Risk Management & Business Continuity Manual

Transcription

1 ANNEX C Risk Management & Business Continuity Manual Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page 1 of 14

2 Contents Purpose 3 Introduction 3 Risk Appetite 4 Procedure for escalation reporting process 5 Service Plans and Projects 6 Roles and Responsibilities 7-8 Risk & Business Continuity Management Outcomes 9-10 Equality Impact Assessment 10 Glossary of Terms 12 Budget 13 Quality Assurance 13 Review 13 Addendums Risk and Business Continuity Policy Risk Management Process Business Continuity Process Risk and Business Continuity Steering Group Terms of Reference Draft V.10 Page 2 of 14

3 1 Purpose 1.1 This is the Milton Keynes Council Risk Management and Business Continuity Manual Plan It sets out the processes that the Council has in place to ensure the effectiveness of risk management and business continuity across the Council at a time of increasing pressure on budgets and performance. 1.2 Effective Risk Management and Business Continuity will allow us to: Increase confidence in achieving the priorities and outcomes at all levels Agree levels of acceptable threats and how these will be handled Reduce the potential for lost opportunities Ensure the Council is resilient and has plans in place to ensure continuity of service(s) 1.3 Ultimately, effective risk management and business continuity forms an important element of good business management and service provision and will ensure that the Council maximises its opportunities and minimises the impact of the risks it faces, thereby improving the ability to deliver the priorities and ultimately improve outcomes for residents. 1.4 The Council recognises the need to improve the resilience of the organisation against known and perceived threats, risks and disruption to both planned and unplanned events and it does this by employing the expertise within the Risk and Business Continuity Team. This team oversees the management of the process to ensure Risk and Business Continuity is embedded into the culture of the organisation. 1.5 Corporate Leadership Team and senior management have the responsibility to ensure that Milton Keynes Council manages its risks and is protected in the event that a disruption occurs which may have a detrimental effect on its services. Everybody has a responsibility for both Risk and Business Continuity Management. 2 Introduction 2.1 Aims and Objectives The aim of this strategic plan is to improve the Council s ability to deliver its strategic priorities by managing its threats, enhancing its opportunities and creating an environment that allows innovation and adds value Objectives: (1) Ensure the management of risk is embedded as part of the Council s culture (2) Provide a consistent and accessible means of recording risk evaluations and action plans which facilitates the sharing of risk information. Draft V.10 Page 3 of 14

4 (3) Ensure a framework for identifying, evaluating controlling reviewing and reporting risks across the Council is implemented and consistent in all areas of the Council (4) Allow risks to be understood and prevent a risk averse culture approach within the Council (5) Ensure the Council s resilience to the risks arising from its partners, contractors and supply chain (6) Communicate the Council s approach to Risk Management and its alignment with Service Planning to stakeholders (7) Ensure the Council s approach includes full compliance with Business Continuity provisions within the Civil Contingencies Act 2004 (8) Ensure that all services have an agreed and managed set of documents (Business Continuity Plan) to help them cope with any interruption to normal service processes. 3 Risk Appetite 3.1 Risk Appetite refers to the Council s unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable. The Council s risk tolerance threshold has been agreed by Corporate Leadership Team (CLT) and is set out below in Figure 1; 5 Above the line Report 4 Likelihood Below the line Monitor Consequence Figure 1 MKC Risk Tolerance Threshold Figure 1 illustrates that any threat, which scores residually 1 above a 10, should be specifically managed, monitored and reported (see the section on Reporting for details) and further action taken to manage the threat down to 2 an acceptable level. 1 A residual score takes in to account active controls i.e. it is the level of risk still remaining after mitigating action has been implemented 2 Programmes and Projects may choose a different risk appetite. Draft V.10 Page 4 of 14

