Risk Audit and Assurance Report - Quarter 3 Update 2013/14




Report title: Risk Audit and Assurance Report - Quarter 3 Update 2013/14
Meeting: Governance, Performance and Audit Committee, 4 March 2014
Report by: Head of Strategy and Performance, 7 February 2014
Document Number: FEP 2207
Public

Summary

This report provides an updated monitoring position on the Authority's risk management framework including the risk audit programme and supporting assurance work which has taken place during quarter three 2013/14.

Recommendations

That the Committee:

1. Notes the content of this report with regard to on-going risk management activities and reviews the information as necessary to fulfil its monitoring and oversight responsibilities; and

2. Notes that the three separate reports on risk, business continuity and governance will be combined into one report as from quarter four, 2013/14.

Introduction/Background

1. Strategic risk management enables the Authority to plan for, anticipate, manage, and mitigate risks which have the potential to seriously impact upon the services provided by the organisation. As a fire and rescue service, many of our activities are naturally underpinned by a range of hazards, but it is only through the evaluation of the chance or probability of harm associated with those hazards (i.e. by undertaking a risk assessment) that we are able to accurately understand the risk they pose to the organisation.

2. Risk management is a process which seeks to identify, evaluate and manage these risks in a structured way. A robust strategic risk management framework enables the Authority to take sufficient action, which could involve prevention of significant risks and/or reduction of the impact of those that do occur by putting adequate risk mitigation controls in place.

3. As the assessment of risk and the implementation of controls is largely an internal function, the Authority's internal audit function currently provide independent verification to make sure that the appropriate risks are being identified and prioritised, that they are rated correctly and that evidence for the risk controls in place can be checked.

4. This Committee has a responsibility, to monitor the Authority's risk management system, framework and control environment to ensure that it is fit for purpose (FEP1913). Accordingly, this report shows the updated monitoring position regarding the organisation's risk audit and assurance activity as at the end of quarter three, 2013/14 (period to end December 2013).

5. This report also includes the risk performance indicators and an update on the Authority's risk appetite.

6. Officers have reviewed how risk, continuity and governance information is reported to the Committee. Given the relationship between the three areas, officers will combine the three separate reports into one report from quarter four, 2013/14. This will reduce any duplication and provide a more concise and structured overview for Members.

Corporate risk register

7. The Authority's corporate risks are set out in Appendix 1 to this report. Corporate risks are those which officers have identified could have a serious impact on how the Authority operates. These corporate risks were last reported to the Committee in November 2013 (FEP217) as part of the monitoring report for quarter two, 2013/14.

8. Over the past quarter, a new risk has been identified by the Director of Finance and Contractual Services that has since been incorporated into the corporate risk register. This new risk relates to the national Emergency Services Mobile Communications Programme (ESMCP). The ESMCP is a cross departmental programme currently sitting within the Home Office. Its purpose is to procure an Emergency Services Network (ESN) to replace the current Airwave communication system that is used by all the emergency services.

9. The new corporate risk (CRR15) has been defined as, "The national programme to replace Airwave with the Emergency Services Network (ESN) by 2017 fails to deliver a solution for the provision of radio and data communications which is both affordable in the long term and which delivers the complete functionality required by LFB."

10. The main uncertainty with regards to the new risk relates to the affordability of the programme, the levels of coverage, resilience and availability that the ESN will have and the timeline in which the programme is expected to deliver. Accordingly, the likelihood and impact scores for this risk have been established as likely (three) and significant (two) respectively. This means that the overall risk score is six, making this new risk an amber corporate risk.

The corporate risk appetite

11. Risk appetite is the amount of risk, broadly, that an organisation is willing to accept in pursuit of its objectives. It reflects the organisation's history and risk management philosophy and, in turn, influences the organisation's culture and risk management style. The better able we are to manage our risks in accordance with our risk appetite, the more we can use this information (i.e. are we within our risk appetite or exceeding it?) to aid decision making.

12. Our approach to risk appetite and the resulting risk appetite statement was originally agreed by the Authority in June 2010 (FEP154) and the statement now forms part of the Authority's Annual Governance Statement. Overall, the Authority's risk appetite can be described as low to low-medium. Risk appetite is formally applied at two levels within the organisation: the corporate level and the departmental level. The corporate level is reported quarterly as a matter of course to the Committee. The departmental level is reported on an exceptions only basis if there are any issues of significant concern which merit the attention of the Committee.

