PERFORMANCE REPORT – Adoption of revised Risk Management ...


PERFORMANCE REPORT – Adoption of revised Risk Management Strategy

EXECUTIVE
Date: 7th December 2006
Agenda Item: 9
Contact Officer: Rita Wilson 01543 308101, Steve Langston 01543 308119
KEY DECISION: NO

REPORT OF THE DEPUTY LEADER OF COUNCIL AND ORGANISATIONAL DEVELOPMENT PORTFOLIO HOLDER

RISK MANAGEMENT STRATEGY

1. Purpose of Report

1.1 To seek Executive approval for the adoption of the new Risk Management Strategy.

2. Recommendation

2.1 That the Executive approves the Risk Management Strategy and agrees to its implementation as Council Policy.

3. Community Impact

3.1 The sound management of risk ensures that the ability to deliver corporate ambitions and priorities which secure community benefits is maximised.

4. Statement of Reasons

4.1 The Strategic Plan 2004/8 sets out clear objectives in terms of risk management as part of the top priority of ‘getting better at forward planning and being performance driven’. The task set within the year three action plan was as follows: ‘Take forward risk management procedures including a clear linkage of strategic planning and risk management into service planning and team level activities and planning for business continuity.’

4.2 The new Risk Management Strategy supports this priority by providing the framework to support the Council and ensure that risk management activities are embedded in its operation.

4.3 It should also be noted that the sound management of risk is an important factor used by inspectors and auditors in assessing how well a Council is managed. Having robust risk management procedures in place will therefore also support the Council’s drive to continuous improvement as measured through such means as the Comprehensive Performance Assessment process and the ongoing Use of Resources Assessment with its focus on internal controls.

4.4 The Audit Commission specify that the Council should ensure that all employees and Members take appropriate action to ensure that corporate risks are being actively managed. The revised Strategy emphasises the role of employees during day to day activities as well as the role of Members who have an overview role via Audit Committee, Regulatory Committees, as Portfolio Holders and through the Overview and Scrutiny process. It is essential that Members understand the importance of assessing the risks to the Council’s operations and ability to deliver on priorities, to ensure that the right actions are being taken to control those risks.

5. Any Alternative Options

5.1 The Council has set itself the top priority outlined above and as such there is no other way that the priority could be delivered without a revised Risk Management Strategy in place.

6. Consultation

6.1 The Strategy is very much an internally focussed document designed to support the management processes. Therefore there has been a focus on seeking the views of key officers and Members to improve the Strategy. There has also been a dialogue with colleagues from other authorities and other agencies to help inform the Strategy and pick up on best practice.

7. Financial Implications

7.1 The delivery of the Strategy can be resourced from within the allocated budgets.

7.2 Sound risk management is especially important in relation to financial management. Effective risk management therefore protects the authority from a range of financial risks at the corporate, service, project or partnership levels.

8. Strategic Plan Implications

8.1 The strategy supports the delivery of the top priority identified at 4. above.

9. Sustainability Issues

9.1 The Strategy will aid the Council in assessing and managing risks related to sustainability.

10. Human Rights Issues

10.1 The strategy will aid the Council in assessing risks related to potential contraventions of Human Rights issues and therefore assist in the prevention of any negative impact from the Council’s activities.

11. Crime and Community Safety Issues

11.1 The Strategy will aid the Council in assessing risks related to Crime and Community Safety and support improvement in this area.

12. Risk Management Issues

12.1 The Strategy is the fundamental vehicle by which the Council will meet its objectives related to risk management. It sets out the policies and procedures the Council will use to manage risk across the authority and identifies the key roles and responsibilities in relation to risk management.

12.2 The Executive will be aware that the new Strategy is attached at Appendix A and consolidates previous practice and emerging requirements. The Risk Management Strategy will continue to be reviewed and updated annually.

12.3 It is however worth drawing to attention a number of key improvements and benefits that the Strategy brings, as it consolidates a number of requirements essential to manage the activities of the Council in a business sense. Members’ attention is drawn to:

• The establishment of a Risk and Resilience Team earlier in the year which focuses the Council’s risk related resources in a single area responsible for the delivery of the Strategy. The Team pulls together knowledge and experience in such matters as Health and Safety, Insurance, Business Continuity and Civil Contingencies.
• ‘Risk Champions’ at Senior Officer and Member level are identified.
• The Strategy clearly sets out the roles and responsibilities at Officer, Member and Committee level and provides a set of processes, procedures and definitions which permit consistent standards to be met in the management of risk. It addresses the needs to identify corporate and operational risks and opportunities, assess likelihood and impact, identify mitigating controls and assign responsibility.
• The Strategy supports the further embedding of risk management into key activities such as strategic planning, financial planning, policy making and review as well as wider performance management.
• The Strategy sets out clear timescales for the reporting of risk issues back to Members.
• The Strategy sets out timescales for the regular review of risk registers and ensures that strategic, operational, project and partnership risks are identified and managed.
• The investment in 2004/5 in a performance management system (Covalent) gives us the opportunity to join together risk management, action planning and performance measurement. This provides the basic tool to hold risk registers, action plans etc., assign responsibilities and cross reference to corporate ambitions and priorities.
• The Strategy affords means by which the Council not only monitors negative risk, but also enables it to pick up positive opportunities.
• The Strategy addresses the training needs at Officer and Member level.

Background Documents:
Appendix A: Risk Management Strategy

Risk Management Strategy
November 2006

“Risk Management in Lichfield District Council is all about managing our business threats and opportunities and creating an environment of ‘no surprises’”.

