Risk Management Strategy

Transcription

1 Appendix 1 London Fire and Emergency Planning Authority London Fire Brigade Risk Management Strategy Our Risk Management Strategy, together with our underpinning risk management framework and performance management arrangements, support the Authority s aim to make London a safer city, as set out in our combined integrated risk management plan (IRMP) and corporate plan, the London Safety Plan. Our vision is supported by six aims which in turn are underpinned by strategic objectives, commitments and targets that cover the Authority s main activities. Executive summary This risk management strategy is part of a suite of performance management documents which show how we intend to shape the work we do and join our activities together to achieve our aims and objectives within the London Safety Plan. This document sets out the way we will continue to manage risk. Its purpose is to show clearly how we will deal with uncertainty to ensure continuity of service, support effective decision making, improve resource efficiency and deliver value for money. The risk management strategy directly supports all our strategic aims by making sure that our strategic objectives are met by addressing any risks that may prevent the successful delivery of those objectives. This strategy is split into two parts: (1) the foundations and structures upon which the risk management framework is based; and (2) the areas of development to continually improve the framework. What is risk and risk management? Risk can be defined as the combination of the probability of an event and its consequences. Put simply, this is the likelihood and impact of an event or incident. Typically, this will be the likelihood and impact of a negative event, however a risk can also be about the likelihood and impact of a positive (opportunity) event. Risk management is a process which seeks to identify, evaluate and manage these risks in a structured way. Strategic risk management enables the Authority to plan for, anticipate, manage, and mitigate risks which have the potential to seriously impact upon the services provided by the organisation. As a fire and rescue service, many of our activities are naturally underpinned by a range of hazards, but it is only through the evaluation of the chance or probability of harm associated with those hazards (i.e. by undertaking a risk assessment) that we are able to accurately understand the risk they pose. A robust strategic risk management framework enables the Authority to take sufficient action, which could involve prevention of significant risks and/or reduction of the impact of those that do occur, by putting adequate risk mitigation controls in place. Risk management context This is the third Risk Management Strategy produced by the Authority and provides further development actions in order to secure continual improvement and delivery of our corporate objectives. This third strategy has the following top 3 priority outcomes: 1. More intelligent use of existing risk information 2. Accurate, proportionate risk data to inform decision making 3. Challenge the existing risk management structure (and mechanisms) to ensure it adds value to the Brigade The action plan to this Strategy details how these priorities will be delivered. Risk Management Strategy 2014/ of 16

2 Section 1 - Risk management framework and structures Overview The work of the fire and rescue service is centred on risk based activities. We remain a unique service dedicated to training our staff to deal with risk, enabling them to make sound risk based decisions on the incident ground. However, to assume that all risk is the same; that risk only threatens the organisation; and that risk is to be eliminated at all costs, will result in less innovation to develop the performance of LFB both internally and externally. It is clear that management decisions need to be made on the basis of good consistent risk information risk management is a part of good management overall and that a sound understanding of the possible consequences (both positive and negative) combined with a forecast of the likely outcomes of taking action should be undertaken. A wide range of risks occur by accident, mishap or mistake rather than by design. Many mistakes are not caused by individual error but as a result of an underlying system failure. This can be an external or internal system failure leading to undesirable impacts (e.g. breaches of safety, fraud, and non-delivery of services, etc.). Most worrying would be those unexpected events that result from a lack of clear policy, deficient working practices (including those with key suppliers), poorly defined responsibilities, inadequate communications, or staff working beyond their competence. The challenge is to reduce, as far as is practicable, the potential for such events, by being proactive in the management of risk. The Brigade s risk management framework is based on the ISO Risk Management Framework. This sets out the 5 elements required as follows: (1) mandate and commitment, (2) design of the framework for managing risk, (3) implementing risk management, (4) monitoring and review of the framework; and (5) continual improvement of the framework. This strategy deals with the mandate and commitment to the risk management framework (element 1) and the continual improvement of the framework (element 5). Elements 2-4 are addressed through the Risk Management Manual (available for staff on Hotwire) and describes the day to day risk assessment procedures for managing and monitoring risk. Mandate and commitment Our risk management framework is mandated by the Authority and is designed to support the achievement of the corporate aims. It is based on the following key commitments: There is Corporate Management Board and management commitment to, and leadership of, the risk management framework Risk management will support the organisation in achieving its corporate, departmental and operational aims and objectives. The Brigade will continue to develop its risk management framework to include the formal application of the risk management process to all areas of its business. There is widespread employee participation and consultation in the risk management process to ensure that risks are proactively identified and managed at every level. To create and protect value. To address uncertainty and inform decision making To provide for a systematic and structured framework for managing risks of all types. There are appropriate resources available, including people, knowledge and budget. Progress against this strategy is monitored, reviewed and reported. The strategy is reviewed periodically to ensure it is aligned with the objectives and challenges facing the organisation and reflects relevant changes in the internal and external contexts (i.e. the London Safety Plan). Risk Management Strategy 2014/ of 16

