Risk Management Strategy

Risk and Insurance Team
Email: RiskAndInsurance@lambeth.gov.uk
Version: July 2010

Preface

Summary

This strategy outlines the Council’s overall approach to risk management, providing a means to recognise that effective management of risk enhances the Council’s ability to:
• Deliver corporate, strategic, partnership and programme objectives successfully
• Safeguard the Council’s assets and protect the Council’s reputation
• Keep risk management firmly embedded within the culture of the organisation
• Build upon best practice guidance, external requirements, and deliver innovative risk management solutions

Risk management is an important aspect of all our lives. We are all exposed to risk daily, at work and in our private lives, and often manage it subconsciously. We need to ensure that we think about it actively in the way that we deliver services as a council and in conjunction with or through our partners.

Partners, elected members and senior management have overall responsibility for managing risk with/for the Council. However, we all have a part to play in managing risk. Whether you are working at a Member level, Non-Executive director level or at a management level, as part of a team delivering services or in partnership with the Council (such as Lambeth First, Local Strategic Partnership (LSP) and more), this strategy should help you to understand your part in the bigger picture.

The aim of this strategy is to sustain an environment where risk management is an integral part of all of the Council’s key governance processes, including: service planning, budget setting, project management, management processes and the general culture of the authority. This results in better quality decision making that leads to a reduction in costs, an increase in the quality of services and encourages innovation.
The strategy is also about continuing to work closely with our partners and stakeholders to develop joint risk management solutions and to share our experience and knowledge in managing threats and opportunities.

Strategy Vision Statement

To become the leading council in the way that we proactively manage opportunities and threats and to be an exemplar of good practice, working in partnership with our stakeholders in developing and embedding our risk management processes.

The Council has a statutory responsibility to have in place satisfactory arrangements for managing risks as laid out under section 4 of the Accounts and Audit Regulations 2003 (amended 2006):

“The relevant body shall be responsible for ensuring that the financial management of the body is adequate and effective and that the body has a sound system of internal control which facilitates the effective exercise of that body's functions and which includes arrangements for the management of risk.”

The effectiveness of the Council’s risk management arrangements is assessed annually as part of the Annual Governance Statement (AGS) which is signed off by the Chief Executive and Leader of the Council. As part of the AGS, a Statement of Internal Control (SIC) is produced which will highlight any identified significant control weaknesses and the actions that are to be taken to address these.

Chapter 1

Introduction

This strategy builds on and replaces earlier versions of the risk management strategy, and is intended to be a high level document that provides a framework to support the Council’s statutory responsibility for managing risk. It allows the Council to further strengthen and improve its approach to risk management, enhancing its ability to deliver its strategic and operational aims and objectives successfully. The ‘risk managed’ toolkit sets out in greater detail the processes by which threats and opportunities are identified and managed within the London Borough of Lambeth (LBL).
There are three main strategic aims of this strategy which are set out below:

Strategic aim 1: To maintain and further develop a systematic and consistent risk management approach
Strategic aim 2: To provide a strategic lead and champion risk management with the Council’s partners and stakeholders
Strategic aim 3: To take a lead on developing and replicating best practice in risk management

Effective risk management

The effective management of risk affects every business unit and service across the Council, as well as every employee. This strategy provides the framework to ensure that risks across the Council are managed in a co-ordinated manner and that appropriate tools, training and guidance are made available to all staff and partners.

The key benefits to the Council of a co-ordinated approach to risk management are:
• An increased focus on what needs to be done (and not done) to meet objectives
• More effective allocation of resources
• More satisfied stakeholders and reduced complaints
• Better ability to justify decisions taken and reduced risk of mistakes
• Supports innovation, value for money and potential quality improvements in service delivery
• Protects and enhances the Council’s reputation
• Reduction of the Council’s insurance costs
• Accountability reflected through management oversight and comprehensive controls as part of an assurance framework
• Improved audit reports that enforce a consistent approach to service provided

This strategy enables the Council to take a proactive stance to risk management, ensuring that less time is spent reacting to situations and more time is spent taking advantage of opportunities.

