Sections Making Up The Local Council

Published Date: 02 Nov 2017

1.0 Introduction

Upon analysing the National Audit Report 2011 (Appendix 2), it transpired that there is a lack of awareness about risk management within the Local Councils. For the purpose of this essay, further analysis was carried out in connection with risk management issues highlighted in the Ħad-Dingli Audit Report 2011 and also with the relevant sources that describe the process of risk management in the aforementioned Local Council. In this regard, one may suggest that there is still room for improving the economy, efficiency and effectiveness of the Ħad-Dingli Local Council. In real terms, what kind of message does Ħad Dingli Local Council transmit, and why should the risk management framework be of such importance to the Local Council and the respective stakeholders? It seems that part of the answer may be that, since the risks attributed to the non application of risk management systems are not insignificant, good practices in connection with Local Council risk management should be documented, communicated and implemented. On the other hand one must consider evaluating the cost effectiveness related to an efficient implementation of a risk management framework.

1.1 Background Information Regarding Ħad-Dingli Local Council

The organisation under review is one of the sixty eight (68) Local Councils in the Maltese Islands. The Council is composed of five elected members. The administration is made up of an Executive Secretary who is the executive, administrative and financial head of the Council and an Assistant Principal Officer. Given that the workload at the Council is rather high due to the projects and requests by the Locals, an employee of IPSL [1] was moved from performing manual duties to undertake office work.

The administrative personnel at the Local Councils are required to follow the directives issued by the Department for Local Government. The Council also have regulations and directives instituted by Government to ensure good governance. The Department for Local Government together with Local Councils form the executive pillar of democracy. To ensure the effectiveness of the checks and balances, the Local Councils’ roles are distinct and seperate i.e. the Executive Secretary part of the civil service, the Mayor as an elected member and also the Council members pertaining to different politcal and social groups. This enables the Council to obtain the highest levels of good governance. Political goals do not always move parallel with regulations and directives of the Department, thus control is needed.

1.2 Sections Making up the Local Council

Ħad-Dingli Local Council is made up of various sections mainly the Financial, Human Resources, Projects, Customer Care and Community Services. The financial aspect requires that the Council keeps financial records on an accrual basis, publish the named statements as per the Local Councils Act financial subsidiary legislation and maintain a fixed asset register. The quarterly financial reports should be presented every three months starting from January and the annual financial statements should be submitted till the 21st of February. The Council would also store inventory items like for example books, maps, lapelpins and other material to be sold or donated to the general public. Other responsabilities of the Council are the issuing of payments to creditors and the collection of dues from the respective debtors. All transactions are duly recorded by using an accounting package namely Sage Pastel.

The Human Resources aspect entails that the Council performs the processing of the employees payroll, the recording of attendance, vacation leave, sick leave and other special leave. From time to time the Council may accept requests to admit students to perform internships. The Council is obliged to keep records regarding the tasks assigned to the individuals employed with the Council. The Human resources section is also responsible to identify and address the employee training needs.

The Council is entrusted to perform various works so to embellish and ameliorate the infrastructure of the Locality. This implies projects financed by the allocation given by Central Government and grants which are obtained from the European Union. Such projects may entail road construction, pavements, recreational areas, heritage sites and non-urban infrastructure.

Community service is an important aspect of the Local Council since the Local community will directly benefit from various services like for example health services (influenza jab for all Local residents who are eligible according to the Health Department), cultural activities (Wirja Agrarja and Jum Ħad-Dingli ), sport activities including football tournaments, pilates lessons and infrastructure for cycling, notwithstanding also the development of educational activities including language, information communication technology (ICT) and art courses.

Customer Care is an aspect which is given great importance and therefore it is well catered for by the means of a system which was built in-house. This system is thoroughly implemented and is used to record complaints forwarded from the Local community. Each complaint is analysed and tackled according to the nature of the complaint; prioritization of cases according to the urgency. The Council serves as the focal point of the Local community with regards to suggestions and difficulties which are being encountered namely the heavy traffic passing through the village core which is a hotly debated current issue.

1.3 Data Gathering - Observation and Interviews

Considering the number of tasks associated with the day to day running of the Local Council’s administration, data collection was conducted by the means of observation, two group interviews and secondary data. For this reason triangulation has been used so as to affirm the answers obtained from three different points of view as discussed by Berg (2001, pp 4). The observation has been conducted by physically observing work processes and documentation on a weekly basis for three activities. The observation sessions started to take place from July till November 2012. The observation was performed by one person of our team so the employees would not feel uncomfortable. With this method we obtained invaluable insight of work practices.

The group interviews involved both the Councillors and Administration of the Local Council. We allotted 30 minutes to each group. Each group Ħad to answer some questions under three headings namely: Risk Management, Control Activities and Supervision Activities. Creswell and Boyd (pp. 65 & 113) as cited by Groenewald (2004, p. 11) stated that two to ten people would suffice to reach saturation; taking into consideration the quality of the data gathered. The participants were asked a number of predetermined questions. All discourse was undertaken in Maltese so that the arguments were clearly understood. In between questions, probing was performed, planned and spontaneous, to keep the conversation going. The participants were encouraged to freely express their thoughts and provide information that is considered to be subjectively important.

2.0 The Need for a Risk Management Guide

2.1 Defining Risk

As early as 1921, Frank Knight stated that there was little consensus about how to define risk. At that period discussions were divided between objective and subjective risk.

