Mid Suffolk District Council. Risk Management Strategy

Transcription

1 Mid Suffolk District Council Risk Management Strategy uthor Claire Reynolds and udit Officer (Lead for Risk Management) Version Control V1 30 October 2006 pproved by Executive Committee V2 October/ November 2007 Reviewed V3 February 2009 Revised approved by Executive Committee V4 March 2010 Revised - 1 -

2 Contents 1 Background 1.1 What is Risk Management? 1.2 Why is it important? 2 How Risk Management will be effectively achieved 2.1 Leadership, roles and responsibilities 2.2 Risk Management objectives 2.3 The Risk Management Framework 3 guide to Risk Management 3.1 The four steps of Risk Management 3.2 Step 1 Identify the risks & opportunities 3.3 Step 2 ssess the risks & opportunities 3.4 Step 3 Manage and control the risks & opportunities 3.5 Step 4 Recording and reviewing the risks & opportunities 4 The relationship with Internal udit and Management and Finance 4.1 The connection between Risk Management and Internal udit 4.2 The connection between Risk Management and Management and Finance 5 Risk and Partnerships 5.1 Managing risks within Partnerships 6 Opportunity Risk (positive risks) 6.1 Managing opportunities - 2 -

3 1 Background s a result of financial scandals in the 1980s and 1990s a series of reports recommended that Corporate Governance, of which Risk Management is an integral part, be introduced in large private sector organisations. Following reports from the udit Commission (Worth the Risk) this expectation extended to the public sector. The Society of Local uthority Chief Executives (SOLCE) and CIPF recognised the importance of Risk Management to the Modernising genda. uthorities were required to develop a Code of Corporate Governance and Risk Management was included within this Code. Risk Management is also one of the areas assessed by the udit Commission as part of the Use of Resources ssessment within the Comprehensive rea ssessment. 1.1 What is Risk Management? Risk Management is the process of identifying those significant risks that will affect the achievement of the Council s corporate and operational objectives, and also identifying risks arising from new opportunities, and then finding an appropriate method of managing those risks. Risk Management is not about eliminating all risks and it is not about avoiding change Risk Management is exactly that, taking risks, but managing them appropriately. 1.2 Why is it important? Effective Risk Management means that many of the foreseen risks to the Council can be controlled before they happen, by tolerating, treating, terminating or transferring the risk. By using Risk Management, positive opportunities can be identified for the Council, for example, taking slightly more risk to achieve more outcomes. Some of the benefits that can be expected from effective Risk Management are: - Improved performance; - chievement of objectives through a structured system; - Enhanced reputation and public confidence; - Early warning of problems; - Prioritisation of resources; - Making the most of new opportunities as know how to manage the risks involved; - Savings preventing costly mistakes before they happen. 2 How Risk Management will be effectively achieved? Risk Management will be achieved by ensuring that there is buy in from top to bottom i.e. from Members down to staff everyone has a role to play. It will be ensured that there is an effective Risk Management Strategy and that it is embedded within the culture of the Council. Risk Management can be embedded by having a clear direction and process, which is explained in more detail in the following sections. MSDC has a specific lead for Risk Management within and udit, who can provide guidance, advice and training

4 2.1 Leadership, Roles & Responsibilities Members - To have regard to Risk Management implications in decision-making. - To appoint a Risk Management Champion. Executive Committee - To approve the Risk Management Strategy. - To ensure that the Risk Management Strategy is implemented to ensure that risks are appropriately managed. - To have regard to Risk Management implications in decision-making. - Receive six-monthly reports on the corporate risks to the Council. (These will be integrated with performance and financial information). Scrutiny Committee - Receive an annual corporate risk report. Management Board - Review progress on identification and management of corporate risks through quarterly reports from and udit. - Identify corporate risks and ensure there is ownership and that these risks are tolerated, treated, terminated or transferred. - Demonstrate a commitment to embedding Risk Management across the Council. and udit / Risk Management Lead - Review the Risk Management process / strategy annually and obtain approval from Executive Committee. - Provide facilitation, training and support to promote and embed a Risk Management culture throughout the Council. - ssist management in identifying, analysing and controlling the risks they encounter. - Liaise with other internal and external bodies (including key partners) to highlight further risks to the Council and obtain best practice. - Review the Risk Register. - Provide reports to Management Board and Executive Committee as required. - To highlight to Heads of Service where risks are not being appropriately managed and to escalate to Management Board where concerns continue. - To submit evidence to the udit Commission, on the management of risks and the respective outcomes. - Notify the Insurance Officer of any issues that may affect the insurance policies and levels of cover. - Monitor risk implications of all committee reports/policies. Heads of Service - Monitor risks for their Service rea. - Identify new risks within the Service rea, including those risks arising from new opportunities or partnerships. - Decide whether to terminate, transfer, treat or tolerate the risks within their service area (see pages 9/10 for further clarification). If treating, to instigate controls and allocate responsibility for control to staff. - Include significant risks highlighted during risk assessments in the Risk Register. - Ensure compliance with the Risk Management Strategy. - Ensure that staff are made aware of Risk Management and their role in the process. Promote Risk Management in the workplace. - Nominate appropriate staff for Risk Management training. - Ensure that any risks are included within reports going to Council / Committees to allow Members / Management Board to make informed decisions