5 3.2 An established Risk Appetite enables the Council to prioritise risk management action by focussing response planning, monitoring and control activities on the risks that are deemed highest. 3.3 It is recognised that the Council might be prepared to accept a higher than usual proportion of risk in one area if the balance of risk is acceptable, and if the potential benefits are great. Risk Appetite can therefore be varied for specific risks. 3.4 It should be noted that some risks are unavoidable and it is not within the ability of the organisation to completely manage them to a tolerable level - for example many organisations have to accept that there is a risk arising from terrorist activity which they cannot control. In these cases the Council has made Business Continuity Plans to alleviate these associated pressures. 3.5 The risk appetite will be monitored by the Risk and Business Continuity Team and will be formally reviewed in conjunction with the Risk and Business Continuity Steering Group alongside the review of this Strategic Plan. 4 Risk Procedure for Escalation - Reporting Process 4.1 Risk Escalation A cyclical process of risk reporting and escalation has been agreed by CLT. A Quarterly timetable has been established that has been aligned to the CLT Performance Challenge sessions with Assistant Directors. The process will be communicated to staff on a regular basis Following each quarters CLT Challenge session a quarterly overview report will be presented to CLT, including a review of the Council s Strategic Risks The key elements to support this process are set out below; Risk Owners will review their risks in GRACE (both Service and Project) to an agreed quarterly timetable aligned to the CLT Challenge sessions. A member of the Risk and Business Continuity Team will meet with every Assistant Director at least once per quarter to review each Service Groups key risks. Assistant Directors will be required to review the risks above the agreed Risk Tolerance Threshold at service, team and project level, taking action on any risks which require attention. Assistant Directors will identify the top risks to be submitted to the Challenge sessions for each Service Group including any risks requiring escalation to CLT. The above reviews will include consideration of Business Continuity arrangements. Service Group risks will be sent to the relevant Director and presented to the next CLT Challenge session. The CLT Challenge session will review the Service Group risks. CLT will review the Strategic Risks and a summary of all Service Group risks every quarter following that quarters CLT Performance Challenge sessions. Draft V.10 Page 5 of 14

6 The Risk and Business Continuity Team will highlight any common themes appearing across the Council and any key gaps in risk assessments. A summary report will then be submitted to the next scheduled Audit Committee. 5 Risk, Business Continuity and Service Plans 5.1 The effective management of risk and business continuity is an essential part of Service Planning and Performance Management. As such the Corporate Leadership Team have agreed a method of aligning the Risk Management and Business Continuity processes to the Service Planning Process. This is set out below in Figure 2. Figure 2 Alignment of Risk Management to Service Planning 1 Risk Management Service Planning Business Continuity Planning Corporate Strategic Risk Council Plan Corporate Plan Service Group Top Risks Service Group Plan Service Group Plan Operational Risks Team Plan Operational Plan Draft V.10 Page 6 of 14

7 5.2 Risks at each Service Planning level should be adequately assessed and recorded in GRACE, with a report from GRACE to be appended to the relevant Service Plan. 5.3 This alignment produces an embedded Risk and Business Continuity Management structure across all levels of the Council that is considered and reviewed at the same time as the Service Plans, during appraisals, one to one reviews and team meetings. 5.4 This requires Services to ensure that their risks, both threats and opportunities, are regularly reviewed and that this review is documented in GRACE. Risk and Projects 5.5 Projects are typically more risky than everyday business as usual; it is therefore essential that risks are considered from the outset and managed effectively throughout the project. As such, the Risk and Business Continuity Team work very closely with the Council s Portfolio Office to ensure projects have the correct support they need to effectively manage their risks. 5.6 The Quarterly risk reporting process applies to all projects and reports from GRACE should be appended to Highlight Reports. 5.7 Projects Boards may choose that they want to receive reports on risk more frequently than once per quarter. This should be agreed in advance and form part of the START document. 6 Roles and Responsibilities 6.1 Everyone in the Council should have an awareness of Risk and Business Continuity Management. We all need to be aware of the roles and responsibilities in identifying and managing risks and responding to business continuity incidents. 6.2 Clear identification of roles and responsibilities will ensure the successful adoption of Risk and Business Continuity Management and demonstrates that these two services are embedded into the culture of the Council enabling the organisation to be risk aware and resilient. Cabinet Appoint a Member to gain understanding and promote Risk and Business Continuity Management and their benefits throughout the Council. Ensure that decisions taken in Cabinet Reports have been adequately reviewed for risks both threats and opportunities. Draft V.10 Page 7 of 14

