Compliance and Framework Version 1, October 2020

Compliance and Risk Management Framework

This Framework relates to: Risk Management Policy Document No: 6154088
Framework applies: All sites
Target audience: All Staff
Description: The Compliance and Risk Management Framework is designed to assist Councillors, employees and contractors of Logan City Council (Council) to achieve our strategic and operational goals and objectives with respect to Compliance and Risk Management. This framework articulates the requirement for Council to establish risk management practices in accordance with ISO 31000:2018 and AS/NZS 19600:2015.
Subject: Compliance and Risk Management
Keywords: Current Risk, Frequency, Hazard, Initial Risk Rating, Loss, Probability, Risk, Risk Analysis, Risk assessment, Risk identification, Risk evaluation, Compliance, Breach, Noncompliance
Related Legislation (including OHS legislation), Australian Standards, QLD Policy or Circular, other Documents, Professional Guidelines, Codes of Practice or Ethics:
- ISO 31000:2018, Risk Management Guidelines
- AS/ISO 19600:2015 Compliance Management Guidelines
- Doc ID No: 5979417 Code of Conduct for Staff
- Doc ID No: 5992416 - Workplace and Safety
- Doc ID No: 13324550 – Audit and Risk Committee Policy
- Work Health and Safety Act 2011
- Work Health and Safety Regulations 2011
- Local Government Act 2009
- Local Government Regulation 2012
- Child Protection Act 1999
- Privacy Act 1988 (Cth)
- Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth)
- Environmental Protection Act 1994
- Business Continuity Institute Good Practice Guidelines 2018
- Other state and federal legislation as applicable
Director responsible for Framework: Director, Organisational Services
Manager for Framework implementation: Administration and Corporate Governance Managers
Framework Contact Person: Corporate Governance Manager

Framework Review Due Date: 2 years from date of adoption or date of last review.

Document Control

File: 1186813-1
Document Id: 14119488

Version Number / Description of Change / Author / Branch / Date
1.0 / Creation / Corporate Governance / October 2020

DM 14119488 Compliance and Risk Management Framework Page 2

Table of Contents

1 INTRODUCTION ...... 5
1.1 Structure of this Framework ...... 5
2 OBJECTIVES ...... 5
3 ROLES AND RESPONSIBILITIES ...... 6
3.1 Council ...... 6
3.2 Audit and Risk Committee ...... 7
3.3 Chief Executive Officer ...... 7
3.4 Executive Leadership Team ...... 8
3.5 Administration and Corporate Governance Managers ...... 8
3.6 Managers ...... 8
3.7 Employees and Contractors ...... 9
4 COMMUNICATION ...... 9
4.1 Internal stakeholders ...... 9
4.2 External stakeholders ...... 10
4.3 Reporting ...... 10
4.4 Management Review ...... 10
5 RISK MANAGEMENT ...... 12
5.1 Architecture of the risk management framework ...... 12
5.2 Overall process ...... 12
5.3 Risk Rating ...... 13
5.4 Risk escalation ...... 14
5.5 Risk treatment ...... 14
5.6 Accountability ...... 14
5.7 Integration into organisational processes ...... 15
5.8 Resources ...... 15
5.9 Reporting ...... 15
5.10 Monitoring and review of the framework ...... 15
6 COMPLIANCE MANAGEMENT ...... 16
6.1 Compliance Register ...... 16
6.2 Legislative Changes ...... 16
6.3 Compliance Breach Management ...... 16
6.4 Reporting to the Audit and Risk Committee and ELT ...... 18
6.5 Key Performance Indicators ...... 18
6.6 Compliance audits ...... 18
6.7 Change Management ...... 18
APPENDIX 1: RISK TREATMENT PLAN TEMPLATE ...... 19
APPENDIX 2: NOTIFIABLE BREACH REQUIREMENTS ...... 20
APPENDIX 3: RISK TOOLS ...... 22


1 Introduction

The function of this Compliance and Risk Management Framework (CRMF) is to provide Logan City Council (LCC) Councillors, employees and contractors with guidance in how to apply consistent and comprehensive risk management and how to manage its compliance obligations. This document supports Council’s Risk Management and Compliance Policies.

It identifies key activities needed for an effective risk management approach and provides information on how to identify, analyse, assess and treat risks. The risk management process contained in this framework aligns with ISO 31000:2018 Risk Management.

The Compliance elements of this framework outline Council’s approach to managing its compliance obligations in accordance with the requirements of AS/ISO 19600:2015 Compliance Management Systems.

1.1 Structure of this Framework

This CRMF recognises the common features and requirements of risk management and compliance in supporting good governance. Accordingly, this document has been structured to reflect this by using a common approach to risk and compliance in most areas, apart from Sections 5 and 6 (Risk Management and Compliance Management), which address Risk and Compliance separately.

2 Objectives

Compliance and Risk Management are the responsibility of all Councillors, employees and contractors, with specific risk responsibilities being allocated to different groups and levels within the organisation.

