London Legacy Development Corporation s Statement of Risk Appetite September 2015



Similar documents
Risk Management Strategy

RISK MANAGEMENT STRATEGY

Risk Management Policy and Process Guide

Confident in our Future, Risk Management Policy Statement and Strategy

REPORT 4 FOR DECISION. This report will be considered in public

PM Governance. Executive Team ADCA ADCA

The Risk Management strategy sets out the framework that the Council has established.

1.20 Appendix A Generic Risk Management Process and Tasks

V1.0 - Eurojuris ISO 9001:2008 Certified

Risk Management Policy and Framework

The Lowitja Institute Risk Management Plan

Project Risk Analysis toolkit

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

Bridgend County Borough Council. Corporate Risk Management Policy

CONTROLLED DOCUMENT. Number: Version Number: 4. On: 25 July 2013 Review Date: June 2016 Distribution: Essential Reading for: Information for:

Project Management Toolkit Version: 1.0 Last Updated: 23rd November- Formally agreed by the Transformation Programme Sub- Committee

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

Bedford Group of Drainage Boards

A Risk Management Standard

RISK AND OPPORTUNITY MANAGEMENT STRATEGY

WFP ENTERPRISE RISK MANAGEMENT POLICY

POLICY : CORPORATE RISK MANAGEMENT

Corporate Risk Management Policy

Risk Management Framework

Northern Ireland Blood Transfusion Service

Risk Methodology. Contents. Introduction The Risk Management Structure The Risk Management Cycle Methodology...

RISK MANAGEMENT POLICY AND STRATEGY. Document Status: Draft. Approved by. Appendix 1. Originator: A Struthers. Updated: A Struthers

Risk Management Policy

GREATERLONDONAUTHORITY

Risk Management Policy

Group Risk Management Policy

RISK MANAGEMENT STRATEGY

Shepway District Council Risk Management Policy

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

RISK MANAGEMENT POLICY

Integrated Risk Management Policy

Risk Management Within an Organisation

ANNUAL REPORT ON THE TREASURY MANAGEMENT SERVICE AND PRUDENTIAL INDICATORS 2008/09

Business Continuity Management Framework

MARCH Strategic Risk Policy Update March 2012 v1.10.doc

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

Risk Management Procedure

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

TRANSPORT FOR LONDON SAFETY, HEALTH AND ENVIRONMENT ASSURANCE COMMITTEE

Council Meeting Agenda 27/07/15

How To Manage Risk In Ancient Health Trust

Gateway review guidebook. for project owners and review teams

Managing Risk Control Environment and Responsibilities

SNH/11/11/B CORPORATE RISK MANAGEMENT POLICY AND RISK REGISTER

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

Project Risk Management. Presented by Stephen Smith

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

UK Sport Gold Event Series Investment Guide

RISK MANAGEMENT POLICY

Audit, Risk Management and Compliance Committee Charter

Risk Management Strategy

TURF ISN T THE ONLY THING THAT SHOULD BE GREEN TRAINING AND CERTIFICATION FROM SGS

The report rated this area Substantial Assurance and made 2 housekeeping recommendations.

Risk Management. Group Standard

ERM Program. Enterprise Risk Management Guideline

Relationship Manager (Banking) Assessment Plan

Human Resources & Facilities Services. Service Delivery Plan 2014/15. Overview of the Human Resources Service

AFTRS Health and Safety Risk Management Policy

Version: 3.0. Effective From: 19/06/2014

GOLDSMITHS University of London COUNCIL. FINANCE AND RESOURCES COMMITTEE 18 March 2014

Appendix 1e. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Performance Management Framework

PROGRESS THROUGH PARTNERSHIP MAKING A DIFFERENCE GUIDANCE PERFORMANCE MANAGEMENT FRAMEWORK AND CONTINUOUS IMPROVEMENT

Risk Management Statement, Strategy and Policy. Index. Risk Management Statement page 2. Risk Management Strategy page 2

Risk Management Plan template <TEMPLATE> RISK MANAGEMENT PLAN FOR THE <PROJECT-NAME> PROJECT

Managing Risk in Procurement Guideline

Risk Management & Business Continuity Manual

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

Job Description. Position Information. Information Services Operations Co-ordinator. Council Overview