8 Corporate Leadership Team/Chief Executive Agree Milton Keynes Council s Risk and Business Continuity Management Manual, adopting overall responsibility for the Council s Risk and Business Continuity Management. Manage and review the Corporate Strategic Risks Review the risk process and risks arising from Service Groups as part of the CLT Performance Challenge sessions (or other process) Monitor key programme and project risks through the Portfolio Office reporting arrangements Ensure that the Council complies with the Corporate Governance requirements, including the Annual Governance Statement and the Civil Contingencies Act 2004 Ensure that the Council has adequate business continuity plans in place at all levels where appropriate Take part in annual Business Continuity Rehearsals. CLT and core function managers will form a Senior Incident Management team that will be convened in the event a serious incident. Ensure risk lessons are understood and disseminated, in regard to difficult issues that arise Audit Committee Ensure a robust Risk Management and Business Continuity process is in place throughout the Council. Agree and endorse the Risk Management and Business Continuity Strategic Plan. Review and comment on the annual Risk and Business Continuity Report issued by the Risk and Business Continuity Team. Ensure risk lessons are understood and disseminated, in regard to difficult issues that arise. Review Risk Registers for any matters of specific concern. Programme/Project Managers To ensure programme/project risk registers are maintained using GRACE. To ensure risks are assessed from the Council s perspective. To contact the R&BC team to ensure a consistent approach to risk management from the onset of a programme/project. Risk Management & Business Continuity Team Support the Council and its services in the effective development, implementation and review of the Council s Risk Management and Business Continuity processes. Proactively promote and communicate risk management and business continuity to services Undertake risk management and business continuity activity through training, rehearsals and direct support across the whole organisation Ensure compliance with legislation, Civil Contingencies Act 2004 Monitor the effectiveness of the Risk and Business Continuity Strategic Plan Report routinely to CLT and Audit Committee on arising risks (Horizon scanning) Draft V.10 Page 8 of 14

9 Service Group Leads\Assistant Directors Review their risks with Heads of Service Ensure that services complete risk assessments using the agreed methodology Ensure that the GRACE database is kept up to date for their service areas Ensure the production, rehearsal and maintenance of Business Continuity Plans for their Services are up-to-date. To be a member of the Divisional Incident Management Team Head of Service Ensuring staff are aware of their roles and responsibilities with relation to both risk and business continuity. Use risk management to inform outcomes in the Service Planning process. Report systematically and promptly to their Assistant Directors any perceived new risks or opportunities, delayed actions of failings in existing control measures. Using the agreed system of alignment with Service Planning report to their AD s on the progress of Actions Plans/mitigations. Update GRACE by reviewing risk owners, scoring, mitigations and action plans. Participation in the production, rehearsal and maintenance of Incident Management and/or Business Continuity Plans for their Services are up-to-date. To be a member of the Incident Management Team. 7 Risk and Business Continuity Management Outcomes 7.1 To support the strategic plan, the key objectives for the next 3 years are set out below to develop the risk maturity level/direction of travel of the organisation. These outcomes are based on best practice and follow the CIPFA guidelines. The ongoing strategy will always ensure that MKC will fulfil its obligations under the Civil Contingencies Act Level 2011/ / /14 LEADERSHIP & MANAGEMENT Do senior management and Members support and promote risk and business continuity management? STRATEGY & POLICY Are there clear strategies and policies for risk and business continuity? PEOPLE Are people equipped and supported to Quarterly risk reviews with senior management and Audit Committee and Cabinet. Senior management enforcing the use of risk management as a business tool to ensure informed decision making. Quarterly review of BC requirements with AD s. New strategy and policy written and agreed Establishment of Steering Committee. Training established as requirement for all new staff. Target End 2011 Senior management and Members proactively engaged in the management of risks. Risk becomes a fundamental tool within change management processes. Senior management have full awareness of Strategic BC plans and respective roles and responsibilities through scenario based rehearsal. Strategic Plan and policy reviewed to ensure compliance Steering Committee proactively support the development of R&BC. All relevant employees Target End 2012 Senior management and Members use risk management to continually improve the services offered by MKC. Embedded business continuity throughout the organisation. Full review of Strategic Plan and policy (what is working and what needs to be amended/added) Risks managed utilising full functionality within GRACE enabling R&BC team to provide analytical reports to Target End 2013 Draft V.10 Page 9 of 14