“Risk management is the identification, analysis and economic control of those risks which might prevent an organisation achieving its objectives”.

“Risk management is not about insurance – not least because over 80% of risks faced by organisations are not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control”.

Risk management is not simply a compliance issue, but rather a way of viewing our operations with a significant impact on long-term viability. It is critical to success and is a focal point for senior management and Members. It helps us to demonstrate openness, integrity and accountability in all of our dealings.

RISK MANAGEMENT POLICY STATEMENT

Lichfield District Council Risk Management Policy Statement

Our Risk Management Policy is drawn up within the context of the District Council’s ambitions and overall focus. We are focussed on ‘dramatically improving services’ and ‘leading and shaping the growth of the district’. This supports our ambitions of:

• Providing a clean safe and sustainable environment
• Delivering a thriving economy
• Making the district a good place to live
• Delivering a better quality of life
• Working together through a Joint Effort

These ambitions are delivered through our top 12 priorities:

• Progressing the work on our two urban centres
• Improving the quality of life in our villages
• Tackling deprivation and reducing health inequalities
• Balancing our housing market
• Involving the community in setting the district agenda
• Shaping the growth of our district
• Feeling Safe in Lichfield District
• Enhanced community leadership
• Putting customers first
• Delivering the improvements in prioritised services
• Getting better at forward planning and being performance driven
• Taking forward our Organisational Improvement Plan

These priorities and ambitions are set out in the District Council’s Strategic Plan (2004/8), and are underpinned by targets and milestones which are monitored through our Performance Management Framework, which covers the key areas of the Council’s activity.

The anticipation and assessment of risks to the delivery of these objectives and targets is a vital part of the District Council’s activities. The continuous improvement of our risk management is a sub priority under the overall priority of getting better at forward planning and being performance driven.

The District Council’s ambitions relate to the whole District. As a result they can be influenced by an enormous variety of risks. It would be impossible to identify all of those risks, so it is also important that there is a focus on getting early warning when risks become more imminent, or start to take effect.

The District Council is setting out its approach to risk management, which includes working with directorates and their constituent services on the improvement of risk management and internal control.

As part of the corporate governance agenda we prepare a Statement of Internal Control as part of our wider activities to improve management of resources and deliver value for money. This statement is signed by the Chief Executive and Leader of the District Council. It is validated through an audit process and through other inspections such as the annual Use of Resources Assessment.

The District Council sets out a framework which enables and encourages directorates to manage risks: that includes the requirement to produce a Statement of Internal Control; advice to directorates; and publication of the Risk Management Strategy and Methodology. Transparency and accountability is key to the process.

The framework for dealing with all these risks will be built on a regular process of risk assessment. This process identifies and scores key risk factors, and results in a corporate register of key risks and directorate/service registers of risks. This enables Leadership Team to review the strategic risks to the authority and service managers to maintain controls and plans which respond to those risks, and learn from experience.

This policy is fully supported by Members, the Chief Executive and the Leadership Team.

Signed    Chief Executive    Date
Signed    Leader of the Council    Date

1. Introduction

Risk management is an integral part of corporate governance and the Council formally adopted a framework for corporate governance at Council in October 2002. Corporate governance requires maintaining a sound system of internal control. Financial Regulations place responsibility with Directors for risk management and maintaining sound systems of internal control within their area of service delivery.

Implementation of the strategy will ensure that two types of risk are addressed:

• Direct threats – (damaging events) which could lead to a failure to achieve ambitions and deliver on priorities
• Opportunities – (constructive events) if exploited can offer an improved way of achieving objectives but which are surrounded by threats. Examples include areas such as partnership arrangements.

1.1 What is Risk Management?

Risk can be defined as the chance or possibility of loss, damage, injury or failure to achieve objectives being caused by an unwanted or uncertain action, event, or chain of events. Risk therefore includes a level of uncertainty of outcome (whether positive outcome or negative threat). Risk is ever present and some amount of risk taking is inevitable if the Council is to achieve its objectives.

Risk management involves having processes in place to identify and monitor risks, be able to access up to date and reliable information about risks, ensure the right balance of control in place to deal with risks; and a decision making process that is supported by a framework of risk analyses and evaluation. Risks should be managed in an integrated way at different key levels to manage interdependencies – strategic risk, operational risk and project risks.

A simple view of what risk management is trying to do is: Risk management is about making the most of opportunities (making the right decisions) and about achieving objectives once those decisions are made. This is achieved through transferring risks, controlling risks and living with risks.

Risk management is not just about insurance – not least because over 80% of risks faced by organisations are not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control.

1.2 Risk Maturity

Risk Maturity is “The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation’s objectives.” (Institute of Internal Auditors)

The level of risk maturity is considered in the following terms:

• Risk Naïve - (No formal approach developed for risk management.)
• Risk Aware - (Scattered silo based approach to risk management.)
• Risk Defined - (Strategy and policies in place and communicated. Risk Appetite (toleration) Defined.)
• Risk Managed - (Enterprise approach to risk management developed and communicated.)
• Risk Enabled - (Risk management and internal controls fully embedded into the operations.)

During an Audit in March 2006 Lichfield District Council was considered as ‘Risk Aware’ by Internal Audit. This revised Risk Strategy implements many of the recommendations from the Audit report and as such both commits and enables the Authority to move towards becoming ‘Risk Enabled’ with risk management being fully embedded within the Authority.

1.3 Risk Tolerance

The risk tolerance (appetite) is “the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.” (CIPFA). The risk tolerance table shown within the Risk Management Methodology (Appendix 1) shows the action levels according to the Council’s agreed risk tolerance. The Council will manage risks according to the risk tolerance by accepting, reducing, preventing, transferring or eliminating risks or designing contingency plans.