Chapter 2

Managing Risk

There is increasing pressure on the Council to demonstrate that it is managing all of its business risks and that risk management is embedded across the organisation.
Lambeth Council operates in an environment where it needs to be able to meet its statutory obligations and deliver high quality services in an efficient and cost-effective manner. The Council’s success in managing risk and uncertainty has a direct impact on the achievement of its business objectives. Service delivery can be improved and innovated through taking well considered and managed risks (opportunities); however, service delivery can be affected where risks are taken without fully understanding or managing them.

Success or failure in achieving the Council’s corporate objectives depends on many factors, but perhaps the most important and wide ranging is the quality of decisions that are made. These decisions will range from those relating to strategic issues affecting many of those that live, work and visit the borough to everyday operational matters affecting only a localised area or service.

The Council is aware that some risks will always exist and will never be eliminated. The Council also recognises that it has a responsibility to manage risks and supports a structured and focused approach to managing them through regular development of the risk management strategy. In this way, the Council will achieve its corporate objectives and enhance the value of services it provides to its community.

What is risk management?

Risk management is a business discipline that the public, private and third sectors use to effectively manage potential opportunities and threats to the organisation achieving its objectives. It is a key part of the strategic and performance management processes and the Council’s assurance and controls/compliance arrangements.

Risks can be looked at as ‘events waiting to happen’. A hazard such as an unguarded machine or a slippery path will remain just a hazard so long as no one goes near it. It is only when people are introduced into the equation – and there is the possibility of someone being injured – that hazards become risks.
When referring to risk management, however, we use the expression ‘risk’ far more widely than merely to refer to hazards.

The definition of risk from the Australian Standard AS/NZS 4360:1999 is:
“Risk is the chance of something happening that will have an impact on objectives.”

The public risk management association’s (ALARM) definition of risk is:
“The effect of uncertainty on objectives”

The definition of risk from HM Treasury is:
“Risk is the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.”

Managing risk therefore covers all these areas, which can include a loss or damage to the Council or move the Council forward in achieving its objectives.

The Council has adopted the following definition of risk [1]:
“An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives”.
“A risk is measured in terms of a combination of the likelihood of a perceived threat or the opportunity occurring and the magnitude of its impact on objectives”

There is no mystery about risk management, but there is a lot of jargon. It really is about business decision making and enabling the process of taking risk. The key questions that need to be considered as part of the process include:
• Risk identification – what is the risk?
• Risk evaluation – what is the worst case scenario and how likely is the risk to happen?
• Risk control – can we do anything to mitigate or better manage the risk?
• Risk monitoring – are we reviewing the risk to check if anything has happened to alter the risk?
• Contingency/business continuity planning – what plans can we put in place in case the worst happens?
• Cost/benefit analysis – does the cost of managing the risk outweigh the benefits to be achieved?
[1] OGC Management of Risk

Risk management objectives

The objectives of Lambeth’s risk management strategy are to:
• Enable corporate, strategic, programme and partnership objectives to be achieved in the optimum way and to control negative factors or opportunities which would impact on the Council’s success;
• For risk management to be seen as an integral element of the Council’s culture;
• Recognise that the Council has a responsibility to manage risks and support a structured and focused approach that includes risk taking in support of innovation to add value to service delivery;
• Comply with the statutory requirements for the compilation of the Annual Governance Statement;
• Be in a better position to anticipate and respond to changing social, environmental and legislative requirements;
• Protect the public image of the Council;
• Provide a framework, procedures, tools, training and guidance to enable everyone to manage risk in the best way;
• Become one of the leading councils in risk management and be an exemplar of good practice;
• Save money and redirect resources to key areas, ensuring continuity of service.
How these objectives will be achieved

These objectives will be achieved by:
• Maintaining clear roles, responsibilities and reporting lines within the Council for risk management, including Risk Champions’ and Risk Coordinators’ duties;
• Ensuring that Members, the Strategic Leadership Board (SLB), external regulators and the public at large can obtain necessary assurance that the Council is mitigating the risks of not achieving key priorities, and is thus complying with good corporate governance;
• Incorporating risk management considerations into internal audit reviews;
• Providing opportunities for shared learning on risk management across the Council and its strategic partners;
• Ensuring that risk management continues to be incorporated into all decision making processes of the Council and its partners;
• Offering a platform for identifying, prioritising and detailing control measures for Council-wide and partnership cross cutting risks;
• Ensuring all risks arising from any projects are fully identified, assessed and managed in accordance with the Council’s project management methodology;
• Ensuring that corporate, strategic, operational, partnership and project risks are discussed on a regular basis as part of relevant meetings, including team meetings and staff one-to-ones;
• Preparing and keeping up to date business continuity and recovery plans for all areas where there is the potential for an incident to have an impact on the Council and its business capacity;
• Monitoring arrangements on an on-going basis;
• Measuring what we do.

