APPENDIX 5

POLICY: CORPORATE RISK MANAGEMENT

1 Scope

This is a Service wide policy.

2 Aims and Objectives

Lancashire Combined Fire Authority provides services to a diverse range of people and organisations, in an ever-changing environment. As such, the potential for disruption to services or the loss of or damage to assets from a vast range of risks is inherent. Therefore, it is essential that the Authority takes appropriate action to minimise the potential for loss or damage through active risk management.

3 Policy

POLICY STATEMENT

Risk Management is the process of identifying significant risks to the achievement of the organisation's strategic and operational objectives, evaluating their potential consequences and implementing the most effective way of controlling them.

RISK MANAGEMENT OBJECTIVES

The risk management policy is designed to safeguard the achievement of the Service's objectives through the effective control of risks which threaten their achievement. In addition the policy is intended:

- To ensure best value and best practice are achieved in the management of risks.
- To regard compliance with legal and regulatory requirements as a minimum standard.
- To identify and respond to changing social, environmental and legislative requirements.
- To prevent injury, damage and loss to stakeholders and employees or their property.
- To reduce the overall cost of risk.
- To integrate risk management into the culture of the Authority.
- To support staff in their efforts to manage the risks to which they are exposed.
- To ensure compliance with the Authority's Code of Corporate Governance.

RESPONSIBILITIES

The variety of risks to which the Authority is exposed is such that a multi-layered approach will need to be adopted to ensure full integration of the risk management culture into all levels of the Authority.

Elected Members have the responsibility to ensure the implementation of appropriate risk management structures and processes, and to provide sufficient resources to meet agreed objectives. An elected member sits in the Risk Management Group, to ensure appropriate member input to this group.

The Audit Committee has overall responsibility for risk management within the Authority. It is responsible for agreeing the risk management strategy and the risk management policy, as well as reviewing the risk register on a regular basis. This culminates in the Committee's consideration of the Annual Governance Statement, which includes reference to risk management arrangements.

The Executive Board has overall responsibility for ensuring that the Authority manages risk effectively through the development of a comprehensive risk management strategy and policy, and that decisions taken by both the Authority's Members and management give full consideration to the risks associated with those policies.

The Service Management Team is responsible for reviewing departmental risks on a regular basis.

The Service's Risk Management Group is responsible for developing, implementing and reviewing a risk management strategy, setting out the specific programmes, procedures and activities designed to ensure that policy objectives are met, for reviewing actions taken to address key risks and for updating/reviewing the risk register.
The Group is also responsible for reviewing departmental risk registers to ensure that any key risks are included on the risk register.

Heads of Departments and other Service Management are each responsible for ensuring that proper procedures are in place to effectively identify, evaluate and manage risks within their Service areas. All departments should prepare and maintain a departmental risk register, based on the analysis, in line with this policy and the scoring mechanisms outlined.

NB: All major projects undertaken will have an associated project risk register as per the Project Management Framework.

Heads of Departments and other Service Management should make recommendations as to which departmental risks are transferred to the risk register.

Individual managers and employees are each charged with the effective management of the risks associated with their particular roles and duties, and for
ensuring that significant risks are identified to senior management as soon as they become known. The risk management group is available to support this activity through the provision of training, information and technical assistance as required.

RISK MANAGEMENT PROCESS

The basic principles of risk management are the identification, analysis, control and monitoring of risks. The processes associated with these are:

Risk Identification

In order to enable risk to be effectively managed, the nature of the risk must first be identified. This can be done by reviewing the Service's/Department's strategic, operational and project objectives and identifying all significant risks which could impact upon their achievement. This also includes risks associated with business continuity issues.

Risk Analysis

Once risks have been identified they need to be assessed in terms of their likelihood and their potential impact on the Service/Department/Project. Based on this assessment the risks which require the greatest level of management can be identified, i.e. those with a high likelihood of occurrence and the severity of impact, with the overall risk assessment being the combination of the two scores, as set out below. (Note: the risk scores are a guide only and some subjective judgement may be required to better reflect the magnitude of the overall risk.)

Likelihood
5  Certain/Almost certain      5      10          15         20          25
4  Very likely                 4       8          12         16          20
3  Likely                      3       6           9         12          15
2  Unlikely                    2       4           6          8          10
1  Rare/Very Unlikely          1       2           3          4           5
                             Minor  Noticeable  Significant  Critical  Catastrophic
                               1       2           3          4           5
                                              Impact

The overall scores represent the relative importance of the combination of impact and likelihood. This feeds a traffic light system which categorises risk, in order to identify the relative priorities and the need for action, as follows:
- high: red (a score of 15 or more)
- medium: amber (a score of between 7 and 14)
- low: green (a score of less than 7)

In order to assess this the following criteria should be applied:

Likelihood                   Probability
5  Certain/Almost certain    Greater than 90%
4  Very likely               65% to 90%
3  Likely                    35% to 65%
2  Unlikely                  5% to 35%
1  Rare/Very Unlikely        Less than 5%

Impact levels: 1 Minor, 2 Noticeable, 3 Significant, 4 Critical, 5 Catastrophic

Financial
  1  0k - 100k
  2  100k - 250k
  3  250k - 1m
  4  1m - 2m
  5  2m+

Service Provision
  1  No impact
  2  No impact
  3  Services reduced but still able to meet statutory duties
  4  Services suspended and unable to meet statutory duties for a short period
  5  Services suspended and unable to meet statutory duties for a long period