2. Key Elements of Effective Risk Management

There are two reasons effective risk management is essential for the Council:

• Support for Corporate Governance (CG being the system by which the Council directs and controls its functions and relates to the local community); and
• Support for business planning and decision making.

3. Risk Management Objectives

The Council's risk management strategy's objectives are to:

• Integrate risk management into the culture of the Council
• Manage risk in accordance with best practice
• Anticipate and respond to changing social, political, environmental and legislative requirements
• Prevent injury, damage and losses and reduce the cost of risk
• Raise awareness of the need for risk management by all those connected with the Council's delivery of services
• Ensure there are adequate arrangements for compiling the Council's annual Statement on Internal Control with governance and risk management arrangements to support it.

These objectives will be achieved by:

• Establishing clear roles, responsibilities and reporting lines within the Council for risk management
• Providing opportunities for shared learning on risk management across the Council
• Offering a framework for allocating resources to identified priority risk areas
• Reinforcing the importance of effective risk management as part of the everyday work of employees by offering training
• Incorporating risk management considerations into all levels of service planning
• Monitoring arrangements on an on-going basis
• Incorporating risk management considerations into partnership working and contractual arrangements
• Monitoring arrangements on an ongoing basis.

4. The benefits of having a risk management strategy

• Risk Management will alert the Leadership Team to the main service and financial issues. This will allow early and proportionate management handling.
• It contributes to better decision making, and the process of achieving objectives. When embedded within existing planning, decision taking and option appraisal processes risk management provides a basis for ensuring implications are thought through, the impact of other decisions, initiatives and projects are considered, and conflicts are balanced. This will influence success and improve service delivery.
• It provides assurance to members and management on the adequacy of arrangements for the conduct of business and the use of resources. It demonstrates openness and accountability to various inspectorate bodies and stakeholders more widely.
• It leads to greater risk awareness and an improved control environment, which should mean fewer incidents and other control failures. In some cases this can result in lower insurance premiums.

These are not intangible benefits. By identifying risks earlier, by making sure processes are not over engineered and are fit for purpose, and achieving a behavioural shift, risk management will be a process that will pay for itself many times over.

Our approach to risk management, which underpins the strategy and provides a vision of what we are aiming for, is summarised below:

“Risk Management in Lichfield District Council is all about managing our business threats and opportunities and creating an environment of ‘no surprises’”.

“Risk management is the identification, analysis and economic control of those risks which might prevent an organisation achieving its objectives”.

“Risk management is not about insurance – not least because over 80% of risks faced by organisations are not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control”.

“Risk management is not simply a compliance issue, but rather a way of viewing our operations with a significant impact on long-term viability.”

The long term aim is for risk profiles to be carried out at all levels of the organisation with each level feeding up to the next level to ensure that operational risks that could pose greater risks than strategic issues are not missed. A diagram showing our approach to risk management is attached as Appendix 2.

5 Roles and responsibilities and reporting lines

The importance of establishing roles and responsibilities within the risk management framework is pivotal to successful delivery. The focus must be on ensuring that consideration of risks is embedded into policy approval (Strategic) and into service delivery (Operational).

The agreed roles and responsibilities within the risk management framework at Lichfield District Council are outlined in the table below.

Group / Individual and Role

Leadership Team
• Provide leadership for the process to achieve the culture change.
• To update the risk management strategy annually and support its implementation of agreed changes.
• Initiate, agree, monitor and review the Corporate Risk Register.
• To be ultimately and collectively responsible for the risk management process.
• To review the corporate risk register and the effectiveness of actions put in place by Directors to manage corporate risks on a quarterly basis.
• To ensure all risks identified within the Corporate Risk register are effectively managed.
• To ensure all severe risks are reviewed regularly in line with an up to date risk management plan.
• To reduce the impact of risks that are likely to occur.
• To identify a budget for on-going risk management refresher training.
• To ensure that risk management is a standard agenda item on team meetings.

Audit Committee
• Monitor the effectiveness of Corporate Risk Management arrangements, including the actions taken to manage risks and to receive regular reports on Risk Management.
• To monitor action being taken by the Council to mitigate the impact of potentially serious risks.

Executive / Executive Members
• To provide strategic direction with regards to risk management in particular the Risk Management Strategy.
• To consider risk management within service provision in the directorates as per their portfolio.

Strategic Directors and Directors
• To identify and manage business / Operational risks.
• To ensure risk management methodology is applied to all Projects, Partnerships and Proposals within their directorate.
• To ensure risk management methodology is applied at Corporate, Directorate and Service levels.
• Provide leadership for the process to achieve the culture change.
• To embed risk management throughout their Directorate.
• To review and update their directorate risk registers at least quarterly.
• To ensure quarterly service reviews on risk management and half yearly reports to Leadership team which will inform the Corporate Risk Register, the budget process and the Strategic Plan.
• To ensure that risk management has been explicitly considered in framing Service Plans.
• To assess the wider implications of directorate risk assessments and feeding information to leadership team for consideration as corporate key risks.
• To reduce the impact of risks that are likely to occur.
• To feed new key risks identified, such as from new projects arising or new partnership working to the Operational Risk Register and where appropriate notify leadership team for inclusion into the Strategic Risk Register.
• Make arrangements for embedding risk management throughout their Directorate, which will assist them in providing assurance to Leadership Team and the Chief Executive.
• Reporting, on a quarterly basis, to Leadership Team and to Executive regarding progress with strategic risks.
• To ensure that employees attend appropriate risk management training to assist in the implementation of this strategy.
• To ensure that risk management is a standard agenda item on team meetings.