Outcomes of good risk management

For individuals or any size organisation, good risk management can bring many benefits, some of which are outlined below:
• Able to satisfy government regulations (e.g. Corporate manslaughter act, Health and safety act, etc);
• Strong corporate responsibility;
• Compliance with the Council’s financial and contractual regulations;
• Helps teams to achieve goals and objectives;
• Improves reputation;
• Helps to safeguard against financial loss;
• Increases competitiveness (e.g. against other agencies);
• Reduces the chances of failure/take over/winding up of the organisation;
• Minimises the chances and effects of injury, loss of job etc. for individuals;
• Reduces disruptions to key stakeholders;
• Able to identify and exploit opportunities within the projects and services.

Note: this is not an exhaustive list.

Chapter 3

Statutory requirements

Corporate governance requires that risk management be ‘embedded’ in the culture of the Council. The Council is also responsible for ensuring that its business is conducted in accordance with the law and proper standards, and that public money is safeguarded and properly accounted for and used economically, efficiently and effectively.

The Council has a duty under the Local Government Act 1999 to make arrangements to secure continuous improvement in the way in which its functions are exercised, having regard to a combination of economy, efficiency and effectiveness. In discharging this overall responsibility, the Council is responsible for putting in place proper arrangements for the governance of its affairs and facilitating the effective exercise of its functions, which include arrangements for the management of risk.

Effective risk management is an ongoing process with no overall end date, as new risks (threats and opportunities) arise all the time. The risk management strategy sets out key objectives for the improvement of risk management across a three year rolling period. However, the strategy is updated on an annual basis to ensure that it remains fit for purpose.
The Risk Management Policy

The risk management policy is a one page summary of the main objectives and the need for risk management. The policy is designed to briefly explain the benefits of risk management, the principles and objectives of risk management and the Council’s compliance requirements. Joint ownership by both the Chief Executive and the Leader of the Council will help support a culture where risk management is embedded, managed and reported accordingly.

See Appendix A for the Risk Management Policy.

Strategic Vision

Vision Statement

To become the leading council in the way that we proactively manage opportunities and threats and to be an exemplar of good practice, working in partnership with our stakeholders in developing and embedding our risk management processes.

By following the approach to risk management set out in this strategy, the Council seeks to minimize the threats with the potential to affect the delivery of its corporate objectives, thereby improving the services that it delivers and enhancing the lives of those that live, work and visit Lambeth.
The key benefits of our approach to risk management will be:
• Reduced incidence of mistakes/uninformed decision making
• Common view of risk management with key partners and across major projects
• Greater transparency in decision making
• Increased focus on what needs to be done (or stopped) to meet objectives
• Supporting innovation
• More satisfied stakeholders/partners
• Greater control of costs – demonstrating value for money
• Enhanced ability to justify actions taken
• Improved performance management
• Protects and enhances the reputation of Lambeth Council

Strategic Aims

The main aims of this strategy are to encourage staff and partners to make decisions based on risk, to ensure staff have access to appropriate tools, training and support to enable them to effectively practise risk management, to strengthen the Council’s ability to deliver successful partnerships and to lead on risk management nationally. This will be achieved through our three strategic aims as outlined below.

Strategic aim 1: To maintain and further develop a systematic and consistent risk management approach which will ensure appropriate and robust arrangements, tools and training are in place across all areas of the Council to allow for the effective identification, recording and management of opportunities and threats.