5 ll Employees - Have an understanding of Risk Management, including the identification and reporting of risks. - ssist the Service in putting controls in place where it has been decided to treat the risk. - ssist with risk assessments. - ttend Risk Management training and support Risk Management where required. - Ensure that any risks are included within reports going to Council / Committee to allow members / Management Board to make informed decisions. and udit / Internal udit Lead - Have an awareness of the Risk Management process. - Inform the and udit Officer with a lead for Risk Management of newly issued audit reports and associated risks. - Consult the Risk Register when creating the annual udit Plan. and udit / Management Lead - Have an awareness of the Risk Management process. - Inform the and udit Officer with a lead for Risk Management of significant risks resulting from poor performance. 2.2 Risk Management Objectives - Embed Risk Management into the culture of the Council. - Manage risk in accordance with best practice. - Be responsive to changing social, environmental and legislative requirements whilst effectively managing the related risks and opportunities. - Reduce the impact and cost of risk by either terminating, treating, tolerating or transferring the risk (see pages 9/10 for further clarification). - Enhance opportunity where possible by weighing up the risk and what can be gained. 2.3 The Risk Management Framework - Risks are identified from a number of sources (Members, Management, Partners, udit Reports, monitoring etc). Service areas have a responsibility to identify the risks associated with service delivery, new initiatives etc any corporate risks should be reported to the Risk Management Lead within and udit who will identify the risk owner and then the following process will apply; - Identify the risk owners, give a risk score using the matrix and identify control for the risks i.e. a task aimed to reduce or eliminate the risk (unless to be tolerated); - Enter the risks into the Risk Register within Excel; - Update the risk register according to work progress and re-score using the matrix; - and udit will overview and monitor the Risk Register on a regular basis and provide guidance

6 3 Guide to Risk Management There are four basic steps to Risk Management, which are explained in more detail below. Risk Registers are maintained in the form of Excel spreadsheets (see ppendix 1 for an example). 3.1 The four steps to Risk Management There are four simple steps to achieve effective Risk Management, Step 1 identify the risk, Step 2 assess the risk, Step 3 Manage or control the risk, Step 4 Review and report on the risk. The diagram below illustrates this cycle:- Step 1 - Identify the Risk Step 4 - Review & Report on the Risk Step 3 - Manage and Control the Risk Step 2 - ssess the Risk Step 1 Identify the Risk Highlight those risks that will prevent the Council / Service meeting its objectives (including any risks that may arise from new opportunities). This can be done thorough any number of ways e.g. risk assessments, service planning, working groups etc. Risks can be identified as Corporate or Operational. Corporate risks are those risks that affect the Council as a whole and prevent the Council from meeting its objectives, particularly those objectives within the corporate or strategic plans. Operational risks are those risks that prevent the services within the Council from meeting their objectives and every day working practices

7 Operational risks will mainly be those risks that are highlighted by service areas and corporate risks will mainly be highlighted by those overall factors that affect us as a whole Council. Internal and external functions / factors can influence the risks that we face. Dedicated and udit Officers meet quarterly with their respective Heads of Service to update their operational risk registers. The and udit Officer leading Risk Management will collate the information and is responsible for updating the corporate risks. It is possible for risks to be highlighted by any means, for example: - New legislation / guidance; - Training / more aware of issues; - Risk assessments either being reviewed or carried out on new processes; - Information from the public; - Partnerships; - New ventures, or opportunities; - udit reports; - Committee papers These give just a few ideas of where risks could be highlighted (please see the Risk Checklist in ppendix 2 for prompts to help identify new risks). Once highlighted these risks must be fed into the Risk Register. The organisation must be open to new and changing risks at all times as these can appear in any number of places. Risks involving partnerships and contracts must also be considered. Has a partnership / contract considered the risk environment in the same way that the Council would? Has this been discussed and resolved with risks being allocated to either side of the party? When venturing into a new partnership these are some of the questions that should be considered. It is important to ensure that the actual risk has been identified, not just the consequence or the impact. The risk is what will happen if the objective is not achieved. Examples:- Objective Ensure that lone workers are supported and are safe Cause Not having a sufficient lone working policy in place. Risk ttack on lone workers. Consequence Staff are hurt / traumatised and the Council could be liable. (Fictitious risk) Or, Use the alternative way of thinking about identifying the risk - Loss to Failure of Failure to Lack of Partnership with - 7 -