Compliance and Risk Management will support Council in being able to meet our values and deliver upon our objectives, via a consistent and comprehensive process. It will:

- Increase the likelihood of us achieving our strategic and business objectives;
- Encourage a high standard of integrity and accountability at all levels of the organisation;
- Support more effective decision making through better understanding of risk exposures;
- Create an environment that enables us to deliver timely services and meet performance objectives in an efficient and cost effective manner;
- Safeguard our assets – human, property and reputation; and
- Meet compliance and governance requirements.

In adopting a CRMF, Council has the following objectives:

- Provide a consistent, systematic approach to the early identification and management of risks within an acceptable level;
- Make available accurate and concise risk information that informs decision making, including business direction;
- Adopt risk treatment strategies that are cost effective and efficient in reducing risk to an acceptable level;
- Monitor and review risk and compliance levels to ensure that risk exposure remains acceptable; and
- Ensure that the required compliance is maintained and is able to be demonstrated.

3 Roles and Responsibilities

Set out below is Council’s Compliance and Risk Management structure. This illustrates that compliance and risk management are not the sole responsibility of one individual but are supported at all levels in the organisation.

Council
Compliance: Provides strategic oversight and review. Approves Policy.
Risk Management: Provides strategic oversight and review. Approves Policy.

Audit and Risk Committee
Compliance: Monitors and reviews Council on the standard of its compliance and corporate governance.
Risk Management: Reviews risk management performance. Endorses risk management strategy.

CEO
Compliance: Drives compliance culture and is responsible to Council for the management of compliance obligations.
Risk Management: Drives risk management culture and is responsible to Council for the management of risk.

Directors
Compliance: Responsible to the CEO for the compliance obligations within their directorate. Leading by example and demonstrating their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to the CEO for the risk management within their directorate. Demonstrate support for the risk management culture. Identify, assess and manage risks.

Managers
Compliance: Responsible to their Director for the compliance obligations within their branch. Leading by example and demonstrating their active commitment to, and support for, the compliance culture and performance targets.
Risk Management: Responsible to their Director for the risk management within their branch. Demonstrate support for the risk management culture. Identify, assess and manage risks relevant to their Branch.

Program Leaders
Compliance: Identify and manage operational level compliance obligations.
Risk Management: Identify, assess and manage operational risks relevant to their Program.

Staff
Compliance: Conscientiously seek to comply with relevant obligations in the course of their duties.
Risk Management: Ensure risks are being identified, assessed and controlled.

Table 3-1: Compliance and Risk Management Responsibilities

3.1 Council

Council is accountable for compliance and risk management, which includes providing direction and support on the CRMF. Council reviews, amends and approves the CRMF biennially. Council has delegated responsibility for the CRMF to the Chief Executive Officer (CEO). This is to ensure a robust CRMF and effective compliance and risk management processes are maintained. Delegated components include appropriate policies, procedures and systems which meet the requirements of International Standards ISO 31000:2018 and ISO 19600:2015.

The following activities are undertaken as Council responsibilities:

- Establishing Compliance and Risk Management Policies;
- Ensuring that risks are adequately considered when setting Council’s objectives;
- Understanding the risks facing the organisation in pursuit of its objectives;
- Ensuring that adequate systems and controls are in place and operating to manage compliance and risks (this will be achieved through ongoing review of the CRMF system and documented controls, including an annual review);
- Monitoring the effectiveness of those systems and controls;
- Reviewing, assessing and approving the level of risk appetite and tolerance;
- Monitoring compliance with legal and regulatory duties and obligations, e.g. via a Compliance Register and regular audits, as well as other relevant best practice standards;
- Ensuring maintenance of an effective framework of compliance, risk management and internal controls through oversight and recommendations; and
- Ensuring adequate resourcing is available to reduce risk and address identified risks.

3.2 Audit and Risk Committee

The Audit and Risk Committee is an advisory committee of the Council which provides advice in respect to:

- Monitoring and reviewing Council’s compliance with its obligation to establish and maintain an internal control structure and systems of risk;
- Monitoring and reviewing the establishment and implementation of the CRMF;
- Advising Council on matters of compliance and risk management;
- Ensuring that adequate procedures are in place to effectively communicate information about risks and their management; and
- Reviewing the effectiveness of the CRMF in identifying and managing risks and controlling internal processes.

3.3 Chief Executive Officer

The Chief Executive Officer has accountability for managing Council’s compliance and risk, and for implementing the CRMF by ensuring the following:

- Adequate resources are allocated to maintain an effective CRMF;
- Regular reviews of the CRMF are undertaken to ensure risk management systems are adequate and fit for purpose;
- Leadership and commitment to the management of compliance and risk at Council is demonstrated; and
- Appropriate and timely remedial action is taken in response to risk issues and events.


