Part 4: Clear governance and management roles and responsibilities

Our observations on local government risk management practices.

4.1
Councils should have a structure for how they govern and manage risk, with defined levels of accountability. Roles and responsibilities for the governance and management of risk are often split between different individuals and teams. Therefore, it is vital that these roles and responsibilities are documented and understood. This includes the roles and responsibilities of elected members and audit and risk committees.

4.2
Collectively, elected members are responsible for setting the risk management tone and objectives for their council. They are also responsible for overseeing the council's strategic, financial, operational, and reputational risks. This is because elected members are ultimately accountable to the public for their council's performance.

4.3
Audit and risk committees can support elected members in risk management. However, there should be clear lines of communication between the audit and risk committee and the elected members about risk management.

Audit and risk committees' important role in risk assurance

4.4
Audit and risk committees could be better thought of as risk and assurance committees. Their focus should be on risk, and their purpose should be to provide assurance to elected members that their council is managing risk well.

4.5
Risk is the effect of uncertainty on achieving an organisation's objectives. Therefore, it is important that audit and risk committees have a good understanding of what their council is trying to achieve now and in the long term. Audit and risk committees should also understand the council's key risk areas, including the likelihood of those risks occurring and the consequences if they do.

4.6
Audit and risk committees can help a council by:

  • reviewing the effectiveness of a council's risk management framework, policies, processes, and controls, which provides assurance to elected members that there are effective internal controls to manage risks and that the risk management framework is fit for purpose and used effectively;
  • providing assurance that a council's strategies are achieving their intended objectives;
  • helping elected members test and challenge new ideas and business-as-usual operations so that the council improves and meets its objectives; and
  • providing an opportunity for the chief executive or other senior managers to test ideas in a constructive forum.

4.7
In our view, each council should consider the appropriate functions and role of its audit and risk committee for risk management. Audit and risk committees should have the training and support they need to carry out their role.

4.8
We saw effective risk management in the four councils we looked at. The audit and risk committees of these councils had clear roles and the right experience and skillsets for the types of risks their councils face. The four councils' audit and risk committees all received updates from risk managers at each committee meeting.

4.9
The audit and risk committee chairpersons we spoke to noted that their council's processes have matured significantly. This was often demonstrated during the response to Covid-19, with audit and risk committees playing a critical role.

4.10
In Figure 7, we describe Waipā District Council's audit and risk committee's role in risk management.

Figure 7
Waipā District Council's audit and risk committee

We saw some good practice applied by Waipā District Council's audit and risk committee. The committee was established in September 2015, and an independent chairperson was appointed in December 2019. The committee is a sub-committee accountable to the elected members for the Council's risk management activities.

The committee's role in risk management is to:
  • ensure that the Council's risk management framework is current, comprehensive, and appropriate;
  • assist the Council in determining its risk appetite;
  • review the effectiveness of the Council's risk management framework and internal control systems; and
  • review risk management reporting quarterly.
The committee meets quarterly and is provided with a Quarterly Risk Management Report. The report provides an update on key insights; strategic, operational, and project risks; emerging risks; an update on the mitigation actions taken; internal audit activities; and how the implementation of the risk management strategy is progressing.

The main purpose of the quarterly reports is to provide a basis for discussion and start effective risk conversations.

The committee asks the following three questions to hold management to account:
  1. Are management happy with where risk management is at?
  2. If not, what do they need to do to respond to that risk?
  3. Does management have the support they need to respond to risk?
Standing items on the committee's agenda cover:

  • a "deep-dive" discussion on one of the Council's top risks (this is on a rotating basis, with the intent that each top risk is discussed once a year);
  • an organisational risk discussion with the Chief Executive; and
  • a group risk discussion with each of the group managers on a rotational basis that covers what is on the manager's work programme, what is on their upcoming work programme, and what "keeps them awake at night".
There are clear lines of communication between the committee and the full Council.

The Council reviews the performance and effectiveness of its audit and risk committee through an annual perceptions survey. All elected members and key staff members who work regularly with the committee complete this survey. The first survey was carried out soon after the committee was established and acts as a baseline. Subsequent survey results provide a long-term view of the committee's effectiveness.

Improving elected member confidence in risk management

4.11
Identifying, understanding, and managing risk is a core part of the role of elected members. Elected members should:

  • establish a tone at the top that promotes a risk-aware culture;
  • set the council's risk policy and approach;
  • be informed about risks and the measures that management is taking to manage significant risks; and
  • ensure that the council has appropriate processes for identifying, assessing, and responding to risks in keeping with its risk approach and that these processes are operating effectively.

4.12
We saw a need for councils to have a stronger focus on the role that elected members play in risk management. This includes ensuring that elected members are getting the training and support they need to carry out their risk management roles and responsibilities.

4.13
Elected members need to be able to make informed decisions about how to deliver their council's objectives that have been set in consultation with their community. They also need to understand the implications of these decisions.

4.14
This includes understanding the risks associated with progressing a proposed course of action and how their council is managing these risks. Elected members need to be able to test the information they receive from council staff and make well-informed decisions.

4.15
It is important that elected members understand the context in which they are making decisions on behalf of their community and the implications of the risk information staff provide to them.

4.16
Staff and elected members need to discuss risk and how it should be managed in a clear way. Good communication between elected members and management is essential to set risk management expectations, including roles and responsibilities and the council's risk appetite and risk tolerance levels.

Recommendation 2
We recommend that councils ensure that elected members get the training and support that they need to carry out their risk management roles and responsibilities.