Revised Risk Management Policy and Framework. Report by Head of Finance


Audit Committee
29 April 2010
Item No 7

Revised Risk Management Policy and Framework

Report by Head of Finance

Summary

A substantial review of our current Risk Management Strategy has been carried out. This report presents for comment a revised Risk Management Policy and Framework. The revised policy and framework reflects current best practice and is based around the new international standard for risk management. Much of the policy and framework reflects practice currently in use by the Council.

Recommendation Required

The Audit Committee is asked to:

Consider and comment upon the risk management policy and framework.

1. Introduction

1.1 The County Council's current Risk Management Strategy was approved by Cabinet in September Some minor revisions were approved by the Chief Officer Group in March 2008 and were reported to this Committee in April As risk management is a dynamic discipline it is necessary to continue to review our Strategy to ensure it continues to take account of national and international developments.

1.2 A review has been carried out on our existing Strategy by the Council's Risk Manager particularly in line with the new international standard for risk management recently issued ISO The revised strategy has been consulted upon widely within the Officer community of the Council including the Chief Officer Group. This report provides the Audit Committee with an opportunity to consider and comment upon the report before it is taken to Cabinet for consideration.

2. Changes to Strategy

2.1 A number of changes have been necessary to ensure the language and processes agreed internationally are being met. The main change is that the Strategy is now split into two documents, a Risk Management Policy (appendix 1) and a Risk Management Framework (appendix 2).

2.2 The Policy is a short document stating the principles that the Council aspires to and the benefits that will be realised. The Framework contains the detailed arrangements and processes that will be used to meet those principles.

2.3 The new Framework brings the Council in line with the latest national and international practice and strengthens the linkages with other disciplines, for example service planning, performance, procurement and audit.

3. Resource Implications

3.1 There are no resource implications arising specifically from this report. However, continuing improvement in the application of risk management, with it now being embedded well within relevant services, will contribute to improving the use of resources, including financial resources across services.

4. Section 17 Crime and Disorder Act

4.1 There are no direct S17 implications arising from this report. However, risk management activities across the Authority contribute significantly to the management of risk relating to crime and disorder and community safety/protection.

5. Alternative Options

5.1 There are no alternative options for the Audit Committee to consider.

6. Equality Impact Assessment

6.1 There are no impacts arising from this report.

7. Conclusion

7.1 There is a need to regularly review and update the approach being adopted for the management of risk across the Council. The appendices to this report contain the outcome of the most recent review into the risk strategy, resulting in the production of a risk management policy and an updated risk framework.

8. Recommendation

8.1 The Audit Committee is asked to:

Consider and comment upon the risk management policy and framework.

Officer Contacts:

Paul Brittain, Head of Finance, or e-mail paul.brittain@norfolk.gov.uk
John Baldwin, Risk and Insurance Manager, , or e-mail john.baldwin@norfolk.gov.uk

If you need this report in large print, audio, Braille, alternative format or in a different language please contact John Baldwin, Tel: , Minicom: , and we will do our best to help.

WELL MANAGED RISK
NORFOLK COUNTY COUNCIL'S POLICY ON RISK MANAGEMENT

Risk Management Policy April 2010

Contents

Introduction
Risk Management Principles
Benefits
Realisation
Review

Introduction

All organisations face internal and external factors and influences that make the achievement of their objectives uncertain. The effect that this uncertainty has on our objectives can be defined as risk.

This Policy sets out the County Council's commitment to managing this risk. It states the principles that we will pursue with regard to risk management and outlines the benefits that we envisage will be realised by its use. Further, more in-depth processes, responsibilities and accountabilities appear in the document Well Managed Risk, Norfolk County Council's Framework for Risk Management.

Principles

The following Principles will be aspired to across the County Council:

1. Risk management creates and protects value
We will ensure that risk management contributes to the demonstrable achievement of our objectives at all levels and the improvement of our performance in, for example, health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, customer services, project and partnership management, business continuity, governance and reputation.

2. Risk management is an integral part of all our organisational processes
We will ensure that risk management is part of the responsibilities of our management and an integral part of all of our processes, including strategic and service planning and all financial, partnership, project and change management processes.

3. Risk management is part of our decision making
We will ensure that risk management helps decision makers make informed choices, prioritise actions and distinguish between alternative courses of action.

4. Risk management explicitly addresses uncertainty
We will ensure that risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

5. Risk management is systematic, structured and timely
We will ensure that a systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

6. Risk management is based on the best available information
We will ensure that the inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.

7. Risk management takes human and cultural factors into account
We will ensure that risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder the achievement of our objectives.

8. Risk management is transparent and inclusive
We will ensure the appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the County Council, in order that risk management remains relevant and up-to-date.

9. Risk management is dynamic, iterative and responsive to change
We will ensure that risk management continually anticipates and responds to change.

10. Risk management facilitates continual improvement of the County Council
We will develop and implement processes to improve our risk management maturity alongside all other aspects of the County Council.

11. Risk management will be adequately resourced
We will ensure that the necessary resources are established and provided in order to deliver excellent risk management.
Benefits

We expect that when the above principles are being conclusively met through enhanced risk management practice the following benefits will be realised:

- increased likelihood of achieving our objectives
- encouragement of proactive management
- awareness of the need to identify and treat risk throughout the Council
- improved identification of threat events
- better compliance with relevant legal and regulatory requirements
- improved governance
- improved stakeholder confidence and trust
- an established and reliable basis for decision making and planning
- improved controls
- effective allocation and use of resources for risk treatment
- improved operational effectiveness and efficiencies
- enhanced health and safety performance and environmental protection
- improved loss prevention and incident management
- improved organisational resilience.

Realisation

The realisation of these principles and benefits will be achieved by the operation of enhanced risk management arrangements. The document Well Managed Risk a Framework for Risk Management contains the accountabilities and responsibilities for risk management, the risk management approach and the reporting and performance measurement arrangements.

This Policy and its associated framework document take account of the new international standard ISO for risk management. Compliance with these documents will ensure that the County Council achieves excellence in its approach to and management of risk.

Review

This Policy and other supporting documents will be reviewed annually.