3 To facilitate continual improvement. The context for the risk management framework The context for the Brigade s risk management framework is defined by external and internal influences. These parameters include everything from the legal and regulatory requirements that are externally imposed on the Brigade, through to other less tangible internal factors, such as the organisation s culture. Any changes to the parameters that have been used to define the Brigade s risk context must be carefully considered in view of the risk management framework and, where necessary, prompt a review of this document. Roles and responsibilities Our strategy is to continue to help the organisation broaden its understanding of risk, from one that has naturally needed to focus on incident based operational risk, to one that considers all risks to the brigade as a whole, both corporate and operational, especially those that may affect the achievement of its strategic objectives. The roles and responsibilities of individuals and groups to implement the strategy are as follows: The Authority The London Fire and Emergency Planning Authority to hold the Corporate Management Board accountable for the effectiveness of risk management by officers. The Governance Performance and Audit Committee to monitor the Risk Management Strategy action plan and receive regular updates on the risk management framework including the risk audit programme and supporting assurance work. to the Authority and London. They give a view on the medium to long term risks facing the Authority and London that might impact on the service provided, including assumptions in respect of government policy, financing, business change and partnership working. The Head of Strategy and Performance to provide a strategic lead on corporate risk matters for the Authority, and provide support to the Corporate Management Board. Works closely with internal audit to ensure our risk framework and risk management are appropriately audited. Also responsible, where appropriate, for feeding key local risks into the corporate risk register. Issues guidance and information about the risk management process. Heads of Service are essential to the risk management process, to champion risk management within their departments, and identify local risks and maintain local risk registers. The Director of Finance and Contractual Services (via the Internal audit function) may review and report on department and corporate risk management processes as part of the corporate governance agenda. Borough commanders manage risk in their areas, and particularly in relation to partnership working locally. Project leads/sponsors identify project specific risks likely to impact on the successful delivery of project deliverables. All staff have a responsibility to identify opportunities as well has hazards/risks in performing their day to day duties and taking appropriate action to take advantage of opportunities or limit the likelihood and impact of risks. This includes making their manager aware of opportunities or hazards/risks identified. The Corporate Management Board (Commissioner, Deputy Commissioner and Directors) own corporate risks and scan for new risks Risk Management Strategy 2014/ of 16

4 Identifying and managing risks The Authority will manage risks at four levels corporate, department, borough and project as follows: Corporate Risks at the corporate level are those which would have a serious and potentially devastating impact on how we operate. Corporate risks tend to be those that would be noticeable by the public and would generate significant media coverage in the event of the risk occurring. Corporate risks normally impact across the range of our risk impact criteria (especially reputation) and can include strategy level risks in terms of decisions made about which direction the organisation should be following. Controls for corporate risks will normally be cross-cutting and will be split across a number of departments or business areas. Risk ownership is required at the highest level (Commissioner, Deputy Commissioner or Director level) in order provide the appropriate leadership, scrutiny and management of the risk. Department Risks at the departmental level are those which would have a potentially serious impact for the department concerned, however the end result of these risks would not necessarily impact the organisation overall. They may still be noticeable by other departments and could affect other areas of work, especially where departments are jointly delivering an initiative, however the biggest impact of the risk would be felt within the relevant department. Controls for departmental risks will, in the majority, sit within the department affected, however a few significant controls may still be situated in other business areas. Risk ownership at this level is normally assigned to the Head of Service, however some specific risks may be assigned to other senior officers especially in specialist subject areas. Borough Risks at the borough level are those which would have a potentially serious impact on the delivery of the service in that borough, however the impact of these risks would not necessarily impact the organisation overall unless several Boroughs were to suffer from the same risk occurrence (at this point, management of the aftermath of the risk would fall to the departmental and possibly the corporate level). Controls for the borough risks will normally sit with either the Borough Commander, Station Manager or Watch Manager depending on the type of activity concerned, however some controls may also be delivered centrally such as policies or management of funds. Risk management tends to be overseen by the relevant Borough Commander and as such it would be expected that the Borough Commander would be the risk owner for the majority of risks. However, in some cases this may be escalated to the Area Deputy Assistant Commissioner or devolved to a Station Manager. Project Project risk management follows the same principles as those defined in this document and uses the same risk assessment matrix to evaluate project risks. In most cases project risks remain within the project and are assigned to a designated member of the project team, but can also be escalated to either the departmental or the corporate level via the project sponsor who is responsible for the aggregated project risk. Risk Management Strategy 2014/ of 16