Knight (1921, pg3) wrote that: "uncertainty must be taken in a sense radically distinct from the familiar notion of risk from which it has never been separated. The essential fact is that risk means, in some cases, a quantity susceptible of measurement while other times it is something distinctly not of this character and there are far reaching and crucial difference in the bearing of the phenomena depending on which of the two is really present and operating. It will appear that a measurable uncertainty or proper risk, as we shall use the term, is so far different from an un-measurable one that it is not in effect an uncertainty at all."

Glyn Holton (2004, pg22) discussed that two factors are essential for risk to exist. The first is uncertainty about the potential outcomes and the other is that the outcomes have to matter in terms of providing utility. Furthermore, COSO (2004, App F) described risk as "the possibility that an event will occur and adversely affect the achievement of objectives".

The International Organisation for Standardisation (ISO) 31000 defines risk (2009, pg9) as the "effect of uncertainty on objectives". It also explains that an "effect" is a deviation from the original plan which may be either positive (opportunity) and/or negative (threat). The term "objective" is a wide statement which may refer to the whole spectrum of an organisation namely financial, health and safety and environmental goals. The term "risk" refers to possible events and consequences or a combination of the two and may be expressed in terms of the impact and likelihood associated with a potential event.

2.2 Why There is a Need for a Risk Management Framework

The Victorian Management Insurance Authority – VMIA (2010, pg18) explains that a risk management framework is a set of elements that provide the basis and organisational arrangements for designing, implementing, monitoring, reviewing and continuously improving risk management throughout the organisation. This should be entrenched with the organisation’s overall strategic and operational policies and practices. The framework may include plans, relationships, accountabilities, resources, processes and activities.

VMIA (2010, pg11) states that a risk management framework is crucial to ensure that organisations can perform on their commitment to the Local community. Thorough analysis over community service standards and the expenditure of public funds has required an increased emphasis on the design and implementation of strong risk management practices to facilitate Local Councils minimising risk in connection to their activities. A guide, particularly developed by the Department for the Local Government for all Local Councils, will uniformly formalise and build upon existing processes to improve the Councils’ accountability and transparency. The guide will also seek to provide a reference with regards to the use and application of laws and regulations from a Local Council wide perspective.

2.3 What is a Risk Management Framework

The main function of risk management is to deal with risks and opportunities affecting the organisation’s improvements (COSO, 2004). Furthermore, COSO (2004, pg8) defines Enterprise Risk Management as:

"The process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives".

Others like John Bromfield (2010), a partner at PWC UK, stated that most managers understand the concept of a risk management framework. However the picture is less clear about what it entails in practice including how the framework should be structured, governed and how it will affect the way organisations are managed. In fact, what all this boils down to is being able to provide answers to five fundamental points that all managers should satisfy themselves upon.

Identify risks – that is, what risks does the entity face?

Risk appetite – that is, how much risk are we prepared to take?

Who is responsible for managing these risks?

How can the entity assure that unexpected occurrences take place?

How does our risk profile influence the entity’s investments?

2.4 Who needs to prepare The Risk Management Framework?

Studies carried out by both the Risk Management Association (2010) and the PWC (2009) suggest that the preparation of the risk management framework depends on the nature of the organisation. The risk management role may vary from a part-time risk manager to a single risk champion, to a full scale risk management department. The role of the internal audit function will also differ between different organisations. In establishing the most appropriate role for internal audit, the organisation needs to make sure that the independence and objectivity of internal audit are not compromised.

Moreover, PWC (2009) also concludes that everyone has a role to play in managing risk. An organisation’s business units should be responsible for the decisions they take, how their employees behave and the effectiveness of the controls they use. But every individual who works for the organisation also has a duty to identify risks and manage them properly. Senior Management’s job is to provide visible support for the business units and individual employees alike and thus to reinforce their efforts.

The range of risk management responsibilities that need to be allocated is broad and extensive. Senior management is liable to set strategic approaches to risk and establish risk appetite, set up the structure for risk management, identify the most significant risks and be able to handle the organisation in the appropriate manner in times of crisis. The responsibility of the unit falls within the remit of middle management. The latter is required to develop a culture of risk awareness so to establish risk management performance deliverables, to make sure that the risk recommendations are properly executed, recognised and report in writing any change of the situations and/or risks.

Apart from the management’s responsibilities, every individual employee should understand, agree to and apply risk management processes. Controls which are not required, useless and unproductive should be reported immediately by employees. Even near miss incidents should be reported in writing. It is important that employees co-operate in full with management on every incident investigation. Ideally, all organisations should appoint a risk manager in order to develop, monitor and update risk management policies, to record the internal risk policies and structures, organise the internal controls vis-à-vis risk management activities and register the relevant risk information so as to provide the necessary reports to the Board.

Further to the aforesaid, it is pertinent to note that the internal audits’ role is fundamental to create a risk-based agenda, to review the risk processes through out the organisation, to collect and provide assurance on issues related to risk management and to inform and document the efficiency and effectiveness of internal controls.

2.5 The Enterprise Risk Management Framework

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) (2004) has observed an increased interest and attention regarding risk management. Gradually it felt the need for a robust framework to effectively detect, assess and manage risk. In 2001 COSO commenced a project and sought the partnership of PWC to setup a framework and therefore facilitate evaluations by managements; this would be needed to improve their organisation’s risk management. Enterprise Risk Management (ERM) gives management the opportunity to effectively deal with uncertainty and associated risk together with opportunity; thus making it possible to focus more on the ability to build value.

Management should consider the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and enhancing tools to manage related risks. ERM provides the application to identify and the ability to choose among alternative risk responses which basically are risk avoidance, reduction, transferring, and acceptance. Entities will be in a position to add improved capabilities to recognise and classify possible events and set up adequate and timely responses, lower potential surprises and associated costs or losses.