David White, Chief Executive
Daniel Cox, Leader of the Council

WELL MANAGED RISK
NORFOLK COUNTY COUNCIL'S FRAMEWORK FOR RISK MANAGEMENT

Contents

Introduction
Context
Risk appetite and tolerance
Roles and responsibilities
The Overall Risk Management Process
Communicate and Consult
Training
The Core Phase
When should the core phase occur
Stage 1 - Establishing the context
Stage 2 - Risk identification
Stage 3 - Risk analysis
Stage 4 - Risk evaluation
Stage 5 - Risk treatment
Recording risks
Monitor and Review
Review
Risk Escalation Criteria
Reporting
Performance
Process Indicators
Decision making
Conclusion
Appendix 1 Risk Management Aids and Tools
Risk categories
Impact and likelihood criteria
Generic Risk Impact Criteria Model
Project Risk Impact Criteria
Likelihood Criteria Model
Risk matrix
Risk tolerance
Cost/benefit analysis
Prioritisation matrix
Appendix 2 Risk Recording Documents
Form 1
Form 1 guidance notes
Form 2
Form 2 guidance notes
Appendix 3 Glossary

RISK MANAGEMENT FRAMEWORK

INTRODUCTION

In Norfolk County Council's Risk Management Policy document Well Managed Risk we set out our principles with regard to managing our risks. In this Framework document we provide the detailed arrangements and processes that will be used to meet those principles. The Framework is based on the new international standard for risk management ISO

CONTEXT

In carrying out its objectives the County Council faces internal and external factors that make the successful achievement of these objectives uncertain. Risk arises because our objectives are pursued against this uncertain background. We therefore define risk as:

The effect of uncertainty on our objectives

To illustrate, risk isn't the chance of flooding but the chance that the flooding will disrupt or affect our objectives. The definition however clearly places risk in the context of what we wish to achieve, i.e. our objectives.

As risk is very much concerned with our objectives, the management of it will be closely linked to the creation of our strategic, service, project and partnership objectives and plans. The established processes for the creation of these plans will act as an anchor for the risk management process.

Risk is also implicit in the decisions we make; how we make those decisions will affect how successful we are in achieving our objectives. Decision making is, in turn, an integral part of day to day existence and is particularly prominent in times of change. Risk management therefore is very closely linked with the management of change and to decision making.

Our risk management process will be continuous and will support internal and external change. The risk management process will be fully integrated with the normal business management processes across the authority.

RISK APPETITE AND TOLERANCE

Risk appetite refers to the County Council's unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable. As a result, risk appetite refers to our willingness to tolerate a particular level of exposure to specific risks or risk groups. The appetite is also a function of our capacity to bear risk which should not be exceeded. The appetite for a particular service/project should be scaled in line with the Council's overall appetite as part of the Establishing the Context stage.

Another key step to applying a risk appetite is the creation of risk tolerance thresholds for the County Council as a whole. The County Council has agreed a three band risk tolerance approach: upper, middle and lower. More details on these bands appear on page 21.

ROLES AND RESPONSIBILITIES

The County Council is a large and complex organisation. It is essential therefore that we provide clarity regarding what should be done and by whom. The table below contains details of roles and responsibilities at all levels across the Council.

Role and Responsibilities

Cabinet
- Approve the Council's Risk Management Policy and Framework
- Consider risk management implications when making decisions
- Send consistent messages on the Council's values and behavior and seize opportunities to reinforce these.

Member Risk Champion
- Gain an understanding and promote risk management and its benefits throughout the Council
- Ensure Members take risk management into consideration when making decisions and seize opportunities to reinforce this.

Audit Committee
- Provide proactive leadership and direction on risk management governance issues and champion risk management throughout the council and ensure that the Cabinet is kept sufficiently informed to enable it to approve the Council's Risk Management Policy and Framework and that adequate insurance exists where appropriate
- Consider the effectiveness of the system of risk management arrangements
- Consider an annual report and quarterly reports with respect to risk management including, an opinion on the adequacy and effectiveness of the Council's risk management, any corporately significant issues arising, and receive assurance that action has been taken as necessary
- Receive assurances that action is being taken on risk related issues identified by both internal and external auditors and other inspectors
- Independent scrutiny of the authority's financial and nonfinancial performance to the extent that it affects the authority's exposure to risk
- Report annually to full Council as per the Financial Regulations.

Overview and Scrutiny Panels
- Receive and challenge reports on risk management, primarily departmental and service risk registers, from Departmental Management Teams
- Understand their department's key risks and ensure sufficient action is being taken to control them.

Chief Officers Group
- Overall accountability and responsibility for leading the delivery of the Council's Risk Management Policy and Framework
- Ensuring the key risks to corporate objectives are identified, recorded and managed
- Reviewing and updating corporate/strategic risks quarterly
- Take collective and individual ownership of identified key corporate/strategic risks
- Ensuring the effectiveness of risk management activity is measured and is producing the benefits identified
- Establish a culture and working practices which promote openness, learning and personal development.

Departmental Management Teams
- Accountability and responsibility for leading the delivery of the Council's Risk Management Framework in their department
- Ensuring key risks to service objectives, project and partnership objectives under their control are identified, recorded and managed
- Ensuring those risks having a corporate impact are reported and considered for inclusion in the Corporate Risk Register by Chief Officers Group
- Reviewing and updating risks at least quarterly including controls and progress
- Reporting to Overview and Scrutiny Panels twice per year
- Take collective and individual ownership of identified key service risks
- Ensure a risk aware culture is built across their department
- Ensuring the effectiveness of risk management activity is measured and is producing the benefits identified.

Departmental Risk Coordinators
- Work with their Director, Heads of Service, Managers and Team Leaders to ensure the RM Policy and Framework is embedded in departmental planning, performance, project and partnership management
- Assist management teams to identify and record all key risks to service, project and partnership objectives
- Monitor and review risks against performance
- Administer the process for the reviews of risks
- Assist with the compilation of reports to Overview and Scrutiny Panels
- Ensure that appropriate departmental, service, project and partnership risks are escalated when necessary
- Be the link between departmental activity and the Corporate Risk Management Team
- Represent their department on the Risk Management Coordinators Group.

Corporate Risk Management Team
- Design and drive the implementation of the Corporate Risk Management Policy and Framework
- Ensure appropriate awareness, training and development is available in order to improve competence in risk management across the authority
- Assist with and facilitate risk identification and assessment workshops
- Provide advice and assistance in specific circumstances as required
- Ensure an appropriate system is available for recording and monitoring risks at all levels
- Continuously monitor the effectiveness of the Risk Management Framework across the authority
- Ensure that the risk management process is subject to review at departmental and corporate levels regularly
- Provide reports to Audit Committee on key risks to the authority.

Internal Audit
- Produce a risk based audit plan that takes into account the corporate, departmental, service, project and partnership risks identified across the authority
- Provide an informed opinion on the effectiveness of the Risk Management Framework across the authority.

Project/Partnership Boards
- Ensure the active involvement of key stakeholders in the identification and management of risk where appropriate
- Set and confirm the project's/partnership's risk appetite with regard to risk impact levels
- Understand their project's/partnership's key risks and ensure sufficient action is being taken to manage them
- Make decisions with regards to risk control options suggested by the Project/Partnership Manager
- Maintain a close watch over the continued viability of the Business Case
- Notify programme management or other higher authority of any risks that affect the project's ability to meet corporate or programme objectives.

Project/Partnership Managers
- Ensure key risks to project/partnership objectives are identified, recorded and managed
- Take account of any external risks notified by Project/Partnership Board
- Ensuring the project's/partnership's risk register is reviewed at appropriate stages of the project/partnership
- Report key risks and mitigation progress to the Project/Partnership Board or Project Sponsor
- Ensure risks that are beyond the Project/Partnership Board's ability to control are escalated to a higher authority
- Review and recommend changes to the risk management approach based on lessons learnt.

Risk Owners
- Identify and implement risk treatment that will bring the risk/s they own to a tolerable level
- Regularly review the progress of the risk treatment actions
- Report on the risk treatment progress to the responsible body
- Be in a position to influence the risk treatment being put into place.

Managers
- Understand and act upon the key risks that could significantly impact on the achievement of their service/team objectives
- Encourage staff to be open about risk so that treatment actions can be agreed
- Undertake an assessment of risk as part of all key plans and projects and record on risk register
- Report any identified unnecessary or unworkable risk controls to risk owners

All Staff
- Have an understanding of risks and regard risk management as part of their everyday activities, including risk identification and reporting of risks that could affect objectives.

THE OVERALL RISK MANAGEMENT PROCESS

To establish the principles set out in our Risk Management Policy we have set in place an appropriate risk management process. The graphic below shows a visual representation of this.

[Figure: The Overall Risk Management Process. Labels: Stakeholder Input; Communicate and Consult; Core Phase (Establish the Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, Recording (Risk Registers)); Monitor and Review; Management Teams; Risk Owners; Members.]

The Process includes all of the core and organisational arrangements that are required to ensure the process is embedded into our normal day to day business practices. The following paragraphs provide the detail for these arrangements.

Communicate and Consult

The risk management process cannot exist without an appropriate means of communication between all internal and external stakeholders. This will require consultation with all persons with a vested interest in the risks to our objectives at whatever level we are assessing. This may include the public, partners, project boards and sponsors, management teams and other specialists whose initial assistance may be required to identify and analyse risks.

Communication and consultation should occur at all stages of the core phase of the risk management process.

Training

For the process to be successful it is essential that persons involved are appropriately aware of this Framework and are competent to apply it.

Basic training on the principles of risk management and details of our processes is available in an E-Learning module accessed via our Learning Hub. All personnel directly involved in the risk management process must complete this module.

Additionally, and to ensure that risk management is embedded in our normal business practice, our training courses on service planning, financial planning and project and partnership management all refer to the need to manage risk, with references as to how.

The Corporate Risk Management Team is available to assist management teams at all levels and can be requested to facilitate risk workshops, provide face to face training and to provide general assistance on any aspect of risk management.

The Core Phase

This is the basic process of identifying, analysing, evaluating and treating risks. It will involve persons from various levels, e.g. Chief Officers, management teams, project boards and teams, partnership boards etc.

The Core Phase provides officers and members with an improved understanding of risks that could affect the achievement of their objectives and the adequacy and effectiveness of existing controls. It provides the basis for decisions about the most appropriate approach to be used to treat risks.

The Core Phase is made up of five stages clearly shown in the graphic below:

Stage 1 - Establish the Context: What do we need to take into account and our objectives?
Stage 2 - Identify the Risks: What might happen? How, when and why?
Stage 3 - Analyse the Risks: What will this mean for our objectives?
Stage 4 - Evaluate the Risks: Which risks need treating and our priority for attention?
Stage 5 - Treat the Risks: How should we best deal with them?
Record (RM software system)

When Should the Core Phase Occur?

The core phase should occur at the following occasions:

- Setting Corporate and Service Objectives (service planning)
- Creating Project Business Cases
- Creating Partnership Business Cases
- Procuring and/or commissioning goods or works
- Setting Annual Budgets
- Prior to key decision making
- Policy Making and Review.

The process is also essential when reviewing external and internal influences throughout the year; hence it is a dynamic process.

Stage 1 - Establish the Context

Establishing the context defines the basic parameters for managing risk and sets the scope and criteria for the rest of the process. This first stage is an essential precursor to risk identification. It will involve consideration of:

- What we are looking at, corporate or service objectives, project or partnership objectives, budgets or policies, procurement or commissioning, options for decisions. It is important also to consider the critical activities within the department which have been agreed through the Business Continuity process
- Who will be involved, be they internal and external stakeholders, they should all be considered as they may have a valuable contribution to the rest of the process
- Who will be responsible for the process, define responsibilities for review, monitoring and reporting
- The risk criteria and appetite, whether it's political, economic, legal, environmental, etc.
- The impact criteria to be included and how they will be measured (appetite)
- The risk tolerances, the criteria by which you will decide if a risk needs treatment and the criteria for deciding when a risk is tolerable or acceptable.
- If looking at partnership risk, which partner's processes will be adopted

Example risk criteria including risk types, likelihood and impact matrices, risk treatment cost/benefit matrices, can be found in Appendix 1. These will greatly assist you through all stages of the core phase.

Stage 2 - Identify the Risks

The purpose of this stage is to identify what might happen or what situations could exist that might affect the achievement of our objectives and what that effect might be. It may help to consider risks in categories e.g. legal, political, financial, technological, etc. A full range of categories is provided in Appendix 1.

The question we need to ask is what could possibly present itself in the course of delivering our objectives which has the capacity to prejudice the successful delivery of the objective?

To aid identification of risks it may help to study historical data, for example absence rates, incident rates, sickness rates, financial reports, performance reports, external assessments and public consultation. In addition we should ask if the risk could impact on a corporately agreed critical activity.

Once identified we need to consider to what extent they will affect our objective (impact).

It is important that the risk is clearly described; this will include what the event or situation may be, how it could affect us, when it could affect us, why it could affect us and to what extent. The fuller the description the easier it will be to estimate impact and likelihood scores.

It is also important that we assemble the correct persons to carry out this stage. This means those with knowledge of the objectives, for example management teams, project/partnership boards, project/partnership managers, procurement officers, health and safety advisors and other stakeholders with a vested interest in the success of the objectives.

Methods to complete this stage include brainstorming workshops, one-to-one interviews, historical information and lessons learnt logs.

All risk information identified at this stage should be recorded; persons are free to choose how to do this, however Appendix 2 includes a form (Form 1) that can be used for this purpose prior to it being added to the County Council's risk management recording software.

Stage 3 - Analyse the Risks

Risk analysis is concerned with developing an understanding of each risk, its consequences and the likelihood of those consequences. It provides an input to risk evaluation and to decisions on whether a risk needs to be treated and on the most appropriate risk treatment method.

Understanding existing controls and their effectiveness is a vital part of risk analysis and must be explored before impact and likelihood judgements are made. Existing controls should be identified and recorded; this can be achieved by developing the Form 1 or other method used to initially record each risk. (See Appendix 2)

From the risk description and bearing in mind the existing controls it should be possible to determine a score for the level of impact or consequence the risk could have. The impact levels or appetite should have been agreed at Stage 1. The template matrices in Appendix 1 are essential to this process.

From the risk description and bearing in mind any existing controls it should be possible to determine a score for the likelihood of the consequences of each risk. The template matrices in Appendix 1 are essential to this process.

Multiplying the impact and likelihood scores provides a final risk score.

At this point each risk should be allocated a risk owner, who should be identified and recorded on Form 1. This should be an individual who thereafter becomes responsible for managing each risk. The risk owner should be in a position to influence any treatment measures that may be necessary.

Stage 4 - Evaluate the Risks

Risk evaluation involves making a decision about the level or priority of each risk. Risks are prioritised for attention by placing them into the following bands relating to their final risk scores:

- Upper Band (16-25): Risks in this band are so significant that risk treatment is mandatory
- Middle Band (6-15): Where costs and benefits are taken into account and balanced against potential consequences
- Lower Band (1-5): Where the level of risk is regarded as negligible, or so small that no risk treatment is needed.

The cost/benefit process is described in Appendix 1.
Stage 5 - Treat the Risks

Once a risk has been evaluated a decision needs to be made on treatment. This involves either improving existing controls or developing and implementing new controls. There are a number of treatment options, for example:

Avoid: Decide not to start or continue with an activity that gives rise to the risk. Stop the activity or find a different way of doing it. This is often limited though in terms of strategic risks.

Treat: Take actions to reduce the impact, e.g. contingency arrangements. Take action to reduce the likelihood, e.g. alternative systems, increased training, physical improvements to premises etc.

Transfer: Share the exposure, either totally or in part, with a partner or contractor, or through insurance. Any partnership will need to be carefully monitored as it may not be possible to transfer all risks and certain aspects may remain, such as health and safety liability and loss of reputation.

Tolerate: The value of risk management is recognising that it may be appropriate to place an activity at risk yet continue with it.

Additional control actions will need to be SMART, i.e. specific, measurable, achievable, realistic and timely. They will also require control owners who will be responsible to the risk owner for their completion.

Target risk scores, i.e. those levels of risk that we are prepared to tolerate following additional controls, will need to be set as well as the date by which these can be achieved. The risk recording system will collect this information and will be used to monitor progress.

All information regarding additional controls can be recorded initially on Form 2 available at Appendix 2.

Recording Risks

All risk management activity should be recorded and accessible. The risk management software system is the ultimate tool for the collection and analysis of all risk management information derived from the core phase. However there is a need for an initial manual system of information collection during the core phase. Template Forms 1 and 2 have been designed to assist with this process and are available in Appendix 2. However other means can be used providing the same level of information is gathered.

Monitor and Review

Review

The review process takes place at various levels. The following table highlights the way our review process will operate.
| What | How | By Whom | When |
|---|---|---|---|
| Individual Risks | Review risk to ensure still valid, is risk treatment working, are target dates still valid. Does risk need to be escalated. Has risk level increased or decreased? | Risk Owner | No specific frequency, depends on risk |
| Corporate Risk Registers | To monitor progress of risk treatments and to add or remove risks from register | Chief Officers Group | Quarterly |
| Departmental and Service Risk Registers | To monitor progress of risk treatments and to add or remove risks from register or escalate existing risks | Departmental and Service Management Teams | At least Quarterly |
| Project/Partnership Risk Registers | To monitor progress of risk treatments and to add or remove risks from register or escalate existing risks | Project/Partnership Managers | As agreed by Project/Partnership Boards |
| The Risk Management Framework | Carry out a Self-Assessment of Risk Performance at Departmental and Corporate Levels | Corporate Risk Management Team and Departmental Risk Coordinators | Annually |
| The Risk Management Framework (or parts thereof) | To assure operating effectively | Norfolk Audit Services | As required |
| The Risk Management Framework | To assure operating effectively | Audit Commission | As required |

Risk Escalation Criteria

The County Council operates at three levels: corporate, departmental/service and project/partnership level. In order to ensure that risks are managed at the appropriate level we have set criteria against each level of risk. The tables below provide the criteria.

Corporate Risks

Risks at this level will be recorded and managed via the corporate risk register. Risks placed on this register will have the following characteristics:

- Risks identified by Chief Officers Group and members that impact directly on our corporate objectives
- Risks that are beyond the scope of individual departments to manage because they go across more than one or all departments and require control actions by COG and cabinet.
- Risks identified at project level that should they occur would impact on a corporate objective and need COG or cabinet management intervention.
- Risks associated with contextual review, i.e. horizon scanning risks with a corporate aspect.
- Risks with significant political, reputation or financial impact that require COG overview or management.

Departmental Risks

Risks at this level will be recorded and managed via the departmental and/or service risk registers. Risks placed on these registers will have the following characteristics:

- Risks identified by departmental or service management teams that impact directly on departmental or service objectives
- Risks identified at project or partnership level that should they occur would impact on departmental objectives or priorities and need departmental management team intervention.

Project/Partnership Risks

Risks at this level will be recorded and managed via the project/partnership risk register. Risks placed on these registers will have the following characteristics:

- Risks that impact on individual project/partnership objectives but can be managed by the project/partnership board, manager or team
- Risks that impact on departmental objectives and targets but can be managed by the project/partnership board, manager or team.

Personnel managing risk at all levels need to review their risks regularly against these criteria to ensure the risks are being managed at the appropriate level.

Reporting

The reporting process takes place at various levels. The following table highlights the way our reporting process will operate.

| Who | What | By Whom | When |
|---|---|---|---|
| Full Council | Receive reports on risk management progress | Audit Committee | Annually |
| Audit Committee | Receive reports on key corporate risks and progress on their treatment. | Corporate Risk Manager | Quarterly |
| Overview and Scrutiny Panels | Receive reports on corporate risk management performance | Corporate Risk Manager | Annually |
| Overview and Scrutiny Panels | Receive reports on key portfolio risks and progress on their treatment. | Departmental Risk Coordinator | 6 Monthly |
| Overview and Scrutiny Panels | Receive report on departmental risk management performance | Departmental Risk Coordinator | Annually |
| Project/Partnership Boards | Receive reports on key project or partnership risks and progress on their treatment. | Project/Partnership Manager | As detailed by Board |
| The Public | Access to reports on risk management progress | All Committee and Panel minutes | Ongoing anytime access |
| Chief Officers Group | Receive reports on key corporate risks and progress on their treatment. | Corporate Risk Manager | Quarterly |
| Departmental Management Teams | Receive reports on corporate risk management performance | Corporate Risk Manager | Annually |
| Departmental Management Teams | Receive reports on key service risks and progress on their treatment. | Departmental Risk Coordinator | At least Quarterly |
| Departmental Management Teams | Receive reports on departmental risk management performance | Departmental Risk Coordinator | Annually |

Performance

As risk management is firmly set in the context of uncertainties to our objectives, it is clear that if we don't manage the risk from uncertainties our performance against our objectives will suffer. Therefore risk and performance are closely aligned.

Measuring outcomes in terms of risk management is a difficult task. What we are in fact measuring is the avoidance and impact of hypothetical events that are of course hypothetical. However the ultimate measure of effective risk management is that the Council:

- Has resilience to deliver its services and corporate objectives
- Is protected from the possibility of being impacted upon by an unforeseen threat
- Is protected from the possibility of a foreseen threat having significantly greater impact than anticipated
- Is able to take cost effective measures to reduce or eliminate the effects of threats; and
- Is able to identify, and take maximum advantage of any identified opportunities

The County Council will use process indicators to monitor the success of the Risk Management Policy and Framework.

Process Indicators

- The percentage of key decision reports to member panels and Cabinet that include effective risk assessment
- The percentage of staff and members receiving risk management awareness and process training
- The percentage of major projects with good operational risk management
- The percentage of significant partnerships with good operational risk management
- All key risk registers (corporate and departmental) are fully reviewed at least annually
- Risk Management Audit Reports are acceptable
- Departmental and corporate risk management self-assessment reports show improvement

Decision Making

One of the benefits mentioned in our Risk Management Policy is an established and reliable basis for decision making and planning. To enable achievement of this outcome the authors of all reports to member panels and cabinet requiring a decision from a number of options must ensure that each option is risk assessed in accordance with this Framework. This will provide additional information to members in order that the correct decision is reached.

CONCLUSION

The Risk Management Process contained within this Framework will provide a standardised and consistent approach to the management of risk. The process will become integrated with other processes, for example strategic, service and financial planning, policy making, performance management, project and partnership management, health and safety management, procurement and commissioning, business continuity and emergency planning. The process will also link strongly with our internal audit function, providing a basis for the creation of audit plans.

APPENDIX 1

RISK MANAGEMENT AIDS AND TOOLS

Risk Categories

Categories are widely used to identify sources of risk. Some will be of greater concern at the corporate level and some at the departmental/service level; however there is no clear distinction and all levels of management should be concerned, to varying degrees, with the majority of categories. These categories will assist at the risk identification stage in order to provide prompts to help identify risks. Risks can of course fall into one or more categories.

| Category | Description | Indicative Guidelines (examples only) |
|---|---|---|
| Political | Those associated with a failure to deliver either local or central government policy. | Unforeseen policy changes; Not meeting government agenda; Too slow or failure to modernise; Decision based on incorrect information; Unfulfilled promises to electorate; Community planning oversight/errors |
| Procurement/Commissioning | Those concerned with letting large contracts, purchasing new ICT systems, commissioning services | Unclear business cases; Failing to vet providers; Lack of market capacity; Inappropriate contract awarding; Failing to manage and monitor contracts; Non compliance with procurement policies; Poor contract specification or deficiencies |
| Economic | Those affecting our ability to meet our financial commitments. Including internal and external budgetary pressures, the failure to purchase adequate insurance or the consequences of proposed investment decisions. | General/regional economic problems; Missed business and service opportunities; Failure of major projects; Failure to prioritise, allocate appropriate budgets and monitor; Inadequate control over expenditure or income; Inadequate insurance cover |
| Social | Those relating to the effects of changes in demographic, residential or socio-economic trends. | Failing to meet the needs of disadvantaged communities; Failures in partnership working; Problems in delivering life long learning; Impact of demographic change; Crime and disorder |
| Technological | Those associated with our capacity to deal with the pace/scale of technological change, or our ability to use technology to address changing demands. | Breach of confidentiality; Failure in communications; Insufficient disaster recovery for key data/systems; Failure of corporately significant technology related project; Breach of security of networks and data; Failure to comply with ICT Security Policy |
| Legislative | Those associated with current or potential changes in national or European law. | Inadequate response to new legislation; Not meeting statutory duties or deadlines, e.g. H&S, data protection, etc.; Failure to implement legislative change; Misinterpretation of legislation; Exposure to liability claims |
| Environmental | Those relating to the environmental consequences of progressing our corporate objectives (e.g. in terms of energy, efficiency, pollution, recycling, climate change, etc). | Impact on sustainability initiatives; Impact of planning and transportation policies; Noise, contamination and pollution; Crime and Disorder Act implications; Inefficient use of energy and water; Incorrect storage/disposal of waste |
| Competitive | Those affecting the competitiveness of our service (in terms of cost or quality) and/or its ability to deliver best value. | Take over of services by government; Failure of bids for government funds; Failure to show value for money; Accusations of anticompetitive practices |
| Customer | Those associated with the failure to meet the current and changing needs and expectations of our customers and citizens. | Lack of appropriate consultation; Bad public and media relations; Significant service failure |
| Reputation | Those relating to public confidence and failure to recruit high calibre staff. | Adverse media attention; Policies misunderstood or misinterpreted; Negative implications identified by others which have not been previously considered; Failure to keep partners on side; Breach of confidentiality; Lack of business continuity plans; Failure to maintain and upkeep land and property |
| Partnership | Those associated with working in partnership with another organisation. | Poor selection of partner; Failure of partner to deliver; Bad management of partnership working |

Impact and Likelihood Criteria

Once a risk has been identified it is essential to determine the level of impact and likelihood and so determine the total level of each risk. Impact and likelihood criteria are set at Stage 1, Establishing the Context, of the core phase. The criteria will differ depending on the level we are looking at.

To illustrate this point consider a risk that results in an impact of a 5,000 loss. Whether this is insignificant or extreme to our objective depends on the level of budget we are working with. If it is a project with a budget of 10,000 then this loss represents 50% of our budget and would be extreme. However if our budget was 500,000 then this loss represents only a 1% loss and therefore may be assessed as minor.

It is essential therefore that a risk appetite is set each time we begin the core phase. This will involve setting impact criteria. To assist with this we have produced two impact criteria models. The first is a standard for all corporate and departmental level risks; it may need to be adjusted for service or partnership risks. The second is for use when analysing risks from projects.

1. Generic Risk Impact Criteria Model

The graphic on the next page shows a model that is set at a corporate and departmental level; it should be used as is when analysing corporate/strategic or departmental level risks. Most of it will also be applicable to lower service and partnership levels with a possible financial adjustment being necessary.

| Descriptor | Level 1. Insignificant | Level 2. Minor | Level 3. Moderate | Level 4. Major | Level 5. Extreme |
|---|---|---|---|---|---|
| Service Delivery | Little disruption to services | Some disruption to services | Significant disruption to services | Loss of services for more than 48 hours but less than 7 days | Loss of services for > 7 days |
| Health & Safety | No injury | Minor injury | Violence or threat or serious injury | Extensive or multiple injuries | Fatality |
| Financial Loss | Loss of < 25,000 | Loss of 25,000 - 175,000 | Loss of 175,000 - 500,000 | Loss of 500,000 - 1m | Loss of > 1m |
| Budget Overspend | Unplanned change in service delivery due to budget overspend < 100,000 | Unplanned change in service delivery due to budget overspend 100,000 - 500,000 | Unplanned change in service delivery due to budget overspend 500,000 - 1m | Unplanned change in service delivery due to budget overspend 1m - 3m | Unplanned change in service delivery due to budget overspend > 3m |
| Performance | No effect on delivering corporate objective fully | Little effect on achieving corporate objective | Partial failure to achieve corporate objective | Significant impact on achieving corporate objective | Non delivery of corporate objective |
| Reputation | No damage to reputation | Minimal damage to reputation (minimal coverage in local press) | Significant coverage in local press | Coverage in national press | Extensive coverage in national press and on TV. Requires resignation of Director, Chief Exec or Leader of the Council |
| Environment | Insignificant environmental damage | Minor damage to local environment | Moderate damage to local environment | Major damage to local environment | Significant damage to local or national environment. |

2. Project Risk Impact Criteria Model

Almost all projects can be assessed using the three categories: schedule/time, costs and performance/quality of end product. These are notional but should work for most projects. Alter if deemed necessary.

Impact Criteria

| Schedule | Costs | Project Performance/Quality | Score |
|---|---|---|---|
| <2 weeks delay | <1% of budget | Cosmetic impact only | 1 Insignificant |
| 2 weeks - 1 month | 1%-<2% | Some minor elements of objectives affected | 2 Minor |
| 1 month-<2 months | 2%-<8% | Significant areas of some objectives affected | 3 Moderate |
| 2 months-<4 months | 8%-<12% | Wide area impact on some objectives | 4 Major |
| >4 months delay | >12% of budget | Significant failure resulting in the project not meeting its objectives | 5 Extreme |

Likelihood Criteria Model

When considering likelihood it is essential to look back to determine if the event has happened before and how often. It is also important to consider how far ahead we wish to look, i.e. could it happen in the next year, 5 years, ten years, etc. This will have a significant bearing on the risk treatment completion times and therefore our target risk score dates.

| Score | Descriptor | Definition |
|---|---|---|
| 1 | Rare | The event may occur only in exceptional circumstances |
| 2 | Unlikely | The event is not expected to occur |
| 3 | Possible | The event might occur at some time |
| 4 | Likely | The event will probably occur in most circumstances |
| 5 | Almost Certain | The event is expected to occur in most circumstances |

Risk Matrix

Once decisions have been made on impact and likelihood scores they are then multiplied together to provide a final risk score. The matrix below is then used to plot the final risk score. This will show the risk tolerance band the risk falls into and so determine how the risk is then treated.

[Figure: risk matrix with axes Impact (Insignificant, Minor 2, Moderate 3, Major 4, Extreme 5) and Likelihood (Rare 1, Unlikely, Possible 3, Likely 4, Almost Certain 5)]

| Risk Tolerance Band | Risk Treatment |
|---|---|
| Upper Band (Red Risks) | Risks in this band are so significant that risk treatment is mandatory. |
| Middle Band 6-16 (Amber Risks) | Risks in this band require a cost/benefit analysis to take place to determine the most appropriate treatment. |
| Lower Band 1-5 (Green Risks) | Where the level of risk is regarded as negligible, or so small that no risk treatment is needed. |

Cost/Benefit Analysis

In carrying out the cost/benefit analysis there are two parameters to consider. Both of these are dealt with in the following tables and then a final score allocated which will determine if control action is appropriate.

| Cost | Score | Control Status |
|---|---|---|
| Savings Made | 1 | Outlay for new controls will be less than anticipated savings across the organisation |
| Nil Cost | 2 | Cost neutral |
| Minimal Cost Incurred | 3 | Minimal costs, including an appreciation of resource time and provision of facilities. Not exceeding 25,000. |
| Significant Cost Incurred | 4 | Significant costs, in terms of resources, finance, provision of facilities etc. Above 25,000 but not exceeding 100,000 |
| Major Costs Incurred | 5 | Costs would be a serious concern to the recommendation's viability. Above 100,000 but not exceeding 500,000 |
| Substantial Costs Incurred | 6 | Costs would be very heavy so very clear tangible benefits would need to be apparent. A further examination of benefits may be required. Exceeding 500,000 |

| Benefit Score | Control Status |
|---|---|
| 1 | Must Do: There is a legal requirement for this control action to be done, or the control action will assist the Council in the delivery of all its corporate objective/s in a clear and tangible way, which can be easily demonstrated |
| 2 | Should Do: The control action is not legally required but it does constitute best practice, or the control action will assist the Council in the delivery of one or more of its objective/s in a clear and tangible way, which can be easily demonstrated |
| 3 | Could Do: The control action is good practice, or the control action is not vital but may assist with the delivery of one or more of the Council's objectives |

As with the risk likelihood and impact scores, the scores for cost and benefit should be multiplied together to give a priority score. The score is then mapped on the matrix below.


More information

NZ Transport Agency Page 1 of 23

NZ Transport Agency Page 1 of 23 NZ Transport Agency Page 1 of 23 Risk Management 1 Introduction The Highways and Network Operations (HNO) group supports the NZ Transport Agencies strategic objectives through the delivery of Capital Projects

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for

More information

Complaints Policy. Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By:

Complaints Policy. Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By: Complaints Policy CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By: Policy Governance

More information

ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES

ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES December 2015 NLC Enterprise Risk Management Guidelines Contents INTRODUCTION... 3 1. Enterprise Risk Management Principles... 5 2. The

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective

More information

Report to Parliament No. 4 for 2011 Information systems governance and security. Financial and Assurance audit. Enhancing public sector accountability

Report to Parliament No. 4 for 2011 Information systems governance and security. Financial and Assurance audit. Enhancing public sector accountability Financial and Assurance audit Report to Parliament No. 4 for 2011 Information systems governance and security ISSN 1834-1128 Enhancing public sector accountability RTP No. 4 cover.indd 1 15/06/2011 3:19:31

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

Risk Management Policy. Corporate Governance Risk Management Policy

Risk Management Policy. Corporate Governance Risk Management Policy Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance

More information

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12 POLICY BUSINESS CONTINUITY Policy owners Policy holder Author Head of Services Specialist Operations Contingency Planning Business Continuity Manager Policy No. 132 Approved by Legal Services 17.09.12

More information

ERM Program. Enterprise Risk Management Guideline

ERM Program. Enterprise Risk Management Guideline ERM Program Enterprise Management Guideline Table of Contents PREAMBLE... 2 When should I refer to this Guideline?... 3 Why do we need a Guideline?... 4 How do I use this Guideline?... 4 Who is responsible

More information

Risk Management Within an Organisation

Risk Management Within an Organisation COUNTY DURHAM AND DARLINGTON FIRE AND RESCUE SERVICE Administration and General Order No. AD/1/TBC CORPORATE RISK MANGEMENT POLICY 1. INTRODUCTION 1.1 County Durham and Darlington Combined Fire Authority

More information

Risk Management Strategy and Guidelines

Risk Management Strategy and Guidelines Swale Borough Council Risk Management Strategy and Guidelines Status: Final Originating Date: January 2008 Date Ratified: February 2008 (Audit Committee) Next Review Date: January 2009 Accountable Member:

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

APPLICABLE TO: Flow Systems Group and all employees. Risk Management

APPLICABLE TO: Flow Systems Group and all employees. Risk Management PURPOSE: Flow Systems is committed to managing its risks and ensuring compliance with all relevant laws and regulations in a proactive, on-going and positive manner. This document outlines Flow s Risk

More information

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE

More information

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

Risk Management: Coordinated activities to direct and control an organisation with regard to risk. POLICY CG01 RISK MANAGEMENT Document Control Statement This Policy is maintained by the Governance and Organisational Strategy. Any printed copy may not be up to date and you are advised to check the electronic

More information

Merthyr Tydfil County Borough Council

Merthyr Tydfil County Borough Council Merthyr Tydfil County Borough Council DRAFT Risk Management Policy & Strategy April 2014 Prepared by: Kerry O Donovan Page 1 of 47 Contents Page Numbers Foreword 3 Merthyr Tydfil County Borough Council

More information

RISK MANAGEMENT STRATEGY 2014-17

RISK MANAGEMENT STRATEGY 2014-17 RISK MANAGEMENT STRATEGY 2014-17 DOCUMENT NO: Lead author/initiator(s): Contact email address: Developed by: Approved by: DN128 Head of Quality Performance Julia.sirett@ccs.nhs.uk Quality Performance Team

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

NSW Government ICT Benefits Realisation and Project Management Guidance

NSW Government ICT Benefits Realisation and Project Management Guidance NSW Government ICT Benefits Realisation and Project Management Guidance November 2014 CONTENTS 1. Introduction 1 2. Document purpose 1 3. Benefits realisation 1 4. Project management 4 5. Document control