5 Section 2 Areas for development (continual improvement) Where we are now The organisation has made significant strides in its understanding and application of strategic risk management. There is a supporting risk management framework and a wide range of risk information available, helping to inform decisions about where the organisation needs to place resources and manage expectations and pointing to likely sources of uncertainty in the future. Risk information has been integrated into performance reporting so that it is considered in the round against aims, corporate commitments, indicators, targets, projects and budgets. Culture The organisation is no newcomer to dealing with risk. Long before the risk management framework existed, the organisation was well versed in risk assessment, particularly in the area of dynamic risk decision making on the incident ground. Having a risk management strategy has helped deliver continual improvement and commitment to risk management. A vocabulary of risk has been established within the Authority. Very few discussions now take place without consideration of risk and what measures there are/need to be in order to manage the area of uncertainty in the best possible way. Going forward The major challenge for strategic risk management for the future is to make sure that it remains relevant and continues to add value to the organisation. In acknowledging how far we have come, we must be careful not to stagnate so that risk management does not merely become a process for recording our concerns. Risk management is in place to support the achievement of our objectives. As such, it needs to be proportionate to the requirements of the organisation and reflect the resources available. In gathering our risk information, we must be sure that we concentrate on the clear priorities for the organisation. Risk management needs to focus on active risks and threats to the Brigade and not become confused by the inclusion of peripheral matters. As some of the information has existed for a long time, we will continue to challenge and revisit these risks to ensure that the most important priorities are reflected. Leadership, roles and responsibilities Risk management is as much about empowerment, supporting innovation and seizing opportunities through informed decision making as it is about defending against negative threats and preventing adverse things from happening. In order for this empowerment to happen, the risk management framework requires clear leadership commitment and defined roles and responsibilities. These responsibilities have been clearly defined in Section 1 of this strategy. Making smarter use of available risk information One of the key developments arising from LSP5 is the commitment to producing an annual assessment of risk with regards to the incident profile of London. We will consider whether the annual assessment could be used to shape our approach to strategic risk management, in particular, whether operational risk information can be used to inform decisions about organisational priorities and resource allocation. We will also consider using the annual assessment of risk to develop our approach to borough risk registers, and the risk management priorities at a borough level. Our business continuity framework is another source of risk information for the Brigade, and during the lifetime of this strategy, we will investigate how information and risk assessments made about our key products and services can be used to inform our corporate risks. Risk Management Strategy 2014/ of 16

