RISK MANAGEMENT
IMPLEMENTATION PLAN
DOCUMENT INFORMATION
DOCUMENT TYPE: Strategic document
DOCUMENT STATUS: Approved
POLICY OWNER POSITION: Director Corporate
INTERNAL COMMITTEE ENDORSEMENT: Audit and Risk Committee
APPROVED BY: Council
DATE ADOPTED: 28/06/2022
VERSION NUMBER: 1
REVIEW DATE: 20/12/2022
DATE RESCINDED:
RELATED STRATEGIC DOCUMENTS, POLICIES OR PROCEDURES:
- Risk Management Framework
- Risk Management Implementation Plan
- Risk Management Procedure
- Risk Appetite Statement
- Occupational Health and Safety Policy
- ISO 31000:2018 Risk Management Guidelines
RELATED LEGISLATION:
- Local Government Act 2020
- Occupational Health and Safety Act 2004
- Occupational Health and Safety Regulations 2017
EVIDENCE OF APPROVAL: Signed by Chief Executive Officer
FILE LOCATION: K:\EXECUTIVE\Strategies policies and procedures\Strategies - adopted PDF and Word\STR Risk Management Implementation Plan v1.docx
Strategic documents are amended from time to time, therefore you should not rely on a
printed copy being the current version. Please consult the Loddon Shire website to ensure
that the version you are using is up to date.
This document is available in alternative formats (e.g. larger font) if requested.
CONTENTS
1 PURPOSE
2 BUDGET IMPLICATIONS
3 RISK ANALYSIS
4 INTRODUCTION
5 DESIRED STATE
6 ACTION PLAN
6.1 Risk management framework
6.2 Risk management process
6.3 Risk management culture
6.4 Other strategies to improve risk
7 REVIEW
1 PURPOSE
The purpose of this Risk Management Implementation Plan is to document a path to transition Council into enterprise risk management [1]. It should be acknowledged that the first iteration of this plan will be focussed on implementing the foundations on which risk management maturity can be built over time. For this reason, this plan will be reviewed annually to monitor completion of actions and to add new actions to further mature Council in risk management.
2 BUDGET IMPLICATIONS
It is not anticipated that additional budget will be required to implement the actions in this plan.
3 RISK ANALYSIS
This plan has been documented to provide a roadmap to increase risk management maturity within Council. Achieving this will help the organisation to manage its current risks, to recognise when risks are emerging, and to improve risk maturity to a level where risk management increases performance.
4 INTRODUCTION
In trying to achieve best practice in overall governance (which comprises governance, compliance and risk), Council, the Management Executive Group and Loddon Leaders must demonstrate a commitment to a culture of risk management in the organisation.
Council has developed a risk management system that includes a Risk Management Policy, Risk Management Framework, Risk Appetite Statement, Risk Management Procedure and this Risk Management Implementation Plan.
The system has been developed in line with ISO 31000:2018, the International Standard for risk management, which applies a best practice approach.
The five documents articulate:
- the objectives of the risk management system
- Council’s commitment to managing risk
- roles and responsibilities in risk management within the organisation
- a plan to increase the focus on risk management and ensure that Council’s governance framework provides risk reporting to the appropriate audiences.
It is acknowledged that risk management is being undertaken already in the organisation and that Council already has a focus on risk management through:
- general awareness and constant discussion across the organisation
- assessment of risk when prioritising projects and capital works
- an active Audit and Risk Committee
- embedded incident management practices.

[1] “ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (threats and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall”, https://en.wikipedia.org/wiki/Enterprise_risk_management, accessed 09/05/2022.
However, it is also acknowledged that Council currently does not operate under an enterprise risk management model, as:
- there are individual risk registers across the business that are not communicated across the organisation
- there are areas of the business without risk registers
- there appears to be a knowledge gap in formal risk management practices
- there is low awareness of the formal risk management tool available.
This Risk Management Implementation Plan should help to overcome the risk management deficiencies that exist, and start to increase the focus on risk management across the organisation.
5 DESIRED STATE
In order to identify the actions required to deliver best practice risk management, it is important to articulate and acknowledge what we are aiming to achieve, which for Council should include, but will not be limited to:
- a business intelligence tool that consolidates all risk registers into an enterprise risk register and provides the Audit and Risk Committee with consolidated reporting, such as an enterprise risk profile
- high level strategic reporting of key performance indicators and key risk indicators that provide trend analyses to identify any “red flags” related to trends of indicators
- an active and engaged Risk Management Committee of senior managers and other key stakeholders that monitors risks right across the organisation, regardless of the Committee members’ area of expertise and knowledge
- an agreed reporting structure that provides the Audit and Risk Committee with the right information at the right time to provide comfort that risk is being managed across the organisation
- assessment of emerging risks by the Risk Management Committee that are reported to the Audit and Risk Committee before being reported to the Council
- a culture where every decision is made from a risk-reward perspective assessing how each decision impacts delivery of the strategic objectives
- a fully integrated governance-risk-compliance (GRC) model where work in one area complements the other areas
- an environment where risk management becomes a seamless part of everyone’s work.
6 ACTION PLAN
The actions in the following tables have been identified as important to start the process of transitioning Council into an enterprise risk management environment. The initial actions are broken into the areas of:
- Risk management framework
- Risk management process
- Risk culture.
It is expected that best practice at the framework and process level will support a maturity in risk culture throughout the organisation.
In addition to risk specific actions, other actions that will facilitate better risk management, but are not specifically risk actions, have been included as “Other strategies to improve risk”.
6.1 Risk management framework
1F  Action: Review the Risk Management Policy to ensure it aligns with ISO 31000:2018 and the recent risk management internal audit report
    Evidence of completion: Policy approved by Council, after endorsement by the Audit and Risk Committee (A&R)
    Responsible officer: Director Corporate
    Target date: A&R: May 2022; Council: June 2022

