Risk Management Strategy and Guidelines



Similar documents
Operational Risk Management in a Debt Management Office

Bridgend County Borough Council. Corporate Risk Management Policy

Risk Management Policy

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Risk Methodology. Contents. Introduction The Risk Management Structure The Risk Management Cycle Methodology...

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

RISK MANAGEMENT STRATEGY

Risk Management Within an Organisation

A Risk Management Standard

Risk Management Policy Adopted by:

MARCH Strategic Risk Policy Update March 2012 v1.10.doc

PROCESS FOR RISK ASSESSMENT

Project Risk Analysis toolkit

RISK AND OPPORTUNITY MANAGEMENT STRATEGY

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

University of Windsor Board of Governors. That the Board of Governors approve of the Enterprise Risk Management Framework.

Internal Audit Strategic and Annual Plans 2015/16

POLICY : CORPORATE RISK MANAGEMENT

Risk Management guide

Following up recommendations/management actions

Operational Risk Management Program Version 1.0 October 2013

RISK MANAGEMENT STRATEGY

Risk Management Framework

Operational Risk Publication Date: May Operational Risk... 3

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

CONTROLLED DOCUMENT. Number: Version Number: 4. On: 25 July 2013 Review Date: June 2016 Distribution: Essential Reading for: Information for:

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

Bedford Group of Drainage Boards

Federal Bureau of Investigation s Integrity and Compliance Program

ERM Program. Enterprise Risk Management Guideline

Northern Ireland Blood Transfusion Service

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

Integration of Risk Management and Internal Audit. Chartered Institute of Management Accountants, New Zealand

Compliance Management Framework. Managing Compliance at the University

The Risk Management strategy sets out the framework that the Council has established.

The Lowitja Institute Risk Management Plan

Council Meeting Agenda 27/07/15

Sound Practices for the Management of Operational Risk

CORP RISK MANAGEMENT POLICY & METHODOLOGY

Hazard Identification, Risk Assessment and Management Procedure. Documentation Control

RISK MANAGEMENT. Authors: Phil McNaull / Lorraine Loy Approved By: PME and Court Date: December 2008 Version: 4.0 1

Business Continuity Policy

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

Risk Management Framework

V1.0 - Eurojuris ISO 9001:2008 Certified

Risk Management Policy

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

Royal Borough of Kensington and Chelsea. Data Quality Framework. ACE: A Framework for better quality data and performance information

1.20 Appendix A Generic Risk Management Process and Tasks

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

Risk Management Policy and Process Guide

Project Risk Management

Risk Management Policy

Subject ST9 Enterprise Risk Management Syllabus

ISMS Implementation Guide

Revised Risk Management Policy and Framework. Report by Head of Finance

Checklist for Operational Risk Management

b) The management plans and policies which the Authority requires the Provider to develop maintain and use to manage the operation of this Contract;

Policy : Enterprise Risk Management Policy

Risk Management Primer

Group Risk Management Policy

Frequently Asked Questions in Identifying and Assessing Prospective Risks

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Risk Management Framework

WFP ENTERPRISE RISK MANAGEMENT POLICY

LEVEL 5. Advanced Diploma in Purchasing and Supply. Senior Assessor s Report. July Risk Management and Supply Chain Vulnerability L5-02

Negative Risk. Risk Can Be Positive. The Importance of Project Risk Management

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT STRATEGY

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

OAKPARK SECURITY SYSTEMS LIMITED. Health & Safety Policy. Requests or suggestions for amendment to this procedure

Operational Risk Management Policy

Audit Committee, 28 November. HCPC Project Risk Management. Executive summary and recommendations. Introduction

Risk Management. Group Standard

How to gather and evaluate information

PROJECT RISK MANAGEMENT

RISK MANAGEMENT POLICY AND PROCEDURES

Risk Management Statement, Strategy and Policy. Index. Risk Management Statement page 2. Risk Management Strategy page 2

Complaints Policy. Controlled Document Number: Version Number: 6 Controlled Document Sponsor: Controlled Document Lead: Approved By:

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Risk Management & Business Continuity Manual

How To Ensure That Sovini Is A Successful Business

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014

Enterprise-Wide Risk Assessment

Business Continuity (Policy & Procedure)

Capital Market Services UK Limited Pillar 3 Disclosure

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

STRESS TESTING GUIDELINE

How To Manage Risk In Ancient Health Trust

Transcription:

Swale Borough Council Risk Management Strategy and Guidelines Status: Final Originating Date: January 2008 Date Ratified: February 2008 (Audit Committee) Next Review Date: January 2009 Accountable Member: Accountable Director: Author: Leader Chief Executive Head of Audit Page 1 of 7

SWALE BOROUGH COUNCIL RISK MANAGEMENT STRATEGY AND GUIDELINES 1. POLICY 1.1 Swale Borough Council will actively manage risk to contribute to meeting its objectives and statutory obligations. All staff and members have a responsibility to identify and take action to manage risks. 2. DEFINITIONS Risk is an event or uncertainty that may enhance (ie opportunity) or impede our ability to achieve objectives effectively. An Internal Control is a means of reducing a risk rather than living with it or transferring it to a third party. The whole system of risk management can be considered a system of internal control. Inherent risk is risk in the absence of any management actions to control it. Residual risk is the risk that remains after management responds to a risk. Strategic risks are those that need to be taken into account in decisions about medium to long-term key business objectives. Operational risks are those that managers and staff will encounter in the daily course of their work. Risk management is the management of integrated or holistic business risk in a manner consistent with the virtues of best value, economy, efficiency and effectiveness. In essence it is about making the most of opportunities (making effective and consistent decisions) and about achieving objectives once those decisions are made. This is achieved through: controlling risk (to avoid, eliminate or reduce) transferring risk living with risk 3. STRATEGIC RISK MANAGEMENT ACTIVITY 3.1 With regard to the Corporate Plan priorities a strategic risk assessment is formulated which is periodically reviewed and refreshed by the Performance Board (consisting of Executive members and senior officers). Actions relating to strategic risks and emerging strategic issues are monitored at monthly meetings of the Performance Board. Page 2 of 7

4. CORPORATE GOVERNANCE AND OPERATIONAL RISK REGISTER 4.1 There is a regulatory requirement for the Council to conduct a review of the effectiveness of its system of internal control and to publish an Annual Governance Statement with it s annual accounts. To support this process, Heads of Service must ensure that completed operational risk logs and associated management action plans exist for all services under their control and produce an annual assurance statement for their services by 30 April each year. 4.2 Those assigned the responsibility for producing and maintaining operational risk logs in consultation with their teams need to identify and assess risks and opportunities (upside risks) associated with their service using the prescribed risk log template and to formulate action plans to address any significant issues arising. The completed risk logs should then be presented to the Head of Service and Head of Audit. Thereafter managers will be required to review risk logs to update progress in action plans and consider emerging risks and issues. 4.3 When producing service plan updates to Management Team, Heads of Service will refer to operational risk logs to identify significant current (and emerging) performance and risk issues (upside and downside) and propose actions to address them thus linking operational with strategic risk and performance management activity. 4.4 To assist managers the following examples are attached a) Operational Risk Template b) Risk Aide Memoir c) Risk Management Process Chart Further advice can be sought from the Head of Internal Audit. If required/ desired workshops with teams can be arranged. 5. THE RISK MANAGEMENT PROCESS 5.1 The risk management process consists of the following stages : - 1. Identifying risks / potential opportunities 2. Evaluating risks 3. Controlling risks 4. Monitoring and review The risk management process should be recorded in the form of a risk log (see example attached as appendix a) Identifying risk/ potential opportunities 5.2 The service to be risk assessed needs to be clearly defined together with associated customer focussed objectives and targets linked to Corporate Plan priorities in order to consider potential events that could enhance or impede their achievement or incur financial, physical or reputational loss. Page 3 of 7

5.3 Brainstorming and SWOT (strengths, weaknesses, opportunities and threats) analysis either individually or as team are useful methods for initially identifying key risks associated with specific services. 5.4 To ensure a clear understanding of each risk it is useful to define each risk in 3 elements namely :- Contributing factors (vulnerability), Event (Trigger) Potential consequences/ effect For example a wet and slippery poolside floor (contributing factor) causing a customer to fall (event) and injure themselves, leading to litigation and bad publicity (consequences). a complicated application form (contributing factor) causing an applicant to make errors or omissions (event) leading to over or under claim of entitlement/ financial loss and/or re-work (consequences). Evaluating Risks 5.5 Once identified and clearly defined each inherent risk should then be assessed (scored) in terms of it s likelihood of occurrence (probability) and it s potential impact on the organisation if it occurs (importance/ consequences) in accordance with the following matrix and scoring definitions. L I K E L I H O O D 6 5 4 3 2 1 1 2 3 4 IMPACT Page 4 of 7