3.4 Executive Leadership Team

The management of compliance and risk is an integral part of Council’s operations and not an add-on activity. The Executive Leadership Team (ELT) members’ role includes:

- Implement and maintain the CRMF;
- Foster an environment in which adopting effective compliance and risk management is encouraged;
- Build and maintain a proactive compliance and risk management culture within Council;
- Design, operate and monitor a system of internal controls appropriate for the needs of Council, its directorates and functions;
- Assign and embed control and compliance responsibilities;
- Be responsible for identification of material (strategic) risks, risk assessment, risk controls and determining the consequence and likelihood of residual risks (N.B. to assist with this process Council has developed risk registers to capture information relating to risks, their consequences and controls);
- Maintain an adequate system of risk management which assists in mitigating risks, ensures early detection of risk management issues and ensures corrective action is taken; and
- Take prompt action to mitigate risk exposure.

3.5 Administration and Corporate Governance Managers

The Administration and Corporate Governance Managers will be responsible for the administration of the risk and compliance management systems and provide advice to others for undertaking the following administrative matters in relation to the CRMF:

- Ensure the CRMF remains appropriate for Council by updating as necessary;
- Arrange for risk and compliance management training, as required;
- Manage risk registers to ensure that they are updated by Managers, as per this CRMF;
- Report to the Executive Leadership Team and the Audit and Risk Committee on compliance and risk management; and
- Arrange annual risk workshops.

3.6 Managers

All Council Managers will be required to:

- Promote and actively lead a culture of compliance and risk management within the workforce;
- Ensure risks are identified, assessed and controlled in accordance with the CRMF;
- Actively monitor and report on risk mitigation for identified risks and new risk exposures;
- Comply with the CRMF; and
- Lead or participate in risk assessments as required.


3.7 Employees and Contractors

All Council employees and relevant Contractors will be required to:

- Actively identify, assess, monitor and report on new risk exposures and risk mitigation for identified risks;
- Comply with the CRMF;
- Be aware of their compliance and risk management responsibilities under this framework to assist Council in achieving desired outcomes; and
- Participate in risk assessments as required.

4 Communication

Council has a wide range of internal and external stakeholders whose requirements need to be taken into account during the compliance and risk management processes, and to whom the results of those processes should be reported.

The main objectives of the communication and stakeholder engagement processes are to:

- Ensure that the interests of stakeholders are understood and considered;
- Ensure the stakeholders participate appropriately in the risk identification and rating process;
- Ensure that different views are appropriately considered when evaluating risks; and
- Ensure agreement with and support for the compliance and risk mitigation and management processes which are to be implemented.

4.1 Internal stakeholders

Internal stakeholders include the following:

- Council (elected members);
- Audit and Risk Committee;
- Wholly owned subsidiaries (Invest Logan, Mayors Charity Trust);
- Staff; and
- Contractors.

Internal stakeholders have a need for effective, consistent compliance and risk management processes to assist them in their day-to-day operations, as well as to guide Council itself in the more significant strategic decision making processes.

Sections 5 Risk Management and 6 Compliance Management of this document detail their involvement in each of the processes.

4.2 External stakeholders

Council has a wide variety of external stakeholders including:

- The Logan Community;
- Community groups supported by Council;
- Government agencies (State and Federal);
- Regulators (State and Federal);
- Developers; and
- Contractors.

External stakeholders, being a diverse group, have a widely varied input in respect to compliance and risk management processes. All stakeholders though would seek to have confidence that the compliance and risk management processes were resulting in good governance practices being adopted by Council.

4.3 Reporting

Reporting is discussed in Sections 5 Risk Management and 6 Compliance Management of this document.

4.4 Management Review

The Executive Leadership Team shall review the Compliance and Risk Management Framework biennially to ensure its continuing suitability, adequacy and effectiveness, including:

- consideration of previous actions;
- policy;
- objectives;
- resourcing;
- changes;
- performance measures;
- non-conformance;
- audit results; and
- stakeholder feedback.

Outputs of management reviews include:

- recommendations on policies;
- objectives;
- structures;
- personnel;
- changes to processes;
- areas to be monitored;
- corrective action to non-conformance;
- gaps in systems; and
- recognition of exemplary behaviour.


5 Risk Management

The success of risk management at Council depends on the CRMF providing the foundations and arrangements that will embed the framework throughout the organisation. The framework assists in managing risks effectively through the application of the risk management process (see Section 5.1) at varying levels within the organisation. The framework ensures that information concerning risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant levels.

5.1 Architecture of the risk management framework

Council’s risk management system comprises two levels of risk registers – strategic and operational. Each considers risks in relation to the objectives of its own organisational context. Compliance related risks are included within each level of risk register. This is illustrated in Figure 5-1: Architecture of the risk management framework.

- The Strategic Risk Register considers long term risks impacting on Council as a whole. The Strategic Risk Register is presented to the Executive Leadership Team and Audit and Risk Committee at least every quarter;
- The Operational Risk Registers consider the risks associated with the day to day operational matters and generally those contained within a one year time horizon; and
- Project Risk Registers are developed per project as required to monitor and manage project related risks.

Risks may pass from one register to another via the escalation process which is detailed in Section 5.3.

