ensure the audit was transparent and wide-ranging, covering several critical areas of risk management. Some current policies and procedures that are a part of the council’s governance and risk management framework include:
- Fraud and corruption prevention: Mechanisms in place to detect and prevent fraudulent activities and corruption within the organisation.
- Risk management practices: The existing risk management framework.
- Business continuity planning: Indicating how well-prepared the council is to continue operations during and after disruptive events.
- Legislative compliance: Ensuring adherence to all relevant laws and regulations.
- Public interest disclosure: The processes for managing disclosures that serve the public’s interest.
Each area was carefully analysed to ensure the council’s governance remains strong enough to stay prepared and resilient against future challenges.
Audit Process: Steps and Methodology
To kick off the audit process, the auditor held an engagement management session to minimise project management and delivery risks. This meeting involved defining the scope, timeframes and deliverables. They also exchanged necessary documentation to ensure a smooth process.
Risk Management Framework Review
Setting out to identify gaps in the council’s risk management framework, the auditor and Gunnedah Shire Council embarked on the review process. The teams analysed annual reports, strategic planning and organisational structure, evaluating key documents including the risk management procedures, risk culture surveys and periodic risk management. This helped both parties gain a bird’s-eye view of the current risk management status within the council.
Interviews with ARIC representatives illuminated strengths and areas for improvement within the current framework. Finally, the team drafted a Gap Analysis Report detailing actionable recommendations to mature risk management practices and present results.
Refining the Risk Appetite Statement (RAS)
To support decision-making in the risk assessment process, the council’s risk-taking preferences and parameters would need to be established. The purpose of the RAS is to achieve exactly that.
The Executive team participated in an hour-long risk appetite education session, followed by a series of interviews with Executives, the Audit, Risk and Improvement Committee (ARIC) representatives and Councillors to gauge risk perceptions, attitudes and tolerances.
The results of these interviews would inform an initial risk appetite statement draft. Next, the executive team held a workshop to review and align the abstract to Integrated Planning and Reporting, as well as run it through a scenario test. Once the results were finalised, the RAS was presented to ARIC.
Strategic Risk Register
A series of trainings and workshops helped identify the key strategic risks facing the council within the strategic planning horizon.
The workshops began with an educational overview. Next, the leadership team gathered to identify key emerging and strategic risks to complete the draft baseline strategic risk register. Following the workshops, the risk register was completed and a report was created for the Executive team.
Building a Culture of Risk Awareness
An audit’s effectiveness is only as strong as the people who implement its recommendations. Recognising this, Gunnedah Shire Council emphasised staff risk training, ensuring employees at all levels are well-versed in identifying and mitigating risks. By investing in continuous training, the council is building a culture where risk awareness is part of everyday operations.
Furthermore, the audit’s focus on reviewing operational risk processes equips the council with the tools necessary to monitor risk continuously. Training staff and setting up continuous reviews demonstrate forward-thinking governance, and this proactive approach embeds risk awareness into the council’s culture.
Developing a Risk Improvement Action Plan
As part of the audit, Gunnedah Shire Council began populating a Risk Improvement Action Plan. This plan outlines key activities that need to be undertaken to support the council’s risk management efforts, serving as a roadmap for future risk management activities.
These activities range from updating risk registers to refining procedures for fraud and corruption prevention. The action plan serves as a dynamic roadmap, helping the council prioritise meaningful risk performance indicators for reporting.
How Can I Create Meaningful Risk Performance Indicators?
Meaningful risk performance indicators provide stakeholders with clear and relevant information about the council’s risk exposure, management proficiency and overall risk performance. These move beyond basic compliance checks, providing data that helps decision-makers understand where risks lie, how well they are managed and whether further action is required.
To derive more meaningful performance indicators from your risk management framework, start by reviewing existing reports and performance indicators to ensure they are aligned with the council’s current risk landscape. Assess which information is available in your current risk management information systems to see what gaps may exist.
Key risk metrics that resonate with your council’s strategic objectives should reflect the types of risk you’re willing to take on and the ones you aim to avoid entirely. Keep your risk register updated with not only known risks but also emerging risks that your council could face within your risk landscape over the next few years.
A Commitment to Stronger Governance
While the outcomes of Gunnedah Shire Council’s risk management audit are still forthcoming, a commitment to a thorough review is already paying dividends. By identifying key risk areas and establishing an action plan for future improvements, the council has taken an important step toward stronger, more resilient governance.
Through continuous evaluation and refinement of its risk management practices, Gunnedah Shire Council is dedicated to remaining a responsible and forward-thinking entity in the face of evolving challenges.
If you want to learn more about how CivicRisk Mutual’s Risk Enhance Program can support your risk management initiatives, contact us today.