TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT



Similar documents
Risk Management Strategy & Implementation Plan

MARCH Strategic Risk Policy Update March 2012 v1.10.doc

A Risk Management Standard

Risk Management Policy and Process Guide

Following up recommendations/management actions

The Risk Management strategy sets out the framework that the Council has established.

Transport for London. Projects and Planning Panel

Council Meeting Agenda 27/07/15

Avondale College Limited Enterprise Risk Management Framework

Bridgend County Borough Council. Corporate Risk Management Policy

Risk Management Policy. Corporate Governance Risk Management Policy

Risk Management Plan template <TEMPLATE> RISK MANAGEMENT PLAN FOR THE <PROJECT-NAME> PROJECT

Risk Management Plan

People Strategy 2013/17

Confident in our Future, Risk Management Policy Statement and Strategy

TRANSPORT FOR LONDON CORPORATE PANEL

RISK MANAGEMENT STRATEGY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

Bedford Group of Drainage Boards

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

Contract and Vendor Management Guide

1.1 Terms of Reference Y P N Comments/Areas for Improvement

Group Risk Management Policy

Risk Management Policy Adopted by:

Operational Risk Management in a Debt Management Office

ENTERPRISE RISK MANAGEMENT FRAMEWORK

TRANSPORT FOR LONDON SAFETY, HEALTH AND ENVIRONMENT ASSURANCE COMMITTEE

Risk Management Framework

Maturity Model. March Version 1.0. P2MM Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce

Auditing data protection a guide to ICO data protection audits

COMPLIANCE CHARTER 1

Risk Management Strategy and Guidelines

Risk Management Policy

Risk Management Policy

DERBYSHIRE COUNTY COUNCIL BUSINESS CONTINUITY POLICY

Enterprise Risk Management

Risk Management Strategy

How To Write A Risk Management Policy For The University Of Kerry

Sample risk committee charter

Policy Document Control Page

National Approach to Information Assurance

Shepway District Council Risk Management Policy

RISK MANAGEMENT STRATEGY and FRAMEWORK. Including risk assessment, risk register, risk management process, risk committee and risk awareness training

Information security controls. Briefing for clients on Experian information security controls

River Stour (Kent) Internal Drainage Board Risk Management Strategy and Policy

Essex Fire Authority. Fleet Management. Internal Audit Report (4.12/13) 28 February 2013 FINAL. Overall Opinion

Supplier & Contract Management System (SCMS)

How To Manage Risk At Atb Financial

Note the Chief Internal Auditor s findings to date and gain assurance from Officers that key issues raised are being addressed.

Introduction to TTC s Enterprise Risk Management (ERM) Program. TTC Audit and Risk Management Committee

PM Governance. Executive Team ADCA ADCA

Risk Management Within an Organisation

INCIDENT POLICY Page 1 of 13 November 2015

RISK MANAGEMENT STRATEGY

MAGENTA KEYLINE IS A CUTTER GUIDE, DO NOT PRINT. PLEASE SET TRAPPING THROUGHOUT

Risk Management Statement, Strategy and Policy. Index. Risk Management Statement page 2. Risk Management Strategy page 2

Relationship Manager (Banking) Assessment Plan

Enterprise Risk Management Framework Strengthening our commitment to risk management

Queensland recordkeeping metadata standard and guideline

WHY HAS THIS REPORT COME TO THE MEMBER DEVELOPMENT PANEL? The Strategy was last refreshed in 2012 and needs to remain relevant and fit for purpose.

The report rated this area Substantial Assurance and made 2 housekeeping recommendations.

Internal Audit Quality Assessment Framework

Risk Methodology. Contents. Introduction The Risk Management Structure The Risk Management Cycle Methodology...