13. By taking the corporate risks and plotting them on the standard risk matrix (see Figure 1), it is possible to provide an overall picture of the corporate risk profile. By acknowledging that the Authority's risk appetite is low to low-medium, it is possible to represent this by drawing a line on the risk matrix. This becomes the standard risk threshold. Risks which then appear in the green area and amber risks which are unlikely (2x3) and/or significant (3x2) are then said to be within acceptable limits.

14. So that informed risk taking can take place, risks may still appear above the standard risk threshold line so long as the overall risk ratio does not exceed nine per cent of the risk threshold set. However, risks that are rated as very likely and catastrophic (4x4), very likely and major (4x3) or likely and catastrophic (3x4) will still be deemed to be outside acceptable limits, even if they are within the nine per cent ratio. These risks will be subject to extra scrutiny to check that the rating is correct, whether the activity can be pursued (in the case where a choice has been made to take a risk) and what immediate management action can be taken to bring the risk to within more acceptable limits.

15. The current corporate risk profile is shown in Figure 1. The large numbers inside the matrix show the number of corporate risks at that rating (e.g. there are 3 corporate risks with a likelihood rating of 2 (unlikely) and an impact rating of 3 (major)). The smaller numbers refer to the Corporate Risk Identifier (e.g. CRR1, CRR2):

Figure 1 - The summary corporate risk profile, quarter 3 2013/14

[Risk matrix. Vertical axis: Likelihood, from Very Unlikely (1) to Very Likely (4). Horizontal axis: Impact: Minor (1), Significant (2), Major (3), Catastrophic (4).]

Very Likely (4): 1 risk - CRR13
Likely (3): CRR5, CRR7, CRR8, CRR10, CRR14, CRR15
Unlikely (2): 3 risks - CRR1, CRR2, CRR3
Very Unlikely (1): no risks listed

16. At the moment, the overall position of the corporate risks shows that the organisation remains at an amber status with 10 per cent of risks over the standard risk threshold line.

17. The one risk which remains above the line is CRR13 "A breakdown in industrial relations affects our ability to deliver the service". This risk remains at a high red rating in spite of control measures such as the industrial relations framework, owing, in part, to the current environment whereby unions are more likely to take industrial action over a range of matters which are; (a) part of the Authority's current change management initiatives; and, (b) over matters which are outside of the Authority's direct control (i.e. pension change proposals). The status of this risk has been confirmed by the recent audit conducted by our external risk auditors.

18. The impact of this risk is that the Authority is just exceeding the green status in risk appetite terms and management focus remains on CRR13 to improve the status of this risk. However, officers are satisfied that, overall, the organisation is operating within acceptable limits.

19. Members will recall from the previous report to the Committee that there is currently a national dispute between the Fire Brigades Union (FBU) and the Government over the Government's proposed pension reforms. Since the last report to the Committee, the FBU have held a further eight strikes, with the most recent of these taking place on the 3 January 2014. As with the strike that took place on the 25 September 2013, the Authority implemented its contingency arrangements for the duration of the strike periods and deployed its Emergency Fire Crew Capability (EFCC) in order to provide a contingency level of operational service across London.

20. Throughout the recent strike periods these arrangements continued to demonstrate their effectiveness, and also provided the Authority with assurance that the controls that are in place to mitigate the impacts associated with this risk are appropriate.

21. Further detail on industrial action and the recent strike periods has been provided in the business continuity management update report for quarter three, which is also on the agenda for today's Committee meeting.

Risk audit programme/transfer to MOPAC

22. In order to validate the risk information identified and contained within the Authority's risk management system, a risk audit programme has been carried out each year. The last risk audit programme focussed on selected corporate risks. The background to how the programme was compiled has been provided in previous reports to the Committee.

23. Members will recall from the previous Committee report that the programme has now concluded, and that responsibility for auditing the effectiveness of the organisation's risk management arrangements has now transferred to the Mayor's Office for Policing and Crime (MOPAC) under the shared service arrangement. The MOPAC audit programme provides continuity in terms of risk auditing with thematic audits (e.g. protective security, attendance management, etc.) considering risks in the round. The MOPAC programme also includes a review of the Authority's risk management process during 2013/14.

24. The outcomes of MOPAC audits are already reported to the Committee so Members will continue to have sight of recommendations and actions arising as a result of the risk based audit approach. The latest MOPAC progress report is also on the agenda for today's Committee meeting.

25. As noted in the previous risk audit and assurance report (FEP217), outstanding recommendations relating to the industrial relations risk (CRR13), which was the last corporate risk audited under the old risk audit programme, are now reported to Committee in the MOPAC report.

Risk performance indicators

26. Risk performance indicators are designed to give a visual representation of the information which provides the background to this report. The current indicators are attached at Appendix 2 to this report and display the content of the Authority's risk management system in terms of the number and status of the corporate and departmental risks. This content is summarised on a rolling quarterly basis over the previous 12 months.