Directorate Risk ‘Champions’
• To support Directors in the overall management of the Directorate Risk Registers.
• To provide the link to Service Managers and ensure their service level risk registers are maintained.

Service Managers
• To identify, analyse, profile and prioritise service / operational risks.
• To review and update their service risk registers at least quarterly.
• To determine action on service / operational risks.
• To incorporate risks / action plans into the annual service plans.
• To delegate responsibility as appropriate for control of risks.
• To feed new key risks identified, such as from new projects arising or new partnership working to the Strategic Directors / Director for consideration as to the need for their inclusion to the Strategic Risk Register.
• To monitor progress on managing risks.
• To report on the service / operational risk management process to their Strategic Directors / Directors.
• To ensure that risk management is a standard agenda item on team meetings.

Strategic Director Organisational Development
• To act as the Council’s “Officer Champion” for risk management activities.
• To act as the key provider of leadership for the process to achieve culture change and the promotion of the robust risk management process.

Portfolio Holder Organisational Development
• To act as the designated “Member Champion” for risk management activities.

Chief Executive and Leader of the Council
• Provide leadership for the process to achieve the culture change.
• Monitoring/reviewing the Corporate Risk process, including the maintenance of the Corporate Risk Register
• To sign the annual Statement of Internal Control

Employees
• To maintain awareness of the impact and costs of risks.
• To manage risk effectively in their job and to report risks and opportunities to their managers.
• To be proactive in risk management issues through team meetings and PDR’s etc.

Risk and Resilience unit
• To develop the risk management framework, strategy and process in accordance with best practice.
• To provide advice and support to the Strategic Risk Management Group, Leadership Team and service managers regarding the identification, analysis, profiling and prioritisation of risks.
• To provide risk management training as appropriate to officers and members.

Members
• Overview role via Audit Committee, Regulatory Committees, and the Overview and Scrutiny process.
• Also involved in other roles such as their membership of project boards/accountable bodies.

Strategic Risk Management Group
Terms of Reference:
• To promote understanding of the management of risk in accordance with best practice, throughout the District Council.
• Ensuring that there are robust processes in place to implement risk management actions across the District Council.
• To assist with the ongoing development and review of the corporate risk management strategy and methodology.
• The Strategic Risk Management Group will also work closely with the officers identified by Directors to promote a risk aware culture and embed risk management throughout the District Council.
• The Strategic Risk Management Group can advise and assist on project management where appropriate and advise on the corporate process. The Group will develop practical approaches for implementing risk management.

The Group shall comprise of those identified at Section 16.

Internal Audit
• To provide assurance on the risk management framework and processes as well as how well risk management is embedded within the Council.

For the Strategy to be effective there must be commitment throughout the District Council. The District Council and its Directors will demonstrate their commitment to change by identifying, profiling and prioritising corporate and cross-cutting risks. This involvement from the top will set the style and tone for a cascade down the organisation. This top-down cascade will then meet the day to day operational control of risk by all involved in service delivery from the bottom-up.

6 Principal Categories of Risk

To help define and categorise risks it is useful to have an overall set of risk categories. These are identified as follows:

• Financial
• Partnership / Contractual
• Social
• Human Resources
• Environmental
• Political
• Legal
• Competitive
• Economic
• Managerial / Professional
• Legislative / Regulatory
• Technological
• Physical
• Customer / Citizen
• Reputation

7 Strategic/Business and Operational Risks

The categories listed above can influence both strategic and operational pressures. The table below shows EXAMPLES of what type of issues may exert pressures both at a strategic and operational level.

STRATEGIC / BUSINESS

Strategic risks primarily concern the Council’s medium and long-term objectives. Accordingly, the authority will ensure that risk management is properly taken into account when formulating and approving Council policies. This may be issues such as:

• Political: Associated with failure to deliver either local or central government policy, or to meet the local administration’s commitments.
• Economic: Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (i.e. interest rates, inflation etc), or the consequences of proposed investment decisions.
• Social: Relating to the effects of changes in demographic, residential or socio-economic trends on the Council’s ability to deliver its objectives. Also relates to the risks of not being fair and equitable and the need to recognise the needs of all sectors of the community.
• Technological: Associated with the capacity of the Council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failures on the Council’s ability to deliver its objectives.
• Legislative / Regulatory: Associated with current or potential changes in national or European law (e.g. the appliance or non compliance of TUPE regulations).
• Environmental: Relating to the environmental consequences of progressing the Council’s strategic objectives (e.g. in terms of recycling, energy efficiency, pollution, emissions etc).
• Competitive: Affecting the competitiveness of the service (in terms of cost or quality) and / or its ability to deliver best value.
• Customer / Citizen: Associated with failure to meet the current and changing needs and expectations of customers and citizens.

OPERATIONAL

Operational risks concern the day to day issues confronting the Council as it seeks to deliver its strategic objectives. Risk management will therefore be properly taken into account in planning and implementing services.

• Managerial / Professional: Associated with the particular nature of each profession (eg housing service concerns as to the welfare of tenants).
• Financial: Associated with financial planning and control of adequacy of insurance arrangements.
• Legal: Related to possible breaches of legislation. Associated with current or potential changes in national or European law (e.g. the appliance or non compliance of work equipment regulations etc).
• Technological: Relating to reliance on operational equipment (e.g. IT systems, equipment or machinery).
• Partnership / Contractual: Associated with the failure of contractors to deliver services or products to the agreed cost and specification.
• Environmental: Relating to pollution, noise or energy efficiency of ongoing service operation.
• Physical: Related to fire, security, accident prevention and health and safety.
• Human Resources: Associated with staffing issues (e.g. recruitment / retention, sickness management, change management etc).