This means:
• Transforming service delivery, by managing threats and realising opportunities;
• Embedding risk management to create an environment and culture where risk management becomes an integral part of service delivery and planning;
• Achieving better quality decision making through making risk management an integral part of governance processes;
• Minimising possible failure through risk identification and performance management;
• Having suitably skilled and trained staff who are advocates for risk management across the Council;
• Reviewing existing methodology and improving the monitoring and reporting process.
Strategic aim 2: To provide a strategic lead and champion risk management with the Council’s partners and stakeholders, including Lambeth First (Lambeth’s LSP), who are delivering the targets set out in the LAA, Lambeth schools and other key partners, to allow for the effective joint management of threats and opportunities.

This means:
• Having partnership risk registers that are up-to-date and managed;
• Being an ambassador for the Council, ensuring that risk management is addressed on external boards;
• Incentivising schools, to minimise threats and maximise opportunities;
• Risk ranking our estates, to support excellent service delivery;
• Developing joint solutions with our partners to improve risk management.

Strategic aim 3: To take a lead on developing and replicating best practice in risk management, allowing better outcomes for the Council through improved risk assessment, decision making and effective controls, including the realisation of opportunities.

This means:
• Joint working with our partners/stakeholders to deliver better services to the community;
• Regular benchmarking, adapting best practice to improve risk management;
• Leading on innovative projects to enhance risk management awareness and practices within the Council and its partners;
• Active participation externally to help shape the future of risk management within the public sector;
• Developing our internal pool of risk expertise through job competencies, training, tools and professional development.

This Strategy and the Sustainable Community Strategy and Corporate Plan

Lambeth Council shares a vision with its partners for the borough, documented in Our 2020: Lambeth’s Sustainable Community Strategy (SCS). The Council has a clear set of priorities in a Corporate Plan covering short-, medium- and long-term ambitions. Its integrated service and financial planning system allows the Council to identify and resource priorities effectively over a three year period.
The process is outcome-focussed, reflects the ambitions in the Sustainable Community Strategy and the Local Area Agreement (LAA), is informed by the needs of its communities and is flexible enough to adapt to new pressures and challenges as they arise.

The Council, working with strategic partners and local communities, set out the following six priorities:
• A safer Lambeth with strong communities
• More opportunities for children and young people
• Better housing and flourishing local economies
• Respect for our environment
• Developing personalised care services
• Serving our customers well

All threats and opportunities that are identified and recorded within the Council’s risk register can be referenced to one of the six priorities.

Roles and Responsibilities

The London Borough of Lambeth is fully committed to developing a culture where risk is effectively and appropriately managed throughout the organisation. As a result there is a greater strategic emphasis, which has led to:
• The Strategic Leadership Board nominating the Executive Director of Finance and Resources; and
• Cabinet nominating the Executive Member for Finance and Resources
to provide the lead roles for risk management and championing it at a leadership level.

In support of this, each department has a nominated divisional director to act as the champion for risk and to represent their department at the quarterly risk champions meetings. Departments also have risk coordinators to support the risk champions and to focus on the operational elements of risk management.

Dedicated risk management resources are provided by the risk and insurance team, within the Finance & Resources department. The risk manager and the risk management officers are responsible for establishing and maintaining an effective risk management framework and developing appropriate guidance, tools and systems that allow for risks to be identified, recorded and managed, in accordance with best practice.
The role of the risk management team is primarily that of an advisory, support, and critical friend function and they are supported by the risk champions and the risk coordinators from across all Council departments.

The ultimate responsibility for risk management lies with the Leader of the Council and the Chief Executive; however, it must be stressed that risk management is the responsibility of everyone working in Lambeth, to identify and manage risks within their area of activity.

Chapter 4

The risk management process

Introduction

Essentially risk management is the process by which risks are identified, evaluated, and controlled. It is about managing resources wisely, evaluating courses of action to support decision making, protecting clients from harm, safeguarding assets and the environment and protecting the organisation’s public image.

Whenever an activity takes place, there will be an outcome that will either be success or failure. In undertaking the activity there will be a number of factors which need to be right to determine whether the activity is a success or not, or to put it the other way round, there are a number of risk factors which, if they are not managed properly, will result in failure rather than success.

Risk Management is fundamentally a business planning tool designed to provide a methodical way for addressing risk. It is about:
• Identifying the objectives and what can go wrong
• Acting to avoid it going wrong or to minimise the impact if it does
• Giving rise to opportunities and reducing threats.