Head of Legal and Democratic Services comments

27. The Head of Legal and Democratic Services has reviewed this report and has no comments.

Director of Finance and Contractual Services comments

28. This report includes a new risk (CRR15) against the national programme to replace Airwave with the Emergency Services Network by 2017. A risk against this programme was also included in the Budget Update Report (FEP2194) and this is set out below:

29. DCLG will replace the existing Airwave contracts, which expire between 201 and 2020 as part of the Emergency Services Mobile Communications Programme. There could be significant financial pressures to LFEPA under any new contract provision. The current contract is subsidised and DCLG have notified LFEPA that its share of this will be 827k in 2013/14. DCLG may be unwilling to continue to subsidise any future system. In addition a project team may be required to deliver any new system into the Authority.

Sustainable development implications

30. There are no sustainable development implications associated with this report.

Staff side consultations undertaken

31. Staff side consultation was undertaken for the review of the industrial relations risk. Further consultation will take place to implement recommendations from the audit action plan as necessary.

Equalities implications

32. Fairness, equality and diversity are promoted and supported by both the risk audit programme and overarching risk management framework in line with Authority policy.

List of Appendices to this report:

1. Appendix 1 - Corporate risks; and
2. Appendix 2 - Risk performance indicators.

LOCAL GOVERNMENT (ACCESS TO INFORMATION) ACT 1985

List of background documents

1. Risk Audit and Assurance Report 2013/14 Quarter 1 and 2 Updates FEP212, 217;
2. Risk Audit and Assurance Reports 2012/13 FEP1949, 2002, 2053 & 2108;
3. Risk Audit and Assurance Reports 2011/12 FEP1794, 1844, 1877;
4. Annual Governance Statement 2012-13 FEP2125;
5. Annual Governance Statement 2009-10 FEP154;
6. Statement on Internal Control Quarter 1 Update FEP1102;
7. Reconstitution of Committees, Standing Orders, Allowances and Related Matters FEP1913; and
8. Reconstitution of Committees 2007/8 FEP1037.

Proper officer: Head of Strategy and Performance
Contact officer: Daniel Ingram
Telephone: 020 8555 1200 x30071
Email: daniel.ingram@london-fire.gov.uk

Appendix 1

Corporate risks

The current corporate risks for the London Fire Brigade are as follows:

Risk Code - Risk Description - Score

CRR1 - A death or serious injury occurs as a result of our staff not operating a safe system of work
CRR2 - Disconnect between top, middle and junior management leads to a lack of consistent leadership affecting our ability to manage and change behaviours
CRR3 - Failure or perceived failure to deliver the service
CRR5 - Ability to effect change is limited leading to poor / ineffective resource management
CRR7 - Failure of a significant contractual relationship impacts on the delivery of services
CRR8 - Failure to develop and maintain equity across the Brigade
CRR10 - The current economic climate requires strategic decisions that impact on the Brigade's ability to budget effectively
CRR13 - A breakdown in industrial relations affects our ability to deliver the service - 12
CRR14 - A risk averse culture within the organisation lessens our ability to deliver efficient and effective services
CRR15 - The national programme to replace Airwave with the Emergency Services Network (ESN) by 2017 fails to deliver a solution for the provision of radio and data communications which is both affordable in the long term and which delivers the complete functionality required by LFB

Appendix 2

Risk performance indicators

Chart 1. RAG status of corporate risks 2013/14: This shows the number of corporate risks on the Corporate Risk Register and the status of the risks overall (red = high, amber = medium, green = low). The graph shows information over the past year on a rolling quarterly basis.

[Chart: 1. RAG Status of Corporate Risks 2013-14. Vertical axis: Number. Horizontal axis: Quarter (Q4 (12/13), Q1 (13/14), Q2, Q3).]

Chart 2. RAG status of corporate current controls 2013/14: This shows the status by percentage of corporate controls currently managing the corporate risks.

[Chart: 2. RAG Status of Corporate Current Controls 2013-14. Vertical axis: Percentage. Horizontal axis: Quarter (Q4 (12/13), Q1 (13/14), Q2, Q3).]

Chart 3. RAG status of department risks (with current controls) 2013/14: This shows the number and status of departmental risks from the departmental risk registers once current controls have been applied.

[Chart: 3. RAG Status of Dept Risks (with Current Controls) 2013-14. Vertical axis: Number. Horizontal axis: Quarter (Q4 (12/13), Q1 (13/14), Q2, Q3).]