Health & Safety
  1  Cuts & bruises
  2  Broken bones/illness
  3  Loss of life/major illness
  4  Significant loss of life/major illness
  5  Major loss of life/large scale major illness

Objectives
  1  No impact on objectives
  2  departmental objectives not met
  3  One objective not met
  4  Two objectives not met
  5  objectives not met

KPIs
  1  No impact on Key Performance Indicators
  2  Key Performance Indicators not met by less than 10%
  3  Key Performance Indicator not met by between 10% & 20%
  4  Key Performance Indicators not met by between 20% and 50%
  5  Key Performance Indicators not met by more than 50%

Reputation
  1  -
  2  -
  3  Adverse local media leader
  4  Adverse national publicity
  5  Adverse national publicity for an extended period

Government Relations
  1  -
  2  -
  3  Poor assessments
  4  Service taken over temporarily
  5  Service taken over permanently
Risk Mitigation

Risk mitigation is the process of taking action to minimise the likelihood of the risk event occurring, the frequency with which it might occur and/or reducing the severity of the consequence should it occur. This will involve, for example, risk avoidance, risk transfer and/or introduction of operating controls. The controls already in place and any additional controls required will be identified and recorded for each of the key risks. (Note: the benefit of controls should always be evaluated against the additional cost of these.)

Risk Recording

The risks and control measures will be recorded in a Risk Register in the prescribed format. A process for review of the risks and related controls will be established, to assess how effective the policy has been. The register will contain the following information:

- Description of risk
- Assessment of likelihood and impact to determine the risk score
- Controls in place
- Controls planned
- Risk owner
- Review date

Risk Review and Monitoring

Corporate and departmental risk registers should be maintained on a regular basis by updating them to reflect changes to existing risks, or to reflect the identification of new risks.

On a rolling basis departmental risk registers will be presented to Service Management Team, including a recommendation as to which risks are referred to the Risk Management Working Group for inclusion in the risk register.
Where risks are referred to the Risk Management Working Group the relevant risk owner must submit a report detailing:

- What the risk is
- What the inherent risk is
- What action has been taken to mitigate against it, including any change since the risk was last reported
- What the level of residual risk is
- What further action is recommended and the timeframe for this

The Corporate Risk Management Working Group will consider risks flagged up by departmental managers and agree remedial or mitigating actions, determining the overall priority and monitoring progress until such time as the risk is effectively brought under control and can be discharged from the risk register.

An audit trail of all changes to the risk register should be maintained.

The risk register will be reviewed on an annual basis by the Audit Committee and the success of the control measures evaluated.
Note: Project risks are monitored by the project manager regularly through the life of the project via the Project Risk Register and therefore additional reports are not required.

The Inclusion of Risk Management Implications in Reports

Risk Management implications must be included in all reports so that these can be taken into account in the decision making process. As such a separate section should be inserted in all Committee/Management Team reports in which the author states what, if any, risks have been identified and how these will be managed. If no risks have been identified a statement should be made to that effect.

Opportunity Risk

The above process deals with risk relating to threats to the organisation's achievement of objectives. In addition to these there are also opportunity risks. These arise where there is uncertainty in terms of the outcome of issues, but where there is a potential opportunity to improve services dependent upon the final outcome. In these instances a similar process should be undertaken to that described above:

- Identify the opportunity
- Identify which objective it links into
- Identify what the likelihood and impact arising from this are
- Identify what controls are in place to ensure the opportunity materialises in a positive way
- Identify an owner to progress and monitor this

An example of this is the potential for second lifing of crew cabs and bodies. This provides an opportunity to reduce costs and improve our environmental impact. These would mitigate against the risk of inefficient use of resources and also the impact of our actions on the environment. However, at the present time more work is required and we need to explore more fully the long term cost implications of implementing this policy. Ultimately a decision may need to be made considering the cost of taking the opportunity against the benefits received.
In this case, if the long term costs of second lifing cabs and bodies do not deliver any savings it may still be worth considering from an environmental impact. If, on the other hand, it costs more in the long term a decision would need to be made as to whether the additional costs were outweighed by the environmental benefits.

4 Equality and Diversity Impact Assessment

The changes do not impact on the previous Equality and Diversity impact assessment, which did not identify any issues for further consideration.

5 Reference Documents

None
6 Approval Agency

Audit Committee
7 Approval Dates

This Policy was originally approved in March 2006
This version was approved in Jan 2011
This version takes effect from Jan 2011
This Policy was reviewed in Jan 2011
Next review date March 2012

8 Policy Sponsor

Director of Finance

9 Diversity and Equality Statement

Lancashire Fire and Rescue Service is committed to the principles of diversity and equality and the elimination of discriminatory practices. These principles are applied to the treatment of all individuals, whether members of the public, or own staff, be those fire officers, support staff or volunteers.

This policy will be implemented in a non-discriminatory manner. Members of Lancashire Fire and Rescue Service administering this policy are responsible for ensuring that in their application, those to whom the policy applies shall not receive less favourable treatment because of their age, colour, disability, ethnic or national origin, gender reassignment, marital status, nationality, race, religion, sex or sexual orientation.