8 Development of. Leads to. Resulting in. s per the example above:- Failure to have a sufficient lone working policy in place leads to a possible attack on lone workers resulting in staff being hurt / traumatised and the Council possibly being liable. Step 2 ssess the Risk - Rate each risk according to its impact and probability to enable risks to be prioritised. Once risks have been identified they must be rated based on the impact and probability of the risk occurring. There is no exact science to this, but it does give an indication of what the higher risks are to allow prioritisation. The following matrix gives the risk scoring:- Impact Disaster 4 4 (Medium) 8 (High) 12 (very High) Bad 3 3 (Low) 6 (Medium) 9 (High) Noticeabl e 16 (Very High) 12 (Very High) 2 2 (Low) 4 (Medium) 6 (Medium) 8 (High) Minimal 1 1 (Low) 2 (Low) 3 (Low) 4 (Medium) Rare or Occasional never Often Frequent Probability / Frequency ction to be taken: Very High Risk = Controls must be put in place immediately High Risk = Controls must be in place as a priority Medium Risk = Controls must be put in place as quickly as possible Low Risk = Controls to be put in place if / when have resources

9 The following descriptions of the impact and probability may help with determining where the risks lies (please note that this is only a guide):- Impact Disaster - Loss of service delivery for more than 7 days or MSDC unable to continue business; - Loss of life; - Serious injury; - Extensive media coverage. Bad - Disruption to MSDC, affecting the public (loss of service between 48 hours and 7 days); - Serious injury; - Local and national press coverage; Noticeable - Disruption to MSDC, affecting the public (for no more than 48 hours); - Serious injury; - Local press coverage; Minimal - Some disruption to internal business (no loss of public service); - Minor or no injuries; - Minimal / no reputational damage; Frequency Frequent - Occurs on a regular basis i.e. monthly, bi-monthly, has a regular pattern. Often - Occurs several times throughout the year. Occasional - Happens once or twice throughout the year. Rare or never - Sporadic, no pattern can be determined. Step 3 Manage and Control ssess what is already in place to manage the risk and planning to put further controls in place if required (use the 4 T s to determine if will tolerate, terminate, transfer or treat the risk). This would also include maximising any positive opportunities. Identify how the risk is currently controlled and then what gaps there are, how these can be addressed and who by. Risks can be managed in the following ways:- - Tolerating The benefits gained by undertaking the process causing the risk, outweigh the costs involved to mitigate the risk entirely, or there is no justification of the expense involved in introducing measures to control the risk, therefore it is simply accepted that there is a risk. The level at which a risk is tolerated is called the risk appetite. Even though risk may be tolerated, it should continue to be recorded and monitored. - Treating Control the risk as much as possible to bring it back to an acceptable level that can be tolerated

10 - Terminating To get rid of the risk altogether by either controlling it fully or not doing the task causing the risk, so that there is no risk. - Transferring Transfer the risk to another party so that they become responsible, for example insurance. If insurance is an option this should be discussed with the Risk Lead, who will in turn seek the expertise of the Insurance Officer (CSD). - Remember more risk can be taken if it is felt that the benefits in doing so would outweigh the risk itself. The idea of Risk Management is not to become risk adverse, but to ensure that risks are managed i.e. Risk Management. Step 4 Review and Report Ensuring that control measures remain appropriate and also incorporating new risks into the Risk Register. Reporting on the progress of the risk and any significant changes to management. It is important that risks to the Council are recorded to ensure that they are managed and reviewed effectively. Risk Management is an ongoing process and corporate risks should be reported to the Risk Lead promptly. and udit Officers will work with Heads of Service and Management to review their risks on a quarterly basis and reassess the scoring to determine if the risk has increased or decreased. The Risk Management Lead within and udit will review this process and also review the Corporate Risk Register. To note that any tasks that are associated with a corporate risk must have the approval of Management Board prior to being extended. ny operational risks that escalate to become corporate risks should be reported to and udit. The most up-to-date Operational and Corporate Risk Registers are available on the Council s shared Collaboration drive, which is accessible to all. The publicity of these registers enables the sharing of best practice and common awareness of all risks facing the authority. There is also a step 5 Risk Management is an ongoing process. lthough risks have been identified they are not just left in the register, the Service / allocated person should monitor progress against the action to be taken to address the risk and the risk should be re-scored where the action to be taken has been started / finished. ny risks removed from the Risk Register are archived and therefore remain in the system to provide a complete audit trail. Risk Management is an ongoing process to help identify those risks that will stop the Council from meeting objectives and to help do something to control those risks and do so in a structured manner. This is the purpose of Risk Management

