Shepway District Council Risk Management Policy

Transcription

1 Shepway District Council Risk Management Policy

2 Contents Section 1 Risk Management Policy Updates and amendments Definition Policy statement Objectives... 3 Section 2 Risk Management Strategy Introduction What is risk management? The benefits of good risk management Types of risk corporate, operational and partnership Risk management cycle Risk identifying, analysing and profiling Mitigating actions to control the risk Reporting and monitoring risk Risk review Responsibility for risk management Mitigating/ treating risk Accept/ tolerating risk Removal of risk from the register

3 Section 1 Risk Management Policy 1. Updates and amendments This policy and strategy have been updated to reflect changes to the council s internal processes, and best practice. Key amendments include: Updating the scoring matrix. Ensuring the risk timetable and risk responsibilities reflect the council s processes and structures. Updating the risk definitions, approach to risk tolerance and the approach to reviewing risk. 2. Definition Risk Management is the planned and systematic approach to the identification, evaluation, and control of risk. The objective of risk management is to secure the assets of the organisation and to ensure the continued financial and organisational well-being of the council. 3. Policy statement Shepway District Council is committed to adopting best practices in the identification, evaluation and cost effective control of risks to ensure that they are reduced to an acceptable level or eliminated, and also maximise opportunities to achieve the council s vision. It is acknowledged that some risks will always exist and will never be fully mitigated. All employees must understand the nature of the risk and accept responsibility for risks associated with their area of work. The adoption of this policy helps Shepway District Council demonstrate its commitment to a policy of managing risk wherever it may arise. 4. Objectives The council s risk management objectives are to: Integrate risk management into the culture of the council. Manage risk in accordance with best practice. Ensure compliance with health and safety, insurance and legal requirements as a minimum standard. Prevent injury and damage and reduce the cost of risk. Inform policy and operational decisions by identifying risks and their likely impact. These objectives will be achieved by: Defining the roles and responsibilities of officers and councillors in relation to risk. Including risk management issues when writing reports and considering decisions. Continuing to demonstrate the application of risk management principles in the activities of the council, its employees and councillors. Providing training as necessary. Maintaining documented procedures of the control of risk and provision of suitable information training and supervision. 3

4 Preparing contingency plans to secure business continuity where there is a potential for an event having a major impact upon the council s ability to function. Maintaining effective communication and the active involvement of councillors and officers. Monitoring arrangements continually and seeking continuous improvement. 4

5 Section 2 Risk Management Strategy 1. Introduction 1.1 Good risk management will help identify and deal with key corporate risks facing the organisation in the pursuit of its goals and is a key part of good management, not simply a compliance exercise. 2. What is risk management? 2.1 It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. (A Risk Management Strategy by the Institute of Risk Management) 2.2 In layman terms, risk management is about ensuring that processes, projects, services and activities are delivered in the best possible manner, while reducing the probability of failure. 3. The benefits of good risk management 3.1 Good risk management supports the achievement of our objectives and has a crucial role to play in ensuring that Shepway District Council is well run. 3.2 The key benefits of a systematic approach to risk management are: Protects and enhances the reputation of Shepway District Council It provides a framework for future activity to take place in a consistent and controlled manner Enables improved decision making Contributes to a more efficient use of capital and resources Assists in the protection and enhancement of assets Optimises operational efficiency 4. Types of risk corporate, operational and partnership 4.1 Risk Management is integral to corporate planning, specific projects, and service management. Categories of risk to be considered are: 4.2 Corporate risks These are risks that need to be taken into account when looking at the medium to long term objectives of the council. These risks can be categorised as follows: Political those associated with a failure to deliver either local or central government policy. Economic those affecting the ability of the council to meet its financial commitments. Social those relating to the effects of demographic changes on the council s ability to deliver its objectives. Technological includes the consequences of internal technological failures on the council s ability to deliver its objectives. Legislative those associated with current or potential changes in national or European law. Environmental those relating to environmental consequences of progressing the council s corporate objectives. 5