Every entity continuously faces numerous risks impacting several sections of an organisation. ERM enables valuable responses to the correlated effects and combined responses to multiple risks. By taking into account a wide array of potential events, management is enabled to clearly identify and proactively recognise opportunities. This in turn will help organisations to acquire relevant and sufficient risk information which will empower the management to weigh up overall capital requirements and improve capital distribution.

ERM entails that the above mentioned factors are included so as to strike a balance between organisational growth, the goals to be attained and the potential risks in order to achieve the organisational objectives.

3.0 The Eight Components of the ERM Framework

In its introduction to the Internal Control Concept, COSO (2011) stated that an organisation needs to establish a mission, formulate strategies, establish its objectives, and create plans to be attained. COSO also affirmed that an organisation must be sustained by eight interlinked components, namely:

Diagram no.1 – ISO 31000 ERM Framework

3.1 The Internal Environment

The Australian Auditing and Assurance Standards Board (2011) stated that organisations are made up of various units including Human Resources, Finance Department, Marketing Department, Senior Management, Operations Department and other supporting functions. This environment needs to include the governance and management functions, peoples’ attitudes, awareness and actions of those charged with governance and management. The control environment sets the way of an organisation to influence the actions of its people. The internal environment is the basis to conduct effective internal control, providing discipline and structure. Factors like risk culture, risk appetite, values and ethics are essential for the accomplishment of the plan.

3.1.1 Structure of Ħad-Dingli Local Council

Both the websites of the Department for Local Government and Ħad-Dingli Local Council do not illustrate the structure of the organisation. The Organogram of Ħad-Dingli Local Council consists only of the Executive Secretary as the executive, administrative and financial head of the Council and an Assistant Principal Officer who performs administrative duties. Two other employees are loaned from other entities; they perform both clerical and manual duties to support the administration.

The chain of command of the Local Council starts with the Executive Secretary and continues downwards to the Assistant Principal Officer. However, when analysing the hierarchy of the entity it was rather ambiguous to ascertain who directs who. In reality, if the Mayor gives an order which is in conflict with the Executive Secretary’s decision, the employees of the Council would find it rather difficult to decide which order to follow. It was also ambiguous to ascertain whether the Executive Secretary should follow the orders of the Director for Local Government or the Council.

3.1.2 Risk Culture of the Local Council

From our observations and the answers obtained from the interviews both the employees and the Council members felt that they have a natural understanding of risk culture. However it was noticed that they were not able to explain the concept of risk precisely and concretely. This means that the Local Council does not have a clear and holistic approach to risk culture. Even though the Council’s approach to risk in itself can be helpful, it can be claimed that in the context of being economic, efficient and effective this can be considered insufficient in addressing the concept of risk culture.

3.1.3 Risk Appetite

The COSO Enterprise Risk Management Integrated Framework (2012, Pg23) sets out five principles related to risk appetite. The first principle outlines strategy setting. Strategy entails that an entity should have a vision and a mission to accomplish. The second principle delineates how resources are allocated. The third principle combines harmoniously the entity with the people, processes and infrastructure. The fourth principle mirrors the entity’s risk management philosophy and affects the culture together with the operations undertaken. The last principle explains how strategy formulation aligns with the risk appetite of the entity.

Entities can be in a position to effect and come to terms with their beliefs with regards to risk appetite. Once formally stated, risk appetite can be communicated and fine tuned over time as the organisation increases its experience with the idea. An effective enterprise risk management entails that it is crucial to develop risk appetite from the beginning of an organisation’s commitment. As with pursuing corporate objectives, the main aim is to increase value by utilising effective enterprise risk management in achieving the entity’s targets.

COSO (2004, Pg18) describes risk tolerances as the levels of variation which maybe considered acceptable in relation to the attainment of the selected objectives. This suggests that when operations are performed within the risk tolerance range set by the organisation, it offers management an increased assurance that the entity stays within its risk appetite. Consequently it will provide a higher level of confidence that the entity will succeed to achieve its objectives.

The Local Council’s main objective is to render a service to the local community and not in pursuing profits. Thus, Council members did not feel the necessity to formulate a formal risk appetite statement. This may be attributed to the fact that risk appetite for local authorities is lower than commercial organisations. The risk appetite for the Local Council will be lower due to the extensive regulatory framework which must be abided to. Nonetheless, the Local Council may be required to undertake risks in order to satisfy the community expectations in creating or improving its services. As a matter of fact, it is noticed that one main problem that may lead organisation to face risks is that risk appetite is considered to be related to profit making organisations. However, this is not the case. All government entities and non-government organisations (NGOs) should try to develop a risk appetite policy. This appetite can be increased by reducing bureaucracy but without effecting trust.

3.1.4 Values and Ethics

From the findings obtained during the observation sessions, it transpired that both the employees and the Council members are knowledgeable with regards to values and ethics. Both Council employees and Councillors are obliged by the Department for Local Government to attend at least one training session regarding this issue. There are publications namely, Code of Ethics for Local Government Elected Representatives and Code of Good Practices for Local Government, which address this matter.

During informal discussions with Council employees, it was noted that they are keen to increase public trust and confidence in the Council by promoting the highest standards of personal and professional conduct. Employees also feel pride in what they do and this would enhance a positive attitude in their working values and ethics.

3.2 Objective Settings

COSO (2004) explains that objectives must be clearly defined in order to detect potential events which can have an impact on its achievements. Hence management must ensure that the organisation has established a process to set objectives. Management must also ensure that the selected objectives support the organisation’s mission and are in line with its risk appetite.

The Local Council’s objective settings were not found listed in the respective website and also no formal documentation was found at the office. However since this is a political environment, the Local Council’s employees referred us to the electoral manifest.

