On October 18, 2021, the Controller and Auditor General of New Zealand issued report entitled:” Our observations on local government risk management”. (1) The report is a follow up on a 2016 report “Reflections from our audits: Governance and accountability”. The 2016 report noted that risk management practices were needed in local government. The 2021 report is an in-depth examination of risk management practices of four councils: Auckland Council, Environment Canterbury Regional Council, Queenstown Lake District Council and Waipa District Council.

In addition, a survey was conducted of 63 councils. Of the 63 councils surveyed 55 said they had a risk management framework. Of the eight councils that did not have a framework, seven said that they were preparing one. This article discusses the report.

Municipal Risks

The report notes that municipalities face an increasingly volatile environment, with multifaceted risks. Consequently, municipalities were asked, in the survey, to identify their top five risks. The top two were natural hazards and asset management. Other risk identified include health and safety, impact of climate change, fraud, cyber-security, cost escalation, drinking water quality and changes in regulatory standards. Given these risks, the report encourages local governments to develop a risk management framework.

Risk Management

The report does not specify a particular risk management framework. However, it does identify core elements. Many of the element are consistent with ISO 31000. ISO 31000 is the basis of most of the risk management frameworks used by New Zealand local governments. The elements identified include:

1. A structure for governance or risk management, with defined levels of accountability and reporting mechanisms.
2. Processes are applied across a council to:
3. Identify, analyze, and evaluate risks and their significance.
4. Monitor and review risks to ensure that a council understands what could get in the way of achieving its strategic objectives.
5. Treat risks to ensure that these are being appropriately managed.
6. Ongoing monitoring and review of the risk management process to ensure that it remains effective, and councils continue to mature their risk management practices as planned.
7. The risk management framework should be tailored to the objectives of the council.

The council’s examined use a variety of techniques and tools to determine the level of risks. The Auckland Council provides an example of the techniques used.  They are:

1. Risk appetite statements, which are directive from the executive leadership team and endorsed by elected members.
2. Brainstorming sessions with experienced and knowledgeable staff.
3. Structured techniques (such as strengths, weaknesses, opportunities, and threats analysis; process mapping).
4. Annual strategic, council planning, budget, and risk identification workshops.
5. Quarterly reassessment of top and emerging risks with the senior leadership team and the audit and risk committee.

An import aspect of the risk management framework is the audit and risk committee.

Audit and Risk Committee

The Audit and Risk Committee needs to have a good handle on the organization’s objectives and the council’s key risk areas and the likelihood of their occurring.  Specifically, the committee can help the council by:

1. Reviewing the effectiveness of a council’s risk management framework, policies, processes, and controls.
2. Providing assurance that a council’s strategies are achieving the intended objectives.
3. Helping elected members test and challenge new ideas and business-as-usual operations so the council can meet its objective.

The Waipa District Council’s Audit Committee’s role is an example. The committee was appointed in 2015. An independent chairperson was appointed in 2019. The committee’s role includes:

1. Ensure that the Council’s risk management framework is current, comprehensive, and appropriate.
2. Assist the Council in determining its risk appetite.
3. Review the effectiveness of the Council’s risk management framework and internal controls.
4. Review risk management reporting quarterly.

Based on the review of specific council risk management practices and the survey results, the Auditor General makes a series of suggestions.

Auditor’s Suggestions

The suggestions include the following.

1. Assess the current level of risk management maturity and the level desired.
2. Formally document the risk management practices that staff and elected members are expected to adopt.
3. Integrate risk management into all council activities, particularly strategy-setting and decision-making practices.
4. Ensure that audit and risk committee is clear about its role in gaining assurance over the management of risk.
5. Regularly review risk management activities to determine progress and areas of improvement.
6. Make greater use of quantitative risk analysis or assessments to support relevant decision-making.

Observations

There are a few things worth noting about this report. First, it is presented to the Parliament by the Auditor General. While this report seems to carry no legal weight, it is intended to both encourage the Parliament to strengthen the risk management efforts in local governments and encourage local governments to do the same. Second, the stress of the Audit Committee’s role, coming from the Auditor General, is another indication the auditing profession sees Enterprise Risk Management (ERM) as an approach they should champion. Third, while recognizing that most local government are using ISO 31000 and suggesting many of its elements be used, it does not specifically recommend ISO 31000. This is unfortunate because there are many examples of its use by local government worldwide. I provide such examples in my book Enterprise Risk Management in Government: Implementing ISO 31000:2018. But equally important, there are lots of examples from its Australian neighbor. Fourth, risk maturity is mentioned numerous times, but no mention is made of the use of a model. This is unfortunate because Comcover, in Australia, has a well-developed risk maturity model which could be used in whole or part. Lastly, for those interested in ERM in government it provides numerous examples from New Zealand local governments. It also shows that ERM is considered a useful approach for improving government’s performance.

Endnotes

1. Controller/Auditor General, 2021, Our observations on local government risk management practices, October 18, https://org.parliament.nz/2021/risk-management/cdocs/summary-risk-management .pdf (On the summary page is a link to the full report.)

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager.  He has work for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality and risk management. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon.  He is the principle of JK Consulting. He can be contacted on LinkedIn or jamesjk1236@outlook.com