2F  Action: Review the Risk Management Framework to ensure it aligns with ISO 31000:2018 and recommendations from the risk management internal audit report
    Evidence of completion: Framework approved by Council, after endorsement by the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: A&R: May 2022; Council: June 2022

3F  Action: Develop a Risk Management Procedure to assist risk owners in how to log and manage risks
    Evidence of completion: Procedure developed and approved by Management Executive Group
    Responsible officer: Director Corporate
    Target date: June 2022

4F  Action: Review the Terms of Reference of the Risk Management Committee to ensure the Committee’s work is focussed correctly
    Evidence of completion: Reviewed Terms of Reference approved by the Management Executive Group (MEG)
    Responsible officer: Director Corporate, in consultation with Loddon Leaders
    Target date: Loddon Leaders: May 2022; MEG: June 2022

5F  Action: Develop a Risk Appetite Statement
    Evidence of completion: Risk Appetite Statement approved by Council, after endorsement by the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: A&R: May 2022; Council: June 2022

6F  Action: Provide the Audit and Risk Committee with quarterly reports of the status of outstanding actions
    Evidence of completion: Standing agenda item on the Audit and Risk Committee agenda for the Outstanding Action Report
    Responsible officer: Director Corporate
    Target date: May 2022

7F  Action: Develop a reporting framework for risk management that is provided to the Management Executive Group
    Evidence of completion: Standing agenda item on the Management Executive Group agenda each quarter
    Responsible officer: Director Corporate
    Target date: September 2022

8F  Action: Develop a reporting framework for risk management that is provided to the Audit and Risk Committee
    Evidence of completion: Standing agenda item on the Audit and Risk Committee agenda each quarter
    Responsible officer: Director Corporate
    Target date: November 2022

9F  Action: Develop a compliance management framework in accordance with ISO 19600:2014 Compliance Management – Guidelines
    Evidence of completion: Framework approved by Council, after endorsement by the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: A&R: November 2022; Council: December 2022
6.2 Risk management process
1P  Action: Corporate documentation review to incorporate risk management (Council Report Template, Budget Bids, etc.)
    Evidence of completion: Review undertaken and recommendations provided to the Management Executive Group
    Responsible officer: Director Corporate
    Target date: December 2022

2P  Action: Facilitate training sessions for key stakeholders in the Risk Management Software
    Evidence of completion: Training undertaken
    Responsible officer: Governance Coordinator
    Target date: September 2022

3P  Action: Review the current risk register to confirm strategic risks, ensuring they are documented as true risk statements, and have been assessed and controls documented
    Evidence of completion: Register reviewed and provided to the Audit and Risk Committee prior to presentation to Council
    Responsible officer: Director Corporate
    Target date: A&R: May 2022; Council: June 2022

4P  Action: Review the current risk register to confirm current operational risks, ensuring they are documented as true risk statements, and have been assessed and controls documented
    Evidence of completion: Register reviewed and provided to the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: November 2022

5P  Action: Assess the current risk management software to understand whether it is fit for purpose, and if not, investigate other risk management software for consideration
    Evidence of completion: Report presented to the Risk Management Committee recommending current or new risk management software
    Responsible officer: Director Corporate
    Target date: March 2023

6P  Action: Assess the safety management system against ISO 45001:2018 Occupational health and safety management systems to identify gaps in safety risk governance and implement an action plan from identified gaps
    Evidence of completion: (a) Gap analysis reported to the Management Executive Group; (b) Action plan developed and reported to the Management Executive Group
    Responsible officer: Director Corporate
    Target date: (a) December 2022; (b) March 2023

7P  Action: Identify new and emerging risks for all areas of the business
    Evidence of completion: Standing agenda item for the Risk Management Committee meeting
    Responsible officer: Risk Management Committee members
    Target date: Progressive reports to the Risk Management Committee
6.3 Risk management culture
1C  Action: Source a risk management culture tool, and undertake a risk maturity assessment to measure the progress towards an enterprise risk management environment
    Note: This may not be achievable due to previous attempts to find a tool; however, further attempts will be made.
    Evidence of completion: Report provided to the Risk Management Committee; report provided to the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: November 2023

2C  Action: Undertake a risk maturity assessment to measure the progress towards an enterprise risk management environment
    Evidence of completion: Report provided to the Risk Management Committee; report provided to the Audit and Risk Committee
    Responsible officer: Director Corporate
    Target date: One year after initial assessment

3C  Action: Develop Key Risk Indicators, taking into consideration risk and reward for the business
    Evidence of completion: Key Risk Indicators embedded into Audit and Risk Committee reporting
    Responsible officer: Director Corporate
    Target date: November 2023
6.4 Other strategies to improve risk
1O  Action: Review the Strategic Document, Policy and Procedure Framework in accordance with AS/NZS ISO 9001:2016 Quality Management Systems – Requirements to ensure that all corporate documentation has strong document control and review processes
    Evidence of completion: Framework approved by the Management Executive Group
    Responsible officer: Director Corporate
    Target date: September 2023

2O  Action: Review the list of overdue documents, as per the Strategic Document, Policy and Procedure Framework, and progressively review all documents until they are up to date and current
    Evidence of completion: Number of overdue items reduces monthly
    Responsible officer: Director Corporate
    Target date: December 2022

3O  Action: Review and implement the project management framework
    Evidence of completion: Revised framework approved by the Management Executive Group
    Responsible officer: Chief Executive Officer
    Target date: December 2022
7 REVIEW
This plan will be reviewed six-monthly to monitor progress with current actions and to record any new actions that have been identified throughout the period.