Risk Management – Embedding the process at the operational level
Published on 27 March 2026
By David Royston-Jennings | Regional Risk & Resilience Coordinator
In an era marked by rapid change and uncertainty, local governments face a myriad of challenges that can impact their ability to serve their communities effectively. From natural disasters and public health crises, to financial constraints and cybersecurity threats, the need for robust risk management practices has never been more critical. Embedding risk management at the operational level is essential for local governments to enhance resilience, improve decision-making, and ensure the sustainability of core services the community expects.
As the external environment Queensland councils operate within continuously changes, so too does the amount of risk councils must manage to deliver services to their community. This ever-changing landscape presents both challenges and opportunities for local government. By proactively identifying and managing these risks, councils can enhance their resilience and exercise caution with innovative approaches to providing services more efficiently.
Defining operational risk
Surprise, surprise. Just as the relevant Standard does not provide a definition for strategic risk, operational risk is not explained either.
Personally, in a local government context, I put forward the following definition:
Operational risks are those which may impact upon the Council administration's ability to safely and sustainably deliver services, and achieve activities associated with individual business units. These risks relate to the effective and efficient use of Council’s resources and may have an impact on the day-to-day operations of the council.
In keeping with its legislative requirements (which we will return to), the objective of operational risk management in a Queensland Council context is therefore to ensure that a council keeps a written record of the risks its operations are exposed to and the control measures adopted to manage those risks, such that Council is able to:
- Sustain and enhance operational performance;
- Increase positive outcomes and advantage whilst reducing negative surprises;
- Reduce performance variability;
- Improve resource deployment based on an understanding of overall resource needs, priorities and existing allocations; and
- Enhance enterprise resilience, particularly as the pace of change accelerates and the complexity of the operational environment increases.
The importance of operational risk management
Whilst it does not include a definition, the Local Government Regulation 2012 does at least refer to operational risk and imposes some legislative requirements on Queensland councils. This is indicative of the importance of operational risk management to the sector.
In short, councils are obligated to keep a written record of the risks their operations are exposed to (to the extent they are relevant to financial management), and the control measures adopted to manage these risks.
Additionally, a Council’s Operational Plan must state how the local government will manage operational risks. Councils typically include a few brief remarks outlining their overall approach to risk management to satisfy this legislative requirement.
Finally, a local government’s internal audit plan must include statements about the way in which operational risks have been evaluated, the most significant operational risks identified from an evaluation, and the control measures adopted (or to be adopted) to manage the most significant operational risks.
Beyond obligations under the local government legislation, managing risks at this level is essential for delivering effective and efficient services to the community. Operational risk management can have positive outcomes, such as increased efficiency, improved compliance, and protection of council assets. It can also increase resilience, preserve council’s reputation, reduce costs, reduce safety incidents, and ultimately improve community confidence in the organisation's ability to deliver services.
By contrast, not managing operational risks can lead to significant pitfalls, such as financial losses, reputational damage, regulatory consequences, inefficient resource allocation, public safety risks, service disruptions, employee morale issues, and disconnect with the community. In summary, failing to manage operational risks in a local government context can have far-reaching consequences that affect not only the organisation itself but also the community it serves.
Integrating risk management into council operations
Councils can consider operational risk management through two lenses, by organising their operational risk register either by function or by activity.
Organising an operational risk register by function means that the document provides a structured approach to identifying, assessing, and managing risks within different departmental areas of the organisation e.g. finance department, human resources department, information technology department, etc. Risks are categorised by each department, with the manager (or equivalent) of each area nominated as the owner for risks relevant to their respective aspect of council operations. In practice, this may look like an Excel spreadsheet with several tabs, one for each department or business unit at council.
Alternatively, categorising risks by activity in an operational risk register provides a detailed and comprehensive view of the risks associated with each specific task or process across the organisation. This can support the prioritisation of risks, better resource allocation, and operational resilience. For example, in a local government setting, activities such as procurement, revenue collection, information technology management, or emergency response may each have their own set of risks. By categorising risks by activity, it becomes easier to assess the potential impact and likelihood of risks occurring with each specific task.
My recommendation would be that at a minimum, Council has an operational risk register organised by activity. The LGMS Enterprise Risk Management guide includes an appendix which contains a list of 20 common risks to the local government sector. This list is an ideal starting point for any council to utilise as an operational risk register. After an initial assessment of these risks, Councils' leadership teams could continuously check in on and update their status monthly. This would go a long way in improving your organisation's operational risk management.
For larger councils, and councils with more robust and resourced risk management systems already in place, I would encourage operational risks to be managed by both activity and function. There are operational activities which can have widespread impacts across the organisation, which I believe should be documented in an operational risk register organised by activity and monitored by the CEO and their leadership team.
However, there are also granular risks to each area of council operations which can be managed at a lower level by an approach organised by function. Managing risk at this lower level would inform the operational risk register organised by activity. For example, an operational risk register organised by activity may include the risk that Council has inefficient or ineffective governance. A further risk register maintained by the governance department may include risks specific to services this area is responsible for, which may include:
1. Risk that Right to Information requests are not processed in time
2. Risk that Administrative Action Complaints are not managed within legislative parameters
3. Risk that Council’s delegation register is non-compliant
4. Risk that a Council policy is overdue for review
This approach allows greater oversight and ownership of risk across all council operations and increases the organisation’s ability to manage all risks effectively.
Embedding risk management at the operational level of local governments is not just best practice, it is a necessity in today’s complex and unpredictable environment. By establishing a robust risk management framework, conducting regular assessments, and fostering a culture of risk awareness, local governments can enhance their resilience, improve decision-making, and build stronger relationships with their communities.
The benefits of effective risk management extend beyond mere compliance. They contribute to the overall sustainability and effectiveness of local governance, ultimately leading to safer, more vibrant communities. As local governments continue to navigate the challenges of the 21st century, a proactive approach to risk management will be essential for their success.