Within Council there are other risk management practices in use. These relate to:

- the assessment of Work Health and Safety (WHS) risks;

Individual risks within WHS or Project Risk Registers should be managed within their own risk systems, however where multiple reoccurrences (which may indicate a systemic issue, or an issue of high organisational importance) arise, these should be identified as a single risk in the Operational System, as detailed in Section 5.3.

5.2 Overall process

The process of how a risk progresses from identification through treatment and recording to Council notification is illustrated in Figure 5-1.

Figure 5-1: Risk management process (flowchart, reproduced here as steps)

1. Matter raised as a risk. Is it a risk? If no, handle under normal administrative procedures.
2. If yes, the risk is rated at the Operational Level and managed at the Operational Level.
3. If rated High / Extreme: should the risk be included at the Strategic Level? If no, continue to manage it at the Operational Level.
4. If yes, manage at the Strategic Level. If rated High / Extreme at the Strategic Level, advise Council.

5.3 Risk Rating

The Risk Tools in Appendix 3: Risk Tools define the criteria to evaluate the significance of risk at Council.

Once risks have been identified, clearly defined and documented they must be rated to understand the implications of each risk and which ones need to become the focus of the risk management process. It is important to first assess the most credible level of consequence (not the worst case) and then determine the likelihood that the event will occur at that level of consequence. These should be considered in relation to the controls that are in place and their current effectiveness. As an example, the risk of asset failure from lack of maintenance should be assessed given the conditions and controls currently in place in Council with its asset management procedures and inspections, rather than in isolation with no controls.

5.4 Risk escalation

Where risks are rated on the Branch or Directorate Operational Risk Register as “high” or “extreme”, they should be elevated to the Strategic Risk Register for consideration by ELT. The ELT should consider if the risk is of sufficient significance at the strategic level to warrant inclusion in that risk register and if it is, then accept it, rate it against the objectives at the strategic level and then allocate it to a member of the ELT for mitigation, as necessary. Alternatively, the Operational group should be informed that they are to deal with the risk at their own level. As risks are mitigated, they may be “passed back” to the operational management level for routine management.

Where risks have been assessed as high or extreme at the Strategic level, the Chief Executive Officer shall notify Council.

5.5 Risk treatment

5.5.1 Preparing and implementing risk treatment plans

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:

- Those who are accountable for approving the plan and those responsible for implementing the plan;
- Proposed actions;
- Resource requirements including contingencies;
- Performance measures and constraints;
- Reporting and monitoring requirements; and
- Timing and schedule.

Treatment plans should be integrated with the management processes of Council and discussed with appropriate stakeholders. Decision makers and other stakeholders should be aware of the nature and extent of the residual risk after treatment. The residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. A template for Risk Treatment Plans is included in Appendix 1: Risk Treatment Plan Template.

5.6 Accountability

Council ensures that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls by:

- Allocating risk owners, that have the accountability and authority, to manage risks;
- Including responsibility for risk management at all levels in the organisation, ensuring Councillors, employees and contractors understand their responsibility for risk management; and
- Establishing performance measurement and external and/or internal reporting and escalation processes.


5.7 Integration into organisational processes

Risk management is embedded in all of Council’s practices and processes. The risk management process is part of, and not separate from, those organisational processes. In particular, risk management is embedded within framework development, business and strategic planning and review, and change management.

Council requires that employees assess risk in accordance with Council’s risk management approach.

5.8 Resources

Council has allocated the following resources to risk management:

- Audit and Risk Committee;
- Chief Executive Officer;
- Directors;
- Managers;
- Staff;
- Budgets to facilitate risk assessment and management processes, including the development of the CRMF; and
- Budgets to facilitate risk and compliance management training and ongoing improvements to risk management within Council.

5.9 Reporting

Reporting on risk will occur on a quarterly basis, other than where projects require more regular reporting on their specific project risk registers:

- Project Managers will report to Branch Managers on specific project risk registers;
- Branch Managers will report to Directors on their branch risk register;
- Directors will report to ELT on their directorate risk register; and
- ELT will report on the strategic risk register to Council via the Audit and Risk Committee.

5.10 Monitoring and review of the framework

In order to ensure that risk and compliance management is effective and continues to support organisational performance, Council will:

- Measure and evaluate risk management performance against indicators, which are annually reviewed for appropriateness;
- Biennially review whether the CRMF is still appropriate and suitable to support achieving the objectives of the organisation;
- Annually report on risk and how well the CRMF is being followed; and
- Annually review the effectiveness of the CRMF.


6 Compliance Management

6.1 Compliance Register

Council has developed a Compliance Register identifying areas of compliance and allocating responsibility:

- The register provides all Councillors, employees and contractors with an awareness and understanding of legislation that is relevant to their functions; and
- It allocates accountability with regards to legislative compliance.

The Compliance Register contains the following information:

- Name of the Act;
- Corresponding Regulation;
- The purpose of the Act;
- Relevance to Council with reference to specific sections;
- Corresponding Council policies, plans and publications, including plans that may be needed to ensure proper compliance with specific instruments;
- Directorate(s) and Branch(es) impacted by the Act; and
- The relevant Manager responsible for overseeing compliance with the Act.