The risk management process is broken down into five steps illustrated below:

Figure 1: Lambeth's risk management cycle

Step 1: Clarify Objectives

It is difficult to think about risk in isolation, so the first step is to be clear about the objectives and key deliverables. The first step of the risk management process requires information about the (planned) activity.
This will include understanding:
• What are the department’s/project’s/partnership’s objectives?
• What is the scope of the activity?
• What assumptions have been made?
• Who are the stakeholders?
• Where does the activity sit within the departmental/project/partnership structure?

This includes:
• Making sure that everyone is clear about the relationship between the service and its wider environment;
• Identifying internal and external stakeholders;
• Understanding the Council and its capabilities, as well as its goals and objectives and strategies that are in place to achieve them.

Step 2: Identify and Analyse risks

The aim of this step is to identify the risks to the (planned) activity that may affect the achievement of the objective(s), which can lead to either reduced performance or increased benefits. Wide consultation is required from all levels of management and staff and will include asking the following questions:
• What will prevent the achievement of the stated objectives?
• Has it gone wrong before?
• Who should own this risk?
• When should we start managing this risk? I.e. when is the risk likely to materialise?

Note: There is often confusion between the terms ‘risk’ and ‘issue’. An issue is a concern that either cannot be avoided or has already happened – for example, failed to deliver service within time scale. This is a known outcome, whereas a risk may not actually materialise.

To identify risks at different levels of the organisation, workshops and training sessions are facilitated by the risk management team. There are, however, many other methods that can be used for risk identification, such as questionnaires, SWOT analysis (strengths, weaknesses, opportunities and threats), brainstorming sessions (also using prompt words) and more.
During the identification stage the following information is gathered:
• Risk description (Cause Risk Effect)
• Type of risk – for example, political, financial, reputation, etc., and
• Risk owner

Risk Ownership

Having identified and defined the risks, it is essential that someone "owns" them (i.e. the risk owner). This is not the same as being responsible for carrying out any actions which may be needed to control the risk (i.e. the control owner). However, without a named individual taking a lead responsibility, it is unlikely that risk management actions will be followed through. For that reason, this person should be, where possible:
• Someone who has the ability to influence the outcome of the event, one way or another;
• A primary person who is accountable for the delivery in the area where the risk would have an impact.

In reality, the individuals selected would be accountable for managing the risk which affects the objective, whether explicitly named or not. "Ownership" of the risk within the context of the risk management framework simply formalises their responsibilities.

Step 3: Assess Risks

The main reason for assessing risks is to distinguish between those risks which require comprehensive action to manage, and other risks which can be more easily managed. When risks are assessed there is a need to:
1. Firstly, be clear about the source of risk (Step 2), then
2. Determine the likelihood that the risk will occur and the potential impact (see Figure 2), and
3. Finally, generate risk scores to establish priority levels

Determining the likelihood and impact

The likelihood (or probability) and impact (or severity) of the event occurring is always a question of judgement, as with identifying risk. Knowledge, expertise and common sense help during this decision making process. Other areas which can be utilised include:
• Past records,
• Expert judgments, and
• Any relevant published material.

LBL uses a 4 point scale when measuring the likelihood and impact.
The product of these scores is placed on a risk matrix, which represents the council’s ‘Appetite’ for risk. Placing this score on the 4 x 4 risk matrix (see Figure 2) produces a risk profile. This is translated into the appropriate colours to help prioritise the management, attention and actions required for the risk.

Note: All scores are subjective and it is recommended that scoring is agreed at team meetings, rather than by an individual judgment.

Risk Appetite

The risk matrices are used to help prioritise risks and assist risk owners in the actions they need to take to either reduce the scores (for threats) or increase the scores (for opportunities). The dark line (risk tolerance threshold) sets the position at which immediate action is required. This line may vary from time to time depending on board/management approval. For example, a project or a partnership may vary the tolerance in line with their priority levels.

The matrices below show the Council's risk appetite, as approved in the September 2009 Corporate Committee.

For Threats: The colour scheme Red, Amber and Green is used to indicate the importance of the risk, with Red threats being the risks which need more attention.

