DERBYSHIRE COUNTY COUNCIL AUDIT COMMITTEE. 30 July Report of the Deputy Chief Executive and Head of Corporate Finance

Transcription

1 In preparing this report the relevance of the following factors has been considered: prevention of crime and disorder, equality of opportunity; and legal, financial, environmental, health, respect for human rights, personnel and property considerations. DERBYSHIRE COUNTY COUNCIL AUDIT COMMITTEE 30 July 2007 Report of the Deputy Chief Executive and Head of Corporate Finance RISK MANAGEMENT 1. Purpose of the Report To approve the updated Risk Management Policy Statement & Strategy and Corporate Risk Register. 2. Information and Analysis The Policy Statement and Strategy are reviewed periodically, and changes are made to reflect the continuing development and embedding of risk management across the authority. The changes reflect the following developments: The establishment of the Audit Committee which has specific responsibility for risk management within the Authority The role of the Chair of Audit Committee and the Deputy Chief Executive as Risk Champions in the Authority The significant role of Chief Officers and Chief Officer Group in promoting and monitoring risk management at a strategic and operational level The ways in which risk management is embedded in the culture, financial planning and workings of the Council. In particular the significant developments in managing the risks associated with major corporate projects and significant partnerships The updated corporate risk register reflects the latest exercise across all Departments. 1

2 Embedding Risk Management Since the last review, work has continued in developing risk management across major projects and partnerships. Events have included a risk workshop on Local Area Agreements resulting in the development of new risk register and further work is planned with partners to cover risk from a multi-agency perspective. A Risk adjustment workshop has also been held as part of the evaluation of the Waste Management Project to determine a risk adjusted price in relation to the participants submissions. Chief Officers are aware that risk considerations should be included in Cabinet and CABCO reports in respect of strategic policy decisions and project initiation documents. 3. OFFICERS RECOMMENDATION That the updated Risk Management Policy Statement and Strategy, and Corporate Risk Register, be approved. GERALD TOMMY Deputy Chief Executive GRAHAM HUNT Head of Corporate Finance 2

3 Derbyshire County Council Risk Management Policy Statement The Authority adopts a proactive approach to Risk Management consistent with the principles of Best Value and Comprehensive Performance Assessment. The Council is committed to the effective management of risk in order to:- Safeguard its employees, service users, members, pupils, tenants and all other persons to whom the Council has a duty of care Ensure compliance with statutory obligations Preserve and enhance service delivery Protect its physical assets and resources Maintain effective control of public funds Promote the image and reputation of the Council Support the quality of the environment It is the responsibility of all members, employees and partners to be aware of risk in carrying out their duties, recognising that such risk, if uncontrolled, can result in a drain on resources that could be better directed to service provision and achieving the Council s objectives. The Risk Management strategy sets out the framework that the Council has established. The Policy has the full support of the Council Members and Chief Executive, who are committed to embedding a culture of risk management awareness throughout the County Council. July

4 RISK MANAGEMENT STRATEGY CONTENTS 1. Introduction 2. Objectives 3.0 Framework 3.1 Corporate, Strategic and Cross Cutting Risks 3.2 Departmental Risks 3.3 Project and Partnership Risks 3.4 Monitoring 3.5 Embedding 4.0 Roles, Responsibilities and Resources 4.1 Chair of Audit Committee 4.2 Elected Members Council, Cabinet, Audit and Scrutiny Committees 4.3 Chief Executive 4.4 Deputy Chief Executive 4.5 Head of Corporate Finance 4.6 Chief Officers and Chief Officer Group 4.7 Operational Managers 4.8 All employees, contractors and partners 4.9 Risk Manager 4.10 Risk Management Group 4.11 Strategic Risk Review Team 4.12 Project/Partnership Boards 4.13 Internal Audit 5.0 Funding Appendix A: References and further reading Appendix B: Strategic and Operational Risks 4