6 Risk and performance Risk information has been integrated into the performance management reporting suite so that risk information can be considered in the round against other performance indicators. We will continue the integration of risk management into normal business operations so that there is a greater understanding of how risk management supports the achievement of corporate objectives in the round. Risk appetite The organisation adopted an approach to risk appetite in 2010, setting out a statement of its risk appetite. Although risk management remains a largely subjective judgement (tempered by experience, expert opinion and wider consensus), risk appetite provides the means to assess whether the organisation (and component parts) are operating within acceptable limits. In line with other public sector organisations, the risk appetite of the Brigade can be summarised as being low to low-medium. The Authority s risk appetite statement is set out as an annex to this strategy. A standard risk tolerance threshold has been set for corporate risks and the departments, with some selecting a higher or lower risk tolerance limit depending upon their specific risk exposure. We will also investigate how to strengthen the link between risk management activity, risk information and decision making to ensure the effective delivery of services which are efficient. We will look to improve the quality of the collation and recording of risk information and include the development of risk information as part of the wider Information Strategy. We will continue to raise awareness of the risk information that is available to support performance management. This enables the Authority to produce corporate and department risk profiles to assess the risk management priorities for the Brigade. Where performance is said to be within the threshold, a business case for taking on more risk (through assessment of desirable outcomes) can be made. Where performance is said to be outside the threshold, risk management prioritisation measures can be taken (e.g. relocation of staff, funding or expertise) to manage the risk back to within acceptable limits or options can be considered as to whether the risk can be transferred, terminated or tolerated at its current rating. Where organisational performance as a whole exceeds the risk tolerance limit, consideration will be given to providing a full stop on further change activity which may introduce more risk into the organisation. Both the risk appetite and risk profile of the organisation will be regularly monitored by the Corporate Management Board through performance reports and formally reviewed on an exceptions basis to check that the risk appetite remains appropriate to deliver the organisation s objectives in light of internal and external drivers, events and constraints. Risk Management Strategy 2014/ of 16

7 Risk awareness In order to continue the development and application of risk management, staff need to be exposed to good practice. We will continue to achieve this through a variety of communication methods including corporate publications, the intranet site (Hotwire), the use of information management (borough) days, and other existing forums such as regular departmental and borough meetings to improve risk management. Governance and reporting Governance and risk management are strongly linked. The risk management framework identifies the key controls that are integral to our governance processes. The Governance, Performance and Audit Committee and Corporate Management Board (CMB) will receive timely and regular reports, as appropriate, to monitor the effectiveness of the system of risk management so that assurance is given regarding the identification of the most prominent risks and associated status (and progress) of control measures. Where necessary, departmental risk information will be escalated to CMB for decision as to whether the status of a risk needs to be elevated to a strategic one. The strategic risk team will also continue to review risk information to ensure it is relevant and is useful to meet the needs of the organisation. Projects and positive risk Project management provides the structure and process for positive risk management to take place and the strategic risk team has worked closely with the Project Management Office (PMO) to ensure that risk assessments for projects are in line with the corporate standard. The PMO provides the best practical application of a positive risk tool and we will continue to work closely with the PMO on risk matters through the lifetime of this strategy. Areas for improvement Since the last strategy, the risk management framework has undergone an internal audit. The results of the audit were positive with substantial assurance given to the framework. The audit also put forward recommendations to further strengthen the framework. These recommendations related to: Providing quality assurance and health checks Updating the risk management strategy and issuing a policy Outlining risk management responsibilities Linking risk information These areas for improvement will be pursued as part of this strategy. We will also implement the recommendations of a recent internal review of business management processes which focussed on proportionality and on reducing production and monitoring burdens. This will include exploring the current structure for the risk management framework, and investigating whether moving to a structure of risks to reflect the governance required for each (e.g. whether managed corporately), departmentally, or at borough, station or team level), would better aid our understanding and management of risk. External links We will continue to work with others to develop our own thinking and application behind risk management. This will include working with our appointed risk contractors. Where it is deemed beneficial for the profile of the London Fire Brigade then we will seek to network and obtain membership of relevant professional bodies to further understanding of risk management in the fire service and across the public sector. Risk Management Strategy 2014/ of 16

8 We will continue to work with specialist groups to help raise the standard of risk management in our own sector. We will also contribute to the ALARM and the Fire Special Interest Group as appropriate. Risk Management Strategy 2014/ of 16