More information

BUSINESS CONTINUITY POLICY

BUSINESS CONTINUITY POLICY BUSINESS CONTINUITY POLICY Last Review Date Approving Body n/a Audit Committee Date of Approval 9 th January 2014 Date of Implementation 1 st February 2014 Next Review Date February 2017 Review Responsibility

More information

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08 Performance Detailed Report May 2008 Review of Performance Management Audit 2007/08 External audit is an essential element in the process of accountability for public money and makes an important contribution

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

1.20 Appendix A Generic Risk Management Process and Tasks

1.20 Appendix A Generic Risk Management Process and Tasks 1.20 Appendix A Generic Risk Management Process and Tasks The Project Manager shall undertake the following generic tasks during each stage of Project Development: A. Define the project context B. Identify

More information

Victorian Government Risk Management Framework. March 2015

Victorian Government Risk Management Framework. March 2015 Victorian Government Risk Management Framework March 2015 This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management Principles and Guidelines. Permission has been granted by SAI Global

More information

Core Infrastructure Risk Management Plan

Core Infrastructure Risk Management Plan SHIRE OF MOUNT MAGNET Roads and Buildings Core Infrastructure Risk Management Plan Version 1 May 2013 AM4SRRC Document Control Asset Management for Small, Rural or Remote Communities Document ID: 59_280_110211

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

Internal Audit Strategic and Annual Plans 2015/16

Internal Audit Strategic and Annual Plans 2015/16 Internal Audit Strategic and Annual Plans 2015/16 Financial Scrutiny and Audit Committee 10 February 2015 Agenda Item No 8 Summary: This report provides an overview of the stages followed prior to the

More information

Project Risk Management. Presented by Stephen Smith

Project Risk Management. Presented by Stephen Smith Project Risk Management Presented by Stephen Smith Introduction Risk Management Insurance Business Financial Project Risk Management Project A temporary endeavour undertaken to create a unique product

More information

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20

More information

RISK MANAGEMENT TOOLKIT

RISK MANAGEMENT TOOLKIT RISK MANAGEMENT TOOLKIT (OPERATIONAL) This toolkit has been adapted from the toolkit prepared by the Finance Facilities and Planning Services Branch of the Department of Education and the University of

More information

Risk Management Framework

Risk Management Framework Risk Management Framework THIS PAGE INTENTIONALLY LEFT BLANK Foreword The South Australian Government Risk Management Policy Statement 2009 advocates that consistent and systematic application of risk

More information

How To Ensure That Sovini Is A Successful Business

How To Ensure That Sovini Is A Successful Business Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

Business Continuity (Policy & Procedure)

Business Continuity (Policy & Procedure) Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2 UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT Purpose of the guide... 2 Risk Management The Basics... 2 What is Risk Management?... 2 Applying Risk Management... 2 The Use of Risk Registers in Risk Management...

More information

RISK MANAGEMENT STRATEGY AND FRAMEWORK

RISK MANAGEMENT STRATEGY AND FRAMEWORK Uniting Church in Australia Synod of Victoria and Tasmania RISK MANAGEMENT STRATEGY AND FRAMEWORK Prepared by: Synod Risk Management Committee Date Prepared and Issued: February 2010 S:\AdminFinance\EDAF\Risk

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

Risk Management Framework

Risk Management Framework 4 November 2013 Performance and Resources Board 15 To consider Risk Management Framework Issue 1 To consider a draft revised Risk Management Framework as requested by Council at its meeting on 7 February

More information

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee Page 1 2 Contents 1. Introduction... 3 1.1 Definition of a... 3 1.2 Why have

More information

Strategic Alliance. Business Continuity Policy

Strategic Alliance. Business Continuity Policy Version 1.1 April 2016 Contents Contents Version control Foreword Policy Scope Aim and objectives Methods and standards Responsibilities Governance Training and exercises Page i ii 1 2 2 2 Version 1.1

More information

RISK MANAGEMENT STRATEGY 2013-2016

RISK MANAGEMENT STRATEGY 2013-2016 RISK MANAGEMENT STRATEGY 2013-2016 As presented and endorsed by the Mornington Peninsula Shire s Audit Committee at its meeting of 20 February, 2013 and subsequent adoption by Council at its meeting of

More information

San Francisco International Airport Enterprise Risk Management

San Francisco International Airport Enterprise Risk Management San Francisco International Airport Enterprise Risk Management Mike Warren Airport Risk Manager WHAT IS ENTERPRISE RISK MANAGEMENT (ERM) It is a comprehensive program that focuses on a continuous and sustainable

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date

More information

Business Continuity Policy. Version 1.0

Business Continuity Policy. Version 1.0 Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises

More information

The University of Adelaide RISK MANAGEMENT HANDBOOK

The University of Adelaide RISK MANAGEMENT HANDBOOK The University of Adelaide RISK MANAGEMENT HANDBOOK CONTENTS PART A: Introduction 2 1. Risk Management Standard 3 2. Risk management - in general 4 3. Risk management - in the University context 5 PART

More information

How To Manage Risk In Ancient Health Trust

How To Manage Risk In Ancient Health Trust SharePoint Location Non-clinical Policies and Guidelines SharePoint Index Directory 3.0 Corporate Sub Area 3.1 Risk and Health & Safety Documents Key words (for search purposes) Risk, Risk Management,

More information

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 106 LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 Leicestershire County Council believes that managing current and future risk, both opportunity and threat, is increasingly vital

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

LONDON BOROUGH OF SOUTHWARK

LONDON BOROUGH OF SOUTHWARK APPENDIX 1 LONDON BOROUGH OF SOUTHWARK The annual report to the Audit & Governance Committee on Risk and Insurance for 2011/12, and the key corporate risks Presented to the Audit & Governance Committee

More information

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review

More information

Risk Policy and Risk Management Procedures

Risk Policy and Risk Management Procedures Risk Policy and Risk Management Procedures Preface The University s Risk Policy sets out The University s approach to risk and its management together with the means for identifying, analysing and managing

More information