
PERFORMANCE REPORT – Adoption of revised Risk Management Strategy

EXECUTIVE Date: 7th December 2006

Agenda Item: 9 Contact Officer: Rita Wilson 01543 308101

Steve Langston 01543 308119

KEY DECISION: NO

REPORT OF THE DEPUTY LEADER OF COUNCIL AND ORGANISATIONAL DEVELOPMENT PORTFOLIO HOLDER

RISK MANAGEMENT STRATEGY

1. Purpose of Report

1.1 To seek Executive approval for the adoption of the new Risk Management Strategy.

2. Recommendation

2.1 That the Executive approves the Risk Management Strategy and agrees to its implementation as Council Policy.

3. Community Impact

3.1 The sound management of risk ensures that the ability to deliver corporate ambitions and priorities which secure community benefits is maximised.

4. Statement of Reasons

4.1 The Strategic Plan 2004/8 sets out clear objectives in terms of risk management as part of the top priority of ‘getting better at forward planning and being performance driven’. The task set within the year three action plan was as follows: ‘Take forward risk management procedures including a clear linkage of strategic planning and risk management into service planning and team level activities and planning for business continuity.’

4.2 The new Risk Management Strategy supports this priority by providing the framework to support the Council and ensure that risk management activities are embedded in its operation.

4.3 It should also be noted that the sound management of risk is an important factor used by inspectors and auditors in assessing how well a Council is managed. Having robust risk management procedures in place will therefore also support the Council’s drive to continuous improvement as measured through such means as the Comprehensive Performance Assessment process and the ongoing Use of Resources Assessment with its focus on internal controls.

4.4 The Audit Commission specify that the Council should ensure that all employees and Members take appropriate action to ensure that corporate risks are being actively managed. The revised Strategy emphasises the role of employees during day to day activities as well as the role of Members who have an overview role via Audit Committee, Regulatory Committees, as Portfolio Holders and through the Overview and Scrutiny process. It is essential that Members understand the importance of assessing the risks to the Council’s operations and ability to deliver on priorities, to ensure that the right actions are being taken to control those risks.

5. Any Alternative Options

5.1 The Council has set itself the top priority outlined above and as such there is no other way that the priority could be delivered without a revised Risk Management Strategy in place.

6. Consultation

6.1 The Strategy is very much an internally focussed document designed to support the management processes. Therefore there has been a focus on seeking the views of key officers and Members to improve the Strategy. There has also been a dialogue with colleagues from other authorities and other agencies to help inform the Strategy and pick up on best practice.

7. Financial Implications

7.1 The delivery of the Strategy can be resourced from within the allocated budgets.

7.2 Sound risk management is especially important in relation to financial management. Effective risk management therefore protects the authority from a range of financial risks at the corporate, service, project or partnership levels.

8. Strategic Plan Implications

8.1 The strategy supports the delivery of the top priority identified at 4. above.

9. Sustainability Issues

9.1 The Strategy will aid the Council in assessing and managing risks related to sustainability.

10. Human Rights Issues

10.1 The strategy will aid the Council in assessing risks related to potential contraventions of Human Rights issues and therefore assist in the prevention of any negative impact from the Council’s activities.

11. Crime and Community Safety Issues

11.1 The Strategy will aid the Council in assessing risks related to Crime and Community Safety and support improvement in this area.

12. Risk Management Issues

12.1 The Strategy is the fundamental vehicle by which the Council will meet its objectives related to risk management. It sets out the policies and procedures the Council will use to manage risk across the authority and identifies the key roles and responsibilities in relation to risk management.

12.2 The Executive will be aware that the new Strategy is attached at Appendix A and consolidates previous practice and emerging requirements. The Risk Management Strategy will continue to be reviewed and updated annually.

12.3 It is however worth drawing attention to a number of key improvements and benefits that the Strategy brings, as it consolidates a number of requirements essential to manage the activities of the Council in a business sense. Members’ attention is drawn to:


• The establishment of a Risk and Resilience Team earlier in the year which focuses the Council’s risk related resources in a single area responsible for the delivery of the Strategy. The Team pulls together knowledge and experience in such matters as Health and Safety, Insurance, Business Continuity and Civil Contingencies.

• ‘Risk Champions’ at Senior Officer and Member level are identified.

• The Strategy clearly sets out the roles and responsibilities at Officer, Member and Committee level and provides a set of processes, procedures and definitions which permit consistent standards to be met in the management of risk. It addresses the needs to identify corporate and operational risks and opportunities, assess likelihood and impact, identify mitigating controls and assign responsibility.

• The Strategy supports the further embedding of risk management into key activities such as strategic planning, financial planning, policy making and review as well as wider performance management.

• The Strategy sets out clear timescales for the reporting of risk issues back to Members.

• The Strategy sets out timescales for the regular review of risk registers and ensures that strategic, operational, project and partnership risks are identified and managed.

• The investment in 2004/5 in a performance management system (Covalent) gives us the opportunity to join together risk management, action planning and performance measurement. This provides the basic tool to hold risk registers, action plans etc. assign responsibilities and cross reference to corporate ambitions and priorities.

• The Strategy affords means by which the Council not only monitors negative risk, but also enables it to pick up positive opportunities.

• The Strategy addresses the training needs at Officer and Member level.

Background Documents: Appendix A: Risk Management Strategy


Risk Management Strategy

November 2006

“Risk Management in Lichfield District Council is all about managing our business threats and opportunities and creating an environment of “no surprises”

“Risk management is the identification, analysis and economic control of those risks which might prevent an organisation achieving its objectives”.