Figure 2.1: Lambeth Council's Risk Matrix for Threats

For Opportunity: The colour scheme Gold, Silver and Bronze is used to indicate the importance of the risk, with Gold opportunities being the risks which need more attention.

Figure 2.2: Lambeth Council's Risk Matrix for Threats

Variations in the tolerance line

Risks will be escalated according to the levels set out below.
It is recommended that all programmes/projects adopt a similar approach to help managers focus on the key risks at the relevant meetings:
• Strategic Leadership Board (SLB) - Council risks score 32 only
• Risk Champions - Council risks score 24 & above
• Departmental Leadership Teams - Department risk scores 16 & above
• Divisional Management Teams - Divisional risk scores 8 & above
• Sub-Division Teams - All team risks

Corporate risks will be reviewed at all risk review meetings with the Risk Champions and SLB approving the final list. Corporate Committee will receive a copy of the corporate risk register as part of their quarterly meetings.

Step 4: Address Risks

Without this step, risk management would be no more than a bureaucratic process. Addressing risk involves taking practical steps to manage and control it. Not all risks need to be dealt with in the same way. The common risk responses outlined below should help in considering the range of options available when responding to risks. Importantly, when agreeing actions to control risk, consideration is required on whether the actions themselves introduce new risks or affect other people in ways which they need to be informed about.

For threats, a fallback plan will need to be carried out to minimize the negative impact. For opportunities, a forward plan will need to be carried out to maximise the positive impact.

Threat responses

Responses should be implemented that limit the effect of the threats to the extent that consequences of the response actions do not increase the likely value of the overall risk score.
• Accept: An informed decision to accept the likelihood and consequence of a particular risk, e.g. the ability to do anything about some risk may be limited, or the cost of taking any action may be disproportionate to the potential benefit;
• Avoid: An informed decision not to become involved in a risk situation. This can be challenging as LBL may not be able to avoid risks associated with its statutory functions, e.g. changing objectives;
• Transfer: Shifting the responsibility or burden for the loss to another party, e.g. through insurance;
• Reduce: A selective application of management action, by applying internal control to reduce either the likelihood or the impact, or both, designed to contain risk to acceptable levels, e.g. mitigation action, contingency planning and more.

Opportunity Response

The aim is to improve one or more objectives in such a way that the cost and implications of the response actions increase the likely value of improvement.
• Ignore: Choosing to ignore the opportunity if the cost of seizing it will increase budget agreements. A basic cost benefit analysis could be done to determine if the opportunity is worth pursuing.
• Exploit: Identifying and seizing multiple benefits. Refers to changing an activity’s scope, supplier or specification to achieve a beneficial outcome without changing the objectives or specification.
• Share: Application of a pain/gain formula where both parties share the gain (with pre-agreed limits) if the cost is less than the share plan; or share the pain if cost exceeds. By description, this method of treatment can also be used for threats as well.

Note: most action taken to manage risk has an associated cost. When considering actions make sure that the cost is proportionate to the risk that it is controlling.

Choosing whether to eliminate or innovate

Innovation by its very nature involves taking risks, and as a consequence, places greater demand on all of us to ensure that those risks are well managed. One of the key aims of risk management is to ensure that the process supports innovation, not by preventing it but rather by helping to take well thought through risks that maximise the opportunities of success.

Good risk management is about being "risk aware" not "risk averse"!!
Step 5: Monitor and Review

Few risks will remain static. New stakeholders and corporate initiatives may affect the department, programme or partnership’s risks, and existing ones may continually change in terms of their interest and influence. For example, some risks cease to exist once a key milestone has passed during the life cycle of the project.

Once risks have been identified and appropriate controls and action plans are put in place to manage them, it is essential to routinely monitor their status. The Council’s risk tool helps risk owners to record, manage and monitor risks. It is also able to produce various reports for analysis, including risk registers. Each manager will have access to their risk data and is responsible for keeping it up to date. Automatic e-mail reminders are sent from the risk system to remind risk and control owners to review and update actions as appropriate.