9 Identifying Risks

This involves identifying potential opportunities and risks relating to the achievement of the Council’s objectives. These may arise because of the general environment in which we are operating or in relation to specific decisions being made or options being considered. All types and categories of risk should be considered at this stage. Risk identification should be carried out using service objectives (or the objectives of the project). This stage can be repeated regularly to ensure that new risks arising are identified and brought into the risk profile as appropriate.

The Council recognises that no one person is responsible for identifying key risks. Risks are identified at various levels and in various ways, including as follows:

• By identifying risks associated with achieving the Strategic Plan.
• By identifying risks annually within service plans
• At the planning stage / initiation of a new project, partnership or proposal.
• By individual directors, managers, supervisors or any other employee
• By the Council’s Insurance Officer, Audit Manager or Health & Safety Manager
• Through Health & Safety meetings at various levels
• At Leadership Team meetings
• By the Council’s external auditors
• By the Council’s insurance provider
• By considering the causes of accidents, incidents and near misses
• By ad hoc risk reviews undertaken internally or by external consultants
• By risk management literature received from various sources
• Through discussion at individual team meetings
• From the results of inspections undertaken
• By examining complaints received.

10 Recording Risks – Risk Registers

Risk Registers are a primary tool to administer the recording, prioritising, control monitoring, review and auditing of significant risks to the Council’s services and activities, including projects and partnerships.
Responsibility for preparing, acting on, updating and revising Risk Registers is as follows:
Strategic Risk Register: Leadership Team
Operational Directorate and Service Risk Registers: the appropriate Strategic Director / Director with the assistance of their own management teams
  18. 18. For individual Project Risk Registers: the officer identified as operationally responsible for the project.
For Partnership Risk Registers: the officer or the lead partner who is identified as operationally responsible for the project. (The officer operationally responsible for this authority’s participation should ensure this arrangement at the outset, and should monitor the Project Risk Register on behalf of Lichfield District Council. He/she should liaise with his/her line manager in the event of inadequate progress).
For Proposal Risk Registers: the officer identified as operationally responsible for the project.
Risk Registers are working documents and will be reviewed and updated on a regular basis as changes in risk are identified.
11 Recording Risks – Committee Reports
All Council activities involve a level of risk. Any proposal coming forward to the Council for consideration and approval must identify:
• The risks to the Council’s strategic delivery through the proposal.
• The controls necessary to mitigate the action of such risks.
This will give a consistent format for reporting risk, which is not currently evident. As such it is a requirement that all committee reports include a completed section that highlights the risks in relation to the Council’s business. Any information contained within the risk management section of the report will be able to be easily transferred to the operational risk register as required. The format for the Risk Management section for committee reports is enclosed as Appendix 8.
12 Recording Risks – Use of technology
The Covalent system, being web based, has the advantage that it is accessible from a wide variety of locations and provides a simple means by which reports can be communicated and published internally or externally. Its hierarchy of permissions and security provides reassurance that information is held securely but remains accessible.
It maintains electronic audit trails of changes and amendments, which support performance monitoring of activities related to the routine updates of identified risks. The standardisation of the system provides the organisation with a simple format to ensure consistency of approach throughout the Council.
The system shall be used for the recording and management of all Corporate and directorate/service project/partnership risks. Risks shall not be managed or
  19. 19. recorded outside of this system without the agreement of the relevant Director, and should in any event be recorded as an exception.
In the longer term the system’s more advanced functionality, such as for the score carding and weighting of baskets of risks, is expected to be used to improve the maturity of the Council’s approach.
The system also maintains the Council's records in relation to action planning and performance indicators. The functionality is such that actions, risks and indicators can be cross referenced to provide a 'virtuous circle'; for example, a specific risk may generate a set of linked actions with associated measures, all of which can be held in one place and managed holistically. This provides a means by which risk can truly be embedded within the workings of the organisation.
13 Methods of Controlling Risks
Prompt action will be taken to control risks falling into the “Severe” category and action plans will be developed to reduce the threat of these risks, so bringing them within the “Material” category. “Material” risk will also receive appropriate attention where this is cost effective. “Low” risks may also receive attention where cost-effective and will be kept under review.
Each risk will be addressed in whichever of the following ways is most appropriate:
Acceptance: Tolerate the risk – perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level.
Reduction: Treat the risk – take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact to acceptable levels. Actions can be:
• Preventative, such as physically restricting access to hazardous chemicals, insisting on two signatories, implementing authorisation limits etc.
• Detective, such as quality checks, alarms, exception reports, accident reports, financial reports such as budget monitoring reports, insurance claims are a further example. These will show when something has gone wrong – perhaps a trigger event that can then alert you that the risk event is becoming more likely to occur.
• Directive, such as procedure manuals, guidance notes, instructions, training. These advise on how to carry out processes safely but if they are not adhered to they will not prevent risk events occurring.
  20. 20. Prevention: Terminate the risk – by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact.
Transference: This is a specialised form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue. Not all risks can be transferred this way.
