Purpose:
To ensure that risk management forms part of ICMA’s internal control and corporate governance arrangements.
The detail of the risk management process to be adopted by ICMA, the governance responsibilities of Council and those of ICMA Management are included in the Risk Management framework document entitled ICMA Risk Management Framework.
Policy:
ICMA Council and senior management recognise risk management as an integral part of good management practice and an essential component of good governance. It is recognised that risk management creates and protects value, through contribution to the demonstrable achievement of objectives and improvement in organisational performance. It is recognised as an iterative process integral to all organisational processes which when undertaken enables continual improvement in strategic decision-making and innovation, as well as helping protect the organisation from adverse events.
ICMA is committed to implementation of a comprehensive risk management framework, which addresses in detail four fundamental activities:
- Governance and management responsibilities,
- Risk identification, analysis and assessment,
- Risk control/treatment,
- Performance monitoring and risk performance assurance
ICMA defines risk as the effect of uncertainty on objectives. Risk may have a positive or negative impact.
Risk management is the logical and systematic process of communicating, consulting, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. Risk management is effective if it reliably protects the organisation’s goals, and it is efficient if it does this at the lowest sustainable long-term cost.
Risk management within ICMA is based on the following principles:
- Risk is part of running any organisation and while not strongly risk averse, ICMA recognises the need to proactively identify and manage its risks.
- Risk Management is a governance issue, and a management
- Managers understand and accept their responsibilities to manage those aspects of risk that threaten the organisation’s goals, which fall within their areas of influence and
- Risk Management is embedded in the culture of the
- Risk identification and management is to be undertaken across all ICMA activities, including Regional Offices, subsidiaries and controlled entities, as circumstances reasonably dictate, as part of:
- Strategic Planning
- The Annual Planning Process
- Day-To-Day Operations
- Investment and Strategic Analysis
- Strategic Audits
- Programme and Project Management
The process used to identify and manage risk at ICMA will reflect AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines. Furthermore, ICMA will evaluate the effectiveness of risk controls in accordance with the COSO (Committee of Sponsoring Organisations) model.
Although all members of the ICMA community have a role to play in the identification and management of risk, risk management processes are primarily a line management responsibility since risk is inextricably linked with operational activity.
Therefore, managers must familiarise themselves with the Risk Management Framework and take proactive steps to identify and manage risk within their areas of influence and control. Managers must provide reports requested from time to time as part of the Risk Management Framework to the CEO, Council and the Finance, Audit and Risk Advisory Board (FARAB).
As part of the Risk Management Framework, Managers will prepare risk reports at least annually, and more often as required, using agreed templates. Reports will be prepared and forwarded on a ‘bottom up’ basis and contribute to the Performance Reporting for Council prepared by the CEO and members of the Senior Leadership Team.
Definitions:
Risk: effect of uncertainty on objectives
Risk management: coordinated activities to direct and control an organisation with regard to risk
Risk management framework: set of components that provides the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
Risk Owner: Person or entity with the accountability and authority to manage a risk
Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Risk assessment: overall process of risk identification, risk analysis and risk evaluation
Risk Treatment: Process to modify risk. Such treatments may also be known as “Risk Mitigation”, and can involve avoiding the risk, accepting the risk to pursue an opportunity, removing the source of risk, changing the likelihood or consequence, sharing risk, and/or retaining the risk by informed decision.
Risk Control: Measure that is modifying risk; and includes any process, policy, device, practice, or other actions which modify risk. However, the measures may not always exert the intended or assumed modifying effect.
Audience:
All staff
Relevant legislation:
None
Legal compliance:
None
Related procedures / documents:
AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines