Revised Risk Management Policy and Framework. Report by Head of Finance

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Revised Risk Management Policy and Framework. Report by Head of Finance"

Transcription

1 Audit Committee 29 April 2010 Item No 7 Revised Risk Management Policy and Framework Report by Head of Finance Summary A substantial review of our current Risk Management Strategy has been carried out. This report presents for comment a revised Risk Management Policy and Framework. The revised policy and framework reflects current best practice and is based around the new international standard for risk management. Much of the policy and framework reflects practice currently in use by the Council. Recommendation Required The Audit Committee is asked to: Consider and comment upon the risk management policy and framework. 1. Introduction 1.1 The County Council s current Risk Management Strategy was approved by Cabinet in September Some minor revisions were approved by the Chief Officer Group in March 2008 and were reported to this Committee in April As risk management is a dynamic discipline it is necessary to continue to review our Strategy to ensure it continues to take account of national and international developments. 1.2 A review has been carried out on our existing Strategy by the Council s Risk Manager particularly in line with the new international standard for risk management recently issued ISO The revised strategy has been consulted upon widely within the Officer community of the Council including the Chief Officer Group. This report provides the Audit Committee with an opportunity to consider and comment upon the report before it is taken to Cabinet for consideration.

2 2. Changes to Strategy 2.1 A number of changes have been necessary to ensure the language and processes agreed internationally are being met. The main change is that the Strategy is now split into two documents, a Risk Management Policy (appendix 1) and a Risk Management Framework (appendix 2). 2.2 The Policy is a short document stating the principles that the Council aspires to and the benefits that will be realised. The Framework contains the detailed arrangements and processes that will be used to meet those principles. 2.3 The new Framework brings the Council in line with the latest national and international practice and strengthens the linkages with other disciplines for example service planning, performance, procurement and audit. 3. Resource Implications 3.1 There are no resource implications arising specifically from this report. However, continuing improvement in the application of risk management with it now being embedded well within relevant services will contribute to improving the use of resources, including financial resources across services. 4. Section 17 Crime and Disorder Act 4.1 There are no direct S17 implications arising from this report. However, risk management activities across the Authority contribute significantly to the management of risk relating to crime and disorder and community safety/protection. 5. Alternative Options 5.1 There are no alternative options for the Audit Committee to consider. 6. Equality Impact Assessment 6.1 There are no impacts arising from this report. 7. Conclusion 7.1 There is a need to regularly review and update the approach being adopted for the management of risk across the Council. The appendices to this report contain the outcome of the most recent review in to the risk strategy resulting in the production of a risk management policy and an updated risk framework.

3 8. Recommendation 8.1 The Audit Committee is asked to: Consider and comment upon the risk management policy and framework. Officer Contacts: Paul Brittain, Head of Finance, or e mail John Baldwin, Risk and Insurance Manager, , or e mail If you need this report in large print, audio, Braille, alternative format or in a different language please contact John Baldwin, Tel: , Minicom: , and we will do our best to help.

4 WELL MANAGED RISK NORFOLK COUNTY COUNCIL S POLICY ON RISK MANAGEMENT

5 Risk Management Policy April 2010 Contents Page Introduction 2 Risk Management Principles 2 Benefits 3 Realisation 4 Review 4 1

6 Risk Management Policy April 2010 Introduction All organisations face internal and external factors and influences that make the achievement of their objectives uncertain. The effect that this uncertainty has on our objectives can be defined as risk. This Policy sets out the County Council s commitment to managing this risk. It states the principles that we will pursue with regard to risk management and outlines the benefits that we envisage will be realised by its use. Further, more in depth processes, responsibilities and accountabilities appear in the document Well Managed Risk, Norfolk County Council s Framework for Risk Management. Principles The following Principles will be aspired to across the County Council: 1. Risk management creates and protects value We will ensure that risk management contributes to the demonstrable achievement of our objectives at all levels and the improvement of our performance in, for example, health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, customer services, project and partnership management, business continuity, governance and reputation. 2. Risk management is an integral part of all our organisational processes We will ensure that risk management is part of the responsibilities of our management and an integral part of all of our processes, including strategic and service planning and all financial, partnership, project and change management processes. 3. Risk management is part of our decision making We will ensure that risk management helps decision makers make informed choices, prioritise actions and distinguish between alternative courses of action. 4. Risk management explicitly addresses uncertainty We will ensure that risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. 5. Risk management is systematic, structured and timely We will ensure that a systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results. 2

7 Risk Management Policy April Risk management is based on the best available information We will ensure that the inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. 7. Risk management takes human and cultural factors into account We will ensure that risk management recognises the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder the achievement of our objectives. 8. Risk management is transparent and inclusive We will ensure the appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the County Council, in order that risk management remains relevant and up-to-date. 9. Risk management is dynamic, iterative and responsive to change We will ensure that risk management continually anticipates and responds to change. 10. Risk management facilitates continual improvement of the County Council We will develop and implement processes to improve our risk management maturity alongside all other aspects of the County Council. 11. Risk management will be adequately resourced We will ensure that the necessary resources are established and provided in order to deliver excellent risk management. Benefits We expect that when the above principles are being conclusively met through enhanced risk management practice the following benefits will be realised; increased likelihood of achieving our objectives encouragement of proactive management awareness of the need to identify and treat risk throughout the Council improved identification of threat events better compliance with relevant legal and regulatory requirements improved governance improved stakeholder confidence and trust an established and reliable basis for decision making and planning improved controls effective allocation and use of resources for risk treatment improved operational effectiveness and efficiencies 3

8 Risk Management Policy April 2010 enhanced health and safety performance and environmental protection improved loss prevention and incident management improved organisational resilience. Realisation The realisation of these principles and benefits will be achieved by the operation of enhanced risk management arrangements. The document Well Managed Risk a Framework for Risk Management contains the accountabilities and responsibilities for risk management, the risk management approach and the reporting and performance measurement arrangements. This Policy and its associated framework document take account of the new international standard ISO for risk management. Compliance with these documents will ensure that the County Council achieves excellence in its approach to and management of risk. Review This Policy and other supporting documents will be reviewed annually. David White Chief Executive Daniel Cox Leader of the Council 4

9 WELL MANAGED RISK NORFOLK COUNTY COUNCIL S FRAMEWORK FOR RISK MANAGEMENT

10 Contents Page Introduction 1 Context 1 Risk appetite and tolerance 1 Roles and responsibilities 2 The Overall Risk Management Process 5 Communicate and Consult 6 Training 6 The Core Phase 6 When should the core phase occur 7 Stage 1 - Establishing the context 7 Stage 2 - Risk identification 8 Stage 3 - Risk analysis 8 Stage 4 - Risk evaluation 9 Stage 5 - Risk treatment 9 Recording risks 10 Monitor and Review 10 Review 10 Risk Escalation Criteria 11 Reporting 12 Performance 13 Process Indicators 14 Decision making 14 Conclusion 14 Appendix 1 Risk Management Aids and Tools 15 Risk categories 15 Impact and likelihood criteria 17 Generic Risk Impact Criteria Model 18 Project Risk Impact Criteria 20 Likelihood Criteria Model 20 Risk matrix 21 Risk tolerance 21 Cost/benefit analysis 22 Prioritisation matrix 23 Appendix 2 Risk Recording Documents 24 Form 1 25 Form 1 guidance notes 26 Form 2 27 Form 2 guidance notes 28 Appendix 3 Glossary 29

11 RISK MANAGEMENT FRAMEWORK INTRODUCTION In Norfolk County Council s Risk Management Policy document Well Managed Risk we set out our principles with regard to managing our risks. In this Framework document we provide the detailed arrangements and processes that will be used to meet those principles. The Framework is based on the new international standard for risk management ISO CONTEXT In carrying out its objectives the County Council faces internal and external factors that make the successful achievement of these objectives uncertain. Risk arises because our objectives are pursued against this uncertain background. We therefore define risk as; The effect of uncertainty on our objectives To illustrate, risk isn t the chance of flooding but the chance that the flooding will disrupt or affect our objectives. The definition however clearly places risk in the context of what we wish to achieve i.e. our objectives. As risk is very much concerned with our objectives, the management of it will be closely linked to the creation of our strategic, service, project and partnership objectives and plans. The established processes for the creation of these plans will act as an anchor for the risk management process. Risk is also implicit in the decisions we make; how we make those decisions will affect how successful we are in achieving our objectives. Decision making is, in turn, an integral part of day to day existence and is particularly prominent in times of change. Risk management therefore is very closely linked with the management of change and to decision making. Our risk management process will be continuous and will support internal and external change. The risk management process will be fully integrated with the normal business management processes across the authority. RISK APPETITE AND TOLERANCE Risk appetite refers to the County Council s unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable. As a result, risk appetite refers to our willingness to tolerate a particular level of exposure to specific risks or risk groups. The appetite is also a function of our capacity to bear risk which should not be exceeded. The appetite for a particular service/project should be scaled in line with the Council s overall appetite as part of the Establishing the Context stage. 1

12 Another key step to applying a risk appetite is the creation of risk tolerance thresholds for the County Council as a whole. The County Council has agreed a three band risk tolerance approach upper, middle and lower. More details on these bands appear on page 21. ROLES AND RESPONSIBILITIES The County Council is a large and complex organisation. It is essential therefore that we provide clarity regarding what should be done and by whom. The table below contains details of roles and responsibilities at all levels across the Council. Role Responsibilities Cabinet Approve the Council s Risk Management Policy and Framework Consider risk management implications when making decisions Send consistent messages on the Council s values and behavior and seize opportunities to reinforce these. Member Risk Champion Gain an understanding and promote risk management and its benefits throughout the Council Ensure Members take risk management into consideration when making decisions and seize opportunities to reinforce this. Audit Committee Provide proactive leadership and direction on risk management governance issues and champion risk management throughout the council and ensure that the Cabinet is kept sufficiently informed to enable it to approve the Council s Risk Management Policy and Framework and that adequate insurance exists where appropriate Consider the effectiveness of the system of risk management arrangements Consider an annual report and quarterly reports with respect to risk management including, an opinion on the adequacy and effectiveness of the Council s risk management, any corporately significant issues arising, and receive assurance that action has been taken as necessary Receive assurances that action is being taken on risk related issues identified by both internal and external auditors and other inspectors Independent scrutiny of the authority s financial and nonfinancial performance to the extent that it affects the authority s exposure to risk Report annually to full Council as per the Financial Overview and Scrutiny Panels Regulations. Receive and challenge reports on risk management, primarily departmental and service risk registers, from Departmental Management Teams 2

13 Chief Officers Group Departmental Management Teams Departmental Risk Coordinators Corporate Risk Management Team Understand their department s key risks and ensure sufficient action is being taken to control them. Overall accountability and responsibility for leading the delivery of the Council s Risk Management Policy and Framework Ensuring the key risks to corporate objectives are identified, recorded and managed Reviewing and updating corporate/strategic risks quarterly Take collective and individual ownership of identified key corporate/strategic risks Ensuring the effectiveness of risk management activity is measured and is producing the benefits identified Establish a culture and working practices which promote openness, learning and personal development. Accountability and responsibility for leading the delivery of the Council s Risk Management Framework in their department Ensuring key risks to service objectives, project and partnership objectives under their control are identified, recorded and managed Ensuring those risks having a corporate impact are reported and considered for inclusion in the Corporate Risk Register by Chief Officers Group Reviewing and updating risks at least quarterly including controls and progress Reporting to Overview and Scrutiny Panels twice per year Take collective and individual ownership of identified key service risks Ensure a risk aware culture is built across their department Ensuring the effectiveness of risk management activity is measured and is producing the benefits identified. Work with their Director, Heads of Service, Managers and Team Leaders to ensure the RM Policy and Framework is embedded in departmental planning, performance, project and partnership management Assist management teams to identify and record all key risks to service, project and partnership objectives Monitor and review risks against performance Administer the process for the reviews of risks Assist with the compilation of reports to Overview and Scrutiny Panels Ensure that appropriate departmental, service, project and partnership risks are escalated when necessary Be the link between departmental activity and the Corporate Risk Management Team Represent their department on the Risk Management Coordinators Group. Design and drive the implementation of the Corporate Risk Management Policy and Framework Ensure appropriate awareness, training and development is 3

14 available in order to improve competence in risk management across the authority Assist with and facilitate risk identification and assessment workshops Provide advice and assistance in specific circumstances as required Ensure an appropriate system is available for recording and monitoring risks at all levels Continuously monitor the effectiveness of the Risk Management Framework across the authority Ensure that the risk management process is subject to review at departmental and corporate levels regularly Provide reports to Audit Committee on key risks to the authority. Internal Audit Produce a risk based audit plan that takes into account the corporate, departmental, service, project and partnership risks identified across the authority Provide an informed opinion on the effectiveness of the Risk Project/ Partnership Boards Management Framework across the authority. Ensure the active involvement of key stakeholders in the identification and management of risk where appropriate Set and confirm the project s/partnership s risk appetite with regard to risk impact levels Understand their project s/partnership s key risks and ensure sufficient action is being taken to manage them Make decisions with regards to risk control options suggested by the Project/Partnership Manager Maintain a close watch over the continued viability of the Business Case Notify programme management or other higher authority of any risks that affect the project s ability to meet corporate or programme objectives. Project/ Partnership Ensure key risks to project/partnership objectives are identified, recorded and managed Managers Take account of any external risks notified by Project/Partnership Board Ensuring the project s/partnership s risk register is reviewed at appropriate stages of the project/partnership Report key risks and mitigation progress to the Project/Partnership Board or Project Sponsor Ensure risks that are beyond the Project/Partnership Boards ability to control are escalated to a higher authority Review and recommend changes to the risk management approach based on lessons learnt. Risk Owners Identify and implement risk treatment that will bring the risk/s they own to a tolerable level Regularly review the progress of the risk treatment actions Report on the risk treatment progress to the responsible body 4

15 Be in a position to influence the risk treatment being put in to place. Managers Understand and act upon the key risks that could significantly impact on the achievement of their service/team objectives Encourage staff to be open about risk so that treatment actions can be agreed Undertake an assessment of risk as part of all key plans and projects and record on risk register Report any identified unnecessary or unworkable risk controls to risk owners All Staff Have an understanding of risks and regard risk management as part of their everyday activities, including risk identification and reporting of risks that could affect objectives. THE OVERALL RISK MANAGEMENT PROCESS To establish the principles set out in our Risk Management Policy we have set in place an appropriate risk management process. The graphic below shows a visual representation of this. Stakeholder Input Communicate and Consult The Overall Risk Management Process Establish the Context Identify Risks Analyse Risks Evaluate Risks Treat Risks Recording (Risk Registers) Core Phase Monitor and Review Management Teams Risk Owners Members The Process includes all of the core and organisational arrangements that are required to ensure the process is embedded into our normal day to day business practices. The following paragraphs provide the detail for these arrangements. 5

16 Communicate and Consult The risk management process cannot exist without an appropriate means of communication between all internal and external stakeholders. This will require consultation with all persons with a vested interest in the risks to our objectives at whatever level we are assessing. This may include the public, partners, project boards and sponsors, management teams and other specialists whose initial assistance may be required to identify and analyse risks. Communication and consultation should occur at all stages of the core phase of the risk management process. Training For the process to be successful it is essential that persons involved are appropriately aware of this Framework and are competent to apply it. Basic training on the principles of risk management and details of our processes is available in an E Learning module accessed via our Learning Hub. All personnel directly involved in the risk management process must complete this module. Additionally, and to ensure that risk management is embedded in our normal business practice, our training courses on service planning, financial planning and project and partnership management all refer to the need to manage risk, with references as to how. The Corporate Risk Management Team is available to assist management teams at all levels and can be requested to facilitate risk workshops, provide face to face training and to provide general assistance on any aspect of risk management. The Core Phase This is the basic process of identifying, analysing, evaluating and treating risks. It will involve persons from various levels, e.g. Chief Officers, management teams, project boards and teams, partnership boards etc. The Core Phase provides officers and members with an improved understanding of risks that could affect the achievement of their objectives and the adequacy and effectiveness of existing controls. It provides the basis for decisions about the most appropriate approach to be used to treat risks. The Core Phase is made up of five stages clearly shown in the graphic below: 6

17 Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Establish the Context What do we need to take into account and our objectives? Identify the Risks What might happen? How, when and why? Analyse the Risks What will this mean for our objectives? Evaluate the Risks Which risks need treating and our priority for attention? Treat the Risks How should we best deal with them? Record (RM software system) When Should the Core Phase Occur? The core phase should occur at the following occasions: Setting Corporate and Service Objectives (service planning) Creating Project Business Cases Creating Partnership Business Cases Procuring and/or commissioning goods or works Setting Annual Budgets Prior to key decision making Policy Making and Review. The process is also essential when reviewing external and internal influences throughout the year; hence it is a dynamic process. Stage 1 Establish the Context Establishing the context defines the basic parameters for managing risk and sets the scope and criteria for the rest of the process. This first stage is an essential precursor to risk identification. It will involve consideration of: What we are looking at, corporate or service objectives, project or partnership objectives, budgets or policies, procurement or commissioning, options for decisions. It is important also to consider the critical activities within the department which have been agreed through the Business Continuity process Who will be involved, be they internal and external stakeholders, they should all be considered as they may have a valuable contribution to the rest of the process Who will be responsible for the process, define responsibilities for review, monitoring and reporting The risk criteria and appetite, whether it s political, economic, legal, environmental, etc. The impact criteria to be included and how they will be measured (appetite) The risk tolerances, the criteria by which you will decide if a risk needs treatment and the criteria for deciding when a risk is tolerable or acceptable. If looking at partnership risk, which partners processes will be adopted 7

18 Example risk criteria including risk types, likelihood and impact matrices, risk treatment cost/benefit matrices, can be found in Appendix 1. These will greatly assist you through all stages of the core phase. Stage 2 Identify the Risks The purpose of this stage is to identify what might happen or what situations could exist that might affect the achievement of our objectives and what that effect might be. It may help to consider risks in categories e.g. legal, political, financial, technological, etc. A full range of categories is provided in Appendix 1. The question we need to ask is what could possibly present itself in the course of delivering our objectives which has the capacity to prejudice the successful delivery of the objective? To aid identification of risks it may help to study historical data for example, absence rates, incident rates, sickness rates, financial reports, performance reports, external assessments and public consultation. In addition we should ask if the risk could impact on a corporately agreed critical activity. Once identified we need to consider to what extent they will affect our objective (impact) It is important that the risk is clearly described, this will include what the event or situation may be, how it could affect us, when it could affect us, why it could affect us and to what extent. The fuller the description the easier it will be to estimate impact and likelihood scores. It is also important that we assemble the correct persons to carry out this stage. This means those with knowledge of the objectives, for example management teams, project/partnership boards, project/partnership managers, procurement officers, health and safety advisors and other stakeholders with a vested interest in the success of the objectives. Methods to complete this stage include, brainstorming workshops, one-to-one interviews, historical information and lessons learnt logs. All risk information identified at this stage should be recorded; persons are free to choose how to do this, however Appendix 2 includes a form (Form 1) that can be used for this purpose prior to it being added to the County Council s risk management recording software. Stage 3 Analyse the Risks Risk analysis is concerned with developing an understanding of each risk, its consequences and the likelihood of those consequences. It provides an input to risk 8

19 evaluation and to decisions on whether a risk needs to be treated and on the most appropriate risk treatment method. Understanding existing controls and their effectiveness is a vital part of risk analysis and must be explored before impact and likelihood judgements are made. Existing controls should be identified and recorded; this can be achieved by developing the Form 1 or other method used to initially record each risk. (See Appendix 2) From the risk description and bearing in mind the existing controls it should be possible to determine a score for the level of impact or consequence the risk could have. The impact levels or appetite should have been agreed at Stage 1. The template matrices in Appendix 1 are essential to this process. From the risk description and bearing in mind any existing controls it should possible to determine a score for the likelihood of the consequences of each risk. The template matrices in Appendix 1 are essential to this process. Multiplying the impact and likelihood scores provides a final risk score. At this point each risk should be allocated a risk owner, identify and record on Form 1. This should be an individual who thereafter becomes responsible for managing each risk. The risk owner should be in a position to influence any treatment measures that may be necessary. Stage 4 Evaluate the Risks Risk evaluation involves making a decision about the level or priority of each risk. Risks are prioritised for attention by placing them into the following bands relating to their final risk scores: Upper Band (16-25) Risks in this band are so significant that risk treatment is mandatory Middle Band (6-15) Where costs and benefits are taken into account and balanced against potential consequences Lower Band (1-5) Where the level of risk is regarded as negligible, or so small that no risk treatment is needed. The cost/benefit process is described in Appendix 1. Stage 5 Treat the Risks Once a risk has been evaluated a decision needs to be made on treatment. This involves either improving existing controls or developing and implementing new controls. There are a number of treatment options for example: Avoid: Decide not to start or continue with an activity that gives rise to the risk. Stop the activity or find a different way of doing it. This is often limited though in terms of strategic risks. 9

