Local Government Magazine
Risk Management

Working with risk & audit committees

Risky_business_How_to_work_with_risk_and_audit_committees

Rotorua Lakes Council COO Dave Foster has built a list of tools for officers wanting to improve their working relationship with their council’s risk and audit committee.

Dave Foster is no newcomer to the working ways of local government. Already embedded in the sector prior to the 1989 reforms, his career has since spanned councils in Whanganui, Palmerston North and Manukau, and stints with the Office of the Auditor-General and Auckland Transport. He moved to Rotorua Lakes Council in 2013 first as CFO before shifting to his current role as its COO.

All of which is a long way around saying Dave Foster knows his onions and has over the years built up a solid bank of evidence-based insights into how officers and elected members can best work together to manage risk.

He was a guest speaker at the SOLGM Risk Management Forum in Wellington recently. In a one-on-one interview, he also shares some of his ideas here with Local Government Magazine.

Cutting straight to the point, Dave says his “toolkit” of advice can be boiled down into five simple ideas.

1 Develop really strong relationships with both the external member and the chair of the risk and audit committee. An external member typically brings “cold eyes” and has significant sway at the table. Their independent stance enables them to think non-politically and take a wider view.

Good relationships can help steer elements through the agenda and provide a sense of what people see as the hot points so you’re not constantly reacting.

2 KIS. Produce a simple one-page document – maybe on an A3 page – and keep pulling discussions and actions back to that. On that document, list risks in categories and the ideas of how you’re going to deal with them.

“Organisations often identify too many risks,” says Dave, who has worked for a local body that had 1500 risks on its registers when he arrived.

“I had somebody break them down and found they typically fit into seven to 10 categories,” he says. “And within that they typically have seven to 10 causes.

“You might, for example, have the category ‘we don’t have enough staff to do the job’. That can be caused by a virus or an earthquake, for instance. You don’t want to get to the stage where you’ve listed 100 times that you’ve got a high level of risk within each department – all with 
multiple causes.”

3 Put like with like. Manage your programmes and works into categories. “You’re going to do internal audit work, so categorise your risks so you get similar things together,” says Dave. “You want your risk and audit programme to be categorised into logical programmes such as revenue, H&S or assets. Then match them back to your risks.”

Then within that ensure your programme reflects where your local authority’s risk lies.

“So you may not do a high level of audit work on parking infringements because parking revenue may represent, say, just 0.5 percent of your revenue,” says Dave. “But you should, every year, do a risk analysis and an internal audit of your rate setting processes because that could represent, say, 55 percent of your total revenue. And if you get it wrong you’re going to get it horribly wrong.”

That’s not to say you wouldn’t do parking, says Dave. “But you maybe wouldn’t do work across the board on parking every year.

“You need to understand your organisation’s high-pressure points.”

4 Keep an ongoing list of the issues and the to-dos. The worst thing is to say you’re going to do something and then not do it.

5 Reuse items and ideas that are commonly on the agenda. Rather than producing a fresh report from scratch every month, aim to provide an ongoing update on your risk and audit programme.

Develop a template outlining the programme and progress against it. Then simply update it for changes. That way, your executive team and your risk and audit committee members don’t come in cold every time they have a meeting.

Dave notes that, unlike many other committees, risk and management groups do not usually meet every month. Typically they meet about four times a year.

For such committees, it’s not about frequency. It’s about the depth of the thinking, he says. So make sure when you’re looking at issues you’re doing it well and in depth.


In an ideal world

Counter-intuitively, perhaps, Dave Foster says risk and audit committee members do not necessarily need to have huge expertise in risk management – although officers certainly do.

According to Dave, who is COO at Rotorua Lakes Council, it is vital that committee members have “a level of nous” that enables them to perform their role on the committee well.

Legal, financial, business and political skills, plus an understanding of occupational health and safety would be useful, he says. So, too, would knowledge of contracting and construction.

“They may not be a contractor or a constructor but someone who knows that contracts and big construction works come with a set of risks,” he says.

People with legal skills can always be engaged separately as necessary.

Pitfalls

Many officers make the mistake of seeing their council’s risk and audit committee primarily as a group reviewing their work – while in reality a good committee is there to enable and support them. So says Rotorua Lakes Council COO Dave Foster who adds that officers often undervalue the benefit to themselves of a risk and audit committee.

“So many CFOs fight an internal audit committee. They see it as them being accountable to the committee.”

This mindset, he says, can be changed as trust is built.

“The interesting thing is the risks have been identified by the executive, anyway, not by the council.”

The flipside of risk

What do you get when officers and risk and audit committee members form a great relationship and back it up with great programmes? The answer is trust, says Rotorua Lakes Council COO Dave Foster.

“Small successes build momentum. Momentum builds trust and trust builds speed.”

He adds that it’s necessary for any incoming new councillors to understand the implications of risk management.

“That’s huge. But my personal view is that risk is two-sided and it’s important for everybody to understand there’s a risk of action but inaction holds the reverse risk of action.

“People need to build up a balanced picture and understand risk isn’t just one sided. A risk not taken is an opportunity forgone.”


This article was first published in the April 2016 issue of NZ Local Government Magazine.

Subscribe to Local Government Magazine >>


Related posts

Will nationwide risk management work?

Ruth LePla

Alpha Bravo Charlie: Ten miles north, intend landing

Ruth LePla

Smart solutions – Earthquakes

Jonathan Whittaker