5 1.0 INTRODUCTION What is Risk Management? Risk Management is the practice of identifying, analysing and controlling in the most effective manner all threats to the achievement of the strategies, objectives and operational activities of an organisation. It is recognised that a certain level of risk is necessary if the Council is to move forward. A structured and systematic approach to risk will enable it to be accepted within the context of sound financial management and encourage innovation. The Risk Management Process The Organisation's Strategic Objectives Risk Assessment Risk Analysis Risk Identification Risk Description Risk Estimation Risk Evaluation Risk Reporting Threats and Opportunities Internal and External Audit Decision Risk Treatment Residual Risk Reporting Monitoring AIRMIC, ALARM, IRM: 2002 (A Risk Management Toolkit has been developed to guide managers through the risk management process Available on DNet) 5

6 The Council recognises that all aspects of business risk must be effectively managed. As part of the Council s Corporate Governance arrangements, risk management provides for a planned and systematic approach to the identification and quantification of risks and the appraisal of options for managing and controlling such risks. The Risk Management Policy Statement and Strategy document aim to provide a framework within which these risks can be managed. Effective Risk Management will help to ensure that the Council achieves its corporate aims and objectives by effectively managing the risks inherent in implementing the Council s strategies; delivering services; ensuring best use of resources; and continuity of service. 2.0 OBJECTIVES The objectives of the risk management strategy are to; Embed risk management into the culture of the Council. Improve Strategic and Operational Management Improve the quality and reliability of services, leading to more satisfied citizens and fewer complaints Manage risk in accordance with best practice. Anticipate and respond to changing social, environmental, legislative, political, economic, technological, competitive and citizen requirements. Manage change effectively Encourage innovation Prevent injury, damage and losses, reducing the cost of risk Prevent disruption to services Protect the council s reputation Raise awareness of the need for risk management These objectives will be achieved by; Ownership of risk by members, departments, individuals and partners Establishing clear roles and responsibilities and reporting lines within the Council Providing relevant training on risk management to Members and employees, of the authority, that supports the development of wider management competencies Use of the risk management toolkit by managers Seeking best practice through inter-authority groups and other professional bodies like Association of Local Authority Risk Managers (ALARM). Disseminating published risk management information to members and employees as appropriate Incorporating risk management into strategic and local partnership working, corporate, service and business planning Integrating into budget process Maintaining the risk management framework to ensure cyclical process 6

7 Continuing to monitor arrangements on an ongoing basis Producing reports to Members on risk management activities. 3.0 FRAMEWORK 3.1 Corporate, Strategic and Cross-cutting risks Strategic and operational risks are set out diagrammatically in Appendix B. An exercise will be undertaken at least annually, co-ordinated by the strategic review team (see 4.10) following the Council s scoring methodology. The aim will be to identify the key risks and critical success factors, from the departmental risk registers. These will be detailed in the strategic risk register, which should detail the key risks. This exercise will provide members and chief officers with a central record of Corporate Risks, to ensure financial and political consideration is given to risks in the service planning and budget process and the long term financial plan. 3.2 Departmental Risks Departments will undertake a risk profiling exercise at least annually, as part of service planning and use risk assessment matrices to assess probability and consequences to; Review Corporate Risks in context of their service Identify Service Specific Risks Identify New and Emerging Risks Rank all their risks in context of delivery of service Prioritise risks for management action. Monitor previous mitigation strategies. Identify Risk Mitigation Strategies Assign Responsibilities Set Time-scales Evaluate Budget Implications Factor into budget process Factor Risk Management implications into Service Plans Feedback progress to the Strategic Risk Review team for inclusion in Corporate Risk Register 3.3 Project and Partnership Risks Risk registers for all major project and significant partnership risks will be developed and up-dated at planning, development and implementation stages. Departments will also consider the risk implications relating to other projects and partnerships and include them in departmental registers, as appropriate. The Risk Management Toolkit (part of the corporate Project Appraisal Toolkit) and the Partnership Toolkit are available to assist managers in undertaking these appraisals. 7

