
A journey in risk management

The City of Rockingham in Western Australia boasts a robust risk management system, but it wasn’t so easy to introduce.

In 2012, the City made plans to introduce risk management across the organisation. The process was done by the book: a working group was established; council and executive policies were adopted; a full-time position was created; internally and externally facilitated training was organised; and numerous risks were entered into the database.

Quarterly risks were reported to the executive and management, and risk was reported in the council agenda.  

But not long after the process was launched, it hit stormy waters. There seemed to be a lack of ownership at all levels of the organisation. Many staff members did not consider risk at all, and the overall quality of reported risks was poor.

A survey to gauge the success of the rollout clearly showed it was not working. Some of the comments included: “There isn’t a culture of managing risk – it’s a box you tick”; “Too technical, too complicated, too long winded”; “It’s not relevant and is a waste of time – I have better things to do”.

Clearly there were holes in the process that needed to be plugged, quickly, or the entire risk management program was going to sink without a trace.

The journey was put on hold so the process could be stripped back to basics by the chief executive officer and the executive group.

The core issues underlying the poor acceptance of the rollout were identified as:

  • no risk culture
  • lack of leadership and ownership
  • complexity of the process.

The solution was to develop a process “designed by the City for the City”, with the Executive and Management taking direct responsibility. Some drastic actions were taken. A complete overhaul of the process was instigated, meaning:

  • Branding was adopted to make the process appealing, simple and fun, using the City’s well-established and popular branding element – CORi the Pelican.
  • Tools were simplified, including a risk-rating calculator with automated alerts.
  • Council and executive policies were re-drafted and adopted.
  • Directors were made responsible for strategic risks.
  • Managers were made responsible for operational risks.
  • Training was made compulsory for all Level 5 Officers and above.
  • Internal Auditor reviews were introduced to identify risks and scrutinise controls.

Now that this redesigned program has been launched, the City is confident it can maintain a robust, effective and fully integrated risk management system and is looking forward to smooth sailing ahead.