Royal Borough of Kensington and Chelsea. Data Quality Framework. ACE: A Framework for better quality data and performance information

Solihull Clinical Commissioning Group

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

Trust Board Report. Review of the effectiveness of the IM&T Committee

Business Continuity Management

Essex Clinical Commissioning Groups. Business Continuity Management System. Scope and Policy

Project, Programme and Portfolio Management Delivery Plan 6

Waveney Lower Yare & Lothingland Internal Drainage Board Risk Management Strategy and Policy

ENTERPRISE RISK MANAGEMENT POLICY

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

RISK MANAGEMENT POLICY

Compliance Policy AGL Energy Limited

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

3.2 Our customers and users tell us that they want four things:

CORP RISK MANAGEMENT POLICY & METHODOLOGY

Our risk management framework Reviewed quarterly by our executive committee

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

High Quality Care for All Measuring for Quality Improvement: the approach

London Legacy Development Corporation s Statement of Risk Appetite September 2015

Risk Management Policy

Review of the Assurance and Approval Processes applicable to Investment Projects Progress Update

Lancashire County Council Information Governance Framework

Internal Audit Strategic and Annual Plans 2015/16

Transcription:

AGENDA ITEM 4 TRANSPORT FOR LONDON AUDIT COMMITTEE SUBJECT: STRATEGIC RISK MANAGEMENT PROGRESS REPORT DATE: 3 MARCH 2009 1 PURPOSE AND DECISION REQUIRED 1.1 The purpose of this paper is to update the Audit Committee on progress with the ongoing development of TfL s risk management process, general risk arrangements and revised Risk Management Policy. The Committee is asked to note the report and approve the revised Risk Management Policy. 2 BACKGROUND 2.1 The risk management arrangements for the Group are mature and are embedded within the key business processes, for example, the Business Management Review (BMR) performance review process. This level of maturity was reflected in the level 4 score in risk management, granted by the Audit Commission in its last annual Use of Resources review. However, there remains a small number of areas where development work is ongoing these include integration of the risk and performance arrangements and risk training and awareness. Highlighted below are some recent developments in the risk management arrangements. 3 CORPORATE RISK MANAGEMENT PROCESS Risk Management Policy 3.1 The Risk Management Policy, which was last reviewed and approved by the Committee in January 2007, has recently been revised to reflect the adoption of a strategic risk appetite for the Group and also an approach to partnership risk. The requirement for adequate partnership risk arrangements is covered by the final bullet point in section 4 of the policy and the risk appetite model is included as Appendix 3 to the policy. The Committee is requested to approve the revised policy which is attached as an appendix to this report. Risk Management Training 3.2 The content of the risk management training programme has been reviewed and updated following its first full year of operation. This review has covered the one-day business manager training course and the E-learning risk module and this was undertaken jointly with TfL s third-party training partner, PM Professional. No significant changes to content have resulted from this review, improvements have largely related to format and delivery. 1

3.3 A publicity campaign will be initiated in March to re-launch the E-learning module across the Group. More risk courses are planned for next year as there is currently a waiting list for attendance. One major development in terms of delivery will involve integration with the risk management element of the Pyramid initiative, which provides training for the project management community. Currently, the Pyramid risk training is a two-day course which does not cover all of the elements of the one-day business manager risk course. However, from April 2009 both project and non-project staff will all attend the business manager risk course, with project staff attending a further day s Pyramid training in project risk tools and techniques. 3.4 One of the objectives of the business manager risk course is for attendees to cascade their learning experience to their staff and colleagues when they return to their offices. To obtain a better understanding as to the extent that this cascade training is being used by attendees, a specific question is being added to the on-line feedback questionnaire that is sent three months after course attendance. This will be monitored going forward. Risk Management Software 3.5 As part of a general upgrade to the Active Risk Management (ARM) software, an upgrade to the Active Risk Manager ARM Reporting Services module is also being installed. Following this upgrade, the full range of reporting functionality will be available to users for the first time. 3.6 Discussions are taking place with Strategic Thought, the providers of the ARM software, on the future functionality, configuration and licence arrangements for the system. This should provide a strategy by which TfL will be able to use ARM to the full based upon a more effective partnership approach with the supplier. Risk Reporting 3.7 The standard Risk Map report now includes the risk descriptions. This is intended to provide report recipients with a greater level of detail on risk content and drivers. 4 MODAL RISK DEVELOPMENTS Surface Transport 4.1 An exercise has been performed within the mode that has mapped the key operational, project and strategic risks to the directorate objectives. This ensures that risks are captured and reported in one place rather than in a number of processes it also further embeds risk into the performance review and reporting arrangements. London Rail 4.2 London Rail s strategic risks have been reviewed and approved by the Executive Team. Significant work is in hand to provide London Rail users of 2