Risk Management Strategy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

APPENDIX 50. Enterprise risk management - Risk management overview

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

ROYAL HOLLOWAY, UNIVERSITY OF LONDON

Title: Rio Tinto management system

Business Continuity Management Policy

The Gateway Review Process

RISK MANAGEMENT POLICY. Version 3

13 ENVIRONMENTAL AND SOCIAL MANAGEMENT SYSTEM

Policy : Enterprise Risk Management Policy

Risk Management. Policy

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Transcription:

London Legacy Development Corporation s Statement of Risk Appetite September 2015 Appendix 1 1. INTRODUCTION 1.1 Her Majesty s Treasury uses the Orange Book definition of risk management The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time. Risk appetite provides the means to assess whether an organisation (and its component parts) are operating within acceptable limits. 1.2 This paper sets out the Legacy Corporation s statement of risk appetite. Defining and understanding the Corporation s risk appetite helps to aid good decision making through understanding what types of risk are acceptable and striking a balance between risk and reward. 2. STATEMENT OF RISK APPETITE 2.1 Within its framework of evidence-based and well-controlled decision-making, the Legacy Corporation is currently willing to adopt a higher risk appetite in some areas in order to fulfil the Legacy Corporation s mission to use the once-in-a-lifetime opportunity of the London 2012 Games and the creation of Queen Elizabeth Olympic Park to develop a dynamic new heart for east London, creating opportunities for local people and driving innovation and growth in London and the UK. 2.2 These areas of higher risk include. Major developments with senior political support (including in some cases financial underwriting (e.g. Olympicopolis); innovations, where outputs can be evidenced and evaluated (e.g. e.g. enhancements to improve AMO performance); undertaking small exploratory and enabling projects to learn and to gather evidence (e.g. investing in feasibility studies); taking action spending to save - to maximise investments where performance is poor (e.g. enhancements to improve AMO performance) and remaining assertive on performance management (e.g. the decision to change operators for 3 Mills Studios); and developing potential sources of partnership and/or commercial income, providing there is a focus on best value for money and that reputational risk can be satisfactorily managed (e.g. Here East). 2.3 Through procurement and commercial negotiations the Legacy Corporation passes on a proportion of risk and reward to third parties, in particular to venue operators. This constitutes a medium risk appetite. 2.4 The Legacy Corporation has a low risk appetite around transparency and control of governance and finance, health and safety and security and this will not change.

3. DEFINING RISK APPETITE 3.1 The Legacy Corporation measures individual risks against a risk matrix (see Appendix 1). This plots likelihood against consequence for each risk and generates a Red, Amber, Green (RAG) rating: green equates to low; amber to medium; and red to high. Therefore when looking at risk appetite the likelihood of the risk occurring is as important as the consequence. 3.2 As a guide, the consequence of high, medium and low risks can be defined as below, based on HM Treasury guidance: High: The consequence of risks materialising would be severe. Some immediate action is required to mitigate the risk plus the development of a comprehensive action plan. Medium: the consequence of risks materialising would have moderate impact on day-to-day delivery. Some immediate action might be required to address risk impact, plus the development of an action plan. Low: the consequence of risks materialising would have a minor impact, no immediate action is required but and action plan should be actively considered. 3.3 The below sets out risk appetite for various areas of the Corporation. Governance processes Low risk appetite Policy compliance Low risk appetite Financial processes Low risk appetite Health and Safety Low risk appetite Equalities and inclusion Low risk appetite Procurement Low risk appetite Sustainability Low risk appetite Planning service (PPDT) Low risk appetite Real Estate developments Medium to high risk appetite Construction projects (not H&S elements) Medium risk appetite Security and facilities management Low risk appetite Venue operators Medium risk appetite** Events (not H&S elements) Medium risk appetite Social regeneration projects Low risk appetite Spend to scope High risk appetite Investment to return High risk appetite * Olympicopolis has a high risk appetite given its senior political support. Other Real Estate developments such as Chobham Manor and East Wick and Sweetwater have a medium risk appetite ** apart from activities to address lower than anticipated performance, e.g. AMO performance where enhancements could be high risk. 4. APPLICATION OF THE CORPORATION S RISK APPETITE 4.1 Risk appetite applies at the corporate, directorate and project level. At the corporate level it refers the overall exposure to risk the organisation is willing to accept; and at the directorate and project level to the level of risk beyond which a programme / project would not be considered viable.