9 Likelihood Annex to the Risk Management Strategy 2014/2017 Risk Appetite Statement Risk appetite Risk appetite is the amount of risk that we are prepared to tolerate in order to meet our objectives and reflects our attitude towards risk taking as an organisation. LFB s risk appetite can be described as low to low-medium. Informed risk taking is permitted provided that the overall risk ratio does not exceed nine per cent of the threshold set for the specific business area (e.g. corporate or departmental). Risks that are rated as very likely and catastrophic (4x4), very likely and major (4x3), likely and catastrophic (3x4) or unlikely and catastrophic (2x4) will still be deemed to be outside acceptable limits, even it they are within the nine per cent ratio. These risks will be subject to extra scrutiny to check that the rating is correct, whether the activity can be pursued and what immediate management action can be taken to bring the risk to within more acceptable limits. Purpose of the statement This statement sets out the thinking and guidelines behind our risk appetite and the boundaries on the amount of risk that can be accepted within the organisation. It should be read alongside the Risk Management Strategy. Risk appetite is formally applied at two levels within the organisation: the corporate level and the departmental level. The corporate level At a corporate level, the summary corporate risk profile defines the risk appetite threshold for the organisation as a whole. The summary corporate risk profile The summary corporate risk profile is plotted on the standard risk threshold. The standard risk threshold is shown below and the threshold represented by a thick black line, allows all green risks, and amber level risks that are unlikely (2x3) and/or significant (3x2), to be within acceptable limits. Very Likely 4 Likely 3 Unlikely 2 Very Unlikely 1 Minor 1 Significant 2 Impact Major 3 Catastrophic 4 Risk Management Strategy 2014/ of 16

10 The departmental level At a departmental level, the risk threshold has been determined through consultation with the Head of Service and compared to the standard risk threshold. All departments have agreed that the standard risk threshold provides an appropriate risk appetite for the departmental risk exposure, with the following exceptions: Information and Communications Technology (ICT) ICT has selected a higher risk threshold than the standard risk threshold in that risks rated as very unlikely and catastrophic (1x4) will deemed to be within acceptable limits. This is based on the knowledge that any ICT outage can impact the Brigade to a considerable extent however provided the likelihood assessment is correct (i.e. Very Unlikely), then the risk can be tolerated. Procurement Procurement has selected a lower risk threshold than the standard risk threshold in that risks that are deemed to be unlikely and major (2x3) will be deemed to be outside acceptable limits. This is based on the regulation of procurement and contract management work in particular, and the fact that major impacts could breach statutory requirements and would be beyond the acceptable risk appetite level for the department. Operations and Mobilising Mobilising Section Mobilising has selected a lower risk threshold than the standard risk threshold in that risks that are deemed to be likely and significant (3x2) will be deemed to be outside acceptable limits. Owing to the critical nature of the service to the Brigade, a lower likelihood acceptance level has been set for this section. Tolerance levels The following tolerance levels have been set to determine whether the risk profile of the corporate risks or a department is performing within acceptable threshold limits: 0 per cent of risks above the threshold Amber status the risk profile is low. Risk ratings should be scrutinised and departmental practices reviewed to ensure that risks are not being over controlled. Between 1-9 per cent of risks above the threshold Green status the risk profile is within acceptable limits. Between 10% - 24 per cent of risks above the threshold Amber status the risk profile is exceeding acceptable limits. Over 25 per cent of risks above the threshold Red status the risk profile is too high. Risk ratings should be scrutinised to ensure that risks are not inflated in terms of likelihood and/or impact. Monitoring Risk thresholds will be monitored by Strategy and Performance and reported to Performance CMB. Scrutiny will focus on areas where risks have exceeded thresholds in excess of a tolerance of 25 per cent or where risk profiles have remained static for an extended period of time (generally longer than six months), and the reasons why. In the event that a risk (corporate level) or department has exceeded the risk appetite level agreed, it is expected that the principles of Exceptions to Risk Appetite Levels will have been followed as set out below. Additionally, as described above, risks that are rated as very likely and catastrophic (4x4), very likely and major (4x3) or likely and catastrophic (3x4) will still be deemed to be outside acceptable limits, even it they are within the nine per cent. These risks will be subject to extra scrutiny to check that the rating is correct, whether the activity can be pursued and what immediate management action can be taken to bring the risk to within more acceptable limits. Risk examples beyond tolerance Risk appetite can be a difficult concept to apply and is sometimes seen to have theoretical rather than practical application. In order to help with understanding as to what risk appetite looks like in practice, the following provides examples of risks which the Brigade would not tolerate. Risk Management Strategy 2014/ of 16