20 Treat: Transfer: Tolerate: Take actions to reduce the impact, e.g. contingency arrangements. Take action to reduce the likelihood e.g. alternative systems, increased training, physical improvements to premises etc. Share the exposure, either totally or in part, with a partner or contractor, or through insurance. Any partnership will need to be carefully monitored as it may not be possible to transfer all risks and certain aspects may remain, such as health and safety liability and loss of reputation. The value of risk management is recognising that it may be appropriate to place an activity at risk yet continue with it. Additional control actions will need to be SMART i.e. specific, measurable, achievable, realistic and timely. They will also require control owners who will be responsible to the risk owner for their completion. Target risk scores i.e. those levels of risk that we are prepared to tolerate following additional controls, will need to be set as well as the date by which these can be achieved. The risk recording system will collect this information and will be used to monitor progress. All information regarding additional controls can be recorded initially on Form 2 available at Appendix 2. Recording Risks All risk management activity should be recorded and accessible. The risk management software system is the ultimate tool for the collection and analysis of all risk management information derived from the core phase. However there is a need for an initial manual system of information collection during the core phase. Template Forms 1 and 2 have been designed to assist with this process and are available in Appendix 2. However other means can be used providing the same level of information is gathered. Monitor and Review Review The review process takes place at various levels. The following table highlights the way our review process will operate. What How By Whom When Individual Risks Review risk to ensure still valid, is risk treatment working, are target dates still valid. Does risk need to be escalated. Has risk level increased or decreased? Risk Owner No specific frequency, depends on risk 10

21 Corporate Risk Registers Departmental and Service Risk Registers Project/Partnership Risk Registers The Risk Management Framework The Risk Management Framework (or parts thereof) The Risk Management Framework To monitor progress of risk treatments and to add or remove risks from register To monitor progress of risk treatments and to add or remove risks from register or escalate existing risks To monitor progress of risk treatments and to add or remove risks from register or escalate existing risks Carry out a Self- Assessment of Risk Performance at Departmental and Corporate Levels To assure operating effectively To assure operating effectively Chief Officers Group Departmental and Service Management Teams Project/Partnership Managers Corporate Risk Management Team and Departmental Risk Coordinators Norfolk Audit Services Audit Commission Quarterly At least Quarterly As agreed by Project/Partn ership Boards Annually As required As required Risk Escalation Criteria The County Council operates at three levels, corporate, departmental/service and project/partnership level. In order to ensure that risks are managed at the appropriate level we have set criteria against each level of risk. The tables below provide the criteria. Corporate Risks Risks at this level will be recorded and managed via the corporate risk register. Risks placed on this register will have the following characteristics: Risks identified by Chief Officers Group and members that impact directly on our corporate objectives Risks that are beyond the scope of individual departments to manage because they go across more than one or all departments and require control actions by COG and cabinet. Risks identified at project level that should they occur would impact on a corporate objective and need COG or cabinet management intervention. Risks associated with contextual review, i.e. horizon scanning risks with a corporate aspect. Risks with significant political, reputation or financial impact that require COG overview or management. 11

22 Departmental Risks Risks at this level will be recorded and managed via the departmental and/or service risk registers. Risks placed on these registers will have the following characteristics: Risks identified by departmental or service management teams that impact directly on departmental or service objectives Risks identified at project or partnership level that should they occur would impact on departmental objectives or priorities and need departmental management team intervention. Project/Partnership Risks Risks at this level will be recorded and managed via the project/partnership risk register. Risks placed on these registers will have the following characteristics: Risks that impact on individual project/partnership objectives but can be managed by the project/partnership board, manager or team Risks that impact on departmental objectives and targets but can be managed by the project/partnership board, manager or team. Personnel managing risk at all levels need to review their risks regularly against these criteria to ensure the risks are being managed at the appropriate level. Reporting The reporting process takes place at various levels. The following table highlights the way our reporting process will operate. Full Council Who What By Whom When Audit Committee Receive reports on risk management progress Receive reports on key corporate risks and progress on their treatment. Audit Committee Corporate Risk Manager Annually Quarterly Overview and Scrutiny Panels Receive reports on corporate risk management performance Receive Reports on key portfolio risks and progress on their treatment. Corporate Risk Manager Departmental Risk Coordinator Annually 6 Monthly Receive Report on departmental risk management performance Departmental Risk Coordinator Annually 12

23 Project/Partnership Boards The Public Chief Officers Group Receive reports on key project or partnership risks and progress on their treatment. Access to reports on risk management progress Receive reports on key corporate risks and progress on their treatment. Project/Partnership Manager All Committee and Panel minutes Corporate Risk Manager As detailed by Board Ongoing anytime access Quarterly Departmental Management Teams Receive reports on corporate risk management performance Receive reports on key service risks and progress on their treatment. Corporate Risk Manager Departmental Risk Coordinator Annually At least Quarterly Receive reports on departmental risk management performance Departmental Risk Coordinator Annually Performance As risk management is firmly set in the context of uncertainties to our objectives, it is clear that if we don t manage the risk from uncertainties our performance against our objectives will suffer. Therefore risk and performance are closely aligned. Measuring outcomes in terms of risk management is a difficult task. What we are in fact measuring is the avoidance and impact of hypothetical events that are of course hypothetical. However the ultimate measure of effective risk management is that the Council: Has resilience to deliver its services and corporate objectives Is protected from the possibility of being impacted upon by an unforeseen threat Is protected from the possibility of a foreseen threat having significantly greater impact than anticipated Is able to take cost effective measures to reduce or eliminate the effects of threats; and Is able to identify, and take maximum advantage of any identified opportunities The County Council will use process indicators to monitor the success of the Risk Management Policy and Framework. 13

24 Process Indicators The percentage of key decision reports to member panels and Cabinet that include effective risk assessment The percentage of staff and members receiving risk management awareness and process training The percentage of major projects with good operational risk management The percentage of significant partnerships with good operational risk management All key risk registers (corporate and departmental) are fully reviewed at least annually Risk Management Audit Reports are acceptable Departmental and corporate risk management self-assessment reports show improvement Decision Making One of the benefits mentioned in our Risk Management Policy is an established and reliable basis for decision making and planning. To enable achievement of this outcome the authors of all reports to member panels and cabinet requiring a decision from a number of options must ensure that each option is risk assessed in accordance with this Framework. This will provide additional information to members in order that the correct decision is reached. CONCLUSION The Risk Management Process contained within this Framework will provide a standardised and consistent approach to the management of risk. The process will become integrated with other processes for example, strategic, service and financial planning, policy making, performance management, project and partnership management, health and safety management, procurement and commissioning, business continuity and emergency planning. The process will also link strongly with our internal audit function providing a basis for the creation of audit plans. 14

25 APPENDIX 1 Risk Categories RISK MANAGEMENT AIDS AND TOOLS Categories are widely used to identify sources of risk, some will be of greater concern at the corporate level and some at the departmental/service level, however there is no clear distinction and all levels of management should be concerned, to varying degrees, with the majority of categories. These categories will assist at the risk identification stage in order to provide prompts to help identify risks. Risks can of course fall into one or more categories. Category Description Indicative Guidelines (examples only) Political Those associated with a failure to deliver either local or central government policy. Unforeseen Policy changes Not meeting government agenda Too slow or failure to modernise Decision based on incorrect information Unfulfilled promises to electorate Community planning Procurement/ Commissioning Economic Those concerned with letting large contracts, purchasing new ICT systems, commissioning services Those affecting our ability to meet our financial commitments. Including internal and external budgetary pressures, the failure to purchase adequate insurance or the consequences of proposed investment decisions. oversight/errors Unclear business cases Failing to vet providers Lack of market capacity Inappropriate contract awarding Failing to manage and monitor contracts Non compliance with procurement policies Poor contract specification or deficiencies General/regional economic problems Missed business and service opportunities Failure of major projects Failure to prioritise, allocate appropriate budgets and monitor 15

