Risk Audit and Assurance Report - Quarter 3 Update 2013/14

Transcription

1 Report title Risk Audit and Assurance Report - Quarter 3 Update 2013/14 Meeting Governance, Performance and Audit Committee 4 March 2014 Date Report by Head of Strategy and Performance 7 February 2014 Document Number FEP 2207 Public Summary This report provides an updated monitoring position on the Authority s risk management framework including the risk audit programme and supporting assurance work which has taken place during quarter three 2013/14. Recommendations That the Committee: 1. Notes the content of this report with regard to on-going risk management activities and reviews the information as necessary to fulfil its monitoring and oversight responsibilities; and 2. Notes that the three separate reports on risk, business continuity and governance will be combined into one report as from quarter four, 2013/14.

2 Introduction/Background 1. Strategic risk management enables the Authority to plan for, anticipate, manage, and mitigate risks which have the potential to seriously impact upon the services provided by the organisation. As a fire and rescue service, many of our activities are naturally underpinned by a range of hazards, but it is only through the evaluation of the chance or probability of harm associated with those hazards (i.e. by undertaking a risk assessment) that we are able to accurately understand the risk they pose to the organisation. 2. Risk management is a process which seeks to identify, evaluate and manage these risks in a structured way. A robust strategic risk management framework enables the Authority to take sufficient action, which could involve prevention of significant risks and/or reduction of the impact of those that do occur by putting adequate risk mitigation controls in place. 3. As the assessment of risk and the implementation of controls is largely an internal function, the Authority s internal audit function currently provide independent verification to make sure that the appropriate risks are being identified and prioritised, that they are rated correctly and that evidence for the risk controls in place can be checked. 4. This Committee has a responsibility, to monitor the Authority s risk management system, framework and control environment to ensure that it is fit for purpose (FEP1913). Accordingly, this report shows the updated monitoring position regarding the organisation s risk audit and assurance activity as at the end of quarter three, 2013/14 (period to end December 2013). 5. This report also includes the risk performance indicators and an update on the Authority s risk appetite.. Officers have reviewed how risk, continuity and governance information is reported to the Committee. Given the relationship between the three areas, officers will combine the three separate reports into one report from quarter four, 2013/14. This will reduce any duplication and provide a more concise and structured overview for Members. Corporate risk register 7. The Authority s corporate risks are set out in Appendix 1 to this report. Corporate risks are those which officers have identified could have a serious impact on how the Authority operates. These corporate risks were last reported to the Committee in November 2013 (FEP217) as part of the monitoring report for quarter two, 2013/ Over the past quarter, a new risk has been identified by the Director of Finance and Contractual Services that has since been incorporated into the corporate risk register. This new risk relates to the national Emergency Services Mobile Communications Programme (ESMCP). The ESMCP is a cross departmental programme currently sitting within the Home Office. Its purpose is to procure an Emergency Services Network (ESN) to replace the current Airwave communication system that is used by all the emergency services. 9. The new corporate risk (CRR15) has been defined as, The national programme to replace Airwave with the Emergency Services Network (ESN) by 2017 fails to deliver a solution for the provision of radio and data communications which is both affordable in the long term and which delivers the complete functionality required by LFB. 10. The main uncertainty with regards to the new risk relates to the affordability of the programme, the levels of coverage, resilience and availability that the ESN will have and the timeline in which Page 2 of 8