As a guide, risks should be reviewed using the following criteria; however, owners will need to use good judgement in reviewing their risks:

Risks | Programmes, projects and partnerships | Standard Review
Red and Gold risks | 1-3 months | Monthly
Amber and Silver risks | 3 months | Monthly
Green and Bronze risks | 6 months | Quarterly

Note: At least annually, each risk register should be reviewed in its entirety.

Risk reporting framework

It is essential that risk management is used as a tool to assist good management and to provide assurances to relevant officers that adequate measures have been taken to manage risk. To support this, risk management has been integrated into the corporate, strategic and operational business planning process. By using the risk methodology, key risks facing the Council or a particular service (in the delivery of their objectives) will be identified. This helps to ensure that risks in the delivery of the corporate plan are identified and managed.

Risk Escalation

Escalation of risks ensures that managers have a clearer picture on risks or issues facing service areas.
This helps in the overall decision making process by allowing senior staff to allocate resources, where available, or review underperforming areas, and to hold officers to account.

The following chart shows the reporting process of the risk registers. Risks are typically identified through a bottom-up process, with information also flowing top-down.

[Figure 3: Risk escalation process. Levels shown: Corporate Committee, Strategic Leadership Board, Risk Champions, Risk Coordinators, Departmental Leadership Teams…]

Risk Registers

Risk registers will reflect levels of the Council as listed below:

Corporate risk register
The corporate risk register will be used to record and monitor risks considered significant for the Council. This will flow from the Departmental risk registers. This register will become a public document after quarterly review from Strategic Leadership Board and Corporate Committee.

Departmental risk register
Departments will be responsible for their own risk register which will flow from their respective divisional risk registers. This register will be challenged and moderated quarterly by the respective Departmental Leadership Teams (DLTs).

Divisional risk register
Divisions will also be responsible for their own risk register. This register will be challenged and moderated quarterly by the respective Divisional management teams. Divisional registers will also contain risks OF the partnership, programme/project, which the divisional team will be sponsoring or working with.

Partnership/Programme/Project risk registers
Where it is considered appropriate, major programmes/projects and partnerships will produce and maintain their own risk registers, and be responsible for updating this on a quarterly basis. The registers will contain the risks TO the partnership/programme/project, i.e. risks which are internally focussed on the partnership/programme/project.
Note: All risk registers should be recorded on the Council’s electronic risk recording tool.

Further information and guidance

All of the above is covered in more detail in the Lambeth ‘Risk management toolkit’, which provides a detailed methodology on the risk management process, designed to be easy for managers and officers to use when managing their risks. The toolkit also contains details on the categories of risk, details on how to articulate a risk and further information on the criteria for likelihood and impact ratings. The toolkit can be accessed internally via the Council’s intranet pages.

Chapter 5 Action Plan

Delivering the strategy

The objectives set out within the action plan are those that have been identified in order to deliver the three strategic aims of the strategy. All objectives have been designed to improve risk management processes across the Council, addressing identified areas of weakness and building on best practice to ensure that risk management is embedded throughout the Council.

Strategic aim 1: To maintain and further develop a systematic and consistent risk management approach that will ensure appropriate and robust arrangements, tools and training are in place across all areas of the Council to allow for the effective identification, recording and management of opportunities and threats.

Strategic aim 2: To provide a strategic lead and champion risk management with the Council’s partners and stakeholders (this includes partnership working, including with the Lambeth Strategic Partnership, who are delivering the targets set out in the LAA, Lambeth schools and other key partners), to allow for the effective joint management of threats and opportunities.
Strategic aim 3: To take a lead on developing and replicating best practice in risk management which will allow for better outcomes for the Council through improved risk assessment, decision making and effective control and through the realisation of opportunities, whilst also quantifying the financial cost of poor risk management decisions.

The Strategic aims are covered in more detail in the ‘Risk management action plan’, which can be accessed internally via the Council’s intranet pages.

Appendix A

LONDON BOROUGH OF LAMBETH’S RISK MANAGEMENT POLICY STATEMENT

LONDON BOROUGH OF LAMBETH (LBL) RECOGNISES AND ACCEPTS ITS RESPONSIBILITY [1] TO MANAGE RISKS EFFECTIVELY IN A STRUCTURED MANNER IN ORDER THAT LBL WILL BETTER ACHIEVE ITS CORPORATE AND PARTNERSHIP OBJECTIVES AND ENHANCE THE VALUE OF SERVICES IT PROVIDES TO THE COMMUNITY.