ARM with a tailored environment that best meets their business needs but within an overall TfL ARM structure. London Underground 4.3 As with other processes and systems, the risk management arrangements for Metronet are being integrated into LUL s standard approach. This includes the updating of project and other relevant manuals. Integration of risk reporting and review has already been achieved. A timeframe for all other aspects is currently being agreed. 5 RECOMMENDATION 5.1 The Committee is asked to NOTE the report and approve the revised Risk Management Policy. 6 CONTACT Contact: John Burton, Head of Corporate Governance and Risk Management Phone: 020 7126 3026 3

APPENDIX Risk Management Policy 1

1. PURPOSE This paper sets out a recommended policy for risk management within TfL. The purpose is to ensure that all risks within TfL are appropriately identified, evaluated, managed and reported. Management information will be clear and consistent. Risks will be escalated to the appropriate level of management to enable both functional and strategic risk reviews. An effective risk management process will help TfL to achieve its strategic objectives. Non-achievement of key objectives could have significant impact upon: Delivery of the Mayor s Transport Strategy; Reputation; and Operational effectiveness and efficiency. 2. DEFINITIONS Risk Combination of the likelihood of an event and its impact Risk Map Graphical representation of the impact and likelihood of identified risks (TfL standard is 5X5 range, covering High, Medium and Low definitions) Risk Register A list of risks for a particular business area, capturing risk details, mitigation strategies, further actions and ownership Risk workshop A group brainstorming session to identify and evaluate risks Key Risk Representatives Nominated individuals in directorates and key business areas trained to promote the risk management policy, act as first point of contact and maintain the risk map and register Risk appetite Defined acceptable limits for risk exposure, for either individual or aggregate risk. Appendix 3 shows TfL s appetite model 2

3. ORGANISATIONAL SCOPE The risk management policy will cover all types of risk across TfL, ensuring that all significant risks are escalated for consideration by the appropriate level of management. 4. POLICY STATEMENT TfL s objectives in relation to the management of risk are to: Improve awareness and understanding of risk and the need for effective risk management; Integrate and embed risk management into the organisation s culture; Manage risk in accordance with best practice; and Anticipate and respond to changing social, environmental and legislative requirements. These objectives will be achieved through: Implementing the TfL Risk Management Process; Incorporating risk management into the business planning process; Internal Audit reviewing and reporting on the effectiveness of risk management, and Ensuring that TfL have adequate risk assessment mechanisms in place to consider all risks affecting TfL where it is involved as a partner in a noncontractual arrangement. As part of this process, risk documentation must be maintained and retained in accordance with the TfL policy on retention of documents. 5. POLICY CONTENT 5.1 Outline Description Risk management is the direct responsibility of all managers within TfL. All business units will be required to maintain a risk map and risk register (attached as appendices 1 and 2). Local arrangements should ensure that all risks are identified, evaluated and prioritised. The top 10-15 significant risks for each Directorate should be captured and fed into the strategic risk reporting process. Within this overall framework managers can continue with any detailed risk management systems or procedures they already have in place. 3