“Risk management is not about insurance – not least because over 80% of risks faced by organisations is not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control”.

Risk management is not simply a compliance issue, but rather a way of viewing our operations with a significant impact on long-term viability.

It is critical to success and is a focal point for senior management and Members.

It helps us to demonstrate openness, integrity and accountability in all of our dealings.


RISK MANAGEMENT POLICY STATEMENT

Lichfield District Council Risk Management Policy Statement

Our Risk Management Policy is drawn up within the context of the District Council’s ambitions and overall focus. We are focussed on ‘dramatically improving services’ and ‘leading and shaping the growth of the district’. This supports our ambitions of:

• Providing a clean safe and sustainable environment
• Delivering a thriving economy
• Making the district a good place to live
• Delivering a better quality of life
• Working together through a Joint Effort

These ambitions are delivered through our top 12 priorities:

• Progressing the work on our two urban centres
• Improving the quality of life in our villages
• Tackling deprivation and reducing health inequalities
• Balancing our housing market
• Involving the community in setting the district agenda
• Shaping the growth of our district
• Feeling Safe in Lichfield District
• Enhanced community leadership
• Putting customers first
• Delivering the improvements in prioritised services
• Getting better at forward planning and being performance driven
• Taking forward our Organisational Improvement Plan

These priorities and ambitions are set out in the District Council’s Strategic Plan (2004/8), and are underpinned by targets and milestones which are monitored through our Performance Management Framework, which covers the key areas of the Council’s activity.

The anticipation and assessment of risks to the delivery of these objectives and targets is a vital part of the District Council’s activities. The continuous improvement of our risk management is a sub priority under the overall priority of getting better at forward planning and being performance driven.

The District Council’s ambitions relate to the whole District. As a result they can be influenced by an enormous variety of risks.

It would be impossible to identify all of those risks, so it is also important that there is a focus on getting early warning when risks become more imminent, or start to take effect.


The District Council is setting out its approach to risk management, which includes working with directorates and their constituent services on the improvement of risk management and internal control.

As part of the corporate governance agenda we prepare a Statement of Internal Control as part of our wider activities to improve management of resources and deliver value for money. This statement is signed by the Chief Executive and Leader of the District Council. It is validated through an audit process and through other inspections such as the annual Use of Resources Assessment.

The District Council sets out a framework which enables and encourages directorates to manage risks: that includes the requirement to produce a Statement of Internal Control; advice to directorates; and publication of the Risk Management Strategy and Methodology. Transparency and accountability are key to the process.

The framework for dealing with all these risks will be built on a regular process of risk assessment. This process identifies and scores key risk factors, and results in a corporate register of key risks and directorate/service registers of risks. This enables Leadership Team to review the strategic risks to the authority and service managers to maintain controls and plans which respond to those risks, and learn from experience.

This policy is fully supported by Members, the Chief Executive and the Leadership Team.

Signed Chief Executive
Date

Signed Leader of the Council
Date


1. Introduction

Risk management is an integral part of corporate governance and the Council formally adopted a framework for corporate governance at Council in October 2002. Corporate governance requires maintaining a sound system of internal control. Financial Regulations place responsibility with Directors for risk management and maintaining sound systems of internal control within their area of service delivery. Implementation of the strategy will ensure that two types of risk are addressed:

• Direct threats – (damaging events) which could lead to a failure to achieve ambitions and deliver on priorities

• Opportunities – (constructive events) if exploited can offer an improved way of achieving objectives but which are surrounded by threats. Examples include areas such as partnership arrangements.

1.1 What is Risk Management?

Risk can be defined as the chance or possibility of loss, damage, injury or failure to achieve objectives being caused by an unwanted or uncertain action, event, or chain of events. Risk therefore includes a level of uncertainty of outcome (whether positive outcome or negative threat). Risk is ever present and some amount of risk taking is inevitable if the Council is to achieve its objectives.

Risk management involves having processes in place to identify and monitor risks, being able to access up to date and reliable information about risks, ensuring the right balance of control is in place to deal with risks, and a decision making process that is supported by a framework of risk analyses and evaluation. Risks should be managed in an integrated way at different key levels to manage interdependencies – strategic risk, operational risk and project risks.

A simple view of what risk management is trying to do is: Risk management is about making the most of opportunities (making the right decisions) and about achieving objectives once those decisions are made. This is achieved through transferring risks, controlling risks and living with risks.

Risk management is not just about insurance – not least because over 80% of risks faced by organisations are not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control.


1.2 Risk Maturity

Risk Maturity is “The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation’s objectives.” (Institute of Internal Auditors)

The level of risk maturity is considered in the following terms:

• Risk Naïve - (No formal approach developed for risk management.)

• Risk Aware - (Scattered silo based approach to risk management.)

• Risk Defined - (Strategy and policies in place and communicated. Risk Appetite (toleration) Defined.)

• Risk Managed - (Enterprise approach to risk management developed and communicated.)

• Risk Enabled - (Risk management and internal controls fully embedded into the operations.)

During an Audit in March 2006 Lichfield District Council was considered as ‘Risk Aware’ by Internal Audit. This revised Risk Strategy implements many of the recommendations from the Audit report and as such both commits and enables the Authority to move towards becoming ‘Risk Enabled’ with risk management being fully embedded within the Authority.

1.3 Risk Tolerance

The risk tolerance (appetite) is “the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (CIPFA). The risk tolerance table shown within the Risk Management Methodology (Appendix 1) shows the action levels according to the Council’s agreed risk tolerance. The Council will manage risks according to the risk tolerance by accepting, reducing, preventing, transferring or eliminating risks or designing contingency plans.