3 the programme is expected to deliver. Accordingly, the likelihood and impact scores for this risk have been established as likely (three) and significant (two) respectively. This means that the overall risk score is six, making this new risk an amber corporate risk. The corporate risk appetite 11. Risk appetite is the amount of risk, broadly, that an organisation is willing to accept in pursuit of its objectives. It reflects the organisation s history and risk management philosophy and, in turn, influences the organisation s culture and risk management style. The better able we are to manage our risks in accordance with our risk appetite, the more we can use this information (i.e. are we within our risk appetite or exceeding it?) to aid decision making. 12. Our approach to risk appetite and the resulting risk appetite statement was originally agreed by the Authority in June 2010 (FEP154) and the statement now forms part of the Authority s Annual Governance Statement. Overall, the Authority s risk appetite can be described as low to lowmedium. Risk appetite is formally applied at two levels within the organisation: the corporate level and the departmental level. The corporate level is reported quarterly as a matter of course to the Committee. The departmental level is reported on an exceptions only basis if there are any issues of significant concern which merit the attention of the Committee. 13. By taking the corporate risks and plotting them on the standard risk matrix (see Figure 1), it is possible to provide an overall picture of the corporate risk profile. By acknowledging that the Authority s risk appetite is low to low-medium, it is possible to represent this by drawing a line on the risk matrix. This becomes the standard risk threshold. Risks which then appear in the green area and amber risks which are unlikely (2x3) and/or significant (3x2) are then said to be within acceptable limits. 14. So that informed risk taking can take place, risks may still appear above the standard risk threshold line so long as the overall risk ratio does not exceed nine per cent of the risk threshold set. However, risks that are rated as very likely and catastrophic (4x4), very likely and major (4x3) or likely and catastrophic (3x4) will still be deemed to be outside acceptable limits, even if they are within the nine per cent ratio. These risks will be subject to extra scrutiny to check that the rating is correct, whether the activity can be pursued (in the case where a choice has been made to take a risk) and what immediate management action can be taken to bring the risk to within more acceptable limits. 15. The current corporate risk profile is shown in Figure 1. The large numbers inside the matrix show the number of corporate risks at that rating (e.g. there are 3 corporate risks with a likelihood rating of 2 (unlikely) and an impact rating of 3 (major)). The smaller numbers refer to the Corporate Risk Identifier (e.g. CRR1, CRR2): Page 3 of 8

4 Likelihood Figure 1 The summary corporate risk profile quarter /14 Very Likely 4 1 CRR13 Likely 3 CRR5, CRR7, CRR8, CRR10, CRR14,CRR15 Unlikely 2 3 CRR1, CRR2, CRR3, Very Unlikely 1 Minor 1 Significant 2 Major 3 Catastrophic 4 Impact 1. At the moment, the overall position of the corporate risks shows that the organisation remains at an amber status with 10 per cent of risks over the standard risk threshold line. 17. The one risk which remains above the line is CRR13 A breakdown in industrial relations affects our ability to deliver the service. This risk remains at a high red rating in spite of control measures such as the industrial relations framework, owing, in part, to the current environment whereby unions are more likely to take industrial action over a range of matters which are; (a) part of the Authority s current change management initiatives; and, (b) over matters which are outside of the Authority s direct control (i.e. pension change proposals). The status of this risk has been confirmed by the recent audit conducted by our external risk auditors. 18. The impact of this risk is that the Authority is just exceeding the green status in risk appetite terms and management focus remains on CRR13 to improve the status of this risk. However, officers are satisfied that, overall, the organisation is operating within acceptable limits. 19. Members will recall from the previous report to the Committee that there is currently a national dispute between the Fire Brigades Union (FBU) and the Government over the Government s proposed pension reforms. Since the last report to the Committee, the FBU have held a further eight strikes, with the most recent of these taking place on the 3 January As with the strike that took place on the 25 September 2013, the Authority implemented its contingency arrangements for the duration of the strike periods and deployed its Emergency Fire Crew Capability (EFCC) in order to provide a contingency level of operational service across London. Page 4 of 8

5 20. Throughout the recent strike periods these arrangements continued to demonstrate their effectiveness, and also provided the Authority with assurance that the controls that are in place to mitigate the impacts associated with this risk are appropriate. 21. Further detail on industrial action and the recent strike periods has been provided in the business continuity management update report for quarter three, which is also on the agenda for today s Committee meeting. Risk audit programme/transfer to MOPAC 22. In order to validate the risk information identified and contained within the Authority s risk management system, a risk audit programme has been carried out each year. The last risk audit programme focussed on selected corporate risks. The background to how the programme was compiled has been provided in previous reports to the Committee. 23. Members will recall from the previous Committee report that the programme has now concluded, and that responsibility for auditing the effectiveness of the organisation s risk management arrangements has now transferred to the Mayor s Office for Policing and Crime(MOPAC) under the shared service arrangement. The MOPAC audit programme provides continuity in terms of risk auditing with thematic audits (e.g. protective security, attendance management, etc.) considering risks in the round. The MOPAC programme also includes a review of the Authority s risk management process during 2013/ The outcomes of MOPAC audits are already reported to the Committee so Members will continue to have sight of recommendations and actions arising as a result of the risk based audit approach. The latest MOPAC progress report is also on the agenda for today s Committee meeting. 25. As noted in the previous risk audit and assurance report (FEP217), outstanding recommendations relating to the industrial relations risk (CRR13), which was the last corporate risk audited under the old risk audit programme, are now reported to Committee in the MOPAC report. Risk performance indicators 2. Risk performance indicators are designed to give a visual representation of the information which provides the background to this report. The current indicators are attached at Appendix 2 to this report and display the content of the Authority s risk management system in terms of the number and status of the corporate and departmental risks. This content is summarised on a rolling quarterly basis over the previous 12 months. Head of Legal and Democratic Services comments 27. The Head of Legal and Democratic Services has reviewed this report and has no comments. Director of Finance and Contractual Services comments 28. This report includes a new risk (CRR15) against the national programme to replace Airwave with the Emergency Services Network by A risk against this programme was also included in the Budget Update Report (FEP2194) and this is set out below: 29. DCLG will replace the existing Airwave contracts, which expire between 201 and 2020 as part of the Emergency Services Mobile Communications Programme. There could be significant financial pressures to LFEPA under any new contract provision. The current contract is subsidised and DCLG have notified LFEPA that its share of this will be 827k in 2013/14. DCLG may be Page 5 of 8