The electoral manifest of each political party contesting the Local Council elections will propose various measures on diverse issues. When summarising the main objectives of Local Councils, the following areas were noticed as being common to every Council:

The Economy – to help in the creation of jobs for the Local community by increasing economic activity.

Crime – to reduce crime and disorder and help people feel safer.

Health – to prevent ill-health and improve well-being in the Locality.

General Services – to provide services that are economical, efficient and effective.

Education – to enhance training and provide opportunities for live long learning.

Environment – to preserve and conserve the environment of the Locality

Transport – to improve and maintain the transport infrastructure

Culture – to ensure that people have the opportunity to participate in various activities that contribute to their quality of life.

The above mentioned objectives were compared against the electoral manifest proposed by the winning party of the last election which took place in March 2012 and was won by the Labour Party. It transpired that all the objectives did feature in the said manifest. Hence even though the Council’s office does not have a written and filed document stating the objectives, it can be said that the Local Council’s objectives are set by the political party. These are then made public and are knowledgeable by every stakeholder.

In spite of this, studies suggested that a formal documented objective setting would enhance the economy, efficiency and effectiveness of the Council’s operations. Moreover, by documenting its objective settings, the Council would reduce the operational uncertainty. Secondly the documentation would assist new human resources to pick up momentum with regards to their learning curve by focusing on clear written objectives. Thirdly, both the Council members and employees would use this documentation to understand correctly what the aims and capabilities of the Council are in order to determine what they can promise to the local citizens and what can really be executed.

3.3 Event Identification

Organisations form part of a vast network and they are continuously effected by events since no single entity operates in a vacuum. Management should be aware of the strengths and weaknesses of their organisations, together with the opportunities and threats they may encounter. COSO (2004) suggests that internal and external events affecting achievement of an organisation’s objectives must be identified and a decision taken whether a situation is either a risks or an opportunity. COSO is suggesting that a SWOT analysis or other tools must be adopted so to thoroughly foresee events. A SWOT analysis is a technique that is used to examine the Internal and External Environment. The ‘strengths’ of the organisation are the resources or capabilities that help an organisation accomplish its objectives, while the ‘weaknesses’ are the scarcity of resources and capabilities that hinder an organisation's ability to accomplish its objectives. The ‘opportunities’ are external factors or situations that can affect an organisation in a positive way, while ‘threats’ are other external factors or situations that can affect the organisation in a negative way.

The Risks which are relevant to each objective needs to be identified and documented. In its Fraud Prevention and Contingency Plan, Roscommon County Council (2010, pg6) defines risk as the threat that an event, action, or lack of action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies successfully. These risks can be categorised into four major groups that are Strategic, Operational, Financial and Compliance.

There are other risk categories that can affect the organisation such as Environmental, Information Security, People, Reputation and Information and Communication Risks. These risks can be identified by using tools such as by doing a list of all significant activities of the organisation, and all the risks arising from these activities are identified. The risks are then related to the objectives of the organisation. Risk Identification tools can be Scenario Planning, Brainstorming Sessions, Questionnaires, Risk Identification Workshops, Monitoring and Auditing Inspections.

During our study it transpired that identification tools such as SWOT analysis were seldom used. Scattered information could be found from minutes taken during Council meetings and other discussions which may have taken place during exit meetings related to projects and activities. Also from the questionnaire (appendix 1) it resulted that expertise from professional people is sought at every stage of the projects / activities undertaken for example an Architect is consulted on a project related to roads or an Accountant in relation to financial issues. However no documentation could be found to support the aforementioned statement.

The Local Council should consider enhancing its reporting procedures by increasing details regarding the risks, opportunity costs, weaknesses and strengths experienced and scenario planning. The Local Council must ponder to use questionnaires which should address a number of risks to be considered by participants, focusing on internal and external factors that affected, or may affect, events. Moreover, the Local Council should consider making use of a Process Flow Analysis which entails the illustration of a process in a diagram form, with the objective of improving the understanding of interrelated inputs, tasks, outputs, and responsibilities. This would assist the Local Council to identify events and set up the necessary actions against process objectives.

3.4 Risk Assessment

PWC (2008) described how risk assessment can be a tool to identifying which risks may signify opportunities and which represent potential threats. When adequately performed, a risk assessment provides organisations with a clear vision of factors to which they may be exposed. A good assessment procedure is embedded within the organisations’ pre-established risk appetite and tolerance, thus providing the fundamentals to identify the appropriate risk responses.

A strong risk assessment process, when applied consistently throughout the organisation, enables the management to better recognise, evaluate, and make use of the appropriate risks for their business, while retaining the appropriate controls to safeguard effective and efficient operations and regulatory compliance.

In fact, COSO (2004) gives detailed examples of the application techniques with regards to inherent and residual risk assessments; qualitative techniques like for example risk ranking and questionnaires. Adding to this COSO (2004) describes quantitative techniques and probabilistic techniques such as market value at risk, loss distributions, and back-testing. COSO (2204) also illustrates further examples of non-probabilistic techniques like for instance sensitivity analysis, scenario analysis, stress testing, and benchmarking.

The risk register is a means of recording all identified risks, their severity and the actions (internal controls) taken to address risks. This document should evolve over time with potential risks removed and new ones added as changes occur. The best way to view the risk register is as a management tool through a review and updating process that identifies, assess and manage risks down to acceptable levels. The layout of the risk register reflects the sequence in which information is captured and documented and it should contain enough detail to enable risk response, planning and subsequent control. The risk register assist the management to quantify and rank risks. It provides a basis for information to be collected in a systematical approach. It enhances both the analysis of risks and decision making on two main questions namely whether and how those risks should be treated.

