The Corporate Select Committee is asked to note the attached report.

Transcription

1 CORPORATE SELECT COMMITTEE RISK MANAGEMENT Report Author: Peter Grimshaw Internal Audit Manager Executive Member: Councillor John Faulkner Agenda Item September PURPOSE This is a regular report to advise members of the Risk Management activities in the Council to enable the Committee to ensure that that risk are being effectively and actively managed. 2. RECOMMENDATIONS The Corporate Select Committee is asked to note the attached report. 3. BACKGROUND In accordance with good management practice and to improve corporate governance, the Council has developed a risk management framework, which incorporates a policy, strategy, action plan, toolkit and a risk register. The CPA assessment in 2004 identified that risk management was not yet embedded in the Council and that risk minimisation could not be demonstrated sufficiently, especially for larger projects / partnerships. Through embedding risk management into the culture of the Council, these two issues will be addressed. Risk Management is seen as a key feature of good corporate governance practices and is an integral part of the CPA process through the use of resources assessment that will be undertaken on the Council. 4. ISSUES AND ANALYSIS The Council needs to be seen to be pro active with regard to embedding risk management into its culture. 5. IMPLICATIONS There are no resources, legal, Human Rights Act, Equal Opportunities environmental Issues or Community Safety other than those identified in the Policy. 6. BACKGROUND PAPERS Background papers are held in the Internal Audit Section and are available for members

2 RISK MANAGEMENT 1. INTRODUCTION 1.1 Risk Management is: systematic application of policies, procedures, methods and practices to the tasks of identifying, analysing, evaluating, treating, reviewing and monitoring risk (i.e. incorporates risk analysis and risk management). This provides a disciplined environment for proactive decision making 1.2 This process should maximise opportunities and minimise possible adverse consequences. The aim is to reduce the frequency of adverse events occurring and to minimise the consequences should the event occur. Taking risks can also be seen as an opportunity to develop a service further. 1.3 The Council has been pro-active in the development of risk management, adopting a policy, strategy, timetable and toolkit in June This has been further developed with the introduction of business plans which require business managers to identify and evaluate key risks in their service area. 1.4 What is needed now is to build upon the firm foundation that has been established for risk management and to develop the process and practices further, especially with regard to the two issues identified above. The Council will then be able to demonstrate that risk management is embedded in the culture of the Council. 1.5 Further details of the risk management approach used in the Council can be seen on the Intranet at: Risk Management. 2. TAKING RISK MANAGEMENT FORWARD 2.1 In the next few months the Risk Register will be developed further by effectively having three categories of risk within the Register: Strategic Risks Risks which have been identified by Members and Senior management as being potentially damaging to the achievement of the Council s objectives These risks need to be identified, assessed and managed at a corporate level, though responsibility could be delegated. Corporate Operational Risks Risks that have been identified within individual service areas but whose theme is common across the Council; or Are so important corporately that there needs to be a corporate view on how they should be managed. These risks will need to be reviewed by the Management Team for a corporate decision to be made how to manage them corporately (if at all) and how this will interface with management of them at an service level Service Operational Risks 12.2

3 These are risks, which should be managed by officers who are responsible for operating and maintaining services. These risks may have to be managed within any constraints that are imposed corporately where they have been identified as a Corporate Operational Risk. The relevant business manager will be responsible for maintaining the risk register for their business area within their business plans. 2.2 It is hoped that by breaking the risk register down this way attention can be focused on those risks with a high potential impact on the Council. 2.3 Directors, Heads of Service and Business Managers need to take ownership and responsibility for risk management in their areas of responsibility. This will include: a) Being pro active in undertaking risk assessments, with the support of the Internal Audit Manager and the Insurance Officer where appropriate. b) Identifying, assessing and taking appropriate action for risks. c) Reviewing risk assessments periodically to ensure that they are still appropriate, relevant and reflect the current situation and that necessary action is identified and action taken. E.g. when a scheme moves from the planning stage to the development stage the risk assessment should be reviewed and revised as necessary. 2.4 The Council has adopted an approach to project management and a key feature of this is the identification and evaluation of risks at each state of a project. Details of the Council s approach to project management can be found on the Intranet at: the project management site. 3. RISK REGISTER 3.1 Services will be responsible for maintaining their own risk register as part of their service business plans. Corporately there will be register of: Corporate Operational Risks identified from the service business plans; and Corporate Strategic Risks identified by the Corporate Management Team. 3.2 It is the responsibility or services to review risks in their area with the support of the Audit Manager and the Insurance Officer. Some services do regularly review the content of the risk register and revise the assessments. Progress on risk assessments and reviews will be monitored on a monthly basis by the Programme Board, as part of the overall framework for monitoring the Business Plans. A summary of risks identified in the business plans can be seen at Appendix A. 12.3

4 4. RAISING THE PROFILE OF RISK MANAGEMENT 4.1 To assist in raising the profile of risk management and to re-evaluate risks the Risk Management Group has started to examine risks in specific service areas. A time table has been prepared to review service risks.. Presentations have already been given to the Group by: ICT, Pavilion Gardens, Environmental Services and Parks. 4.2 These reviews will hopefully stimulate debate about risk management and allow for members of the Group to objectively consider the risks in particular service areas including: Objectively commenting on o Risks identified, o The assessment o Mitigation o Appropriateness of action being taken Identifying other potential risks. Identifying if risks have a corporate context. Being able to assess if the risks relating to then also impinge on other service areas including their own. 4.3 The Insurance Officer will discuss operational risks with each business manager and the Business Manager Audit will take the lead on developing the Corporate Operational Risk Register and the Strategic Risk Register. 4.4 To aid the Council in this task there will be some risk management workshops facilitated by Zurich Municipal Management Services. The Corporate Management Team will discuss strategic risks at a workshop on September 29 th. Twelve business managers will discuss their service risks at one to one meetings with the facilitator from Zurich on either October 3 rd or 4 th. Details of the business areas participating can be seen at Appendix A. 5. CONCLUSION 5.1 The Council has built a firm foundation on which to develop its risk management practices. There is a need to develop this further through a commitment to risk management from Members and Directors downwards so as to assist in embedding it into the culture of the Council. 5.2 There is a need to consider risks at both corporate strategic, corporate operational and operational levels within the Council and to take necessary action. The risks need to be considered strategically within service delivery, business planning, projects and partnerships. Risks must also be constantly reviewed. 12.4

5 Analysis of Risks identified in Business Plans May 2005: Appendix A 12.5 Business Area TOTAL Human Resource Other Resource Reputation ICT Business Continuity / Systems Legislation Site / Building Partnerships Administration Benefits Building Control Conservation Corporate Team Cultural Services Customer Services Democratic Services 0 Development Control Economic Development Environmental Health Environmental Services Estates Finance Forward Planning ICT Internal Audit Legal Leisure Parks Pavilion Gardens Personnel Revenues TOTAL Other