8 3.4 Monitoring Progress of actions in the risk registers will be monitored by the strategic risk review team and reported to the Risk Management Group, Chief Officers and Members annually. 3.5 Embedding Risk management will be embedded into the culture of the Council by: Risk Management section on Dnet which is accessible to members and employees Articles in workforce and payslip enclosures to raise awareness of risk management and the role of all employees. Chief Officers include risk management as a regular item on Departmental Management Team agendas, to ensure the risk registers are kept up to date and allow discussions on any changes in the risk profile. A risk awareness toolkit for Members that can be accessed by DNet Awareness and training sessions for members and employees. Chief Officers including risk considerations in Cabinet and CABCO reports in respect of strategic policy decisions and project initiation documents. 4.0 Roles, Responsibilities and Resources 4.1 Chair of Audit Committee Member Risk Champion for risk management taking responsibility with the Deputy Chief Executive for embedding risk management throughout the Council 4.2 Elected Members - Council, Cabinet, Audit and Scrutiny Committees Approve the risk management strategy, framework and process Help to identify strategic, corporate and cross-cutting risks Consider the risks included in the corporate risk register and be aware of how they are being managed Consider risk management priorities as part of the budget process Monitor progress on managing all risks included in the corporate risk register Receive reports on risk management activity Approve expenditure on risk management projects as required by financial regulations Agree the levels of risk the authority is willing to accept in the context of sound financial management, whilst recognising that a certain level of risk is necessary to encourage innovation 8

9 4.3 Chief Executive To take a lead in ensuring that risk management is embedded in the culture and management of the authority. 4.4 Deputy Chief Executive Officer Risk Champion for risk management taking responsibility with the Chair of Audit Committee for embedding risk management throughout the Council To review key reports to Cabinet to ensure that risk management considerations are included 4.5 Head of Corporate Finance To chair the risk management group Be part of the Strategic Review Team (see 4.10) 4.6 Chief Officers and Chief Officer Group Provide a strategic overview of the risk management arrangements Recommend to members a corporate risk management strategy, framework and process Identify and quantify the risks that may impact adversely on the delivery of corporate and service objectives Consider departmental risks in service delivery planning and agree risks to form the corporate risk register Agree risk mitigation actions for all risks to which the department is exposed, with defined time scales and responsibilities. Maintain and update corporate and departmental risk registers Monitor progress on managing risks and linkages to performance management Ensure that risk management considerations are included in all service/business plans Ensure that risk management considerations are included in all Cabinet and CABCO reports in respect of strategic policy decisions and project initiation documents Identify new and emerging risks Embed risk management within their operations and awareness amongst employees, assisted by the risk manager Receive reports on risk management activity 4.7 Operational Managers Manage risk in the context of their service delivery Implement the approved programme of risk mitigation Use the risk management toolkit as appropriate Receive training in risk management 9

10 4.8 All employees, contractors and partners Promote the council s risk management strategy and ensure that it is implemented at all levels of the Authority Work with Chief Officers and the council s Risk and Insurance Manager to; Maintain risk awareness in carrying out their duties and raise issues with managers/supervisors Contribute to the risk management process To manage risk effectively in their job Identify and share best practice 4.9 Risk Manager o Identify the principal risks facing the authority and agree a corporate risk ranking o Identify existing risk mitigation strategies o Formulate and agree future mitigation strategies, define time-scales and identify officers responsible for implementation of strategies o To review progress at agreed intervals and report to chief officers and members as required o Maintain and update the corporate risk register Facilitate the development of risk registers for major corporate projects and significant partnerships and ensure that they are reviewed and up-dated at the planning, development and implementation stages of the project/partnership. Be part of the Strategic review Team (see 4.10) To co-ordinate the work of the Risk Management Group Identify best risk management practice through contact with other risk management professionals and membership of external bodies, such as the Association of Local Authority Risk Managers. To share experiences and good practice on risk across the council Identify new and emerging risks Produce good practice risk management guidelines and advice for members and officers of the authority Support the delivery of training programmes 4.10 Risk Management Group The group is chaired by the Head of Corporate Finance and comprises of representatives from all departments, together with the Risk Manager and officers from Derbyshire Constabulary and Derbyshire Fire and Rescue. The group meets as required to deal with council wide issues and formulate draft corporate policies and procedures. Members of the group will be consulted on proposals for significant expenditure. 10