2. Key Elements of Effective Risk Management

There are two reasons effective risk management is essential for the Council:

• Support for Corporate Governance (CG being the system by which the Council directs and controls its functions and relates to the local community); and

• Support for business planning and decision making.


3. Risk Management Objectives

The Council's risk management strategy's objectives are to:

• Integrate risk management into the culture of the Council
• Manage risk in accordance with best practice
• Anticipate and respond to changing social, political, environmental and legislative requirements
• Prevent injury, damage and losses and reduce the cost of risk
• Raise awareness of the need for risk management by all those connected with the Council's delivery of services
• Ensure there are adequate arrangements for compiling the Council's annual Statement on Internal Control with governance and risk management arrangements to support it.

These objectives will be achieved by:

• Establishing clear roles, responsibilities and reporting lines within the Council for risk management
• Providing opportunities for shared learning on risk management across the Council
• Offering a framework for allocating resources to identified priority risk areas
• Reinforcing the importance of effective risk management as part of the everyday work of employees by offering training
• Incorporating risk management considerations into all levels of service planning
• Monitoring arrangements on an on-going basis
• Incorporating risk management considerations into partnership working and contractual arrangements
• Monitoring arrangements on an ongoing basis.

4. The benefits of having a risk management strategy

• Risk Management will alert the Leadership Team to the main service and financial issues. This will allow early and proportionate management handling.

• It contributes to better decision making, and the process of achieving objectives. When embedded within existing planning, decision taking and option appraisal processes risk management provides a basis for ensuring implications are thought through, the impact of other decisions, initiatives and projects are considered, and conflicts are balanced. This will influence success and improve service delivery.

• It provides assurance to members and management on the adequacy of arrangements for the conduct of business and the use of resources. It demonstrates openness and accountability to various inspectorate bodies and stakeholders more widely.

• It leads to greater risk awareness and an improved control environment, which should mean fewer incidents and other control failures. In some cases this can result in lower insurance premiums.

These are not intangible benefits. By identifying risks earlier, by making sure processes are not over engineered and are fit for purpose, and achieving a behavioural shift, risk management will be a process that will pay for itself many times over.

Our approach to risk management, which underpins the strategy and provides a vision of what we are aiming for, is summarised below:

“Risk Management in Lichfield District Council is all about managing our business threats and opportunities and creating an environment of “no surprises”

“Risk management is the identification, analysis and economic control of those risks which might prevent an organisation achieving its objectives”.

“Risk management is not about insurance – not least because over 80% of risks faced by organisations is not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control”.

“Risk management is not simply a compliance issue, but rather a way of viewing our operations with a significant impact on long-term viability.”

The long term aim is for risk profiles to be carried out at all levels of the organisation with each level feeding up to the next level to ensure that operational risks that could pose greater risks than strategic issues are not missed.

A diagram showing our approach to risk management is attached as Appendix 2.

5. Roles and responsibilities and reporting lines

The importance of establishing roles and responsibilities within the risk management framework is pivotal to successful delivery. The focus must be on ensuring that consideration of risks is embedded into policy approval (Strategic) and into service delivery (Operational).

The agreed roles and responsibilities within the risk management framework at Lichfield District Council are outlined in the table below.


Group / Individual: Role

Leadership Team

• Provide leadership for the process to achieve the culture change.

• To update the risk management strategy annually and support its implementation of agreed changes.

• Initiate, agree, monitor and review the Corporate Risk Register.

• To be ultimately and collectively responsible for the risk management process.

• To review the corporate risk register and the effectiveness of actions put in place by Directors to manage corporate risks on a quarterly basis.

• To ensure all risks identified within the Corporate Risk register are effectively managed.

• To ensure all severe risks are reviewed regularly in line with an up to date risk management plan.

• To reduce the impact of risks that are likely to occur.

• To identify a budget for on-going risk management refresher training.

• To ensure that risk management is a standard agenda item on team meetings.

Audit Committee

• Monitor the effectiveness of Corporate Risk Management arrangements, including the actions taken to manage risks and to receive regular reports on Risk Management.

• To monitor action being taken by the Council to mitigate the impact of potentially serious risks.

Executive / Executive Members

• To provide strategic direction with regards to risk management in particular the Risk Management Strategy.

• To consider risk management within service provision in the directorates as per their portfolio.

Strategic Directors and Directors

• To identify and manage business / Operational risks.

• To ensure risk management methodology is applied to all Projects, Partnerships and Proposals within their directorate.

• To ensure risk management methodology is applied at Corporate, Directorate and Service levels.

• Provide leadership for the process to achieve the culture change.

• To embed risk management throughout their Directorate.

• To review and update their directorate risk registers at least quarterly.

• To ensure quarterly service reviews on risk management and half yearly reports to Leadership team which will inform the Corporate Risk Register, the budget process and the Strategic Plan.

• To ensure that risk management has been explicitly considered in framing Service Plans.

• To assess the wider implications of directorate risk assessments and feeding information to leadership team for consideration as corporate key risks.

• To reduce the impact of risks that are likely to occur.

• To feed new key risks identified, such as from new projects arising or new partnership working to the Operational Risk Register and where appropriate notify leadership team for inclusion into the Strategic Risk Register.

• Make arrangements for embedding risk management throughout their Directorate, which will assist them in providing assurance to Leadership Team and the Chief Executive.

• Reporting, on a quarterly basis, to Leadership Team and to Executive regarding progress with strategic risks.

• To ensure that employees attend appropriate risk management training to assist in the implementation of this strategy.

• To ensure that risk management is a standard agenda item on team meetings.