10 manage risk and business continuity well? PARTNERSHIP, SHARED RISK & RESOURCES PROCESSES Are there effective arrangements for managing risks with partners? PROCESSES Does the organisation have effective risk and business continuity management processes to support the business? RISK HANDLING & ASSURANCE Are risks handled well and does the organisation have assurance that risk and business continuity management is delivering successful outcomes and supporting creative risk-taking? OUTCOMES & DELIVERY Does risk and business continuity management contribute to achieving outcomes? Member training schedule established. E Learning available. Project Managers training. Senior management and operational teams to have completed desk-based BC scenario. Liaison with Procurement Team to establish database for all suppliers with details of reliance from and to MKC. Ensure Mouchel have effective BC plans. Risks arising from partnerships are assessed Clear processes for R&BC developed. GRACE established as database to record and manage risks across the Council. Investigate use of potential databases to record and store BC Plans. R&BC team involved in initial stages of any programme of work or project. Quarterly AD reviews include review of Action Plans for Service Level risks. Quality checks in place for Corporate Dashboard Projects and Service Planning. BC Plans are reviewed. R&BC team to be involved with OTP Board to consider risks through transformation and resultant service continuity issues (dependency mapping). Quality checks in place for Corporate Dashboard Projects and Service Planning. RM becomes part of all Cabinet and Committee reports. Services to be aware of what they require for continuity of service. have the skills to manage risks to the Council (using GRACE). All Project Managers have attended training. All Members on Committees or with delegated powers have attended Risk Management training. Supply chain resilience established for all suppliers of services to MKC. BC Plans reviewed with critical suppliers. Establish continual exercising of plans with Mouchel. All relevant employees to proactively use GRACE to manage risks to MKC. All Committee Reports include/attach GRACE risk report. Database established and maintained for all BC Plans. Provide assurance that risks are being adequately managed and resilience is in place(in line with best practice). Quarterly report to CLT moves from the process of RM to the effectiveness of the Actions Plans and Risk Mitigations. BC Report on the resilience of plans. RM integral to the decision making process. BC Plans allow for services to have confidence in continuity of service. Senior Management. Training in RM maintained for all Members and established for all new Members as part of the induction process. BC Plans reviewed for all suppliers. BC Plans agreed for critical suppliers to be aligned with MKC BC requirements and rehearsed as appropriate. All Council activities have entries in GRACE that are regularly reviewed. R&BC team to carry out cross-cutting analysis of risks. All Committee Reports refer to GRACE database for Members to review. Council moves from being a risk adverse organisation to one that is risk aware. Information obtained from GRACE provides a database of measures that can be used to generate risk mitigations. BC Plans are rehearsed and improved taking into account dependencies. Effective risk management enctheages achievement of Corporate Objectives. 7.2 Budget There is no specifically allocated budget for the promotion, training or development of Risk Management & Business Continuity. However, it has been agreed that any savings made on the Council s insurance covers will be used to: Fund the Risk and Business Continuity Team to provide training to staff across the organisation Promote Business Continuity Planning and resilience to the wider business community, to comply with the Council s legal duties under the Civil Contingencies Act 2004 (via the Milton Keynes Business Resilience Forum). Draft V.10 Page 10 of 14

11 Publicise the Risk and Business Continuity newsletter (Risk & Reward) Upgrade of the Risk Management Software system (GRACE) Purchase/development of any new software that may be necessary to create robust business continuity plans Ensure that the Risk and Business Continuity Team receive an adequate level of training and development in order to ensure their levels of professionalism are kept up-to-date. 7.3 Quality Assurance Governance is the system by which the Council controls their functions and relates to the community. The Risk Management and Business Continuity Strategic Plan forms part of the Council s Corporate Governance arrangements In order to ensure the performance of Risk Management and Business Continuity the following measures will be taken: 7.4 Review Quarterly review of the risk register by the Corporate Leadership Team. Annual end of year Report to the Audit Committee, including progress made in the previous twelve months and action plans for the forthcoming twelve months. Regular (at least every two years) Audit of the process and data. Regular (at least every two years) benchmarking against other similar local authorities It is recognised that Risk Management and Business Continuity processes need to be constantly reviewed. In the changing face of Local Government both known and yet to become apparent, Risk Management and Business Continuity will become an increasingly complex and essential element of a successful organisation. The Risk Management and Business Continuity Policy & Strategic Plan will be reviewed on an annual basis to ensure that it still meets the requirements of the Council. 8 Equalities Impact Assessment Decision Title: Risk & Business Continuity Management Strategic Plan Author: John Pettitt Date: 1 st July 2011 a) Is this a key decision as defined by the Forward Plan ( a major planning decision or one that affects a sizeable number of staff? (Significant) Yes / No By sizeable we mean a decision that is a general change for all staff even if it effects only some, a decision that would affect over 50 people or a decision that is specifically about a protected characteristic b) Does the decision affect people with one or more of the equality Yes / No Draft V.10 Page 11 of 14