Corresponding Council policies, plans and publications shall be reviewed by the responsible Manager to confirm that Council is meeting its obligations.

6.2 Legislative Changes

The requirements for managing legislative changes shall be documented in a procedure that sets out the required processes and responsibilities for:

- Receipt of change alert or equivalent;
- Initial recording of legislative amendment in the Legislative register;
- Assessment of the impact on Council;
- Allocation of designated lead to coordinate further actions;
- Update to policies / procedures / other documentation;
- Development of required communication for change;
- Release and distribution of communication; and
- Tabling at Audit and Risk Committee.

6.3 Compliance Breach Management

A breach is defined as a non-compliance with a legislative, regulatory, standard or Council compliance obligation.

Compliance Breaches may result from either:

- Breaches of Council Policies; and/or
- Breaches of legislation.

6.3.1 Internal Reporting and Investigation

- The Director is the representative of the CEO in their Directorate;
- Breaches in compliance with any legislative, regulatory, standard or Council compliance requirement must be reported to the Corporate Governance Manager;
- The Corporate Governance Manager is to report all compliance breaches with a potential consequence of ‘Major’ or ‘Catastrophic’ to the Executive Leadership Team and Audit and Risk Committee in line with Council’s Risk Matrix (see Table 6-1 below);
- A breach may also be reported by a finding in a review or audit;
- A reported breach shall be risk assessed for importance and consequence to Council;
- The Manager of each relevant Branch, in consultation with the Corporate Governance Manager, shall recommend treatment for restoring compliance;
- All breaches shall have a Risk Treatment Plan provided by the Corporate Governance Manager and endorsed by the Director Organisational Services; and
- Consultation shall occur to ensure negative effects are not produced in other areas or Departments.

Politics, Leadership and Governance (examples: compliance with legislation, directives, delegations, policies, local laws, code of conduct – staff and individual councillors, governance)

Negligible: Compliance with legislation, regulations, directives, policies, code of conduct, procedures etc.
Minor: A “working” relationship exists between Council and other levels of government. Non-compliance is managed internally without penalties or prosecution.
Moderate: Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution. Decision made re individual consequences.
Major: Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate). Decision made re suspension or termination.
Catastrophic: Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.

Reputation (examples: media exposure, social media, political influences, relationships with media stakeholders, reputation variances within the community, social media communications)

Negligible: Predominantly local publicity. Positive reputation maintained. Positive relationships with media stakeholders. Isolated social media communications.
Minor: Periodic, local, adverse publicity. Identified that service delivery may be impacted by media scrutiny. Reputation variances within the community. Positive relationships with media stakeholders maintained. May cause some social media or formal complaints (justified or unjustified).
Moderate: Increasing and broadening adverse publicity at local and state level. Service delivery may be impacted by media scrutiny. Sustained reputation variances within the community. Relationships with media stakeholders may be strained. Significant social media and/or formal complaints. Mass and extended adverse social media coverage.
Major: Sustained, adverse publicity at local and state level. Media scrutiny impacts service delivery. Damage to reputation within the community. Publicity may lead to an audit, inquiry, or other legal proceedings. Impact of strained relationships with media stakeholders known.
Catastrophic: Sustained, adverse media attention at local, state and national level. Possibility of worldwide media exposure. Media scrutiny adversely impacts service delivery. Sustained damage to reputation within the community. Ongoing exposure may lead to audit, inquiry, or legal proceedings. Irreparable damage to relationships with media stakeholders. ‘Viral’ adverse social media coverage (e.g. hashtag on twitter).

Table 6-1: Compliance Breach Consequences

6.3.2 External Notification

Notifiable breaches in compliance within Council are to be reported to the relevant regulatory authorities in accordance with Appendix 2: Notifiable breach requirements.

6.4 Reporting to the Audit and Risk Committee and ELT

Reporting to the Audit and Risk Committee and ELT shall include:

- Compliance breaches;
- Compliance levels;
- Significant changes to legislation or regulation and their effect on Council;
- Compliance improvement activities and recommendations; and
- Key performance indicators for compliance management.

6.5 Key Performance Indicators

Key Performance Indicators (KPIs) shall be established at Branch and Directorate levels and adopted by the Executive Leadership Team. The KPIs on compliance shall be communicated to the Corporate Governance Manager. Suggested KPIs include:

- Relevant policies and procedures exist to detect and prevent bribery;
- Annual review of Compliance Management undertaken;
- Induction training includes Compliance – number of staff trained;
- Breaches reported vs breaches investigated and resolved;
- Internal Audits conducted; and
- Internal audit Findings / Improvement Opportunities Implemented (percentage of total findings).

6.6 Compliance audits

Audits of the Compliance Management System are conducted in accordance with the Internal Audit Schedule, with audit reports submitted to the Audit and Risk Committee.

6.7 Change Management

Council’s Change Management Process shall ensure that all applicable changes are planned and reviewed to identify and mitigate any unintended consequences relevant to compliance obligations.