Directorate Risk ‘Champions’

• To support Directors in the overall management of the Directorate Risk Registers.

• To provide the link to Service Managers and ensure their service level risk registers are maintained.

Service Managers

• To identify, analyse, profile and prioritise service / operational risks.

• To review and update their service risk registers at least quarterly.

• To determine action on service / operational risks.

• To incorporate risks / action plans into the annual service plans.

• To delegate responsibility as appropriate for control of risks.

• To feed new key risks identified, such as from new projects arising or new partnership working to the Strategic Directors / Director for consideration as to the need for their inclusion to the Strategic Risk Register.

• To monitor progress on managing risks.

• To report on the service / operational risk management process to their Strategic Directors / Directors.

• To ensure that risk management is a standard agenda item on team meetings.

Strategic Director Organisational Development

• To act as the Council’s “Officer Champion” for risk management activities.

• To act as the key provider of leadership for the process to achieve culture change and the promotion of the robust risk management process.

Portfolio Holder Organisational Development

• To act as the designated “Member Champion” for risk management activities.

Chief Executive and Leader of the Council

• Provide leadership for the process to achieve the culture change.

• Monitoring/reviewing the Corporate Risk process, including the maintenance of the Corporate Risk Register.

• To sign the annual Statement of Internal Control.

Employees

• To maintain awareness of the impact and costs of risks.

• To manage risk effectively in their job and to report risks and opportunities to their managers.

• To be proactive in risk management issues through team meetings and PDR’s etc.

Risk and Resilience unit

• To develop the risk management framework, strategy and process in accordance with best practice.

• To provide advice and support to the Strategic Risk Management Group, Leadership Team and service managers regarding the identification, analysis, profiling and prioritisation of risks.

• To provide risk management training as appropriate to officers and members.

Members

• Overview role via Audit Committee, Regulatory Committees, and the Overview and Scrutiny process.

• Also involved in other roles such as their membership of project boards/accountable bodies.

Strategic Risk Management Group

Terms of Reference:

• To promote understanding of the management of risk in accordance with best practice, throughout the District Council.

• Ensuring that there are robust processes in place to implement risk management actions across the District Council.

• To assist with the ongoing development and review of the corporate risk management strategy and methodology.

• The Strategic Risk Management Group will also work closely with the officers identified by Directors to promote a risk aware culture and embed risk management throughout the District Council. The Strategic Risk Management Group can advise and assist on project management where appropriate and advise on the corporate process. The Group will develop practical approaches for implementing risk management. The Group shall comprise of those identified at Section 16.

Internal Audit

• To provide assurance on the risk management framework and processes as well as how well risk management is embedded within the Council.

For the Strategy to be effective there must be commitment throughout the District Council. The District Council and its Directors will demonstrate their commitment to change by identifying, profiling and prioritising corporate and cross-cutting risks.

This involvement from the top will set the style and tone for a cascade down the organisation. This top-down cascade will then meet the day to day operational control of risk by all involved in service delivery from the bottom-up.

6. Principal Categories of Risk

To help define and categorise risks it is useful to have an overall set of risk categories, these are identified as follows:

• Reputation
• Customer / Citizen
• Social
• Competitive
• Environmental
• Legislative / Regulatory
• Economic
• Technological
• Political
• Physical
• Managerial / Professional
• Legal
• Financial
• Partnership / Contractual
• Human Resources


7. Strategic/Business and Operational Risks

The categories listed above can influence both strategic and operational pressures. The table below shows EXAMPLES of what type of issues may exert pressures both at a strategic and operational level.

STRATEGIC / BUSINESS

Strategic risks primarily concern the Council’s medium and long-term objectives. Accordingly, the authority will ensure that risk management is properly taken into account when formulating and approving Council policies. This may be issues such as:

• Political: Associated with failure to deliver either local or central government policy, or to meet the local administration’s commitments.

• Economic: Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (i.e. interest rates, inflation etc), or the consequences of proposed investment decisions.

• Social: Relating to the effects of changes in demographic, residential or socio-economic trends on the Council’s ability to deliver its objectives. Also relates to the risks of not being fair and equitable and the need to recognise the needs of all sectors of the community.

• Associated with the capacity of the Council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failures on the Council’s ability to deliver its objectives.

• Associated with current or potential changes in national or European law (e.g. the appliance or non compliance of TUPE regulations).

• Relating to the environmental consequences of progressing the Council’s strategic objectives (e.g. in terms of recycling, energy efficiency, pollution, emissions etc).

• Affecting the competitiveness of the service (in terms of cost or quality) and / or its ability to deliver best value.

• Associated with failure to meet the current and changing needs and expectations of customers and citizens.

OPERATIONAL

Operational risks concern the day to day issues confronting the Council as it seeks to deliver its strategic objectives. Risk management will therefore be properly taken into account in planning and implementing services.

• Managerial / Professional: Associated with the particular nature of each profession (eg housing service concerns as to the welfare of tenants).

• Financial: Associated with financial planning and control of adequacy of insurance arrangements.

• Legal: Related to possible breaches of legislation.

• Associated with current or potential changes in national or European law (e.g. the appliance or non compliance of work equipment regulations etc).

• Relating to reliance on operational equipment (e.g. IT systems, equipment or machinery).

• Associated with the failure of contractors to deliver services or products to the agreed cost and specification.

• Relating to pollution, noise or energy efficiency of ongoing service operation.

• Related to fire, security, accident prevention and health and safety.