12 protected characteristics? (Relevant) Protected Characteristics are: Age, Disability, Gender Reassignment, Pregnancy and Maternity, Race, Religion and Belief, Gender, and /or Sexual Orientation. Locally we have added Deprived / Socio Economic Disadvantage Groups Draft V.10 Page 12 of 14

13 Glossary of Terms - Business Continuity Business Continuity ( BC ) The strategic, tactical and operational capability of the Council to plan for and respond to incidents and business disruptions in order to continue service/operations. Business Continuity Plan ( BCP ) A documented collection of procedures and information that is developed compiled and maintained in readiness for use in an incident to enable the Council to continue to deliver its critical services at an acceptable level. Business Continuity Management The holistic management process that identifies potential threats to the Council and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and services. Business Continuity Management System Part of the overall management system that implements, operates, monitors, reviews, maintains, and improves business continuity. (Risk & Business Continuity Team) Business Impact Analysis The process of analysing business functions and the effect that a business disruption might have upon them. Critical Activities Those activities which have to be performed to deliver the key services and which enable the Council to meet the most important and time sensitive objectives. Emergency Planning Development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of civil emergency. (Emergency Planning Unit) Exercise Rehearse the roles of team members and staff, and test the recovery or continuity of the Council s systems (e.g. technology, telephony, administration) to demonstrate business continuity competence and capability. Incident An event and/or perception that has the capacity to lead to loss of or a disruption to the Council s operations, services or functions which, if not managed, can escalate into an emergency, crisis or disaster. Incident Management Plan ( IMP ) A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resource, services and actions needed to implement the incident management process. Resilience The ability of the Council to resist being affected by an incident. Stakeholder Individual or group having an interest in the performance or success of the Council e.g. citizens of Milton Keynes, partners, employees, members, government and regulators. Draft V.10 Page 13 of 14

14 Glossary of Terms - Risk Management Action Plan A forward plan of specific actions (new controls) planned to further reduce the residual risk score. Control Measure that is in place now, and working, to minimise the risk and reduce the residual risk score. Control Strategic Plan Approach that you are taking to the management of a particular risk. i.e. Treat Threat/ Tolerate Threat/ Transfer Threat/ Terminate Threat/ Seek Opportunity/ Ignore Opportunity GRACE Governance, Risk And Control Evaluation software used by the Council to record, manage and report on all risk registers. Horizon Scanning Systematic examination of potential threats, opportunities and likely future developments which are at the margins of current thinking and planning. Opportunity An uncertain event that could have a favourable impact on objectives or benefits. Potential Consequence Outcomes that may occur if a risk were to be realised. Raw Risk Score A worst case scenario score for a risk, assuming no controls are in place. Residual Risk Score The level of risk still remaining after active controls have been implemented. Risk An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. 3 Risk Management Systematic application of principles, approach and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. 4 Risk Owner Individual responsible for the management and control of all aspects of individual risks, including the implementation of the controls taken in respect of each risk. Risk Register A record of all identified risks relating to an initiative, including their status and history. See GRACE. Risk Review Regular monitoring and update of individual risks, recorded formally on GRACE. Threat An uncertain event that could have a negative impact on objectives or benefits. Trigger Possible causes for a risk. Vulnerability (Likelihood) An assessment of the current situation as to how probable you believe it is that the risk will occur. 3 Office of Government Commerce (OGC), Management of Risk (M_o_R) Guidance For Practitioners, OGC, M_o_R Guidance For Practitioners, 2007 Draft V.10 Page 14 of 14