6 unwilling to continue to subsidise any future system. In addition a project team may be required to deliver any new system into the Authority. Sustainable development implications 30. There are no sustainable development implications associated with this report. Staff side consultations undertaken 31. Staff side consultation was undertaken for the review of the industrial relations risk. Further consultation will take place to implement recommendations from the audit action plan as necessary. Equalities implications 32. Fairness, equality and diversity are promoted and supported by both the risk audit programme and overarching risk management framework in line with Authority policy. List of Appendices to this report: 1. Appendix 1 - Corporate risks; and 2. Appendix 2 - Risk performance indicators. LOCAL GOVERNMENT (ACCESS TO INFORMATION) ACT 1985 List of background documents 1. Risk Audit and Assurance Report 2013/14 Quarter 1 and 2 Updates FEP212, 217; 2. Risk Audit and Assurance Reports 2012/13 FEP1949, 2002, 2053 & 2108; 3. Risk Audit and Assurance Reports 2011/12 FEP1794, 1844, 1877; 4. Annual Governance Statement FEP2125; 5. Annual Governance Statement FEP154;. Statement on Internal Control Quarter 1 Update FEP1102; 7. Reconstitution of Committees, Standing Orders, Allowances and Related Matters FEP1913; and 8. Reconstitution of Committees 2007/8 FEP1037. Proper officer Contact officer Telephone Head of Strategy and Performance Daniel Ingram x30071 daniel.ingram@london-fire.gov.uk Page of 8

7 Corporate risks Appendix 1 The current corporate risks for the London Fire Brigade are as follows: Risk Code Risk Description Score CRR1 CRR2 A death or serious injury occurs as a result of our staff not operating a safe system of work Disconnect between top, middle and junior management leads to a lack of consistent leadership affecting our ability to manage and change behaviours CRR3 Failure or perceived failure to deliver the service CRR5 Ability to effect change is limited leading to poor / ineffective resource management CRR7 Failure of a significant contractual relationship impacts on the delivery of services CRR8 Failure to develop and maintain equity across the Brigade CRR10 The current economic climate requires strategic decisions that impact on the Brigade s ability to budget effectively CRR13 A breakdown in industrial relations affects our ability to deliver the service 12 CRR14 CRR15 A risk averse culture within the organisation lessens our ability to deliver efficient and effective services The national programme to replace Airwave with the Emergency Services Network (ESN) by 2017 fails to deliver a solution for the provision of radio and data communications which is both affordable in the long term and which delivers the complete functionality required by LFB Page 7 of 8

8 Number Percentage Number Risk performance indicators Appendix 2 Chart 1. RAG status of corporate risks 2013/14: This shows the number of corporate risks on the Corporate Risk Register and the status of the risks overall (red = high, amber = medium, green = low). The graph shows information over the past year on a rolling quarterly basis RAG Status of Corporate Risks Q4 (12/13) Q1 (13/14) Q2 Q3 Quarter Chart 2. RAG status of corporate current controls 2013/14: This shows the status by percentage of corporate controls currently managing the corporate risks. 100% 90% 80% 70% 0% 50% 40% 30% 20% 10% 0% 2. RAG Status of Corporate Current Controls Q4 (12/13) Q1 (13/14) Q2 Q3 Quarter Chart 3. RAG status of department risks (with current controls) 2013/14: This shows the number and status of departmental risks from the departmental risk registers once current controls have been applied RAG Status of Dept Risks (with Current Controls) Q4 (12/13) Q1 (13/14) Q2 Q3 Quarter Page 8 of 8