26 Social Technological Legislative Environmental Those relating to the effects of changes in demographic, residential or socio-economic trends. Those associated with our capacity to deal with the pace/scale of technological change, or our ability to use technology to address changing demands. Those associated with current or potential changes in national or European law. Those relating to the environmental consequences of progressing our corporate objectives (e.g. in terms of energy, efficiency, pollution, recycling, climate change, etc). Inadequate control over expenditure or income Inadequate insurance cover Failing to meet the needs of disadvantaged communities Failures in partnership working Problems in delivering life long learning Impact of demographic change Crime and disorder Breach of confidentiality Failure in communications Insufficient disaster recovery for key data/systems Failure of corporately significant technology related project Breach of security of networks and data Failure to comply with ICT Security Policy Inadequate response to new legislation Not meeting statutory duties or deadlines, e.g. H&S, data protection, etc. Failure to implement legislative change Misinterpretation of legislation Exposure to liability claims Impact on sustainability initiatives Impact of planning and transportation policies Noise, contamination and pollution Crime and Disorder Act implications Inefficient use of energy and water Incorrect storage/disposal of waste 16

27 Competitive Customer Reputation Partnership Those affecting the competitiveness of our service (in terms of cost or quality) and/or its ability to deliver best value. Those associated with the failure to meet the current and changing needs and expectations of our customers and citizens. Those relating to public confidence and failure to recruit high calibre staff. Those associated with working in partnership with another organisation. Take over of services by government Failure of bids for government funds Failure to show value for money Accusations of anticompetitive practices Lack of appropriate consultation Bad public and media relations Significant service failure Adverse media attention Policies misunderstood or misinterpreted Negative implications identified by others which have not been previously considered Failure to keep partners on side Breach of confidentiality Lack of business continuity plans Failure to maintain and upkeep land and property Poor selection of partner Failure of partner to deliver Bad management of partnership working Impact and Likelihood Criteria Once a risk has been identified it is essential to determine the level of impact and likelihood and so determine the total level of each risk. Impact and likelihood criteria are set at Stage 1 Establishing the Context of the core phase. The criteria will differ depending on the level we are looking at. To illustrate this point consider a risk that results in an impact of a 5,000 loss. Whether this is insignificant or extreme to our objective depends on the level of budget we are working with. If it is a project with a budget of 10,000 then this loss represents 50% of our budget and would be extreme. However if our budget was 500,000 then this loss represents only a 1% loss and therefore may be assessed as minor. It is essential therefore that a risk appetite is set each time we begin the core phase. This will involve setting impact criteria. To assist with this we have produced two impact criteria models. The first is a standard for all corporate and departmental 17

28 level risks; it may need to be adjusted for service or partnership risks. The second is for use when analysing risks from projects. 1. Generic Risk Impact Criteria Model The graphic on the next page shows a model that is set at a corporate and departmental level, it should be used as is when analysing corporate/strategic or departmental level risks. Most of it will also be applicable to lower service and partnership levels with a possible financial adjustment being necessary.. 18

29 Level 1. Insignificant 2. Minor 3. Moderate 4. Major 5. Extreme Descriptor Service Delivery Little disruption to services Some disruption to services Significant disruption to services Health & Safety No Injury Minor injury Violence or threat or serious injury Financial Loss Loss of < 25,000 Loss of 25,000 - Loss of 175, , ,000 Budget Overspend Unplanned change in service delivery due to budget overspend < 100,000 Unplanned change in service delivery due to budget overspend 100, ,000 Unplanned change in service delivery due to budget overspend 500, m Loss of services for more than 48 hours but less than 7 days Extensive or multiple injuries Loss of 500,000-1m Unplanned change in service delivery due to budget overspend 1m - 3m Loss of services for > 7 days Fatality Loss of > 1m Unplanned change in service delivery due to budget overspend > 3m Performance No effect on delivering corporate objective fully Little effect on achieving corporate objective Partial failure to achieve corporate objective Significant impact on achieving corporate objective Non delivery of corporate Objective Reputation Environment No damage to reputation Insignificant environmental damage Minimal damage to reputation (minimal coverage in local press) Minor damage to local environment Significant coverage in local press Moderate damage to local environment Coverage in national press Major damage to local environment Extensive coverage in national press and on TV Requires resignation of Director, Chief Exec or Leader of the Council Significant damage to local or national environment. 19

30 2. Project Risk Impact Criteria Model Almost all projects can be assessed using the three categories, schedule/time, costs and performance/quality of end product. These are notional but should work for most projects. Alter if deemed necessary. Impact Criteria Schedule Costs Project Performance/Quality Score <2 weeks delay <1% of budget Cosmetic impact only 1 Insignificant 2 weeks 1 month 1%-<2% Some minor elements of objectives affected 1 month-<2 months 2%-<8% Significant areas of some objectives affected 2 months-<4 months 8%-<12% Wide area impact on some objectives, >4 months delay >12% of budget Significant failure resulting in the project not meeting its objectives 2 Minor 3 Moderate 4 Major 5 Extreme Likelihood Criteria Model When considering likelihood it is essential to look back to determine if the event has happened before and how often. It is also important to consider how far ahead we wish to look i.e. could it happen in the next year, 5 years, ten years, etc. This will have a significant bearing on the risk treatment completion times and therefore our target risk score dates. Score Descriptor Definition 1 Rare The event may occur only in exceptional circumstances 2 Unlikely The event is not expected to occur 3 Possible The event might occur at some time 4 Likely The event will probably occur in most circumstances 5 Almost Certain The event is expected to occur in most circumstances 20

31 Risk Matrix Once decisions have been made on impact and likelihood scores they are then multiplied together to provide a final risk score. The matrix below is then used to plot the final risk score. This will show the risk tolerance band the risk falls into and so determine how the risk is then treated. ( Impact Almost Certain 5 Extreme 5 Major 4 Moderate 3 Minor 2 Insignificant Likelihood Likely 4 Possible 3 Unlikely Give Rare 1 Risk Tolerance Band Upper Band (Red Risks) Middle Band 6-16 (Amber Risks) Lower Band 1-5 (Green Risks) Risk Treatment Risks in this band are so significant that risk treatment is mandatory. Risks in this band require a cost/benefit analyses to take place to determine the most appropriate treatment. Where the level of risk is regarded as negligible, or so small that no risk treatment is needed. 21

32 Cost /Benefit Analysis In carrying out the cost/benefit analysis there are two parameters to consider, both of these are dealt with in the following tables and then a final score allocated which will determine if control action is appropriate. Cost Score Savings Made 1 Nil Cost 2 Minimal Cost Incurred 3 Significant Cost Incurred 4 Major Costs Incurred 5 Substantial Costs Incurred 6 Control Status Outlay for new controls will be less than anticipated savings across the organisation Cost neutral Minimal costs, including an appreciation of resource time and provision of facilities. Not exceeding 25,000. Significant costs, in terms of resources, finance, provision of facilities etc. Above 25,000 but not exceeding 100,000 Costs would be a serious concern to the recommendation s viability. Above 100,000 but not exceeding 500,000 Costs would be very heavy so very clear tangible benefits would need to be apparent. A further examination of benefits may be required. Exceeding 500,000 Benefit Score Control Status 1 Must Do: There is a legal requirement for this control action to be done, or The control action will assist the Council in the delivery of all its corporate objective/s in a clear and tangible way, which can be easily demonstrated 2 Should Do: The control action is not legally required but it does constitute best practice, or The control action will assist the Council in the delivery of one or more of its objective/s in a clear and tangible way, which can be easily demonstrated 3 Could Do: The control action is good practice, or The control action is not vital but may assist with the delivery of one or more of the Council s objectives As with the risk likelihood and impact scores, the scores for cost and benefit should be multiplied together to give a priority score. The score is then mapped on the matrix below. 22

The Risk Management strategy sets out the framework that the Council has established.