Elimination: Ceasing to carry out the activity because preventing or reducing it would not reduce the risk to an acceptable level.
Contingency: These are actions planned and organised to come into force as and when the risk occurs.
14 Communication
The responsibility for ensuring up to date versions of the Risk Management Strategy and guidance notes are available will be with the Risk and Resilience Unit. The Risk Management Strategy will be available on the Council’s Internet and intranet sites. In addition paper copies or electronic versions can be obtained by contacting the Risk and Resilience Unit at the District Council House, Frog Lane, Lichfield.
Note: As indicated above, the Council wishes to be as transparent as possible in the way in which it manages its risks. However, there is an acceptance that, for a variety of reasons including such matters as commercial confidentiality, the Council may on occasion reserve its right not to publish some parts of its registers.
15 Training
All relevant employees are required to have a suitable level of training in Risk Management that enables them to apply the principles laid out within this document to everyday activities. The basic level of training required is as follows:
Leadership Team*: Half day Strategic Risk Management awareness. Refreshed every 3 years.
Managers*: One Day Strategic and Operational Risk Management (STORM) training. Refreshed every 3 years.
Executive / Members*: Risk Management Member development training refreshed following each election.
Employees: Information leaflet issued upon recruitment and reissued every 3 years.
*Training sessions will be scheduled annually to ensure new recruits within these roles are trained in risk management practices within a suitable time frame.
  21. 21. 16 Risk Management Strategy Group (membership)
The Risk Management Strategy Group will be chaired by the Strategic Director, Organisational Development (or nominated representative) and incorporate the following employees:
• Director of Finance, Revenues and Benefits (or nominated representative)
• Policy and Performance Manager
• Health and Safety Manager
• Insurance Officer
• Audit Services Manager
• Directorate Risk Champions (6)
• IT Manager
• Property Services Manager
17. List of Appendices
Appendix 1 - Risk Management Methodology
Appendix 2 - Risk Management Process Flowchart
Appendix 3 - Action Plan for Implementing the Risk Management Strategy
Appendix 4 - Corporate Risk Register Format
Appendix 5 - Program Risk Management Risk registers
Appendix 6 - Risk Management Action Plan (sample format)
Appendix 7 - Management Calendar
Appendix 8 - Committee Report Format
  22. 22. Appendix 1 Risk Management Methodology November 2006
  23. 23. Introduction
Lichfield District Council has a Risk Management Policy Statement and a Risk Management Strategy. These are companion documents to this document, which describes the methodology to be used within Lichfield District Council. There are seven elements to be carried out:
• Identify the potential risk
• Analyse the risk
• Profile the risk according to likelihood and impact
• Prioritise the action to be taken based on the Council’s appetite for or tolerance to risk and the availability of resources
• Determine the best course of action for the Council
• Control the risk, once appropriate action has been decided for each risk, by taking action to minimise the likelihood of a risk occurring and/or reducing the severity of the consequences should it occur
• Monitor and report on progress of managing risk – not just the ones being controlled but the whole spectrum of risks in the risk profile. In addition to internal reporting, external stakeholders will need to know how risks have been managed and how effective that management is in practice
  24. 24. 1 Identifying the Potential Risks
This involves identifying potential opportunities and risks relating to the achievement of the Council’s objectives. These may arise because of the general environment in which we are operating or in relation to specific decisions being made or options being considered. All types and categories of risk should be considered at this stage. Risk identification should be carried out using service objectives (or the objectives of the project). This stage can be repeated regularly to ensure that new risks arising are identified and brought into the risk profile as appropriate.
The Council identifies risk at various levels and in various ways, including as follows:
• By individual directors, managers, supervisors or any other employee
• By the Council’s Insurance Officer, Head of Internal Audit or Health & Safety Manager
• Through Health & Safety meetings at various levels
• At Leadership Team meetings
• By the Council’s external auditors
• By the Council’s insurance provider
• By considering the causes of accidents, incidents and near misses
• By ad hoc risk reviews undertaken internally or by external consultants
• By risk management literature received from various sources
• Through discussion at individual team meetings
• From the results of inspections undertaken
• By examining complaints received.
2 Analyse the Risk
This is the process of reviewing the risks identified so that similar risks can be grouped and classified according to the likelihood of them occurring and the impact they would have.
Measures of likelihood
Description | Example Detail Description
High | Almost certain, is expected to occur in most circumstances. Greater than 80% chance.
Significant | Likely, will probably occur in most circumstances. 50% - 80% chance.
Medium | Possible, might occur at some time. 20% - 50% chance.
Low | Unlikely, but could occur at some time. Less than 20% chance.
  25. 25. Measures of Impact
Description | Example Detail Description
High | Critical impact on the achievement of objectives and overall performance. Critical opportunity to innovate/improve performance missed/wasted. High impact on costs and/or reputation. Very difficult to recover from and possibly requiring a long term recovery period.
Significant | Major impact on costs and objectives. Substantial opportunity to innovate/improve performance missed/wasted. Serious impact on output and/or quality and reputation. Medium to long term effect and expensive to recover from.
Medium | Waste of time and resources. Good opportunity to innovate/improve performance missed/wasted. Moderate impact on operational efficiency, output and quality. Medium term effect which may be expensive to recover from.
Low | Minor loss, delay, inconvenience or interruption. Opportunity to innovate/make minor improvements to performance missed/wasted. Short to medium term effect.
The descriptions are applied as follows:
• Firstly the likelihood and impact of the risks identified will need to be considered based on an evaluation of the effectiveness of existing controls to give the risk now.
