As state governments put pressure on councils to integrate risk management into overarching strategic planning and reporting frameworks, the question of HOW to integrate risk is top of mind. To answer that question, we unpack risk management and show how one innovative council is tackling the challenge.
In any business, uncertainty is constant. From economic fluctuations to technological advancements and don’t we all know it—global pandemics, organisations of all kinds face an array of risks and opportunities that can significantly impact their operations, finances, and reputation. In turn, this can have dramatic effects on the achievement of strategic and operational goals.
In navigating this uncertain and extraordinarily complex landscape, one indispensable tool stands out in an organisation’s arsenal: the risk register. This tool serves as a comprehensive inventory of potential risks, their likelihood, impact, and mitigation strategies. However, merely creating a risk register is not enough. Just like an organisation’s annual or long-term business plan, the real value lies in actively managing it and ensuring visibility and informed decision-making through regular tracking and reporting.
Herein lies the headache for many councils. Exactly HOW do you do that, and how can you gain visibility over the impacts of your risks on your strategic and operational goals?
Let’s take a closer look…
Identify and assess your risks, then factor them into your plans
Beyond mere identification, a risk register fosters a proactive approach to mitigation and action planning by providing organisations with a structured framework to systematically evaluate and assess each risk. In doing so, organisations can outline specific action plans, assign responsibilities, and then focus their efforts and resources effectively to pre-emptively address these potential threats.
Akin to this process, constructing a well-designed and robust business plan also deploys the same proactive approach and utilises a similarly structured framework for prioritising focus and organisational resources towards future-planned goals and activities.
Sounds all nice and logical at this point, doesn’t it?
Fast-forward into the proverbial future and many organisations face scrutiny at the realisation that crucial risk mitigation actions that should have been implemented were overlooked or forgotten about, deprioritised, and that once perceived threat has now elevated, or worse, manifested. At best, the organisation is red-carded by its Audit, Risk, and Improvement Committee (ARIC) and advised to “do better.” At worst, by the time this happens, organisational progress is likely already being hampered by the effects.
Sound familiar?
If you are in this boat, you’re not alone. This is a common struggle that many organisations are facing currently, and it is a pitfall many fall victim to when developing risk plans in isolation from key business plans. Decentralised, all best intentions and efforts are undermined, as mitigation actions are not clearly visible or aligned with other planned/budgeted activities—this can lead to neglect, unnecessary duplication, reporting fatigue, or contradicting efforts against other budgeted priorities.
This doesn’t have to be the way. To demonstrate, I want to introduce a small but rather mighty council that is leading the way. Eagerly led by General Manager (Andrew Roach), Norfolk Island Regional Council (NIRC) is utilising the collective power of their Integrated Planning and Reporting Software Suite (Envisio) to gain increased visibility of their risks and align mitigation actions into their Strategic and Operational Plans.
“At the end of the day, visibility and meaningful data is the key to effective decision-making. By documenting our risks and their corresponding control measures and then aligning these into our Delivery and Operational planning efforts, we are not only demonstrating our commitment to transparency and accountability, but we are far more likely to be successful in our efforts to accomplish them as we can factor these into our resource and budgetary commitments.” Andrew Roach, NIRC
Strengthening Compliance and Governance: The Impending Changes for NSW and Norfolk Island’s Response
In today's regulatory landscape, compliance is non-negotiable. Risk registers play a pivotal role in ensuring adherence to industry regulations and governance standards. In NSW, the Office of Local Government has introduced a renewed focus on integrating risk management into the integrated planning landscape, coming into effect on 1 July 2024. As part of this, there will be additional expectations for councils to demonstrate how they are aligning their risk management efforts into their operational activities (cue the collective gulp).
By taking advantage of the centralisation and multi-linkage capabilities of Envisio to streamline progress reporting, Norfolk Island will be setting the standard for demonstrating their commitment to these new guidelines. Through regular tracking and reporting against this information, their management team will have timely insights into emerging issues and a better understanding of areas needing attention and the potential flow-on impacts to the achievement of key strategic goals or initiatives.
“Armed with such information, our managers can then make informed choices regarding their priorities and resource allocation, which is a game changer for us." - Paul Martin, Corporate and Finance Manager, NIRC
Enhancing Stakeholder Confidence and Trust
It is no secret that we all have deeply entrenched in our intuitive psyche that trust must be earned, and in a government context, it is hugely evident that “government moves at the speed of trust."
"Government moves at the speed of trust." Mike Bell, CEO, Envisio
Therefore, in an interconnected world with information readily available at our fingertips, the ability to proactively manage and share information both internally and externally through transparent tracking and reporting platforms like Envisio can significantly increase confidence and foster trust amongst stakeholders, which is critical for strategic progress.
Norfolk Island’s Audit and Risk Improvement Committee (ARIC) are provided access to a suite of interactive reports and dashboards produced from Envisio highlighting Council’s progress toward its strategic and operational risks.
A comment made by a current standing ARIC Committee Member for Norfolk Island, Gary Mottau, expressed,
“The control environment adopted by management needs to provide of existence throughout the reporting period. Mere attestation is not enough. ARIC members seek evidence that risk management information is assessed accurately and completely. The risk register should therefore be consistent with all other IP&R documents as the "single source of truth. The strength of Envisio to both provide this single-source-of-truth, but also enable Council to integrate its risk management activities into its existing Delivery Plan efforts is setting a new standard in delivering this evidence. The confidence we now have as ARIC members has substantially increased as a result. Anecdotally, there is no other Council I am aware of producing information in such a transparent and interactive way to their ARIC committees.”
As many organisations head into the deep waters of their Operational Planning for the upcoming financial year and QLD councils welcome freshly elected members and Mayors, let this be a poignant reminder to consider how you might be incorporating your mitigation strategies into your business activities.
A well-maintained risk register integrated into your Strategic and Operational Plans will serve as a cornerstone of effective organisational planning and strategic achievement. However, to derive maximum value from this process, it is also crucial to ensure visibility through regular tracking and reporting. By doing so, your organisation will not only enhance its resilience but also foster trust, promote compliance, and empower informed decision-making to make more efficient strides toward community goals.
In today's fast-paced environment, the ability to manage these two worlds effectively is not just a prudent practice – it is a strategic imperative.