Appendix 1: Risk Treatment Plan Template

Risk No.: Risk: Risk Owner:

Risk Rating: Consequence (C): Likelihood (L): Residual Risk Level:

Causation:

TREATMENT:

Existing Controls:

New Treatments: WHAT do you intend to do (i.e. general strategy)?

Control | Expected benefits | Expected constraints

New Treatments: HOW do you intend to do it (i.e. specific actions)? Addresses C or L or both (tick)

RESOURCES required for implementation?

WHERE will new treatments be incorporated (e.g. business plan, operational plan, budget etc.)?

WHO is the Risk Owner (accountable officer)? WHO will implement the new treatments?


WHEN will the new treatments be developed? WHEN will you review new treatments for effectiveness?


HOW will you know when it’s done (i.e. what are the measurable indications that the planned new treatments have been implemented)?

Performance  Indicators:

CLOSE OUT: The above treatment plan has been fully implemented

(signed) Risk Owner Date


Appendix 2: Notifiable breach requirements

Columns: Category | Legislation | Breach / Notifiable Incident | Further Information for notifying regulator | LCC Person Responsible | Existing Council Document (Policy, Procedure, Guide etc). The LCC Person Responsible and Existing Council Document columns are not populated in this version of the table.

Category: WHS
Legislation:
- Work Health and Safety Act 2011 (Qld)
- Electrical Safety Regulation 2013 (Qld)
Breach / Notifiable Incident:
- Death, serious injury or serious illness of a person, or a dangerous incident.
- Serious electrical incident or dangerous electrical event.
Further Information for notifying regulator: https://www.worksafe.qld.gov.au/injury-prevention-safety/incidents-and-notifications/what-is-an-incident#incident

Category: Environment
Legislation:
- Environmental Protection Act 1994 (Qld) s 320
Breach / Notifiable Incident:
- Serious environmental harm.
- Material environmental harm.
Further Information for notifying regulator: https://environment.des.qld.gov.au/management/compliance-enforcement/obligations-duties

Category: Information
Legislation:
- Privacy Act 1988 (Cth)
- Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth)
- Information Privacy Act 2009 (Qld)
Breach / Notifiable Incident:
- Eligible data breach where:
  - there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by LCC; and
  - the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Further Information for notifying regulator: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Category: Child Protection
Legislation:
- Child Protection Act 1999 (Qld) s13E(2)
Breach / Notifiable Incident:
- Reasonable suspicion that a child has suffered, is suffering, or is at unacceptable risk of suffering, significant harm caused by physical or sexual abuse; and may not have a parent able and willing to protect them from harm.
Further Information for notifying regulator: https://www.csyw.qld.gov.au/child-family/protecting-children/about-child-protection/mandatory-reporting

Category: Financial & Procurement
Legislation:
- Local Government Act 2009 (Qld)
- Local Government Regulation 2012 (Qld) s 307a
Breach / Notifiable Incident:
- Material loss of asset.
- Reportable loss of asset.
Further Information for notifying regulator: https://www.dlgrma.qld.gov.au/local-government/accountability/fraud-management


Appendix 3: Risk Tools

Consequence Table

Consequence ratings: Negligible | Minor | Moderate | Major | Catastrophic. Each risk category below lists the descriptors for each rating.

Service Delivery
Examples: communication, information or data, technology, records, software, hardware, assets, property, buildings, equipment, plant, fleet, supplies, infrastructure; human resources (injury prevention, workplace relations, recruitment, retention, succession, staff, contractors, volunteers); project management (scope, quality, risk management, communication, procurement, stakeholder consultation and governance).
Negligible:
- Minor issue with communication, data, systems, technology, records, software, hardware, assets, facilities or functions (< 1 day or < Maximum Allowable Outage).
- Service interrupted briefly.
- No impact on external customers.
- Minor, localised workforce issues.
- All requirements of effective project management are in place.
Minor:
- Temporary restriction of access or disruption to essential services or critical business functions (< 24 hours or Maximum Allowable Outage).
- Localised workforce issues.
- Business Continuity Directorate Recovery Plan is referenced.
- Effective project management is in place, with internal and external stakeholder consultation required.
Moderate:
- Restriction of access or disruption to essential services or critical business functions (< 48 hours or Maximum Allowable Outage plus 12 hours).
- Temporary damage to property, assets, facilities or infrastructure.
- Multiple sites impacted by workforce issues.
- Business Continuity Directorate Recovery Plan is reviewed.
- Effective project management with multiple internal and external stakeholders consulted.
- Completion/success of the project could be impacted by time or cost increases of 15% – 25%.
Major:
- Restriction of access or disruption to essential services or critical business functions > 1 week or Maximum Allowable Outage plus 1 week.
- Permanent damage to property, assets, facilities or infrastructure.
- Ongoing, significant workforce issues at multiple sites.
- Master business continuity plan is in place and may be enacted.
- Completion/success of the project adversely impacted by time or cost increases of 25% – 50%.
Catastrophic:
- Loss of access or disruption to essential services or critical business functions.
- Multiple sites impacted by significant workforce issues.
- Master business continuity plan enacted.
- Inadequate scoping may lead to partial completion of project or achievement of outcomes.