From the research it was concluded that Ħad-Dingli Local Council gives its full attention to budgeting and that projects are in line with the financial estimates. It was also observed that discussions do take place on how to respond to risks; however no formal structure is in place. Considering the size of Ħad-Dingli Local Council and the limited funds available it would be suitable to use a cost effective technique such as benchmarking.

The Local Council may adopt the practices outlined by Hellriegel, Jackson and Slocum [2] whereby they can compare their practices with other Maltese and foreign Local Councils. Although Ħad-Dingli Local Council is demographically small when compared with much larger Councils like for example the Council of London in the United Kingdom, best practices still may be adopted on a smaller scale, resources permitting. The authors also commented that particular areas of excellence which other organisations have reached may be set as standards so to emulate the best practices. They described how the environment is defined, best performers identified, collection and analysis of gaps, setting of goals, planning and evaluation.

3.5 Risk Response

Risk response mainly involves the developing of strategies in order to reduce or even eliminate the threats and events that give rise to risks. If the management of the risk is within the control of the entity, the response strategies should be chosen from four main responses namely terminate the risk, tolerate the risk, transfer the risk and / or treat the risk. In reality, as stated also by the Treasury Board of Canada Secretariat (2011), unwanted risk can rarely be completely avoided. On occasion the risk can be transferred, by covering with risk insurance, but then the larger the risk, the higher the premium. Another option to reduce risk is through changes in operations or by the introduction of new and better controls. The Treasury Board yet states that drastic reduction of risk may have a negative influence on the workplace.

The administration can decide, after considering options, to "live with risk" instead of reducing or repressing it. Another option is linked to an opportunity that outweighs the possible negative impact of the risk materialization. Although, every organisation has a tolerance limit to risk; if this limit is reached, the risk must be mitigated or eventually eliminated. The degree of tolerance is likely to change with time, adjust according to the relevant environment, or similarly to a change in administration.

From the observations carried out, Ħad-Dingli Local Council lacks planning of risk response which consists of the identification of feasible responses to risks that should have been identified and the best response duly selected. Options to be considered in terms of feasibility and cost effectiveness in planning risk treatment strategies can include accepting, mitigating and transferring the risks.

Although no formal planning exists, avoidance is conducted on the basis that human resources and finances are limited. From a political perspective this is a very hard decision to take by a Local Council since the main aim of the entity is to accommodate residents. If such activities are conducted this may pose a grievous risk on the operations of the Council. Therefore the Council should not engage in new activities that would give rise to risks. It is pertinent to note that due to the human resources’ limitations all major projects are subcontracted.

In such circumstances and even in the best interest of the tasks performed by Ħad-Dingli Local Council, the Councillors are knowledgeable that risks are shared by subcontracting or making other arrangement with third parties. The Council has in place a comprehensive insurance coverage which is encompassing all the delineated area by the law against risks such as injuries, road accidents caused by lack of maintenance, damages to street furniture and theft from public buildings administered by the Local Council.

3.6 Control Activities

COSO (2004, Pg72) argues that control activities are formulated to ensure that risk responses are adequately established. With regards to objective settings and performance, control activities are themselves responses to risks. In their white paper named Key Elements of Antifraud Programs and Controls, Price Waterhouse Coopers – PWC (2003) stated that once the fraud-risk assessment has been put in place, the organisation should search for control activities implemented to mitigate the identified fraud risks.

The control activities are those actions taken by management to detect, prevent and reduce risks. These also include fraudulent financial reporting actions or misuse of the organisation's assets. These control activities should occur throughout the organisation at all levels and in all of day to day activities. These controls include approvals, authorizations, verification and reconciling exercises, segregation of duties, evaluation of performance’s operations and safeguarding of assets. During the course of our observation, it was noticed that a number of control activities are in place at Ħad-Dingli Local Council. In fact the Local Council possesses formal procedures which are not documented but well implemented for the authorisation and execution of transactions.

The Council should systematically assign the responsibility to a number of individuals, key stages like for example authorization, recording, processing and auditing. It transpires that there is a limitation to carry out this type of control. According to the Local Councils Act, Local Councils are permitted to employ not more than one full time employee for every 2500 residents; this excludes the Executive Secretary. In the case of Ħad-Dingli Local Council, according to the last census, the population approximately counts 3800 persons. Hence the Ħad-Dingli Local Council is eligible to employ one full time employee only and another part time employee.

In this circumstance, Ħad-Dingli Local Council has the possibility to employ an additional part time employee but the Council refrains from doing so due to the fact that tangible projects are preferred over less tangible expenditure like for example employing another person. The Executive Secretary is exerting much of his effort to carry out the day to day processes such as inputting of financial data, overseeing projects, customer care, meetings, reporting to the Department for Local Government and to the Council and other public relations. Thus problems are encountered in continuing the day to day processes once an employee is absent from the place of work for one reason or another.

When coming to segregation of duties it was noticed that same persons are applying the four eyes principle. Due to the size of the administration, the Local Council is not capable to provide appropriate and continuous supervision in order to ensure that control activities are achieved. An option would be that the Council would act as the oversight body.

However, considering the fact that most of the Council’s members are on a part time basis, they already have another full time job and thus, this option would be somehow difficult to execute without being a rubber stamp exercise.

It was noticed that physical assets such as the Council’s offices, public buildings which were conceded to the Local Council, vehicles and IT equipment are solely accessed by authorised individuals who are accountable for the custody and use of the resources. Further to this, Ħad-Dingli Local Council is in possession of other physical assets namely streets, street furniture and playing fields. It is the Council’s responsibility to maintain and safeguard the named possessions which take up a good portion of the Council’s yearly allocation of funds. In this regards the Council agreed that the major deterrent to keep vandalism at bay is the installation of closed circuit cameras. Currently the Local Council is in the process of upgrading this system to view images in real time by the use of the internet.