• Associated with staffing issues (e.g. recruitment / retention, sickness management, change management

Technological

Legislative / Partnership / Contractual

Human Resources

Environmental

Technological

Regulatory

Environmental

Physical Competitive

Customer / Citizen

Page 17: PERFORMANCE REPORT – Adoption of revised Risk Management

13

etc) 9 Identifying Risks This involves identifying potential rtunities and risks relating to the

iev l’s objectives. These may arise because of the eneral environment in which we are operating or in relation to specific decisions

d and brought into the risk profile as appropriate.

as llows:

identifying risks annually within service plans • At the planning stage / initiation of a new project, partnership or proposal.

yee ager or Health & Safety

• uncil’s external auditors

cidents, incidents and near misses internally or by external consultants

ed from various sources

10

oppoach ement of the Councigbeing made or options being considered. All types and categories of risk should be considered at this stage.

Risk identification should be carried out using service objectives (or the objectives of the project). This stage can be repeated regularly to ensure that new risks arising are identifie The Council recognises that no one person is responsible for identifying key risks. Risks are identified at various levels and in various ways, including fo

• By identifying risks associated with achieving the Strategic Plan. • By

• By individual directors, managers, supervisors or any other emplo• By the Council’s Insurance Officer, Audit Man

Manager • Through Health & Safety meetings at various levels • At Leadership Team meetings

By the Co• By the Council’s insurance provider • By considering the causes of ac• By ad hoc risk reviews undertaken • By risk management literature receiv• Through discussion at individual team meetings • From the results of inspections undertaken • By examining complaints received. Recording Risks – Risk Registers

prioritising, control

to the Council’s services and ctivities, including projects and partnerships. Responsibility for preparing,

Risk Registers are a primary tool to administer the recording, monitoring, review and auditing of significant risksaacting on, updating and revising Risk Registers is as follows:

Strategic Risk Register: Leadership Team

Operational Directorate and Service Risk Registers : the appropriate Strategic ir own management teams Director / Director with the assistance of the

Page 18: PERFORMANCE REPORT – Adoption of revised Risk Management

14

For individual Project Risk Registers: the officer identified as operationally responsible for the project.

For Partnership Risk Registers: the officer or the lead partner who is identified as operationally responsible for the project. (The officer operationally responsible for this authority’s participation should ensure this arrangement at the outset, and should monitor the Project Risk Register on behalf of Lichfield District Council. He/she should liaise with his/her line manager in the event of inadequate progress).

For Proposal Risk Registers: the officer identified as operationally responsible for the project.

Risk Registers are working documents and will be reviewed and updated on a regular basis as changes in risk are identified.

11 Recording Risks – Committee Reports

All Council activities involve a level of risk. Any proposal coming forward to the Council for consideration and approval must identify:

• The risks to the Council’s strategic delivery through the proposal.
• The controls necessary to mitigate the action of such risks.

This will give a consistent format for reporting risk, which is not currently evident. As such it is a requirement that all committee reports include a completed section that highlights the risks in relation to the Council’s business.

Any information contained within the risk management section of the report will be able to be easily transferred to the operational risk register as required.

The format for the Risk Management section for committee reports is enclosed as Appendix 8

12 Recording Risks – Use of technology

The Covalent system being web based has the advantages that it is accessible from a wide variety of locations and provides simple means by which reports can be communicated and published internally or externally. Its hierarchy of permissions and security provides reassurance that information is held securely but remains accessible. It maintains electronic audit trails of changes and amendments which supports performance monitoring of activities related to the routine updates of identified risks. The standardisation of the system provides the organisation with a simple format to ensure consistency of approach throughout the Council.

The system shall be used for the recording and management of all Corporate and directorate/service project/partnership risks. Risks shall not be managed or recorded outside of this system without the agreement of the relevant Director, and should in any event be recorded as an exception. In the longer term the system’s more advanced functionality such as for the score carding and weighting of baskets of risks is expected to be used to improve the maturity of the Council’s approach.

The system also maintains the Council's records in relation to action planning and performance indicators. The functionality is such that actions, risks and indicators can be cross referenced to provide a 'virtuous circle' and for example a specific risk may generate a set of linked actions with associated measures which all can be held in one place and managed holistically, this provides a means by which risk can truly be embedded with the workings of the organisation.

13 Methods of Controlling Risks

Prompt action will be taken to control risks falling into the “Severe” category and action plans will be developed to reduce the threat of these risks, so bringing them within the “Material” category.

“Material” risk will also receive appropriate attention where this is cost effective.

“Low” risks may also receive attention where cost-effective and will be kept under review.

Each risk will be addressed in whichever of the following ways is most appropriate:

Acceptance: Tolerate the risk – perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level.

Reduction: Treat the risk – take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact to acceptable levels. Actions can be:

• Preventative, such as physically restricting access to hazardous chemicals, insisting on two signatories, implementing authorisation limits etc.

• Detective, such as quality checks, alarms, exception reports, accident reports, financial reports such as budget monitoring reports, insurance claims are a further example. These will show when something has gone wrong – perhaps a trigger event that can then alert you that the risk event is becoming more likely to occur.

• Directive, such as procedure manuals, guidance notes, instructions, training. These advise on how to carry out processes safely but if they are not adhered to they will not prevent risk events occurring.

Prevention: Terminate the risk – by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact.

Transference: This is a specialised form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue. Not all risks can be transferred this way.

Elimination: Ceasing to carry out the activity because preventing or reducing it would not reduce the risk to an acceptable level

Contingency: These are actions planned and organised to come into force as and when the risk occurs.

14 Communication

The responsibility for ensuring up to date versions of the Risk Management Strategy and guidance notes are available will be with the Risk and Resilience Unit.