Finance and Legal
Examples: fraud, corruption, litigation, claims, contract management, intellectual property, operational budgets, procurement, contracts management, public liability, professional indemnity, insurance.
Negligible:
- Loss of or unplanned expenditure of < 1% of budget.
- Loss < 1K.
- Budget variation manageable in the short term.
Minor:
- Loss of or unplanned expenditure of < 5% of budget.
- Loss between 1K and 10K.
- Budget variation manageable, absorbed over current financial year.
Moderate:
- Loss of or unplanned expenditure of 5-10% of budget.
- Loss between 10K and 100K.
- Impact on budget beyond current financial year, but manageable within the next year.
Major:
- Loss of or unplanned expenditure of > 10-20% of budget.
- Loss of 100K to 500K.
- Impact on budget with recovery over proceeding 2 or 3 financial years.
Catastrophic:
- Loss of or unplanned expenditure of > 20% of budget.
- Loss of 500K or more.
- Impact on budget with recovery over proceeding 3 or more financial years.

Health and Safety
Examples: injuries and illness to staff, contractors and the public, such as exposure to chemicals, vehicles, falls, and other workplace hazards.
Negligible:
- Report Only – minor incidents where no injury was sustained.
Minor:
- Injury or illness where First Aid treatment is required (can be administered by a GP, First Aider or co-worker).
Moderate:
- Injury or illness requiring treatment by a medical practitioner (MTI).
Major:
- Injury or illness requiring treatment by a medical practitioner or hospitalisation, AND where a full work shift or more is lost (LTI).
- Any Notifiable Event to the WHS/ESO Regulator.
Catastrophic:
- Permanent disability.
- Long term hospitalisation.
- Life threatening event / Death.

Politics, Leadership and Governance
Examples: political influence, governance, management, complaints, auditing, performance, accountability, service level agreements, strategic and operational planning, compliance with legislation, regulations, directives, delegations, policies, local laws, code of conduct, procedures, councillors, governance staff etc.
Negligible:
- Internal political/leadership issues.
- Community is unconcerned.
- Effective governance and decision making.
- Positive working relationships with other levels of government.
Minor:
- Political or leadership issues result in community concern.
- Challenges identified with leadership/management.
- Decision making has potential to disrupt service delivery in 1 branch.
- Introduction of new legislation impacts service delivery in 1 branch.
- A “working” relationship exists between Council and other levels of government.
- Non-compliance is managed internally without penalties or prosecution.
Moderate:
- Political or leadership/management issues result in escalation of community concerns.
- Instability recognised in leadership/management.
- Decision making causes disruption to service delivery of 1 branch.
- Introduction of new legislation impacts service delivery of multiple Branches.
- Disagreement between Council and other levels of government.
- Non-compliance or policy failure is investigated (internally/externally) and is resolved without financial penalties or prosecution.
- Decision made re individual consequences.
Major:
- Political or leadership/management issues result in ongoing community concern.
- Ongoing challenges with leadership/management.
- Decision making has potential to disrupt service delivery in multiple branches.
- Introduction of new legislation impacts service delivery across Council.
- Ongoing disagreement between Council and other levels of government.
- Non-compliance requires formal, external investigation. High possibility of financial penalties and/or prosecution (individual/corporate).
- Decision made re individual suspension or termination.
Catastrophic:
- Ongoing political or leadership/management issues result in escalation of community concern for a sustained period of time.
- Ongoing instability in leadership and governance.
- Decision making causes disruption to service delivery across Council.
- Introduction of new legislation significantly impacts service delivery and capacity to ensure compliance across Council.
- Ongoing disagreement results in irreparable damage between Council and other levels of government.
- Formal, external investigation of non-compliance results in financial penalties and prosecution (individual or corporate), including imprisonment. Termination of individual.

Community Expectation
Examples: expectations, feedback, stakeholder engagement.
Negligible:
- Active stakeholder engagement.
- Community expectations known.
- Minimal local feedback.
Minor:
- Stakeholder engagement occurs.
- Community expectations not fully known or understood.
- Divergence between policy and public opinion identified.
Moderate:
- Unsuccessful stakeholder engagement.
- Community expectations are not fully known or understood.
- Escalating community concerns or complaints.
- Community campaigning may occur.
- Clear divergence between policy and public opinion.
Major:
- Stakeholder engagement fails.
- Community expectations are not known or understood.
- Escalating, ongoing community concerns or complaints.
- Active community campaigning.
- Major divergence between policy and public opinion.
Catastrophic:
- No stakeholder engagement.
- Loss of community support.
- Total divergence between policy and public opinion.