The Risk Management strategy sets out the framework that the Council has established. Derbyshire County Council Management Policy Statement The Authority adopts a proactive approach to Management to achieve Best Value and continuous improvement and is committed to the effective management

More information

Bridgend County Borough Council. Corporate Risk Management Policy

Bridgend County Borough Council. Corporate Risk Management Policy Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk

More information

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc

MARCH 2012. Strategic Risk Policy Update March 2012 v1.10.doc MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till

More information

Confident in our Future, Risk Management Policy Statement and Strategy

Confident in our Future, Risk Management Policy Statement and Strategy Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents

More information

Risk Management within Chief Executives and Corporate Finance

Risk Management within Chief Executives and Corporate Finance Report to Corporate Affairs Review Panel 21 November 2007 Item No 11 Risk Management within Chief Executives and Corporate Finance Report by the Chief Executive, Director of Corporate Resources and Cultural

More information

Project Risk Analysis toolkit

Project Risk Analysis toolkit Risk Analysis toolkit MMU has a corporate Risk Management framework that describes the standard for risk management within the university. However projects are different from business as usual activities,

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

The Lowitja Institute Risk Management Plan

The Lowitja Institute Risk Management Plan The Lowitja Institute Risk Management Plan 1. PURPOSE This Plan provides instructions to management and staff for the implementation of consistent risk management practices throughout the Lowitja Institute

More information

Bedford Group of Drainage Boards

Bedford Group of Drainage Boards Bedford Group of Drainage Boards Risk Management Strategy Risk Management Policy January 2010 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise

More information

Audit & Scrutiny Committee

Audit & Scrutiny Committee Page 1 Annual Risk Management Report Audit & Scrutiny Committee Agenda Item: 09 Date of Meeting 23 February 2016 Officer Chief Executive Subject of Report Annual Risk Management Report Executive Summary

More information

RISK MANAGEMENT POLICY & FRAMEWORK. \\vmfileserver02\company\council\judy\risk Management\Risk Management Framework 2013 (2).

RISK MANAGEMENT POLICY & FRAMEWORK. \\vmfileserver02\company\council\judy\risk Management\Risk Management Framework 2013 (2). RISK MANAGEMENT POLICY & FRAMEWORK \\vmfileserver02\company\council\judy\risk Management\Risk Management Framework 2013 (2).doc 20 Page 1 of Table of Contents Risk Management Policy...3 Risk Management

More information

V1.0 - Eurojuris ISO 9001:2008 Certified

V1.0 - Eurojuris ISO 9001:2008 Certified Risk Management Manual V1.0 - Eurojuris ISO 9001:2008 Certified Section Page No 1 An Introduction to Risk Management 1-2 2 The Framework of Risk Management 3-6 3 Identification of Risks 7-8 4 Evaluation

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

Council Meeting Agenda 27/07/15

Council Meeting Agenda 27/07/15 3 Risk Management Framework Abstract Council s Risk Management Framework ( the Framework ) was adopted by Council in 2012. The Framework provides structure and guidance to Council s risk management activities

More information

RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014

RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014 RISK AND OPPORTUNITY MANAGEMENT STRATEGY 2013-2014 Version 1.0 October 2013 Not protectively marked INDEX PAGE NO TITLE 3 Executive Summary 4 Our Shared Vision and Priorities 5 Outline of the Risk and

More information

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization

POLICY. Number: 7311-10-005 Title: Enterprise Risk Management. Authorization POLICY Number: 7311-10-005 Title: Enterprise Risk Management Authorization [ ] President and CEO [ X] Vice President, Finance and Corporate Services Source: Director, Enterprise Risk Management Cross Index:

More information

Version: 3.0. Effective From: 19/06/2014

Version: 3.0. Effective From: 19/06/2014 Policy No: RM66 Version: 3.0 Name of Policy: Business Continuity Planning Policy Effective From: 19/06/2014 Date Ratified 05/06/2014 Ratified Business Service Development Committee Review Date 01/06/2016

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Effective from 4 July 2015 Version Number: 2.1 Author: Director of Planning Planning Directorate Document Control Information Status and reason for development Revised updating the

More information

Corporate Risk Management Policy

Corporate Risk Management Policy Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction

More information

Risk Management Strategy 2014-2017

Risk Management Strategy 2014-2017 Appendix 1 London Fire and Emergency Planning Authority London Fire Brigade Risk Management Strategy 2014-2017 Our Risk Management Strategy, together with our underpinning risk management framework and

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Responsible Officer Author Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date effective from December 2008 Date last amended December 2012

More information

Avondale College Limited Enterprise Risk Management Framework 2014 2017

Avondale College Limited Enterprise Risk Management Framework 2014 2017 Avondale College Limited Enterprise Risk Management Framework 2014 2017 President s message Risk management is part of our daily life, something we do regularly; often without realising we are doing it.

More information

Business Continuity Policy and Business Continuity Management System

Business Continuity Policy and Business Continuity Management System Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain

More information

Risk Management Strategy

Risk Management Strategy Risk Management Strategy 2010 RISK MANAGEMENT STRATEGY 1 INTRODUCTION 1.1 What is Risk Management? 1.1.1 Risk can be defined as uncertainty of outcome (whether positive opportunity or negative threat).

More information

Risk & Opportunity Management Framework

Risk & Opportunity Management Framework Risk & Opportunity Management Framework January 2010 Version 1.0 Table of Contents 1 Preface... 14 1.1 Risk and Opportunity Management What is it?... 14 1.2 Purpose... 15 2 Risk Management Process... 15

More information

Managing Risk in Procurement Guideline

Managing Risk in Procurement Guideline Guideline DECD 14/10038 Managing Risk in Procurement Guideline Summary The Managing Risk in Procurement Guideline assists in the identification and minimisation of risks involved in the acquisition of

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Category or Type Originally approved by, and date Administration and Management Vice Chancellor at VCAG on December 2008 Last approved revision October 2011 Sponsor Chief Operating

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for

More information

Risk Management. Policy, Strategy and Methodology

Risk Management. Policy, Strategy and Methodology Risk Management Policy, Strategy and Methodology Contents Page Number Foreword by Paul Orders, Chief Executive... 2 Foreword by Councillor Graham Hinchey, Cabinet Member for Corporate Services and Performance...