5.2 Reporting Mechanisms Summarised risk information is to be reported to the Commissioner, Business Management Reviews, Audit Committee and to SHEC. Reporting arrangements are detailed in the TfL Risk Management Process. Papers that discuss the details of risks faced by the business and the means by which they are being managed will be kept private. 5.3 Roles and Responsibilities Audit Committee - Set risk management policy on behalf of the Board - Review, monitor and provide assurance on the risk management process and framework SHEC - Strategic review of safety risk Panels - Forums for discussion, advice and guidance on key risks Risk Management Group (RMG) - Meet on a quarterly basis to review TfL s strategic risks - Review current emerging risks for inclusion on strategic risk register - Recommend changes to risk process for approval by Chief Officers and the Audit Committee Chief Officers - Visibly support and promote the risk management policy - Implement the risk policy within their own directorates / business units - Be actively involved in the identification and analysis of strategic risks - Encourage staff to be open and honest when identifying risks and missed opportunities - Ensure that risk management forms part of all major projects and change management initiatives - Monitor and review the status of risks and mitigating actions Risk Owner - To take responsibility for a nominated risk, monitoring and reporting on progress of planned mitigating actions and assurance activities Action Owner - To ensure successful completion of further mitigating actions as recorded on the risk register Internal Audit - Provide assurance to the Audit Committee on the effectiveness of risk management within TfL - Provide advice and guidance on the risk management process - Produce a risk-based internal audit plan Head of Corporate Governance and Risk Management - Develop and implement the Risk Management Policy and Strategy and the risk management processes - Take the lead in identifying and agreeing an 4

Head of Group Insurance approach to risk appetite that works at group and modal level - Project manage the development of risk reporting to the Audit Committee, Board and senior management - Providing support and leadership to the modes on risk management process, risk models and software tools; - Act as the first point of contact for any part of the organisation looking for support in relation to risk management - To design and implement insurance policy and strategy - Provide practical mitigation advice and insurance management to all functions - Maintain an overview and awareness of the Group risk profile 5.4 Required Outcomes The policy and supporting process are to be delivered in phases based upon an annual Risk Management Plan approved by the Audit Committee. This will deliver risk management arrangements that will provide increasingly mature risk analysis and reporting mechanisms. 6. PROCEDURES The detailed procedures supporting this policy are documented in the TfL Risk Management Process. 7. APPROVAL The Audit Committee approves this policy on behalf of the Board. 8. REVIEW The policy will be reviewed annually. 9. POLICY OWNER This policy is owned by Howard Carter, General Counsel. 5

10. CONTACT DETAILS Points of detail and general questions should be addressed to: John Burton, Head of Corporate Governance and Risk Management. 11. RELATED DOCUMENTATION Code of Corporate Governance (the overall governance framework for TfL wherein risk management is a key principle); and A Risk Management Standard - issued jointly by the Institute of Risk Management (IRM), the Association of Local Authority Risk Managers (ALARM) and the Association of Insurance Risk Managers (airmic). (The recognised industry standard with which this policy complies.) 6

APPENDIX 1 Objective: High level objective(s) Mode / Business Area Risks Risk 1 Risk 2 Risk 3 Risk 4 Risk 5 Risk 6 Risk 7 Risk 8 Likelihood High High Medium Low Critical Low Low Low Medium High Impact Recommended that number of risks is kept to a maximum of 20 with 10 to 15 regarded as preferable High 7

APPENDIX 2 SUGGESTED RISK MATRIX Business Unit RISK MANAGEMENT Identified Risk Number Risk Risk Owner Risk Analysis Impact Like lihood Risk Score Risk Management Strategy Mitigations / Controls Effectiveness Assurance Action Plan Further Action Required Person Responsible / Date Risk Mitigation Status Risk description Risk detail Risk causes Risk effects 8

APPENDIX 3 Key Strategic Risk Appetite Strategic Risk Map Level of residual risk is unacceptable. Top priority action plans to be produced to reduce risk to an acceptable level - wherever this is within TfL s control High CRITICAL While the level of risk is not considered to be totally unacceptable, further risk mitigation will be addressed as a high priority - with action plans in place for reduction. As a general principle, risks will be mitigated to as low a level as possible (towards the bottom left of the map) - but only as far as the benefits gained from risk reduction outweigh the costs of mitigating the risk. L i k e l i h o o d High Medium Low Low Low Low Medium High Impact High 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information