11 4 The relationship with Internal udit and Management 4.1 The connection between Risk Management and Internal udit There is a clear connection between the management of risks and the Internal udit function. Internal udit assess risks as part of their work and if they discover control or system weaknesses that are not being sufficiently dealt with then they will feed these risks into the Risk Register under that Service area and the Service area will then be expected to monitor and report on these added risks along with those highlighted by themselves. Internal udit will also consider the Risk Register when the annual udit Plan is produced. 4.2 The connection between Risk Management, Management and Finance There is an obvious link between Risk Management, and Finance and reporting of these areas is aligned to provide the bigger picture whilst also ensuring resources are directed to key priorities and objectives. 5 Risks and Partnerships 5.1 Managing risks within partnerships Risk management should consider risks relating to significant partnerships requiring assurances about the management of those risks. The Council aims to consider those risks associated with partnership working; organisational risks regarding partnership activities as well as risks in the partnership itself are added to the appropriate risk registers to monitor and review. 6 Opportunity risk (positive risks) 6.1 Managing opportunities Good risk management also means considering opportunities (positive risks), i.e. an uncertainty that could enhance the Council s ability to achieve its objectives. The Council aims to consider opportunity risks. n example of opportunity risk could be the national performance indicator NI 188 Climate change adaptation. Obviously climate change presents many risks but on the flip side, opportunities can be found, for example taking advantage of tourism with longer summers, less call-outs for maintenance teams to frozen pipes etc.. By managing opportunities and the risks that come with it, the Council is in a better position to improve services and provide better value for money

12 ppendix 1 Operational Risk Register Key = good = fair = poor Tolerated = risk accepted & udit Risk Description Risk Owner ssociated Task(s) Task Owner Task Target Date Scoring (1-4) Rating (1-16) December 2008 Comments 1. Perception by MSDC or SCC that audit work does not meet required standard, resulting in breakdown of partnership & udit 1. Regular meetings between SCC & MSDC & udit Ongoing Impact 2 Probability Failure to address new National Indicator requirements, could lead to non compliance & udit 1.Coordinate with Heads of Service to ensure resource is input to meet new Nis 2.Ensure new processes in place to monitor new Nis & udit & udit Ongoing Mar 09 Impact 2 Probability

13 Risk Description Risk Owner ssociated Task(s) 3. Failure to embed C throughout LGR restructure could lead to poor C risk assessments & udit Corporate Risks linked to Service rea 1. Great liaison with Organisational Development re: LSP etc 2.Regular dialogue re: arrangements for LGR authorities Task Owner Task Target Date & udit & udit Ongoing Ongoing Scoring (1-4) Impact 2 Probability 3 Rating (1-16) 6 December 2008 Comments Failure to have a Business Continuity Plan leads to lack of preparedness if services are disrupted Chief Executive 1. The BC group to review BC plan and cards 2. Participate in test exercises & udit & udit Ongoing Ongoing 4 Plans and cards reviewed. nnual review due again 09/10. Exercise Prometheus successfully carried out Oct rchived risks/tasks 1. Lack of buy in from officers could lead to difficulty embedding key disciplines & udit 1. Embed dedicated officer roles & udit Ongoing There has been considerable progress during the past year. The use of dedicated officers and rotating roles has aided this. rchived Jan

14 The Register is split into the following headings; Risk Description Description of the risk Risk Owner Owner of the risk ssociated Task(s) ny tasks assigned to the risk with the aim of managing/reducing the risk Task Owner Person responsible for managing the task Task Target Date Date task is aimed to be completed by Scoring Each risk is given a rating for impact and probability Rating The rating is calculated by multiplying the impact by probability (see matrix for further info) This field indicates progress against the task: = poor the task is behind target = fair the task is on target = good the task is ahead of target Tolerated = risk accepted Comments Comments detailing the current status of the task Operational registers also show details of any risks detailed on the corporate register, which are linked to the service area, and also details of any archived risks/tasks. Risks change over time new ones emerge or existing risks become more or less significant as a result of external or internal factors. The Risk Registers are living documents which will be regularly reviewed, monitored and updated with Management consideration on a quarterly basis

15 Quarterly Risk Checklist ppendix 2 Consider if your Service rea is facing any new risks think about the following: Have you entered into any new partnerships? Do any current partnerships have risks attached?; Have you ventured into any new opportunities/ projects recently? Do any current projects present any risks (positive/negative)? Have you had any audits recently that have raised significant issues? Have you had any other inspections that have raised significant issues? Have you had any health & safety issues / completed any risk assessments recently?; Have you issued any committee reports recently? Think on existing contracts / partnerships any issues there?; Budget / financial issues?; Legal / legislative issues?; ny staff / managerial issues?; From your performance management, are there any issues or concerns?; re there any risks that you can think of that could be transferred through insurance?; Have there been any insurance claims recently in your area? Does this insurance claim prompt possible lack of controls / high-risk areas? re there any risks emanating from your service plan? re there any risks emanating from a Strategic Forum that you attend?