11 4.11 Strategic Risk Review Team (Head of Corporate Finance, Risk and Insurance Manager, and Risk Manager) Review the Risk Management policy and strategy at least annually to reflect best practice and initiate improvements Meet at least annually with departments to review risk registers Collate the changes to the departmental registers and ensure that the corporate risk register is amended to reflect these changes Report the outcomes to Chief Officer Group and Members 4.12 Project/Partnership Boards Receive reports on risk management activity Review and monitor the risks identified on the relevant project/partnership risk registers, ensuring that suitable controls are in place and working, or that plans are being drawn up to bring in further controls. Ensuring the active management of key stakeholders in the management of risk where appropriate Internal Audit Prepare Strategic and Operational Audit Plans taking account of those risks identified in Corporate/Departmental Risk Registers together with underlying financial, operational and reputational risks resulting from the Authority's activities Monitor changing risk profiles based on audit work undertaken, adapt future audit work to reflect these changes and inform Chief Officers and the Risk 5.0 Funding and Insurance Manager accordingly Evaluate compliance with the corporate risk management strategy Review the Authority's risk management arrangements and associated systems The Corporate Risk Register will inform the annual budget setting process and long term financial plan. The Council will determine annually the budget to support risk management capital and revenue expenditure. Requests from departments and establishments, for financial support for risk management measures will be considered in accordance with the risk ranking mechanisms determined by the members (see 4.1). Departments and establishments will be expected to evidence their commitment to the measures they are proposing through contributions from their capital and/or revenue budgets. 11

12 References and further reading Accounts Commission for Scotland (1999), Shorten the odds: A guide to understanding and managing risk, Association of Local Authority Risk Managers (ALARM) and SOLACE. Chance or Choice Association of Local Authority Risk Managers (Feb 2001) Risk Management: A key to success Audit Commission (2001) Worth the risk: improving management in local government CIPFA & SOLACE - Corporate Governance in Local Government: A Keystone for Community Governance Framework Institute of Chartered Accountants (Sept 1999) Implementing Turnbull: A Boardroom Briefing HM Treasury - Management of Risk: A Strategic Overview Institute of Chartered Accountants (Sept 1999) Internal Control: Guidance for Directors on the Combined Code Report of the Chief Executive (13 Feb 2002) Corporate Governance: Risk Assessment (Strategic Policy & Budget Websites The Accounts Commission for Scotland The Association of Local Authority Risk Managers 12

13 Terms used to categorise business risk in Local Government Business Risks Strategic Risks Competitive Customer / Citizen Economic Environmental Legislative Political Social Technological Service Delivery Cost - Best Value Quality - Best Value Needs Expectations Budgetary Insurance Large Scale Investment Energy Efficiency Pollution Recycling Landfill Emmissions Weather Conditions Appliance Or Non Appliance Of National Or European Law Delivery Of Local Policy Or Central Government Policy Loss Of Reputation Change In Demography Or Residential Change Or Socio- Economic Trend Council Wide Technological Change Internal Wide Technological Failure Operational Risks Policies, Aims,Strategies Contractual Environmental Financial Breach Of Contract (Cost) Breach Of Contract (Specification) Breach Of Contract (Delivery) Noise Pollution Service Operation Local Pollution Energy Efficiency Resource Wastage Weather Conditions Pure Risk- Cash Speculative / Investment Risk Human Resource Qualifications Training Availability Funding Legal Physical Professional Technological Breach Of Statutory Duty Breach Of Discretionary Duty Accident Prevention Fire Health & Safety Motor/Plant/ Equipment Security Housing Financial Social Environmental Legal Loss Of Reputation Failure Of Local I.T. APPENDIX A