Reputation
Examples: media exposure, social media, political influences.
Negligible:
- Predominantly local publicity.
- Positive reputation maintained.
- Positive relationships with media stakeholders.
- Isolated social media communications.
Minor:
- Periodic, local, adverse publicity.
- Identified that service delivery may be impacted by media scrutiny.
- Reputation variances within the community.
- Positive relationships with media stakeholders maintained.
- May cause some social media or formal complaints (justified or unjustified).
Moderate:
- Increasing and broadening adverse publicity at local and state level.
- Service delivery may be impacted by media scrutiny.
- Damage to reputation within the community.
- Publicity may lead to an audit, inquiry, or other legal proceedings.
- Relationships with media stakeholders may be strained.
- Significant social media and / or formal complaints.
Major:
- Sustained, adverse publicity at local and state level.
- Media scrutiny impacts service delivery.
- Sustained reputation variances within the community.
- Ongoing exposure may lead to audit, inquiry, or legal proceedings.
- Impact of strained relationships with media stakeholders known.
- ‘Viral’ adverse social media coverage (e.g. hashtag on twitter).
Catastrophic:
- Sustained, adverse media attention at local, state and nation level.
- Possibility of worldwide media exposure.
- Media scrutiny adversely impacts service delivery.
- Sustained damage to reputation within the community.
- Irreparable damage to relationships with media stakeholders.
- Mass and extended adverse social media coverage.

Emergency and Disaster Response
Examples: pandemic, terrorism, environmental spills, hazardous
Negligible:
- No emergency or disaster response required by Council.
Minor:
- Emergency or disaster response required by Council results in disruption to service delivery of 1 branch for < 1 week or
Moderate:
- Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches
Major:
- Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches >
Catastrophic:
- Emergency or disaster response required by Council resulting in disruption to service delivery for multiple branches > MAO plus 1

Environment
Examples: environment, bushland, parks, creeks and waterways, wildlife habitat, preservation.
Negligible:
- Minor localised impact; one-off situation easily remedied.
Minor:
- Minor breach of policy or procedures.
- Minor environmental damage is immediately remediated with minimal resources.
Moderate:
- Moderate impact on the environment; no long term or irreversible damage.
- May incur cautionary notice or infringement notice.
Major:
- Severe impact requiring remedial action and review of processes to prevent reoccurrence.
- Penalties and / or direction or compliance order incurred.
Catastrophic:
- Long-term, large-scale damage to habitat or environment.
- Serious / repeated breach of legislation / licence conditions.
- Cancellation of licence and / or prosecution.


Effectiveness of Controls

Rating Description

1 Fully Effective (Prevents the risk from being realised)

2 Substantially Effective (Mostly prevents the risk from being realised)

3 Partially Effective (Sometimes prevents the risk from being realised)

4 Ineffective (Does not prevent the risk from being realised)

Likelihood Table

LIKELIHOOD | PROBABILITY | FREQUENCY | ANECDOTAL EXAMPLES AND/OR EXPOSURE
Almost certain | > 95% to 100% | Several times a week | Most people are strongly aware of the risk occurring on several occasions
Likely | > 70% to 95% | Monthly or several times a year | Several people have recollections of a similar event occurring several times over the years
Possible | > 30 – 70 % | Once every 1 - 2 years | Several people have recollections of a similar event occurring, but are not really sure where or when, and on more than one occasion
Unlikely | > 5% - 30% | Once every 2 – 5 years | Never heard of it, but it sounds like something that we know has happened elsewhere before
Rare | > 5% | Greater than every 5 years | Nobody has ever heard of it happening


Risk Matrix

Rows are LIKELIHOOD; columns are CONSEQUENCE RATINGS.

LIKELIHOOD       Negligible  Minor  Moderate  Major  Catastrophic
Almost certain   M7          H9     H6        E3     E1
Likely           M8          M5     H7        H4     E2
Possible         L3          M6     H8        H5     H1
Unlikely         L4          L1     M3        M1     H2
Rare             L5          L2     M4        M2     H3

Response

Columns: RISK RATING | ACTION REQUIRED | H&S RESPONSE and RISK OWNER

Green = Low (L: 1-5)
Action required: Risk may be managed by routine operations or procedures with ongoing monitoring.
H&S response and Risk Owner: Implement controls and undertake tasks.

Yellow = Medium (M: 1-8)
Action required: Risk is managed by routine operations with ongoing monitoring. A detailed action plan must be implemented and monitored to reduce the risk rating. Risk Owner authorises and approves further treatments.
H&S response and Risk Owner: Implement controls and additional treatments and undertake the task with approval from the Task/Site Supervisor.

Orange = High (H: 1-9)
Action required: Escalation is required to the Director, through the Manager, for further review and approval. A detailed action plan must be implemented and monitored to reduce the risk rating. Risk Owner* authorises and approves further treatments.
H&S response and Risk Owner: Approval from the Branch Manager is required before commencing the task.

Red = Extreme (E: 1-3)
Action required: Escalation is required to the CEO (Manager > Director > CEO) for further review and approval. The CEO may escalate to Council if required.
H&S response and Risk Owner: Do not commence the task. Escalation is required to the CEO (Branch Manager > Director > CEO) for approval.