11 Risk impact Risk would not be tolerated where: category/type Political the brigade is directly associated with extremist, hate speech or discriminatory beliefs Economic the brigade s financial stability is compromised investment or capital outlay exceeds delegated authority limits Safety and Wellbeing there is a significant increase in the potential for injury or death the wellbeing of any staff group is seriously compromised Environmental the Brigade s activities cause irreparable harm to the environment the long term sustainable development of the Brigade is compromised Legal the Brigade breaches its statutory responsibilities Brigade activities are deemed to be unlawful Operations Operational practices threaten community safety Resilience assets are compromised Systems Core ICT systems/equipment are compromised, targeted or unavailable Opportunity The pursuit of the opportunity leads to unsustainable or unacceptable long term impacts Reputation The Brigade s standing in the community or with partners is significantly compromised in the long term The above table is not exhaustive and has been based on the impact categories used by the Brigade. It is provided for reference and as a guide to indicate where further risk management action (which includes the termination of the activity) may need to take place to prevent impacts which are beyond the Brigade s tolerance levels. Exceptions to the risk appetite levels This statement outlines the approach taken to define risk appetite and the current accepted levels of risk that will be tolerated at the corporate and departmental level. Variations from the risk thresholds are not to be actively encouraged as the risk appetite statement provides the grounds for consistency and assurance. However, there are times when the risk thresholds may need to be exceeded by more than the agreed tolerance figure on an extraordinary basis in order to achieve a desired outcome. This may be particularly relevant in the event of a business continuity incident. In the event of such an event, the Continuity Management Team will set out the extraordinary risk tolerance parameters required in order to resolve the incident. There will be a post-incident debrief of the decisions made and this will be reported to Corporate Management Board to determine if the response and risk levels tolerated were correct in order to provide lessons learnt for future events. In all other circumstances (i.e. non-emergency), the following criteria will apply for applications to exceed the tolerances for risk thresholds: Where proposed changes to a corporate risk mean that the corporate risk threshold tolerance level is exceeded (i.e. above 25 per cent), the Head of Strategy and Performance will alert both the risk owner and the Board. In considering whether to accept the higher risk status, the Board must consider compliance with risk thresholds across the organisation as a whole and acceptance of the exceeded risk level should only be accepted if the risk assessment indicates that the majority of impact categories for the corporate risk are within their acceptable limits (i.e. minor or significant only). Where a change to a departmental risk profile exceeds the risk threshold for that department, the Head of Service should escalate the matter to both their Director and the Head of Strategy and Performance. Where it is agreed that the evaluation of the risk profile is correct, the change should be presented to the next Performance Risk Management Strategy 2014/ of 16

12 CMB (or CMB meeting, whichever is sooner) so that a decision upon whether to tolerate the exception can be made. In considering whether to accept the higher risk status, the Board must consider the potential impacts of the risk and the risk profile of the organisation as a whole. Any changes (temporary or permanent) to the risk thresholds must be agreed with the Board and reported back to the Head of Strategy and Performance so that the appropriate controls and changes to reporting levels can be made. Risk appetite review/refresh Risk appetite will be reviewed on an exceptions basis to check that the risk thresholds in place are appropriate. In reviewing the risk thresholds, consideration will be given to a number of factors, including, but not limited to: Availability of capacity to manage new risks, and the cost effectiveness of the risk management; Occurrences of high level (red) risks within the past 12 months; Breaches of current risk thresholds in the past 12 months and the reasons why; Review of the control environment including results from external and internal audits and inspections and the levels of assurance obtained from these; Changes to the way the service operates; and Changes due to political policy and initiatives. Any changes arising from the review of thresholds will be submitted to the Corporate Management Board for approval. Risk Management Strategy 2014/ of 16

13 Action Plan to support the Risk Management Strategy 2014/2017 Strategy Commitment Action/Task Expected outcome and action deadline 1. Making smarter use of available risk information (1a) We will consider whether the new annual assessment of risk (which will be Review output of annual assessment of risk when available (expected by March 2015) Up to date information relating to risk in London By end of March reported to the Strategy Committee) can Assess extent of relationships between Report back to GPAC through the regular risk inform our approach to strategic risk annual assessment of risk and strategic risk monitoring report with recommended actions. management and risk management priorities management framework and agree benefits By end of June at a borough and/or corporate level, and to and possible extent of forging stronger links potentially explore a stronger link between between the two areas. strategic risk management and integrated risk management planning. (1b) We will strive to make better links between the business continuity framework and strategic risk framework, including investigating how information about key products and services can be used to inform our corporate risks. Review the eight key products and services in the corporate business continuity plan to test their criticality and the extent to which they relate to the corporate risks. Assess the critical activities that support the (revised) key products and services. Introduce/amend risks to ensure that any gaps in the Brigade s continuity arrangements are managed (to include further actions in departmental plans) Confirmation/revision of key products and services. By end of June Updated critical activities that support key products and services. By end of October Supporting risks (and control measures) / activities to support achievement of critical activities. By end of March 2016 Risk Management Strategy 2014/ of 16