The Risk Management Strategy will be available on the Council’s Internet and intranet sites. In addition paper copies or electronic versions can be obtained by contacting the Risk and Resilience Unit at the District Council House, Frog Lane, Lichfield.

Note: As indicated above, the Council wishes to be as transparent as possible in the way in which it manages its risks. However, there is an acceptance that for a variety of reasons including such matters as commercial confidentiality that the Council may on occasion reserve its right not to publish some parts of its registers.

15 Training

All relevant employees are required to have a suitable level of training in Risk Management that enables them to apply the principles laid out within this document to everyday activities. The basic level of training required is as follows:

Leadership Team*: Half day Strategic Risk Management awareness. Refreshed every 3 years.

Managers*: One Day Strategic and Operational Risk Management (STORM) training. Refreshed every 3 years.

Executive / Members*: Risk Management Member development training refreshed following each election.

Employees: Information leaflet issued upon recruitment and reissued every 3 years.

*Training sessions will be scheduled annually to ensure new recruits within these roles are trained in risk management practices within a suitable time frame.

16 Risk Management Strategy Group (membership)

The Risk Management Strategy Group will be chaired by the Strategic Director, Organisational Development (or nominated representative) and incorporate the following employees:

• Director of Finance, Revenues and Benefits (or nominated representative)
• Policy and Performance Manager
• Health and Safety Manager;
• Insurance Officer;
• Audit Services Manager;
• Directorate Risk Champions (6)
• IT Manager;
• Property Services Manager;

17 List of Appendices

Appendix 1 - Risk Management Methodology
Appendix 2 - Risk Management Process Flowchart
Appendix 3 - Action Plan for Implementing the Risk Management Strategy
Appendix 4 - Corporate Risk Register Format
Appendix 5 - Program Risk Management Risk registers
Appendix 6 - Risk Management Action Plan (sample format)
Appendix 7 - Management Calendar
Appendix 8 - Committee Report Format

Appendix 1

Risk Management Methodology

November 2006


Introduction

Lichfield District Council has a Risk Management Policy Statement and a Risk Management Strategy. These are companion documents to this document, which describes the methodology to be used within Lichfield District Council. There are seven elements to be carried out:

• Identify the potential risk
• Analyse the risk
• Profile the risk according to likelihood and impact
• Prioritise the action to be taken based on the Council’s appetite for or tolerance to risk and the availability of resources
• Determine the best course of action for the Council
• Control the risk, once appropriate action has been decided for each risk, by taking action to minimise the likelihood of a risk occurring and/or reducing the severity of the consequences should it occur
• Monitor and report on progress of managing risk – not just the ones being controlled but the whole spectrum of risks in the risk profile. In addition to internal reporting, external stakeholders will need to know how risks have been managed and how effective that management is in practice

1 Identifying the Potential Risks

This involves identifying potential opportunities and risks relating to the achievement of the Council’s objectives. These may arise because of the general environment in which we are operating or in relation to specific decisions being made or options being considered. All types and categories of risk should be considered at this stage.

Risk identification should be carried out using service objectives (or the objectives of the project). This stage can be repeated regularly to ensure that new risks arising are identified and brought into the risk profile as appropriate. The Council identifies risk at various levels and in various ways, including as follows:

• By individual directors, managers, supervisors or any other employee
• By the Council’s Insurance Officer, Head of Internal Audit or Health & Safety Manager
• Through Health & Safety meetings at various levels
• At Leadership Team meetings
• By the Council’s external auditors
• By the Council’s insurance provider
• By considering the causes of accidents, incidents and near misses
• By ad hoc risk reviews undertaken internally or by external consultants
• By risk management literature received from various sources
• Through discussion at individual team meetings
• From the results of inspections undertaken
• By examining complaints received.

2 Analyse the Risk

This is the process of reviewing the risks identified so that similar risks can be grouped and classified according to the likelihood of them occurring and the impact they would have.

Measures of likelihood

Description: Example Detail Description

High: Almost certain, is expected to occur in most circumstances. Greater than 80% chance.

Significant: Likely, will probably occur in most circumstances. 50% - 80% chance.

Medium: Possible, might occur at some time. 20% - 50% chance.

Low: Unlikely, but could occur at some time. Less than 20% chance.

Measures of Impact

Description: Example Detail Description

High: Critical impact on the achievement of objectives and overall performance. Critical opportunity to innovate/improve performance missed/wasted. High impact on costs and/or reputation. Very difficult to recover from and possibly requiring a long term recovery period.

Significant: Major impact on costs and objectives. Substantial opportunity to innovate/improve performance missed/wasted. Serious impact on output and/or quality and reputation. Medium to long term effect and expensive to recover from.

Medium: Waste of time and resources. Good opportunity to innovate/improve performance missed/wasted. Moderate impact on operational efficiency, output and quality. Medium term effect which may be expensive to recover from.

Low: Minor loss, delay, inconvenience or interruption. Opportunity to innovate/make minor improvements to performance missed/wasted. Short to medium term effect.

The descriptions are applied as follows:

• Firstly the likelihood and impact of the risks identified will need to be considered based on an evaluation of the effectiveness of existing controls to give the risk now.
• Then there will need to be consideration of what the target risk is. This is the level of risk that you are aiming to manage the risk down to, over time with any added controls that may be introduced.

3/4 Profile and Prioritise Action / Risk toleration

The Council’s risk toleration is based upon the likelihood and impact of risks. Firstly the likelihood and impact of the risks / opportunities identified will need to be considered as if no controls exist – this will give the inherent risk. Secondly the likelihood and impact of the risks will then need to be considered based on an evaluation of the effectiveness of existing controls to give the residual risk now. Then there will need to be consideration of what the target risk is. This is the level of risk that you are aiming to manage the risk down to, over time.