14 Derbyshire County Council Corporate Risk Register - July 2007 Brief outline of highest ranking risks. Risks are scored on a scale from 1 to 25 The following risks all scored at least 12. Old Score (1-25) New Score (1-25) Risk Mitigation Risk Description Portfolio Impact (1-5) Impact (1-5) Score (1-25) Impact (1-5) Probability (1-5) Score (1-25) Comments from previous review Updated Comments/Progress 1 Single Status - Implementation Strategic Policy issues - costs, equal pay claim risks, rate of progress Equal pay claims substantially resolved. Job evaluation process continuing. Prima facie equal pay claims substantially resolved. There are approximately 40 EP grievances registered. Procedure agreed to consider these. 2 Failure to meet statutory waste management targets Major Budgetary Implications over the longer term Strategic Policy & Sustainable Communities Project Risk Register has been updated. ISOS process complete, with three companies short listed as preferred bidders to start the ISDS. Currently producing Output Specification, Inter-authority Agreement, Payment Mechanism. Communications strategy being developed Job evaluation process continuing. Change to Hay scheme reported to Cabinet on 5th June Job evaluation implementation not on target with significant risk of not implementing by April Project Risk Register has been updated. The three companies short listed have submitted five proposals that are currently being evaluated at ISDS stage. Risk adjustment workshop undertaken on 4th July, to arrive at risk adjusted contract price. Communications strategy has been drafted. With the refusal of planning permission for the development of an in vessel composting facility at Grassmoor risks are regarded as increasing. Vigorous site identification search has been undertaken and preferred sites are currently being assessed. A LATS strategy is also being developed.

15 3 Maintaining CPA Excellent Status (Potential loss of freedoms e.g. grant flexibility) Strategic Policy 4 Continuity of partnership/outsourcing Strategic Policy arrangements Piloting local area working arrangements in 6 areas, report to Cabinet Sept 06 to roll out to remaining 3 areas. Peer review by external agencies October January 2007 Stakeholder survey has just been undertaken Work on rolling out partnership protocol and toolkit progressing, including review of critical partnerships. Peer review carried out January 2007 Initial Set Up meeting with CA and JAR Assessors taken place Corporate Self Assessment submitted to Audit Commission. Analysis week to take place in early July 2007 with full Corporate and JAR Assessment to take place the first two weeks in September 2007 Work progressing on the development of an electronic database to store information on all partnerships involving the Council. Implementation of protocols and plan. Further embedding of key processes. 5 Local Area Agreement Strategic Policy Report to Audit Committee on progress - October Monitoring of targets due shortly. LAA Risk Workshop undertaken on the 16th April 2007, with development of a risk register. Further risk workshops proposed with LAA boards. Authority one of 17 areas chosen to participate in new LAA Feasibility Testing. This will provide an opportunity to influence and shape the development of new LAAs which will be introduced from Summer 2008 onwards

16 6 Failure to deliver BSF Programme Including Gap in BSF funding from only 50% new build allowed and some under funding on construction costs Children s Service and School Planning and Support Following negotiations with the DfES confirmation has been received from the Minister of State that the Authority's first BSF will be expanded to include an additional 6 schools. 17th October 2006 Cabinet meeting Schools and programme risk registers in place and regularly being reviewed. Positive Gateway Review in March Strategy for Change approved May OBC submitted May approved by Partnership for Schools, awaiting approval approved the additional 6 schools and the from Project Review Group (due 18th July establishment of a Local Education Partnership (LEP). Updated Risk Register being taken to Project Board. Outline Business Case is due to be submitted in Feb ). Successful Bidders Day on the 8th June 2007, with lots of interest from the market. OJEU Contract Notice to be published 30th July Following Competitive Dialogue procurement process. 8 Funding Availability & Budget Overspends Economic downturn Service pressures Impact of Demographic Changes including schools Demand for social care services. Escalating cost of service provision. All Portfolios Continue & monitor existing strategies. Cross council efficiency drive launched to achieve cashable savings in 2008/9 and beyond (Cabinet report 17th April 2007), supported by Invest to Save Budget approved by Cabinet 30th January 2007 There are several key outcomes and risks, as set out in the Forward Financial Plan: Autumn announcement on future local authority spending totals (CSR07), Government requirements on the level of efficiency savings, Level of recognition within CSR07 of rising social care costs, Inflation levels and the impact on pay awards, risk for economic growth if interest rates raised too far