Receivables and payables are recorded through Sage system by the Executive Secretary. Although there are no verifications before the processing of transactions, the Department for Local Government introduced a control system whereby every three months, the Council is obliged to submit online quarterly financial statements. Consequently Ħad-Dingli Local Council sought the services of an accountant in order to verify transactions. It was interesting to find out that each and every transaction is uploaded on the Department for Local Government’s website to enhance the Local Councils’ accountability and transparency. Adding to this the Department for Local Government has a monitoring unit whose responsibility is to verify that these reports are duly submitted in time.

It was observed that Ħad-Dingli Local Council does not have in place a control activity to review operating performance against standards, regulations and procedures on a regular basis. Moreover, the effectiveness and efficiency of operations are not being assessed and thus no necessary actions are being taken to address such issues.

At the moment the main focus of the Local Council is to abide by the Local Councils Act, the Financial Regulations and to stay within budgeted amounts. However, one can argue that the performance of the Council is being assessed by the means of the Council elections which is the direct voice of the Local community. This means that if the general public perceives that the Council is not delivering the promised objectives, it will be reflected in the election results.

With regard to the IT system, Ħad-Dingli Local Council utilizes the Sage Line 50 for accounting purposes. Other accounting documents namely purchases invoices, quotations, statements, remittance advices and contracts are all recorded on the Executive Secretary’s personal computer to ensure that the information is complete and accurate. Backups are carried out on a monthly basis on an external hard drive which is kept in a separate location. Only the appropriate people are enabled to access such data to carry out their responsibilities.

In view of the above, the management should estimate whether correct internal controls have been implemented in any areas that management has identified as posing a higher risk of fraudulent activity (such as revenue recognition and non-standard journal entries), as well as controls over the organisation's financial reporting process and the potential for management override. The importance of IT in the support of operations and the processing of transactions is high, so the management also needs to apply and maintain appropriate controls, either automated or manual, over computer-generated information.

As described by PWC (2003), the setting in which an organisation functions (in this case is the Local Council) affects the fraud risks to which it is exposed and may present unique external reporting requirements, or special legal or regulatory requirements. Thus Ħad-Dingli Local Council must consider whether the controls that exist are adequate to address all of the individual Council's particular operational activities; whether these controls are rightly designed for the intention of identifying, preventing and mitigating a specific fraud risk that the Council may in the recent future incur; and whether these controls are being applied properly to sufficiently address the Council's unique operations and fraud risks.

3.7 Information and Communication

Hellriegel and Slocum (2004) defined information as an important factor for identification, evaluation and responsiveness to the environment. COSO (2004) concluded that all information deriving from the internal and external environment should be thoroughly analysed to set the strategy and objectives, identify future events, evaluate risks and establish risk responses. The usefulness of information would not be relevant unless communicated effectively.

Price Waterhouse Coopers (PWC) (2003) states that communication is an essential element to ensuring the achievement of a successful project or program. Policies should be stated clearly and each employee’s responsibilities in relation to the program should be made in writing. This information must be then communicated to employees in a form and time frame that permits employees to carry out their responsibilities effectively. Hence, an evaluation of the organisation’s program must consider whether the content of its policies is relevant, timely, current and properly disseminated to all appropriate stakeholders.

Moreover, PWC (2003) voices COSO’s (1994) concerns on how effective communication regarding the organisation’s risk policies and procedures must flow down, up and across an organisation. The organisation must send a clear message to all employees that it is serious about its commitment to introduce a risk culture. Employees must comprehend all the appropriate aspects of his or her position and relevant responsibilities. In addition employees must be aware what is expected or acceptable, and what is unacceptable. According to PWC, an organisation must also put in place an effective means of communicating significant information. In fact, effective communication must also occur between the organisation and external stakeholders, such as clients, suppliers, supervisory bodies and shareholders.

Most of the time, the size of Ħad-Dingli Local Council was being considered a problem when coming to terms with the implementation and application of risk management. However, with reference to information and communication, this situation has overturned and it can be deemed as advantageous. Since the information is handled by a small number of people, it is generally communicated in time and also reduces the risk of altering its meaning and significance.

The major source of information are the discussions conducted during Council meetings; such meetings are conducted approximately on a monthly basis. These also include the approval of payments which are than minuted and uploaded on the Department for Local Government’s website. During such meetings, the Councillors perform brainstorming exercises so to come up with ideas or decisions to be implemented. The risks associated with the Council’s objectives are raised in an informal manner. However it was observed that in Ħad-Dingli Local Council, the subsequent exercise to analyse the data in order to identify and prevent future risks is not carried out adequately.

To enhance the communication with all stakeholders, various channels are offered including the possibility to attend for the Council meetings, viewing the meeting life streamed on the internet or else access the Department for Local Government’s website and read the minutes. Information and Communication with the business community are regulated by the various subarticles of the Local Councils Act and other laws and regulations.

3.8 Risk Monitoring

PWC (2003) explains that an organisation’s controls, procedures and policies must be continuously monitored and must be subjected to ongoing and periodic performance evaluations. It is in the management’s remit and judgement to determine the frequency of separate evaluations or audits necessary to have reasonable assurance about the effectiveness of its controls and procedures.

PWC (2003) argues that an organisation should consider the nature and degree of changes occurring in the organisation and their associated risks. Competence and experience of the individuals implementing the controls should also be given weight. It is imperative that results obtained should be monitored contiuously.