Table 1 :- Scoring Definitions Likelihood Impact Description guide 6 Very High > 70% 4 Catastrophic Cost greater than 100k or service is suspended, major reputational damage 5 High 50 70% 3 Critical Cost 50k up to 100k or service provision/ quality is severely reduced, significant reputational damage 4 Significant 30 50% 2 Medium Cost 10 to 50k or service quality/ provision reduced and/ or some objectives not met, minor reputational damage 3 Low 15 30% 1 Negligible Cost up to 10k, or minimal impact on service provision, marginal or no reputational damage 2 Very low 5 15% 1 minimal < 5% The overall risk score for each risk is determined by multiplying the likelihood score by the impact score. A score of 12 or more will be deemed as a high risk, which needs to be managed down. A score of 4 to 11 will be deemed as medium risk, which officers should seek to influence downward and monitor. A score of less than 4 will be deemed as low risk with which officers are expected to live with and monitor. Controlling Risks 5.6 Expected and actual measures to reduce each medium to high inherent risk should be identified and recorded. Examples of controls may be:- Specific actions Written guidelines/ framework/ plan Supervisory checks Validation/ verification checks Experienced/ qualified staff Clear lines of responsibility and accountability Physical controls (eg security/ access) Segregation of duties Management/ exception reporting 5.7 By analysing expected and actual measures in place, gaps and issues may arise which require consideration of further action. The residual risk once existing controls are taken into account should then be scored to assess the current risk. A target score should also be set which the resultant further actions seek to achieve. Decisions upon further action required will depend on cost/ benefit and risk appetite. The risk action plan should be specific, time bound and assigned to the risk owner. Page 5 of 7

Monitoring, review and risk escalation 5.8 Progress towards Key actions relating to high risks should be continuously monitored and reported by Heads of Service at monthly one to one meetings with their Director. Risk logs should be reviewed quarterly to assess:- Progress on risk management actions Whether risk scenarios/ profiles have changed New risks Whether risk scores have changed The adequacy of controls in view of the above Major new risks, issues or changes that could significantly impact on strategic risks, key performance targets and/ or corporate plan priorities should be escalated to the Corporate Management Team and the Performance Board via monthly reporting. 7. MAJOR PROJECTS AND NEW INITIATIVES/ PROPOSALS 7.1 Managers need to adequately consider and manage risks and opportunities associated with the projects they manage. Internal Audit will upon request, provide advice on risk and internal controls and facilitate the risk assessment process for major projects. When reporting new initiatives and proposals due consideration to risk should be explicitly included in Committee reports. 8. ROLES AND RESPONSIBILITIES 8.1 Roles and responsibilities relating to risk management are set out in the table below Table 2 Responsibility Roles Executive and member champion Approve Risk Management Strategy Promote engagement in risk management at member and officer level Seek and discuss risk assessment where appropriate (eg key decisions) in committee agenda reports Audit Committee Approve Risk Management Strategy Consider risk when approve annual audit plan Performance Board Bi monthly review strategic risk log Monthly review of outstanding strategic risk management actions within corporate improvement plan Consider significant operational risks that could impact on achievement of corporate plan priorities Page 6 of 7

Table 2 cont d Responsibility Directors/ Management Team Roles Review of risk management presented in service plans and monthly reports Escalation of risk issues to Performance Board where appropriate Consider strategic risk Head of Audit Co-ordinate risk management activity Provide advice and training on risk Incorporate risk management review within operational audits Heads of Service Review risk logs maintained by managers/ risk owners within service Maintain own operational risk logs pertinent to key corporate plan objectives within service remit Escalate risk issues where appropriate to Director/ Management Team Team leader/ risk owner Manage operational risks Compile and maintain operational risk logs and associated risk management action plans to mitigate/ reduce risk Periodically go through risk logs with staff Review and report risk issues to line manager All Staff Consider and manage risk associated with their risks and report concerns to manager Risk Management Group Meet twice yearly Consider and disseminate good practice 9. Current Developments 9.1 The Council is in the process of implementing a new performance management system (Covalent). The system will also be used directly to record and report performance information, action plans and all of the council risk management information. In due course all staff and members will have access to the system and where appropriate access to enter, update, validate and/or view only performance, action plan and risk information relevant to their areas of responsibility. Reports will be generated for monitoring purposes. In the meantime the templates in Word format prescribed in this guideline should be used to capture risk information, which will be initially be entered onto the system in bulk. January 2008 Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information