17 9 Business Continuity Planning Strategic Policy 10 IT System failure Dependence on ICT for service delivery 11 ICT replacement programme Continued obsolescence Failure to Deliver Strategy Strategic Policy Strategic Policy and Budge t 12 Asbestos Strategic Policy Pandemic Flu training with departments has been carried out - subset of BCP. Annual review due in Nov 2006, with report to Cabinet Testing BCP in early 2007 Develop and strengthen BCP work, increasing awareness, providing training and testing the plan. Annual review completed in Nov 2006 with all departmental teams trained. BCP tested in early 2007 using Flu pandemic exercise. Further work agreed on Social Care Departmental plans ICT Strategy Approved by Cabinet. Still a concern in particular areas, resilience proposals need to be discussed with relevant departments and head of ICT. Corporate ICT have Cabinet approval for additional investment in resilience Cabinet approved project in Sept 06. Recruitment of Core Systems Project team underway Appointment of a permanent project team. Establishment of a Shared Services Centre (HR) located at John Hadfield House (Cabinet approval 17 April 2007). Commencement of the ( Part 2 ) review of the strategic, policy and advisory aspects of the HR & payroll functions (Cabinet approval 17 April 2007) Commencement of the procurement of replacement HR, payroll and core financials systems with an initial focus on the appointment of client-side support No change Currently following new HSE guidelines on dealing with Asbestos in CLASP buildings. Formulating policies and procedures to meet the new requirements. 13 Corporate Manslaughter Legislation Strategic Policy No change Env Services Training Sessions Completed November Serious incident response protocol agreed by Chief Officer Group 16th April 2007 and being adapted by departments

18 14 Quantity of organisation change to be delivered - children's trust, restructuring, IAG, integrated childrens systems, Mental Health and Learning Disability re-alignment Children s Service and School Planning and Support Services for Older People and Vulnerable Adults Structures in place, need to establish relationships with new PCT. Revised Older Adults Senior Management Structure and Title approved by Cabinet 19th June Derbyshire Learning Disability Services Partnership Business Plan and Future Arrangements for the management and delivery of services in Derbyshire and Derby - Cabinet Approval 19th June Failure of street lighting column (c/w and f/w) leading to collapse 16 Education White & Green Paper Requirement for Local Authorities to be commissioners rather than the providers of services to schools, with potential lack of influence on schools as no new community schools are created Sustainable Communities Strategic Policy Children s Service and School Planning and Support No change Inspection and testing surveys completed 30th May 2007, currently developing recommended strategy to address findings. Already replaced approximately 200 columns and approval for a further Cabinet report 5th July No change (Also need to include the Schools Green Paper) 17 Energy costs and maintaining supplies (interruptible supplies - though industrial first) Strategic Policy Implementation of Energy Policy Member of Carbon Trust and grant of 200k awarded Cabinet report 5th June Responding to the Climate Change Bill. Cabinet report 19th June Derbyshire Climate Change Strategy - Scoping Framework

19 Remove 7 Change Management Programme - Lack of back office integration and redesign of processes Strategic Policy Departments (who own SRD projects) encouraged to increase pace to ensure milestones are set and achieved. Strong corporate leadership associated with the efficiency drive recently launched focussing on streamlining processes and reducing the cost of service delivery