Information technology gives rise to both risk and opportunity. PCW explains that IT assisted audits are an essential tool to improve considerably the usefulness of an organisation’s monitoring activity. In addition, PWC states that the market offers numerous software programs to help organisations to detect risk activities.

Taylor (2009, pg39) explaines that a continous monitoring process of real time information not only give assurance that internal controls are being executed effectively, but also serves as both a preventive, detective and corrective measure. It also serves to establish the vision by providing a deterrent, thus giving the opportuninity to identify and find adequate actions to control risks which can have material impact.

A monitoring process in Ħad-Dingli Local Council does exist, for example monitoring of expenditure is carried out on a monthly basis and reports are uploaded on the Department for Local Government’s website. Physical projects are also monitored on a continuously basis through inspections. Such inspections include stock control and financial monitoring. A particular difficulty encountered by the Local Council is the fact that there are no written standards or checklists with which employees can be guided. Due to time limitations, reports are drawn only in connection with the financial aspect and the only reporting in conjuction to operational activites are carried out by the Achitect in charge. The reporting by the Architect would not include quantities and perhaps other information which could help the Local Council to detect risks in relation to the project under review.

Monitoring and reviewing pertinent information, even past documentation, should be a must; this can assist Ħad-Dingli Local Council to identify past occurances which Ħad a negative impact and measure the respective costs, in order to foresee forthcoming risks. In this case, monitoring the macro and micro environments by the means of PESTEL or similar tools would enhance the effectiveness of achieving objectives. Information related to past occurances are generally utilised in risk assessment and documented in a risk register. These are typically based on real experience including the probabilty and effects.

Also Ħad-Dingli Local Council may find that documenting monitoring procedures would be beneficial given that these provide a source for fact-based discussion, documenting knowledge and offering a basis for comprehending costs releated to losses which are associated to risks. Utilising forecasting tools will definetely facilitate the triggering of investigation and corrective measures of control weaknesses before these can eventually affect financial goals or the Council’s objectives.

4.0 Three Lines of Defence Model in Relation to Risk Management Framework

The Local Council’s members are loaded with a massive list of compulsory schedules and each of them must find adequate time in order to tackle these and other matters. The current economic situation is not simple, and the need to enhance accountability and transparency would certainly add pressure to the Council to adopt a good governance framewok. In this regard, the Council should focus its efforts to maintain a strong relationship and enhance the communication channels between the management (in this case the Executive Secretary) and the internal and external auditors.

4.1 First Line of Defence

As described by the Audit Committee Institute in Russia (2009) the first line of defence is mainly responsible to ensure that an organisation has adequate controls securely implemented to run the day-to-day business. Not only controls should be designed into systems and processes, assuming that the design is sound to appropriately mitigate risks, but line managements should be thoroughly trained to invent definitions of risks and prepare risk assessments. Studies suggest that proactive risk management and reporting on a regular basis is essential to identify risks and select the appropriate responses. The first line of defence is intended to provide reasonable assurance to management. Apart from this, the first line of defence is also crucial to identify risks, advise on actions to improve the organisation and to provide periodic reports.

4.2 Second Line of Defence

As stated in the previous paragraphs, the Council members and the administration are responsible to provide an oversight on the effective procedures of the internal control framework. In addition, these responsibilities should set defined boundaries by planning and implementing policies and practices. The Council members should review the management of risk in connection with the prescribed risk appetite of the Council. The Council together with the internal and external auditor should assure oversight by setting direction and make sure that everyone is compliant. The effectiveness of the second line of defence is determined by the oversight, the organisation structure, their terms of reference, the competence of the Council members and employees, the quality of the information in hand and the reports raised for monitoring purposes.

According to the ACCA UK Internal Audit (2007), it is important that the second line is strengthened by the monitoring functions of risk management and compliance. Also, risk management should clearly define and well prescribe the financial and operational risk assessment procedures for the organisation; maintain an updated risk registers and carry out periodical review practices to cover risks in collaboration with the respective management. This is also in line with the statements of the Audit Committee Institute in Russia (2009) which explains the importance of the review of policy frameworks. This assures that the right policy owners are aware of their responsibility to maintain polices up to date and react to the latest strategy priorities and risks. Nontheless, it is assumed these functions to report upon their work performed and noteworthy findings to the designated executive risk oversight officer in the second line model.

4.3 Third Line of Defence

In the case of Ħad-Dingli Local Council, the third line of defence is explained as an independent assurance provided by the the internal audit function and the external audit function that report to the Council’s members, the Department for Local Government and to the Public Accounts Committee. The Internal Audit and Investigations Department carries out a programme of risk based audits covering all aspects of both the first and second lines of defence.

With reference to basic principles, an internal audit function may rely on the work of the second line functions and lower or modify its checking of the first line.  Normally, the level of assurance engaged will definetly be proportioned to the effectiveness of the second line, including the internal audit function which will require to harmonize its efforts with compliance and risk management. Additionaly, it is the internal audit’s duty to assess the work of these functions. The results derived from these audits should be reported to all three lines. To make the picture more clear, the ACCA UK – Internal Audit (2007, pg1) highlighted the resemblance between the third line role with that of the role of a goalkeeper in a football match.  In fact, if we imagine that the ball is lost in midfield (first line) and the defence (second line) fails to stop the opposition’s attack, the goalkeeper (third line) is the last hope to save the day.  There is a reasonable expectation that both the internal and external audit will identify the weaknesses in both first and second lines. In the event that even the third line fails to do so, the organisation may impact significant losses.

