While the Australian Stock Exchange’s principles of good corporate governance are receiving a mixed reception, there are simple solutions. Ken Muir outlines his approach to ASX Principle 7 self assessment for directors and senior management.
There are numerous and expensive ways of assessing risks. Often the task of assessing risks across an enterprise or a diverse range of key activities is so great that risk managers are obliged either to promote principles and let the managers manage, or to employ expert consultants to identify and assess risks.
Too often we struggle with applying principles in a practical format, and the promotion of principles is viewed as yet another layer of bureaucracy and interference with management roles. “I’ve been managing this for years and nothing has gone wrong! I know what I’m doing and how I should do it!” Using consultants has merit, but its value can be eroded by cost, by the lack of will to act on the findings (which is directly related to ownership of the process) and by the ability to monitor improvements in the future.
In 2000 Penrith Council, in conjunction with 14 other local councils, developed a risk profile survey that would form the basis of operational risk assessments. Hastam RiskChase software was used as the development tool to cover a wide range of activities. The profile was aimed at highlighting best practice and benchmarking risk management systems between sections, departments, business units and councils. Profile results were to be used to develop risk management improvement plans and to monitor progress. Monitoring progress was to be achieved by random samples by peers or internal auditors and by analysing the results of repeating the profile surveys at a later date.
In short, the operational profiling tells us where we are, helps assess our controls, allows for development as a low-cost process and helps promote risk management through participation in the process of identifying and risk-rating gaps and building improvement plans. Repeating the profiling process becomes part of continuous improvement.
The style of the profile survey was affected by the various structural configurations of councils. Some participants were initially discouraged by the bulk of the profile survey. Perhaps the scope of the project was too large, but the prospect of setting a platform for ERM and internal and external benchmarking has been a catalyst for further development.
Penrith sees risk management as integral to its traditional method of management for the whole of council activities. It views “integrated risk management as a series of systems and processes within an organisation that allows functionality of individual service areas to achieve their goals and objectives within an integrated systems approach, where the synergies of the service areas contribute to the growth of the business and no activities of any business unit undermine the stability and potential growth of the whole organisation”. Penrith continued with the operational risk self-assessment program and there is evidence of improvements in various departments and at various levels within departments. The program continues to gain momentum and a new enterprise-wide activity risk and resource assessment program is under development.
To improve acceptance of the operational profiling process, two abridged versions, called risk management ratings, were developed as an introduction to the self-assessment process. One version related to asset management and the other to governance and risk management.
The risk management ratings are protected spreadsheets intended to be used as simple tools to identify gaps in management systems. Participants complete a series of questions on a spreadsheet and are immediately scored against best practice. Advantages of this introductory method are that there is no monitoring of results and the self-assessment can be performed on most PCs using standard software. The participants can see how they rate in the specific areas and respond accordingly (a ‘heal yourself’ approach).
The asset management self-assessment has been posted on the websites of Standards Australia and the National Asset Management Strategy (nams.au) Committee of IPWEA.
The governance and risk management rating was demonstrated through Benchmarking Australia and some shortcomings were noted. The advent of ASX Principle 7, the Group 100 Guideline to Compliance with ASX Principle 7 Recognise and Manage Risk, and the NSW Local Government Governance Health Check contributed to the overdue revision of the self-assessment rating. The result is a Risk Management & Governance Self Assessment for Directors & Senior Management. The self-assessment tool comprises two worksheets.
• Sheet 1: Respondents consider their comfort zone, on a scale of one to five, while endorsing the following statement in the annual report: “The integrity of the organisation's operation is founded on a system of risk management and internal compliance and control which implements the policies of the organisation and the risk management, and internal control and compliance systems are operating effectively and efficiently in all material respects”
• Sheet 2: This sheet is aimed at substantiating the “gut” feeling response on sheet 1. The 24 questions relate to best practices, and the cumulative (validation) scores are compared with the initial response (the blue boxes).
As the self-assessment tool is on a commonly available platform, organisations can readily apply the self-assessment across their enterprise. All directors and senior managers can be encouraged to consider the status of risk management by identifying areas of possible concern and through drilling down to seek assurance that healthy risk management programs are operating within their areas of responsibility.
Completing self-assessment and responding to improve scores is a step towards improved risk management and better governance.
Ken Muir is risk management coordinator at Penrith City Council.
For more information on the self-assessment system contact him at kmuir@penrithcity.nsw.gov.au