Once the inherent risks have been classified they need to be mapped onto the matrix as shown in this example. The colours are a “traffic light” system that will show how controls in place have influenced where residual risks now are mapped. For example, the inherent risk could place a risk within the red zone, but because controls in place are evaluated as being effective and consistently applied the residual risk could fall within the yellow or green zone. The mapping will need to be repeated to record the inherent, residual and target risks.

Example risk matrix (LIKELIHOOD on the vertical axis; IMPACT on the horizontal axis, running Low, Medium, Significant, High). Risk numbers plotted in each likelihood row:

High: 7, 8
Significant: 1, 2, 11
Medium: 9, 12, 10
Low: 3, 5, 6, 4

Risk Toleration Table

Once the risks have been plotted onto the matrix (as above) the requirement for further action is based on the following agreed risk toleration table. The table identifies at what level of risk the Council will take additional action.

Key:

Severe: Immediate control improvement to be made to enable business goals to be met and service delivery maintained/improved. Action Plan to be completed.

Material: Close monitoring to be carried out and cost effective control improvements sought to ensure service delivery is maintained. Action Plan to be completed.

Tolerable: Regular review, low cost control improvements sought if possible.

5/6 Determination and Control of risks

This aspect of the process involves:

• Assessing whether to accept, reduce, prevent, transfer or eliminate the risk, or agree contingency measures if and when the risk occurs, or how to respond to the opportunity, based on the availability of resources;
• Documenting the reasons for the decision taken;
• Implementing the decision;
• Assigning ownership to manage the risks / opportunity to specific officers; and
• The completion of an Action Plan detailing existing controls, an assessment of their effectiveness and what further controls are needed, along with who is responsible for the actions (Appendix 3)

Controls are the tools that managers use to manage their services. They are the methods used by managers to assure them that they are achieving their business aims and service objectives and that the service is being provided in the most efficient and effective way. The cost and robustness of existing or additional controls is a key consideration at this point and needs to be balanced against the potential consequences (reputational, financial or otherwise) if the event occurred.

Actions: Definition

Acceptance: Tolerate the risk – perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level.

Reduction: Treat the risk – take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact to acceptable levels. Actions can be:

• Preventative, such as physically restricting access to hazardous chemicals, insisting on two signatories, implementing authorisation limits etc.

• Detective, such as quality checks, alarms, exception reports, accident reports, financial reports such as budget monitoring reports, insurance claims are a further example. These will show when something has gone wrong – perhaps a trigger event that can then alert you that the risk event is becoming more likely to occur.

• Directive, such as procedure manuals, guidance notes, instructions, training. These advise on how to carry out processes safely but if they are not adhered to they will not prevent risk events occurring.

Prevention: Terminate the risk – by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact.

Transference: This is a specialised form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue. Not all risks can be transferred this way.

Elimination: Ceasing to carry out the activity because preventing or reducing it would not reduce the risk to an acceptable level

Contingency: These are actions planned and organised to come into force as and when the risk occurs.

7 Monitoring progress

This is a key stage of the risk management process. It is necessary to monitor the action plans developed at stage 4 above and to regularly report on the progress being made in managing risks / taking advantage of opportunities so that the achievement of business aims and service objectives is maximised and losses are minimised.

In addition there needs to be an assessment of the effectiveness of risk management actions put in place to reduce the likelihood/impact of adverse risk events occurring. Alternative action will need to be taken if the initial action has proved ineffective.

Monitoring should take place at service level on at least a quarterly basis, and more frequently if there are many changes or the project is progressing rapidly or the project is deemed to be high risk. If the project is high risk then it should be referred regularly to the Strategic Risk Management Group for review and any assistance. A management calendar is attached as Appendix 7 that clearly identifies when actions are required during the annual risk management cycle.

Appendix 2

RISK MANAGEMENT PROCESS

(Flowchart. The text of its boxes and labels is listed below.)

Pressures: Technological; Competitive; Legal; Economic; Political; Social; Environmental; Managerial / Professional; Financial; Legislative / Regulatory; Physical; Customer / Citizen; Reputational; Human Resources; Partnership / Contractual

Leadership Team: Set Strategic Plan and Budget Requirements.

Audit Committee: Annual report on updated risk register. Interim report on progress for severe risks. Ad hoc reports where necessary.

Risk Management Strategy Group:
• To work closely with the officers identified by Corporate Directors to promote a risk aware culture and embed risk management throughout the District Council. To advise and assist on project management where appropriate and advise on the corporate process. The Group will develop practical approaches for implementing risk management.

Severe Items

Material / Tolerable

Strategic Risk Identified

Risk Owner completes action plan to manage risks

Relevant Strategic Director add risk to Operational Risk Register

Operational Risk Identified

Material / Tolerable

Directorate / Departmental Management to review and manage risk

Severe Items

Risk Owner completes Action Plan to manage risks

Leadership Team: Add it to the Corporate Risk Register (May) and (Nov).

Leadership Team: Annual report on updated risk registers. Quarterly review of Strategic Risk Register. Interim reports on progress for severe risks. Ad hoc reports where necessary.

Executive: Annual report on updated risk register. Interim report on progress for severe risks.

Appendix 3 Action Plan for implementing the Risk Management Strategy.