4.4 Relationship between Internal Audit and Local Councils

The Internal Audit and Financial Investigation Act states that:

"internal audit means an independent, objective assurance and consulting activity designed to add value and improve the operations of auditees, helping the auditee to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

Internal auditing professional standards require the Internal Audit and Investigation Department to continuously monitor and assess the effectiveness of the Local Councils’ risk management procedures. Risk management entails that every entity has a mechanism in place to establish objectives, then it should clearly identify, analyse, and respond to the risks that may potentially impact the achievement of its objectives.

Internal auditors should consider and assess each activities such as strategic planning, marketing planning, capital planning, budgeting, motivation payment structure , and credit practices. Emphasis should be made on procedures utilised by management to report, communicate and monitor the identified risks. An example of this can be described well when an internal auditor gives advise to management in conjunction to the reporting of operating activities , to assist in the identification of upcoming risks.

In larger Local Councils, significant strategic initiatives are implemented to attain the selected objectives and be in a position to have better control on undesired changes. This enables management to report on a number of identified risks the entity may encounter to the Internal Audit and Investigation Department, or make sure that management's risk documentation is reported in an effective manner which suites for the purpose.

The Internal Audit and Investigation Department should be of assistance to Ħad-Dingli Local Council in order to set up and maintain Enterprise Risk Management processes. The said Department also has a significant role to help Local Councils to provide an opinion on management's assessment of its own internal controls. With reference to the former two aspects, the Internal Audit and Investigation Department should be an essential component of the risk assessment team in an advisory position .

4.5 Relationship between National Audit Office and Local Councils

The National Audit Offices of the United Kingdom (2000, Pg5) expressed its ideas that the Local Councils are responsible for a variety of services for the Local community such as the payment of capital projects, support for Local business, the provision of health care and education and protecting the environment. These entail a potential amount of risk. In particular, risk may be a result of events or situations that are not thoroughly planned, services which are not rendered in adequate time, or cannot react to rapid changes as demanded, or are of low quality level, or perhaps are not economical.

On the other hand, risks may as well be missed opportunities to deliver better value services. For example, acquire improved technological personal computers which may be utilised to offer services online, such as applying for driving licences and submitting tax returns. This will imply that the Local community can access services directly from their homes 24 hours a day, 7 days a week. The Local population including businesses can suffer losses if Local Councils are not proactive to introduce new types of cost-effective services which are feasible by innovation and technological advances. However one must pay particular attention to risks which are related to carrying out things differently. New types of service delivery should be created in such a way that risks are minimised and thus preventing from failing to maintain and improve the quality of the service.

The National Audit office of Malta are the external auditors of the Local Councils and its role and responsibility is to support a properly managed risk mechanism which main aim is to result in tangible payback for all taxpayers. Thus the National Audit office (NAO), as a supreme institution, should report annually to help promote improvements in risk management by Local Councils. NAO should be more active and give tangible examples by clearly illustrating how to operate good practices from both the public and the private sector. The National Audit Office should encourage and explain to all stakeholders the importance of risk management.

In reality, Maltese Local Councils are facing a number of risks and Ħad-Dingli Local Council is no exception. These risks may be anything that poses a threat to the attainment of the objectives, projects and the services rendered to the Local community. A risk may arise if damage to the reputation of Ħad-Dingli Local Council occurs; this will surely undermine the citizens’ trust in the Council.

Risk may arise from failure to safeguard against impropriety, malpractices, waste of resources and low value for money or failure to comply with legislation and regulations namely those covering financial and environmental aspects. The lack of ability to react and manage situations promptly and in a way that prevents or reduces negative effects on the services rendered to the Local community will also give rise to risk.

The Maltese National Audit Act (cap 396) paragraph 5 obliges the Auditor General to report annually to the House of Representative. Each report under paragraph 5 shall call attention to anything that the Auditor General may judge to be regarded as important and Ħad relevant characteristcs that should be brought to the attention of the House of Representatives, including any particular scenario in which he may have noticed that:

(i) "essential records have not been maintained or the rules and procedures applied have been insufficient to safeguard and control public property, to secure an effective check on the assessment, collection and proper allocation of revenue and to ensure that expenditures have been made only as authorised";

(ii) "Satisfactory procedures have not been established to measure and report the effectiveness of expenditure programmes, where such procedures should reasonably have been established."

5.0 Conclusion

The research conducted at Ħad-Dingli Local Council concluded that in actual fact there is a sensible recognition of the importance of risk management. Changes in this aspect are considered a way to promote innovation. In this point in time the Council is lacking the experience as to how risk management mechanisms should be set up in practice. The Department for Local Government, which is the legal responsible entity, should address this issue through a number of different initiatives, including training sessions and guidance so to promote innovation, creativity, accountability, and transparency. This will definitely boost the implementation of ground-breaking Local projects through cost effective investment; enhancing innovation and risk management techniques.

The analysis, based on results obtained with regard to risk management practices adopted by Ħad-Dingli Local Council, suggests that six crucial elements should be in place if risk management is to be effective, efficient and new modern concepts introduced.

These elements mainly are as follows:

The policy making;

The support needed to implement risk management;

The culture;

The risk management techniques grounded in the daily tasks;

The objective setting; and

The attainment of objectives.

Policies directed towards risk management and the advantages that may derive from its implementation should be divulged with all the employees. The policies should target all employees at any grade and level, whether with indefinite or definite contracts or working part time within the Local Council. Contractors and experts working on behalf of the Local Council should also abide with such policies.

Ħad-Dingli Local Council’s risk management policy and strategic plan should be expanded to include local citizens, employees, reputation, finances, strategies and governance. The Department for Local Government should be consulted during the policy and strategy exercise.

The