• Then there will need to be consideration of what the target risk is. This is the level of risk that you are aiming to manage the risk down to, over time with any added controls that may be introduced.
3/4 Profile and Prioritise Action / Risk toleration
The Council’s risk toleration is based upon the likelihood and impact of risks. Firstly the likelihood and impact of the risks / opportunities identified will need to be considered as if no controls exist – this will give the inherent risk. Secondly the likelihood and impact of the risks will then need to be considered based on an evaluation of the effectiveness of existing controls to give the residual risk now. Then there will need to be consideration of what the target risk is. This is the level of risk that you are aiming to manage the risk down to, over time.
Once the inherent risks have been classified they need to be mapped onto the matrix as shown in this example. The colours are a “traffic light” system that will show how controls in place have influenced
  26. 26. where residual risks now are mapped. For example, the inherent risk could place a risk within the red zone, but because controls in place are evaluated as being effective and consistently applied the residual risk could fall within the yellow or green zone. The mapping will need to be repeated to record the inherent, residual and target risks.
[Example risk matrix: LIKELIHOOD (Low, Medium, Significant, High) on the vertical axis against IMPACT (Low, Medium, Significant, High) on the horizontal axis, with example risks numbered 1 to 12 plotted in the cells. By likelihood row: High: 7, 8; Significant: 1, 2, 11; Medium: 9, 12, 10; Low: 3, 5, 6, 4.]
Risk Toleration Table
Once the risks have been plotted onto the matrix (as above) the requirement for further action is based on the following agreed risk toleration table. The table identifies at what level of risk the Council will take additional action.
Key:
Severe: Immediate control improvement to be made to enable business goals to be met and service delivery maintained/improved. Action Plan to be completed.
Material: Close monitoring to be carried out and cost effective control improvements sought to ensure service delivery is maintained. Action Plan to be completed.
Tolerable: Regular review, low cost control improvements sought if possible.
5/6 Determination and Control of risks
This aspect of the process involves:
• Assessing whether to accept, reduce, prevent, transfer or eliminate the risk, or agree contingency measures if and when the risk occurs, or how to respond to the opportunity, based on the availability of resources;
• Documenting the reasons for the decision taken;
• Implementing the decision;
  27. 27. • Assigning ownership to manage the risks / opportunity to specific officers; and
• The completion of an Action Plan detailing existing controls, an assessment of their effectiveness and what further controls are needed, along with who is responsible for the actions (Appendix 3).
Controls are the tools that managers use to manage their services. They are the methods used by managers to assure them that they are achieving their business aims and service objectives and that the service is being provided in the most efficient and effective way. The cost and robustness of existing or additional controls are a key consideration at this point and need to be balanced against the potential consequences (reputational, financial or otherwise) if the event occurred.
Actions | Definition
Acceptance: Tolerate the risk – perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level.
Reduction: Treat the risk – take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact to acceptable levels. Actions can be:
• Preventative, such as physically restricting access to hazardous chemicals, insisting on two signatories, implementing authorisation limits etc.
• Detective, such as quality checks, alarms, exception reports, accident reports, financial reports such as budget monitoring reports, insurance claims are a further example. These will show when something has gone wrong – perhaps a trigger event that can then alert you that the risk event is becoming more likely to occur.
• Directive, such as procedure manuals, guidance notes, instructions, training. These advise on how to carry out processes safely but if they are not adhered to they will not prevent risk events occurring.
Prevention: Terminate the risk – by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact.
Transference: This is a specialised form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue. Not all risks can be transferred this way.
Elimination: Ceasing to carry out the activity because preventing or reducing it would not reduce the risk to an acceptable level.
Contingency: These are actions planned and organised to come into force as and when the risk occurs.
7 Monitoring progress
This is a key stage of the risk management process. It is necessary to monitor the action plans developed at stage 4 above and to regularly report on the progress being made in managing risks / taking advantage of opportunities so that the achievement of business aims and service objectives is maximised and losses are minimised. In addition there needs to be an assessment of the effectiveness of risk management actions put in place to reduce the likelihood/impact of adverse risk events occurring. Alternative action will need to be taken if the initial action has proved ineffective.
  28. 28. Monitoring should take place at service level on at least a quarterly basis, and more frequently if there are many changes or the project is progressing rapidly or the project is deemed to be high risk. If the project is high risk then it should be referred regularly to the Strategic Risk Management Group for review and any assistance. A management calendar is attached as Appendix 7 that clearly identifies when actions are required during the annual risk management cycle.
  29. 29. Appendix 2 RISK MANAGEMENT PROCESS
[Flowchart. The arrows and box positions are not recoverable from the extracted text; the legible box text is listed below.]
Pressures: Political; Social; Reputational; Managerial / Professional; Human Resources; Economic; Legal; Financial; Customer / Citizen; Competitive; Technological; Legislative / Regulatory; Partnership / Contractual; Physical; Environmental.
Leadership Team: Set Strategic Plan and Budget Requirements.
Strategic Risk Identified: Leadership Team add it to the Corporate Risk Register (May) and (Nov). Items are rated Severe or Material / Tolerable. Risk Owner completes Action Plan to manage risks.
Operational Risk Identified: Relevant Strategic Director add risk to Operational Risk Register. Items are rated Severe or Material / Tolerable. Risk Owner completes action plan to manage risks.
Leadership Team: Annual report on updated risk registers. Quarterly review of Strategic Risk Register. Interim reports on progress for severe risks. Ad hoc reports where necessary.