14 Strategy Commitment Action/Task Expected outcome and action deadline 2. Risk and Performance (2a) We will continue the integration of risk management into normal business operations so that there is a greater understanding of how risk management supports achievement of corporate aims and objectives. Analyse impacts of risks (corporate/departmental) against each corporate aim to ensure all controls are appropriately identified. Assessment of how far the strategic risk management framework supports the corporate aims/objectives. By end of March 2016 (2b) We will investigate how to strengthen the link between risk management activity, risk information and decision making to ensure the effective delivery of services which are efficient Assess the alignment of corporate, department, borough and project risks so that there is consistency of assessment. Ensure relationships between risks, plans and performance indicators are understood and applied at the departmental level through workshops, awareness sessions and supporting advice. Re-assess the Brigade s risk management maturity against the ALARM model and agree the required maturity level to ensure effective decision making processes taking account of risk. Review how we collate evidence of risk management activity (and report on it) to further improve risk management processes and effective delivery of services. Consistency of assessment between the different risk levels and agreed management action plan to address risks. By end of August 2016 Streamlined performance management practices. By end of March 2017 Defined actions to meet required maturity level. By end of March Strengthened audit trail between risk management activity and effective service delivery. By end of August (2c) - We will look to ensure our processes encourage the capture of current material risks to the Brigade. Conduct face to face workshops with leading risk officers to challenge and improve their understanding of risk. Annual workshop programme focussed on the right risks. Core business to run through to March Risk Management Strategy 2014/ of 16

15 Strategy Commitment Action/Task Expected outcome and action deadline (2d) We will include the development of risk information as part of the wider Information Strategy. Ensure that strategic risk information is given the same status and data quality focus as other Brigade performance information and include this in the revised Information Strategy. Confidence in risk assessments reduced subjectivity in strategic risk information. Core business to run through to March Projects and positive risk (3a) We will ensure that risk matters arising from projects are managed in line with the risk management framework and that positive risk opportunities continued to be pursued through the agreed project management framework. Develop regular review meeting with the project management office to ensure consistency of risk assessment across projects and departments. Obtain overview of project risks and assess whether they are adequately reflected in the corporate risk register. Improved links between PMO and risk management framework and the escalation/deescalation of risks. By December Consistency of assessment between project and corporate risks. By end of March Areas for improvement (4a) We will deliver the agreed recommendations from the internal audit review of the risk management framework conducted in Undertake quality assurance checks with clear guidance on identifying, assessing and monitoring risks appropriately at a departmental level. Publish and implement a Risk Management Policy. Monitor target implementation dates to determine, assess and track whether progress against the strategy is achieved See action 2(c) Review already undertaken for 2014/15 to form part of core business. Core business to run through to March Manual already issued - Supporting policy to provide procedural detail behind risk management strategy. By December 2014 Report to Governance, Performance and Audit Committee. By December 2014 (and thereafter for lifetime of strategy). Risk Management Strategy 2014/ of 16

16 Strategy Commitment Action/Task Expected outcome and action deadline Consider the skills required by staff and further development of risk management awareness in the context of a published Risk Management Policy so that all staff are made aware of their risk management responsibilities Risk management training needs analysis. By December Consider the best method for linking risks and associated controls with department planning Risk control measures in departmental action plans. By March (4b) We will explore the current structure for our risks and investigate whether to adopt a governance level approach similar to that for projects. Use the outputs from the risk maturity reassessment (see 2b above) to determine whether the current risk governance model is the most appropriate. Explore the potential for moving to an A, B, C governance risk model (like the project management office) and the advantages and disadvantages of this, compared to the existing corporate, department, borough and project model. Report on effectiveness of current arrangements to GPAC through the regular risk monitoring update. By March Implementation of new risk model or affirmation of current model as most appropriate for the Authority. By March 2017 Risk Management Strategy 2014/ of 16