Milestone: Directorates/Services refine risks already identified where they are too broad, so that they can be actively managed.
Target date: November 2006 (Covalent)

Milestone: Introduce divisional risk champions and develop divisional risk profiles, where these do not already exist.
Target date: November 2006

Milestone: Develop service unit / business unit risk profiles where these do not already exist.
Target date: November 2006

Milestone: Develop project risk profiles, as appropriate, where these do not already exist.
Target date: November 2006 to April 2007

Milestone: Deliver Risk Management Training for risk champions / members of the Risk Management Strategy Group.
Target date: February 2007

Milestone: Deliver Refresher Training to Leadership Team on Risk Management Issues
Target date: February 2007

Milestone: Deliver Risk Management Training to all Managers
Target date: April 2007 to March 2006

Milestone: Include risk management in staff induction. An information leaflet explaining what risk management is and the role employees play will be issued to all current employees when the strategy is issued. Any new employees will be issued with the information leaflet upon induction.
Target date: April 2007

Milestone: Directorates/Services to clearly identify existing controls regarding the risks identified, and the degree to which they are consistently applied.
Target date: Monthly (Covalent)

Milestone: Directorates/Services to evaluate existing controls for the degree of mitigation the controls provide and if further control is desirable.
Target date: Monthly (Covalent)

Milestone: Directorates/Services calculate the cost of improving controls to provide greater mitigation to establish if further control would be cost effective.
Target date: Monthly (Covalent)

Milestone: Directorate key risks reviewed and new significant risks fed into the corporate risk register on a quarterly basis.
Target date: Quarterly

Milestone: Leadership Team monitors agreed corporate actions and assesses additions/deletions to corporate risk register on a quarterly basis.
Target date: Quarterly

Milestone: Directors give assurance to Chief Executive regarding internal control, including the management of key risks, within their area of service delivery.
Target date: Annually

Milestone: Directors to ensure that risk identification is intrinsically linked to service plan objectives.
Target date: 2006/7 service plans and in subsequent years.

Milestone: Directors to include performance on managing risks within performance monitoring of Service Plans and of senior officers’ performance contracts/plans.
Target date: 2006/7 performance contracts/plans and in subsequent years.

Milestone: Statement on Internal Control (incorporating risk management) made by Leader and Chief Executive, approved by Members and published in Statement of Accounts
Target date: Published in Statement of Accounts June 2007

Milestone: Improve learning from insurance claims where appropriate.
Target date: Ongoing

Milestone: Use the knowledge and expertise of the Health and Safety Manager where appropriate.
Target date: Ongoing

Milestone: Incorporate elements of the Emergency Plan where appropriate.
Target date: Ongoing

Appendix 4 Lichfield District Council

Corporate Risk Register – (Date)

Headings to be used in the Corporate and Directorate/Service Risk Register report are set out below and can be automatically generated and refreshed from the Covalent system.

Risk Code & Title

Description Traffic Light

Management Icon

Approach To Risk

Current Risk Matrix

Target Risk Matrix

Responsible Organisational Unit

Managed By

Assigned To

Portfolio Owners


Appendix 5 Lichfield District Council

Programme Risk Management Risk Register

For assessing Likelihood and Impact: H = High; S = Significant; M = Medium; L = Low
For Rating: S = Severe; M = Material; T = Tolerable

Column headings:

• Description of Risk Identified and Risk Owner
• Likelihood (H, S, M, L)
• Impact (H, S, M, L)
• Rating (S, M, T)
• Type of Action Required
• Description of Current Controls/mitigation in place and date when Controls were last reviewed and reported
• Further Controls Proposed and Date for Implementation
• Residual Risk Rating (S, M, T)

1.

2.

3.

Appendix 6 Lichfield District Council RISK MANAGEMENT PLAN – (Sample format)

Risk Register Number and Risk owner:

Inherent Risk Likelihood/Impact

Residual Risk Likelihood/Impact

Objective the risk or opportunity is linked to or arises from:

Residual risk accepted? Y/N

If residual risk not accepted what approach has been agreed? Control risk Modify risk Transfer risk Eliminate risk

Consequences if the risk event occurred or the opportunity is missed:

Target risk Likelihood/Impact

Description of risks that could prevent the objective being met/opportunities that could be missed:

What main controls are currently in place? Who is responsible for each main control? What action is being taken relating to each main control? When was the last check of the effectiveness of the main controls in place carried out and who were the results reported to?

What further action is to be taken to control, modify, transfer or eliminate the residual risk? Who is to take this further action? When will the further action occur?


Appendix 7

Management Calendar

Activity Who Frequency January February March April May June July August September October November December

Activity: Departmental Risk Scenarios review
Who: Directors/ Managers
Frequency: Ongoing

Activity: Include Risk on monthly Departmental Team Meetings
Who: Directors/ Managers
Frequency: Ongoing

Activity: Departmental Risk Register Review
Who: Directors/ Managers
Frequency: Quarterly

Activity: Nominated Officer to report to Strategic Risk Management Group any changes to Risk Register
Who: Directorate/ Service Nominated Officers
Frequency: Quarterly

Activity: Review and Report Risk Register to Leadership Team
Who: Strategic Risk Management Group/ Leadership Team
Frequency: Half Yearly

Activity: Report to Executive/Audit Committee Interim review
Who: Leadership Team /Executive
Frequency: Half Yearly

Activity: Report to Executive on Corporate Risk Register (Severe risks) - an annual report to coincide with Budget Setting and Strategic Planning process
Who: Leadership Team /Executive
Frequency: Annually

Activity: Risk Assessment of major projects and new or significant risks
Who: Risk Management Group/Specific Dept/ Leadership Team
Frequency: Ad Hoc

Appendix 8

Format for inserting Risk Management information into Committee Reports

Risk Likelihood/ Impact

Risk Category Countermeasure Responsibility