6 Competitive those affecting the competitiveness of the service and/or its ability to deliver best value. Customer those associated with the failure to meet the current and changing needs and expectations of customers. Reputation those relating to public confidence and failure to recruit high calibre staff. 4.3 Operational risks These are identified and managed through the service plans which are written by Heads of Service and annually reviewed. These are risks that managers and staff will encounter in the daily course of their work and can be categorised as follows: Professional those associated with the particular nature of each profession. Financial those associated with financial planning and control and the adequacy of insurance cover. Legal those related to possible breaches of legislation, breach of contract, negligence, etc. Physical those related to fire, security, accident, prevention and health and safety. Contractual those associated with the failure of contractors to deliver services or products to agreed cost and specification. Technological those relating to reliance on operational equipment. Environmental those relating to pollution, noise or the energy efficiency of ongoing service operations. Human Resources those relating to staff issues. 4.4 Partnership risks Shepway District Council works with a range of partners to deliver services. It is important that those partners are brought into the risk management framework to ensure that risks to the council are not overlooked. The primary risks are: Financial failure to understand the potential financial liabilities associated with partnership arrangements. Reputation loss of public confidence. Contractual contract requirements not delivered. Legal failure to understand the potential legal liabilities associated with partnership arrangements. Service failure the associated risk of increased costs. 5. Risk management cycle 5.1 There are a number of steps in the cycle of identifying and managing risks within the council. These should be as follows: Identifying risks a need to identify the potential risks that may arise if informed decisions are to be made about policies or service delivery methods. Analysing risks available data should be used to provide information to help assess the probability of any risk arising or the potential impact on activities undertaken. Profiling risks risks can be profiled according to their probability and severity. 6

7 Prioritising action based on the approach to risk action determined on the tolerance and aversion to risk, balanced against the availability of limited resources. Determining action on risk a course of action can then be determined on whether the risk should be avoided, eliminated, reduced, transferred or accepted. Controlling risk once the appropriate action is determined for each risk, the process of controlling that risk can commence. This will either involve minimising/eliminating the risk and/or alleviating its potential impact. Monitoring and reporting on progress progress in managing risks should be monitored and reported so that losses are minimised and intended actions are achieved. Reviewing risk management needs to be seen as a continuous process. It is essential that the incidence of risk be reviewed to see whether it has changed over time. Review Identify Monitor & report Analyse Control Profile Action Prioritise 6. Risk identifying, analysing and profiling 6.1 Risk assessment is about asking: What can go wrong? What is the likelihood of it going wrong? What is the impact should it go wrong? What can be done to mitigate the risk? 7

8 6.2 This five point approach can be applied to decisions made every working day, at all levels of the council. The risk ratings then provide an overall ranking for each risk. 6.3 Risks are rated out of 5 for their likelihood and potential impact. These two figures are multiplied together to give the risk score. This is shown in the Risk Scoring Matrix below. Likelihood Definite Very likely Possible Unlikely Highly unlikely Negligible Low Medium High Very High Impact 7. Mitigating actions to control the risk 7.1 There are four ways to control the risk: Treat/ mitigate identify and put in place mitigating actions that reduce the risk to an acceptable level. Transfer the risk is transferred to a third party (e.g. contractual agreement/ insurance). The financial risk may be transferred, however a reputational risk may remain with the authority. Tolerate/ accept the level of the risk is low compared to the advantages to be gained by taking the course of action that involves the risk. Terminate stop the activity or function that gave rise to the risk. 8. Reporting and monitoring risk 8.1 The Corporate Risk Register is the document which requires the identified risk owner to provide a risk description, a risk score and an overview of the mitigating actions. 8.2 The Corporate Risk Register is updated three times a year. The risk likelihood and impact scores are reassessed and the mitigating actions are reviewed to ensure they are still valid. 8.3 Shepway District Council reports risk by exception. This means the risk register is focused on those risks that are changing and those that are high risk (scoring 16+). Risks won t appear on the register if the council has put in place the only mitigating actions available and risk is unlikely to change. This approach allows senior managers and members to focus on the key risks to the authority and its services. 8.4 Operational/ service risks are reviewed regularly at service or departmental meetings and are formally reviewed and reported in tandem with Service Plan updates. The risks associated with the achievement of the objectives in service plans are assessed by Heads of Service in conjunction with their teams and 8

9 approved by the relevant Corporate Director. Where operational/service risks are significant they are reported to CMT to be considered for inclusion in the Corporate Risk Register. 8.5 The timetable for reporting risk management is as follows: Three times a year provide updated risk register showing risks are being actively managed Annually o Review of the council s Corporate risks (responsibility of the Corporate Management Team) o Review the service risks as part of the service planning process o Review the risks of delivering services in partnership with other organisations. 9. Risk review 9.1 The following process is used to review the risk register: Review identified risks to determine that they are still relevant Review risk owners to ensure the correct people are named Review the controls which have been put in place to ensure that they continue to mitigate the risk Review the risk likelihood and impact to ensure the risk score is still accurate 10. Responsibility for risk management 10.1 Clear identification of roles and responsibilities is paramount to ensuring the successful adoption of risk management and its embedding into the culture of the council. Role and responsibilities are detailed below: Cabinet and Elected Members To oversee the effective management of risk throughout the council. To gain an understanding of risk management and its benefits. To require officers to develop and implement an all encompassing approach to risk management. To consider the issues contained with the council s strategic risk register. 9

