Risk Management - Embedding the process into council culture
Published on 03 March 2026
By David Royston-Jennings | Regional Risk & Resilience Coordinator
In my experience, this is the hardest part of implementing any process at council.
We’ve all been there before, right? Striving for change through facilitated workshops, cross-departmental collaboration on draft documents, navigating relationships across middle-management and executive leadership, then ultimately getting a council resolution confirming adoption of policies and processes which will change the way we do business for the better.
And then we’re on to the next problem policy overdue for review, or an administrative action complaint which somehow requires a response in 3 days even though it only just came across your desk yesterday (note: it only feels like yesterday, it’s actually been a week already but you’ve not had chance to get there yet). Then somehow, it’s a month later and you have long since forgotten about risk management because the new shiny framework has been adopted, which means it’s all happening, right? Mission accomplished, right? Wrong.
We’ve been so busy getting on to the next important thing that we didn’t ensure the last important thing was really embedded into the organisation. And when it comes to risk management, the most frustrating part is enduring the irony of realising that if you were able to embed the process better and manage risk more effectively, the other fires you’re busy trying to put out might not have popped up in the first place. Instead, you’re busy firefighting, watching your risk management framework collecting dust on the metaphorical shelf instead of bringing it to life.
Why it’s important
Embedding risk management into the culture of an organisation requires integrating it into all aspects of the business and having leaders who expect and demand risk to be managed efficiently, effectively and consistently, to enhance resilience, improve service delivery, and build greater trust with the community.
The reality is, it doesn’t take much as a council to tick the legislative compliance box when it comes to risk management. Local governments in Queensland must keep a written record stating the risks their operations are exposed to (and the extent they are relevant to financial management) and any control measures adopted to manage those risks (LGR 2012 s164).
However, to do the bare minimum in this regard would be folly for your council.
Striving to secure a risk management culture throughout your council will ultimately enhance decision-making and improve resilience. If done well, it will reduce the chance of negative surprises, and increase opportunities for improvement. Your council is more likely to succeed in delivering services and achieving its strategic direction if risk is managed robustly, so it is in your interest to ensure that it is embedded into the organisation’s culture.
How to do it
Initially, you should try to get an understanding of the current culture in relation to risk. Do people know what risk management is? Do they care? Council can conduct a risk culture self-assessment to review and consider if the existing culture is capable of facilitating open and objective risk management dialogue.
Key questions to consider asking employees in relation to risk management include:
- Do you understand the types of risks that could impact our council?
- How confident are you in identifying risks in your daily work?
- Are risk management policies and procedures clear and accessible to you?
- Does the Executive Leadership Team demonstrate a commitment to managing risk?
- How often does the Executive Leadership Team communicate about risk and its importance?
- Do you feel supported by management when raising risk concerns?
- Is there an open environment where employees can report risks or mistakes without fear of blame?
- How effective are the channels for reporting risks or incidents?
- Are risk-related issues discussed openly in team meetings?
- Is risk management integrated into your daily tasks and decision-making processes?
- Do you receive adequate training to manage risks relevant to your role?
- Are risk considerations part of project planning and execution?
- Are roles and responsibilities for managing risk clearly defined?
- Do you feel personally accountable for managing risks in your work?
- Is there a clear process for escalating risk issues?
- Does the organisation learn from past risk events or near misses?
- Are improvements made based on risk assessments and feedback?
- How often is risk management performance reviewed and improved?
- Do you understand council’s risk appetite and tolerance levels?
- Are you encouraged to take appropriate risks to achieve objectives?
- Is there clarity on what types of risks are acceptable or unacceptable?
With responses to such a survey, you will be able to tailor your approach for supporting the embedding of risk management throughout your council.
Practical examples you may consider introducing if they are not already in place include:
Induction Training
As part of their induction to the organisation, new council employees should be provided with initial training on the organisation’s risk management policy and framework which is proportionate to their role and responsibilities.
At a minimum, the induction training should provide new employees with the following:
- A general understanding of the principles and benefits of risk management;
- Practical guidance in undertaking and documenting the risk assessment process, using council's adopted risk assessment and evaluation criteria, tools, templates and systems; and
- An understanding of council’s risk appetite and actions required to effectively consider risk management options.
Refresher Training
All Council employees could be invited to participate in annual training to ensure their understanding of the risk management policy and framework, which is proportionate to their role and responsibilities.
Information Sharing
Reports, resources and other information sources which support or enhance council’s approach to managing risk should be shared internally to encourage employees’ understanding and awareness of risk management and risks which may impact the organisation.
The person responsible for facilitating the risk management process should ensure they receive reports and updates from relevant agencies, such as the Queensland Audit Office, and review material on broader risk trends from external sources (e.g. the JLT Public Sector Risk Report and World Economic Forum Global Risk Report).
Throughout the year there is a series of significant days and events, such as the International Day for Disaster Risk Reduction and the International Anti-Corruption Day, which should be celebrated internally and leveraged to highlight how council manages risk.
Risk Management Award
Councils often celebrate and recognise achievements internally to acknowledge when employees have gone above and beyond in their role. An award could be introduced to celebrate an employee or team which has utilised risk management to achieve an accomplishment of significance to the Council and/or the community.
Conclusion
One of the key observations I have made working in local government in Queensland for the last 7 years is this: processes do not outlast people.
What I mean by this is, despite having Council adoption, executive approval and middle-management agreeing to do their part, enterprise-wide processes can fall apart when the person driving them leaves an organisation. For regional, rural and remote councils, this is often crippling, as it can take several months to find someone new. And even then, when someone else finally gets their feet under the desk, more often than not it triggers a reset of the entire process, and we start from square one again.
This happens far too often for risk management.
However, if more is done to establish a positive and clear risk culture, then any council can maintain its process for managing risk – even in troubling times, which is when you need it most.
For Queensland councils, embedding risk management into the culture is a strategic imperative that enhances governance, operational effectiveness, and community trust. By fostering a risk-aware culture, councils can better anticipate challenges, seize opportunities, and deliver sustainable outcomes for their communities.