4.2 When risk appetite is defined rigidly it can impede innovation and make an organisation overly cautious. It can also fail to reflect the complexity and diversity of decision making in an organisation such as LLDC. However as general rules, the Legacy Corporation: - will not tolerate risks rated red on the risk scoring matrix where they are avoidable other than in exceptional circumstances that should be agreed formally by the Executive Management Team. These are more likely to apply in areas shown with a medium or high risk appetite in section 3; - has zero tolerance for risks that cannot be mitigated for a number of areas set out below; and - has a relatively high tolerance for risk flowing from the delivery and communication of strategic and Mayoral priorities, and in particular where the work is innovative and with the potential to catalyse broader beneficial outcomes. Where a given project is proposing to tolerate a relatively high-level of risk, the rationale must be outlined within the project approval documentation or, if they emerge whilst in delivery, reported to the Executive Management Team. 4.3 Risks that would not be tolerated: As a guide the below table sets out risks that would not be tolerated, this is for illustration and is not exhaustive: Risk category Risk would not be tolerated where: Political the Corporation is directly associated with extremist, hate speech or discriminatory beliefs Economic the Corporation s financial stability is compromised investment or capital outlay exceeds delegated authority limits Safety and there is a significant increase in the potential for injury or death Wellbeing the wellbeing of any staff group, contractor or visitor is seriously compromised Environmental the Corporation s activities cause irreparable harm to the environment Legal the Corporation breaches its statutory responsibilities Corporation activities are deemed to be unlawful Operations Operational practices threaten community safety Resilience assets are compromised Systems Core ICT systems/equipment are compromised, targeted or unavailable Reputation The Corporation s standing in the community or with partners is significantly compromised in the long term 5. RISK MANAGEMENT PROCESSES 5.1 The Legacy Corporation has a well-established process of ensuring that risk management is controlled, shared and dynamic through monthly reporting on Execview and support to this process by the Programme Management Office (PMO). Risks are reported up to directorate level, through team meetings, for the attention of the relevant Executive Director. Directorate level risk workshops are undertaken by the PMO regularly, at the request of Executive Directors. The biggest risks to the Corporation are reported up to the corporate level: the corporate risk register is owned by the Executive management team and is reported to every Audit Committee and to the Board through dashboard reporting of the top risks and an annual risk

review. The Chief Executive has asked that EMT risk workshops are held ahead of all Audit Committee meetings. 5.2 Larger projects such as Olympicopolis and the Stadium have individual QRAs to monitor financial risks against contingency. The corporate QRA brings together financial risks (drawn from Execview by the PMO and updated regularly with risk owners) which may call on corporate contingency and this is reported and reviewed at each meeting of the Corporation s change board to help monitor calls on contingency. 5.3 Existing and new risks are measured against the agreed risk appetite and any risks which exceed the Corporation s risk appetite for that particular area will be escalated to sit at the Directorate level for the attention of the relevant Executive Director. The Executive Director is responsible for either ensuring that the mitigation plan is effective in preventing or reducing the impact of the risk, or for escalating the risk to the Corporate level. Risk appetite is also considered by EMT and the Board when making a decision whether to go ahead with a proposed project or activity. 5.4 Risk appetite will be reviewed at least annually by EMT to check that the risk thresholds in place are appropriate. In reviewing the risk thresholds, consideration will be given to a number of factors, including, but not limited to: Changes to the organisational strategy (and therefore the corporate objectives); Changes in the market e.g. construction inflation could make our risk appetite for construction projects lower as they are more costly; Availability of capacity to manage new risks, and the cost effectiveness of the risk management; Occurrences of high level (red) risks within the past 12 months; Breaches of current risk thresholds in the past 12 months and the reasons why; Review of the control environment including results from external and internal audits and inspections and the levels of assurance obtained from these; Changes to the way the service operates; and Changes due to political policy and initiatives. Any changes to the Corporation s risk appetite would be reported to the Audit Committee. 5.5 The risk appetite will be communicated to staff through briefings at team meetings and to new staff through the induction process. Annexes: Annex 1: Legacy Corporation s risk likelihood and consequence scoring matrix

Annex 1: Legacy Corporation s risk likelihood and consequence scoring matrix Output