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1 RISK MANAGEMENT 1 Contents Introduction 2 Corporate Governance 2 Purpose of this policy 2 Policy Objectives 2 Policy Statement 3 Scope of the policy 3 What is Risk? 4 The University s Approach 4 Description

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy Page: 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise

More information

Risk Management Guide

Risk Management Guide Risk Management Guide Page(s) Introduction 3 The 5 steps to identifying risk 4 Risk Management Process - Step 1 5 Identify - Step 2 Assess Step 3 5-6 6 Control - Step 4 6 Monitor and Review -Step 5 6 Risk

More information

Risk Management Policy. Corporate Governance Risk Management Policy

Risk Management Policy. Corporate Governance Risk Management Policy Corporate Governance Risk Management Policy Approved by the Council of Ministers, May 2006 1. Background The Isle of Man Government is working to promote better risk management, with emphasis on the importance

More information

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 106 LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 Leicestershire County Council believes that managing current and future risk, both opportunity and threat, is increasingly vital

More information

Risk Management Procedure

Risk Management Procedure Purpose of this document Develop and document procedures and work instructions for Risk Management to cover the project Stages set out in the Project Process Map. The purpose of this procedure is to identify

More information

Revenue Scotland. Risk Management Framework

Revenue Scotland. Risk Management Framework Revenue Scotland Risk Management Framework Contents 1. Introduction... 3 1.1 Overview of risk management... 3 2. Policy statement... 4 3. Risk management approach... 5 3.1 Risk management objectives...

More information

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management

Enterprise Risk Management Framework 2012 2016. Strengthening our commitment to risk management Enterprise Risk Management Framework 2012 2016 Strengthening our commitment to risk management Contents Director-General s message... 3 Introduction... 4 Purpose... 4 What is risk management?... 4 Benefits

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

WEST DORSET DISTRICT COUNCIL RISK MANAGEMENT STRATEGY

WEST DORSET DISTRICT COUNCIL RISK MANAGEMENT STRATEGY WEST DORSET DISTRICT COUNCIL RISK MANAGEMENT STRATEGY As approved by the Executive Committee 7 October 2008 STRATEGY... 3 THE RISK MANAGEMENT PROCESS... 3 RISK REGISTERS... 4 BENEFITS OF RISK MANAGEMENT

More information

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY VERSION 1.0 ISSUED JULY 2015 CONTENTS Page CONTENTS VERSION CONTROL FOREWORD i ii iii POLICY 1 Scope 1 Aim and Objectives 1 Methods and Standards 1

More information

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy Page: 1 Contents 1. Purpose, Aims & Objectives 2. Accountabilities, Roles & Reporting Lines 3. Skills & Expertise 4. Embedding

More information

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:

More information

ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES

ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES ENTERPRISE RISK MANAGEMENT NARACOORTE LUCINDALE COUNCIL GUIDELINES December 2015 NLC Enterprise Risk Management Guidelines Contents INTRODUCTION... 3 1. Enterprise Risk Management Principles... 5 2. The

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 2014-15 April 2014 Page 1 of 17 CONTENTS 1. Introduction 2. What is risk management? 3. Risk Management Policy Statement 4. Risk Management process 5. Roles and responsibilities

More information

Shepway District Council Risk Management Policy

Shepway District Council Risk Management Policy Shepway District Council Risk Management Policy Contents Section 1 Risk Management Policy... 3 1. Updates and amendments... 3 2. Definition... 3 3. Policy statement... 3 4. Objectives... 3 Section 2 Risk

More information

Administration and General Order No. AD/1/TBC

Administration and General Order No. AD/1/TBC COUNTY DURHAM AND DARLINGTON FIRE AND RESCUE SERVICE Administration and General Order No. AD/1/TBC CORPORATE RISK MANGEMENT POLICY 1. INTRODUCTION 1.1 County Durham and Darlington Combined Fire Authority

More information

PM Governance. Executive Team ADCA ADCA

PM Governance. Executive Team ADCA ADCA Item 6.5a Action Plan against the Recommendations Made in the Review of Risk Management Arrangements by PM Governance, November 2014 Key: PM Governance Paul Moore, Risk Consultant ADCA Associate Director

More information

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE

More information

RISK MANAGEMENT STRATEGY

RISK MANAGEMENT STRATEGY RISK MANAGEMENT STRATEGY 1 Introduction The purpose of this document is to outline a which facilitates the effective recognition and management of risks facing the University. The Combined Code on Corporate

More information

Review of the Management of Sickness Absence Conwy County Borough Council

Review of the Management of Sickness Absence Conwy County Borough Council Audit 2004/2005 Date: December 2005 Authors: Ros Adams and George Jones Ref: 1072A2005 Review of the Management of Sickness Absence Conwy County Borough Council Contents Summary Report Introduction 3 Background

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Title: Rio Tinto management system

Title: Rio Tinto management system Standard Rio Tinto management system December 2014 Group Title: Rio Tinto management system Document No: HSEC-B-01 Standard Function: Health, Safety, Environment and Communities (HSEC) No. of pages: 23

More information

RISK MANAGEMENT POLICY AND PROCEDURE

RISK MANAGEMENT POLICY AND PROCEDURE RISK MANAGEMENT POLICY AND PROCEDURE SCOPE CONTEXT PURPOSE RISK MANAGEMENT FRAMEWORK Governance and Reporting Risk Statement RISK MANAGEMENT PROCESS Communicate and Consult Establish the Context Risk Identification

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective

More information

Risk Management. Policy

Risk Management. Policy Policy Risk Management Endorsed: 26 February 2014 Brief description The GPC Risk Management Policy and its supporting standards and procedures provide a framework to ensure that risks arising from our

More information

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2

UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT. Purpose of the guide... 2 UNIVERSITY OF LONDON GUIDE TO RISK MANAGEMENT Purpose of the guide... 2 Risk Management The Basics... 2 What is Risk Management?... 2 Applying Risk Management... 2 The Use of Risk Registers in Risk Management...

More information

RISK MANAGEMENT STRATEGY 2014-17

RISK MANAGEMENT STRATEGY 2014-17 RISK MANAGEMENT STRATEGY 2014-17 DOCUMENT NO: Lead author/initiator(s): Contact email address: Developed by: Approved by: DN128 Head of Quality Performance Julia.sirett@ccs.nhs.uk Quality Performance Team

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12

NOT PROTECTIVELY MARKED BUSINESS CONTINUITY. Specialist Operations Contingency Planning Business Continuity Manager 17.09.12 POLICY BUSINESS CONTINUITY Policy owners Policy holder Author Head of Services Specialist Operations Contingency Planning Business Continuity Manager Policy No. 132 Approved by Legal Services 17.09.12

More information

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control Hazard Identification, Risk Assessment and Management Procedure Reference: Date approved: Approving Body: Implementation Date: Version: 3 Documentation Control GG/CM/007 Trust Board Supersedes: Version

More information

Merthyr Tydfil County Borough Council

Merthyr Tydfil County Borough Council Merthyr Tydfil County Borough Council DRAFT Risk Management Policy & Strategy April 2014 Prepared by: Kerry O Donovan Page 1 of 47 Contents Page Numbers Foreword 3 Merthyr Tydfil County Borough Council

More information

BUSINESS CONTINUITY POLICY

BUSINESS CONTINUITY POLICY BUSINESS CONTINUITY POLICY Last Review Date Approving Body n/a Audit Committee Date of Approval 9 th January 2014 Date of Implementation 1 st February 2014 Next Review Date February 2017 Review Responsibility