10 Corporate Management Team To ensure that the council manages risk effectively through the development of a risk management strategy plus monitoring its implementation and development. To gain understanding of risk management and its benefits. To identify the council s key Corporate Risks and agree actions to mitigate against those risks. To promote risk management and oversee the implementation of the risk management strategy across the council. To agree any inputs and resources required supporting the work corporately. Policy and Engagement Team To support the council and its services in the effective development, implementation and review of the council s risk management processes. To ensure that the risk management processes are considered in accordance with the functions of Corporate Directors to the council as specified in the Finance Procedure Rules. To develop and promote, support and oversee the implementation of the risk management strategy across the council. To annually review the Risk Management Strategy and Policy, seeking approval from CMT, scrutiny and Cabinet should any significant amendments be required. To develop risk management controls in conjunction with Corporate Directors. To identify and communicate risk management issues to services. To assist services in undertaking risk management activity through training or direct support. Heads of Service/ Operational Management Team To manage risk effectively in their particular service areas, to consider risks to services being delivered in partnerships and to work with partnerships to develop partnership risk registers. To implement the detail of the risk management strategy. To recommend the necessary training for employees on risk management. To raise awareness with staff. To incorporate risk ownership through the appraisal scheme with employees. To share relevant information with colleagues in other service areas. To manage operational risk. Employees To manage risk effectively in their jobs. To liaise with their line manager to assess areas of risk in their job. To identify new or changing risks in their job and feed these back to their line manager. Attend risk awareness and management training as required. Be familiar with the council s Risk Management Strategy and to comply with Health and Safety procedures. 10

11 Audit and Standards Committee To provide independent assurance of the adequacy of the risk management framework and associated control environment. To monitor the effective development and operation of risk management and corporate governance in the council. Be satisfied that the authority s assurance statement including the annual governance statement properly reflect the risk environment and any actions required to improve it. Consider the effectiveness of the authority s risk management arrangements, the control environment and associated anti fraud and anti corruption arrangements and seek assurance that action is being taken to mitigate those risks identified. Resources Scrutiny Committee To contribute to and review the development of the Council s corporate management policies, including risk management and corporate governance policies and strategies. To consider the issues contained with the council s strategic risk register, as part of the council s scrutiny process. 11. Mitigating/ treating risk 11.1 The council will aim to mitigate the impact of risk by securing the council's assets, minimising injury to staff, clients, and customers, guarding against exposure to litigation, and protecting the environment from harm. The council will tolerate risks below a certain level and actively manage risks over a certain level. Where a significant risk has been identified, a detailed action plan will be produced with milestones and mitigations. Where corporate risks are considered significant, provision has been made within the council s Policy on Reserve to cover the council s potential exposure. Further information is contained within the Policy on Reserves. 12. Accept/ tolerating risk 12.1 The council aims to minimise and mitigate the risks facing the organisation but it would be naive to believe that this can be completely achieved. Moreover, the council will always face the acceptable risk problem namely, in some circumstances the council will need to take a calculated risk in order to deliver its corporate priorities or maximise the benefits of its investments. The council may also choose in some circumstances to accept a degree of risk when working in partnership with other organisations because doing so will help the council to deliver its corporate priorities and because it wants to share the benefits with its partners A degree of risk is acceptable if the benefit of a particular course of action can compensate for the associated level of risk, even though the council may not be able to mitigate the risks entirely. Determining what is an acceptable or tolerable level of risk can only be established via a thorough analysis of the associated risks on a case by case basis. Consequently, the risks associated with delivering the commitments in the Corporate Plan (or other key corporate projects) are assessed individually. 11

12 13. Removal of risk from the register 13.1 Where risk has been mitigated and the score has reduced than the risk owner can make a recommendation for the risk to be removed from the corporate register This recommendation will then be submitted to CMT where they will accept or rejected to removal of the rick from the register CMT s decision will submitted to cabinet where it can be rejected if councillors feel the risk should still be recorded and managed by the council. 12