Directorate / Corporate Directors to review and manage risk.
Risk Management Strategy Group:
• To work closely with the officers identified by Departmental Management to promote a risk aware culture and embed risk management throughout the District Council.
• To advise and assist on project management where appropriate and advise on the corporate process. The Group will develop practical approaches for implementing risk management.
Audit Committee: Annual report on updated risk register. Interim report on progress for severe risks.
Executive: Annual report on updated risk register. Interim report on progress for severe risks.
Ad hoc reports where necessary.
  31. 31. Appendix 3 Action Plan for implementing the Risk Management Strategy.
Milestone | Target date
Directorates/Services refine risks already identified where they are too broad, so that they can be actively managed. | November 2006 (Covalent)
Introduce divisional risk champions and develop divisional risk profiles, where these do not already exist. | November 2006
Develop service unit / business unit risk profiles where these do not already exist. | November 2006
Develop project risk profiles, as appropriate, where these do not already exist. | November 2006 to April 2007
Deliver Risk Management Training for risk champions / members of the Risk Management Strategy Group. | February 2007
Deliver Refresher Training to Leadership Team on Risk Management Issues | February 2007
Deliver Risk Management Training to all Managers | April 2007 to March 2006
Include risk management in staff induction. An information leaflet explaining what risk management is and the role employees play will be issued to all current employees when the strategy is issued. Any new employees will be issued with the information leaflet upon induction. | April 2007
Directorates/Services to clearly identify existing controls regarding the risks identified, and the degree to which they are consistently applied. | Monthly (Covalent)
Directorates/Services to evaluate existing controls for the degree of mitigation the controls provide and if further control is desirable. | Monthly (Covalent)
Directorates/Services calculate the cost of improving controls to provide greater mitigation to establish if further control would be cost effective. | Monthly (Covalent)
Directorate key risks reviewed and new significant risks fed into the corporate risk register on a quarterly basis. | Quarterly
Leadership Team monitors agreed corporate actions and assesses additions/deletions to corporate risk register on a quarterly basis. | Quarterly
Directors give assurance to Chief Executive regarding internal control, including the management of key risks, within their area of service delivery. | Annually
  32. 32. Milestone | Target date
Directors to ensure that risk identification is intrinsically linked to service plan objectives. | 2006/7 service plans and in subsequent years.
Directors to include performance on managing risks within performance monitoring of Service Plans and of senior officer’s performance contracts/plans. | 2006/7 performance contracts/plans and in subsequent years.
Statement on Internal Control (incorporating risk management) made by Leader and Chief Executive, approved by Members and published in Statement of Accounts | Published in Statement of Accounts June 2007
Improve learning from insurance claims where appropriate. | Ongoing
Use the knowledge and expertise of the Health and Safety Manager where appropriate. | Ongoing
Incorporate elements of the Emergency Plan where appropriate. | Ongoing
  33. 33. Appendix 4 Lichfield District Council Corporate Risk register – (Date)
Headings to be used in Corporate and Directorate/Service Risk Register report are set out below and can be automatically generated and refreshed from the Covalent system.
Column headings: Risk Code & Title; Description; Traffic Light Icon; Management Approach To Risk; Current Risk Matrix; Managed By; Assigned To; Portfolio Owners; Target Risk Matrix; Responsible Organisational Unit
  34. 34. Appendix 5 Lichfield District Council Programme Risk Management Risk Register
For assessing Likelihood and Impact: H = High; S = Significant; M = Medium; L = Low
For Rating: S = Severe; M = Material; T = Tolerable
Column headings: Description of Risk Identified and Risk Owner; Impact (H, S, M, L); Type of Action Required; Likelihood (H, S, M, L); Rating (S, M, T); Description of Current Controls/mitigation in place and date when Controls were last reviewed and reported; Further Controls Proposed and Date for Implementation; Residual Risk Rating (S, M, T)
Rows: 1. 2. 3.
  35. 35. Appendix 6 Lichfield District Council RISK MANAGEMENT PLAN – (Sample format)
Form fields:
Risk Register Number and Risk owner:
Inherent Risk Likelihood/Impact
Objective the risk or opportunity is linked to or arises from:
Residual Risk Likelihood/Impact
Residual risk accepted? Y/N
Consequences if the risk event occurred or the opportunity is missed:
If residual risk not accepted what approach has been agreed? Control risk / Modify risk / Transfer risk / Eliminate risk
Target risk Likelihood/Impact
Description of risks that could prevent the objective being met/opportunities that could be missed:
What main controls are currently in place? Who is responsible for each main control? What action is being taken relating to each main control? When was the last check of the effectiveness of the main controls in place carried out and who were the results reported to?
What further action is to be taken to control, modify, transfer or eliminate the residual risk? Who is to take this further action? When will the further action occur?
  36. 36. Appendix 7 Management Calendar
Activity | Who | Frequency
[The original table also has one column per month, January to December; the entries in those columns are not recoverable.]
Departmental Risk Scenarios review | Directors/Managers | Ongoing
Include Risk on monthly Departmental Team Meetings | Directors/Managers | Ongoing
Departmental Risk Register Review | Directors/Managers | Quarterly
Nominated Officer to report to Strategic Risk Management Group any changes to Risk Register | Directorate/Service Nominated Officers | Quarterly
Review and Report Strategic Risk Register to Leadership Team | Risk Management Group/Leadership Team | Half Yearly
Report to Executive/Audit Committee Interim review | Leadership Team/Executive | Half Yearly
Report to Executive on Corporate Risk Register (Severe risks) - an annual report to coincide with Budget Setting and Strategic Planning process | Leadership Team/Executive | Annually
Risk Assessment of major projects and new or significant risks | Risk Management Group/Specific Dept/Leadership Team | Ad Hoc
  37. 37. Appendix 8 Format for inserting Risk Management information into Committee Reports
Column headings: Risk | Likelihood/Impact | Risk Category | Countermeasure | Responsibility