More information

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08 Performance Detailed Report May 2008 Review of Performance Management Audit 2007/08 External audit is an essential element in the process of accountability for public money and makes an important contribution

More information

Group Risk Management Policy

Group Risk Management Policy Group Risk Management Policy Originator: Approval date: Policy and Strategy Team Sovini Board PCHA Board OVH Board/EMT 6 th December 2013 31 st October 2013 14 th October 2013 Review date: December 2014

More information

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Linking Risk Management to Business Strategy, Processes, Operations and Reporting Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles

More information

University of New England Compliance Management Framework and Procedures

University of New England Compliance Management Framework and Procedures University of New England Compliance Management Framework and Procedures Document data: Document type: Administering entity: Framework and Procedures Audit and Risk Directorate Records management system

More information

NSW Government ICT Benefits Realisation and Project Management Guidance

NSW Government ICT Benefits Realisation and Project Management Guidance NSW Government ICT Benefits Realisation and Project Management Guidance November 2014 CONTENTS 1. Introduction 1 2. Document purpose 1 3. Benefits realisation 1 4. Project management 4 5. Document control

More information

Risk Management Plan 2012-2015

Risk Management Plan 2012-2015 Risk Management Plan 2012-2015 This controlled document shall not be copied in part or whole without the express permission of the author or the author s representative. Revision Date Previous Revision

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

RISK ASSESSMENT MATRIX GUIDANCE NOTES

RISK ASSESSMENT MATRIX GUIDANCE NOTES RISK ASSESSMENT MATRIX GUIDANCE NOTES 1. Introduction Risk Assessment matrices provide a powerful and easy-to-use tool for the identification, assessment and control of business risk, via treatment plans.

More information

Complaints Policy. Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By:

Complaints Policy. Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By: Complaints Policy CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By: Policy Governance

More information

Risk Management Policy and Process Guide

Risk Management Policy and Process Guide Risk Management Policy and Process Guide Status: pending Next review date: December 2015 Page 1 Information Reader Box Directorate Medical Nursing Patients & Information Commissioning Operations (including

More information

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00) NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00) Subject and version number of document: Serial Number: Business Continuity Management Policy

More information

Compliance Policy AGL Energy Limited

Compliance Policy AGL Energy Limited Compliance Policy AGL Energy Limited November 2013 Table of Contents 1. About this Document... 3 2. Policy Statement... 4 3. Purpose... 4 4. AGL Compliance Context... 4 5. Scope... 5 6. Objectives... 5

More information

CROSSHALL JUNIOR SCHOOL LIMITED RISK REGISTER FEBRUARY 2016

CROSSHALL JUNIOR SCHOOL LIMITED RISK REGISTER FEBRUARY 2016 CROSSHALL JUNIOR SCHOOL LIMITED RISK REGISTER FEBRUARY 2016 Overview The Risk Register was reviewed by the Chair of Governors for approval by the Resources Committee. Review Procedure Each of the risks

More information

Internal Audit Strategic and Annual Plans 2015/16

Internal Audit Strategic and Annual Plans 2015/16 Internal Audit Strategic and Annual Plans 2015/16 Financial Scrutiny and Audit Committee 10 February 2015 Agenda Item No 8 Summary: This report provides an overview of the stages followed prior to the

More information

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator

Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review

More information

Risk Management Strategy and Guidelines

Risk Management Strategy and Guidelines Swale Borough Council Risk Management Strategy and Guidelines Status: Final Originating Date: January 2008 Date Ratified: February 2008 (Audit Committee) Next Review Date: January 2009 Accountable Member:

More information

Mid Suffolk District Council. Risk Management Strategy

Mid Suffolk District Council. Risk Management Strategy Mid Suffolk District Council Risk Management Strategy uthor Claire Reynolds and udit Officer (Lead for Risk Management) Version Control V1 30 October 2006 pproved by Executive Committee V2 October/ November

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

Business Continuity Policy. Version 1.0

Business Continuity Policy. Version 1.0 Business Continuity Policy Version.0 January 206 Contents Contents Version control Foreword Policy. Scope.2 Aim and objectives.3 Methods and standards.4 Responsibilities.5 Governance.6 Training and exercises

More information

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY AUTHOR/ APPROVAL DETAILS Document Author Written By: Human Resources Authorised Signature Authorised By: Helen Shields Date: 20

More information

National Approach to Information Assurance 2014-2017

National Approach to Information Assurance 2014-2017 Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version

More information

Strategic Alliance. Business Continuity Policy

Strategic Alliance. Business Continuity Policy Version 1.1 April 2016 Contents Contents Version control Foreword Policy Scope Aim and objectives Methods and standards Responsibilities Governance Training and exercises Page i ii 1 2 2 2 Version 1.1

More information

LONDON BOROUGH OF SOUTHWARK

LONDON BOROUGH OF SOUTHWARK APPENDIX 1 LONDON BOROUGH OF SOUTHWARK The annual report to the Audit & Governance Committee on Risk and Insurance for 2011/12, and the key corporate risks Presented to the Audit & Governance Committee

More information

Enterprise Risk Management Policy

Enterprise Risk Management Policy Enterprise Risk Management Policy A Framework for Managing Opportunity and Risk Date: 27 November 2015 Version: 13.0 Classification: Unclassified Authors: Julie Holland - Risk Management Facilitator Quality

More information

Project Management Guide

Project Management Guide Appendix 1 to agenda item 10 Project Management Guide 1 Introduction 1.1 Purpose This section sets out the key principles and expectations for how project management should take place at Chichester District

More information

Risk Management Policy and Procedures

Risk Management Policy and Procedures Risk Management Policy and Procedures Trust Board Approval Date 17 September 2014 Effective Date 17 September 2014 Planned Review Date July 2015 Web Access Intranet Owner Director of Finance, Business

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES GOVERNMENT ACCOUNTING SECTION DEPARTMENT OF FINANCE MARCH 2004 Risk Management Guidance CONTENTS Pages List of guidelines on risk management

More information

Internal Audit Charter. June 2016

Internal Audit Charter. June 2016 Internal Audit Charter June 2016 1 Introduction 1.1 The Internal Audit Charter is a formal document that defines Internal Audit s purpose, authority and responsibility. The charter establishes Internal

More information

Project Risk Management. Presented by Stephen Smith

Project Risk Management. Presented by Stephen Smith Project Risk Management Presented by Stephen Smith Introduction Risk Management Insurance Business Financial Project Risk Management Project A temporary endeavour undertaken to create a unique product

More information

RISK MANAGEMENT STRATEGY 2013-2016

RISK MANAGEMENT STRATEGY 2013-2016 RISK MANAGEMENT STRATEGY 2013-2016 As presented and endorsed by the Mornington Peninsula Shire s Audit Committee at its meeting of 20 February, 2013 and subsequent adoption by Council at its meeting of

More information

IFAD Policy on Enterprise Risk Management

IFAD Policy on Enterprise Risk Management Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

South Oxfordshire District Council and Vale of White Horse District Council Risk Management Strategy

South Oxfordshire District Council and Vale of White Horse District Council Risk Management Strategy 2013 2016 South Oxfordshire District Council and Vale of White Horse District Council Risk Management Strategy 2013-2016 1 1 Context 3 SCOPE 3 WHAT IS RISK MANAGEMENT? 3 LOCAL AND NATIONAL DRIVERS 3 Business

More information