In pursuit of this aim LBL has adopted a risk management strategy that captures the following key objectives:
• Enable corporate, strategic, programme and partnership objectives to be achieved in the optimum way and to control risks and maximise opportunities which could impact on LBL’s success;
• LBL recognises it has a responsibility to manage risks and support a structured and focused approach that includes risk taking in support of innovation to add value to service delivery;
• Risk management is seen as an integral element of the LBL culture.

These key objectives will be achieved by:
• Establishing clear roles, responsibilities and reporting lines for risk management;
• Ensuring that Cabinet Members, the Strategic Leadership Board (SLB), external regulators and the public at large can obtain necessary assurance that the Council is mitigating the risks of not achieving key priorities and managing opportunities to deliver more value to the community, and is thus complying with good corporate governance;
• Providing opportunities for shared learning on risk management across the Council and its strategic partners;
• Monitoring arrangements on an on-going basis.

APPETITE FOR RISK

“LBL seeks to minimise unnecessary risk and manage residual risk to commensurate with its status as a public body. However, the LBL will positively decide to take risks in pursuit of its ambitions for its community where it has sufficient assurances that:
i. The risks have been properly identified and assessed;
ii. The risks will be appropriately managed, including the taking of appropriate actions and the regular review of risk(s);
iii. The potential benefits accruing to the community justify the level of risk to be taken.”

APPROVED BY:
Derrick Anderson (Chief Executive)
Steve Reed (Council Leader)

[1] Accounts and Audit Regulations 2003 (as amended)

Appendix B - Roles and responsibilities

It is vital that everybody within Lambeth understands the role that they play in effective risk management. Every member and officer is responsible for ensuring effective risk management. To help clarify an individual's responsibility for risk management within their role, a set of risk management competencies has been developed and is available for inclusion within individual job descriptions.
The role of the risk management team is primarily that of an advisory, support and critical friend function and to support this, the following structure has been established:

Role / Responsibilities

LSP
• Participate (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
• Understand the Risk management Policy and Strategy and their accountabilities;
• Implement the risk management processes within their areas of responsibility;
• Ensure risk management is at the heart of decision making and key information is delivered through executive groups;
• Promote good risk management within the partnership.

Cabinet and Elected members
• Owns the Council’s Risk management Policy;
• Defines the overall risk appetite for the organisation;
• Reviews the corporate risk register;
• Reviews the departmental risks within their area of leadership;
• To take reasonable steps to consider the risks involved in the decisions agreed;
• To regularly discuss new and existing risks with the relevant Executive director.

Corporate committee
• Monitors the effective development and operation of risk management and corporate governance in the Council;
• Monitors and acts on escalated corporate risks under the direction of the Chief Executive;
• Oversees and approves the Council’s risk management policy and strategy;
• Receives quarterly updates on threats and opportunities which impact on the Council’s corporate objectives.

Risk management sponsors (Executive Director of F&R and the Cabinet member for F&R)
• Defines the Risk Management Policy;
• Sponsors risk management at corporate level with members and officers;
• Oversees the corporate risk register process.

Strategic Leadership Board (SLB)
• Ensures that Risk Registers, a risk review process and an escalation process are in place for designated parts of the Council;
• Owns individual corporate risks (as delegated by the Chief Executive);
• Identifies the need for investment to fund, promote and oversee the implementation of the risk management strategy;
• Ensures participation in the delivery of risk management within the organisation;
• Establishes a Risk Champions group as a sub-group of the board;
• Identifies risks and approves corporate risk as escalated from risk champions;
• Agrees the involvement of the risk manager, internal audit and risk champions as appropriate.

Finance Strategy Board with Risk Champions
• Ensures that risk management process is consistent across departments;
• Approves recommendations from Departmental Leadership Teams (DLT) and Departmental Management Teams (DMT);
• Monitors and reviews high level risks and issues, escalating to SLB as appropriate;
• Ensures that risk is managed effectively within departments and service areas;
• Provides risk management recommendations through the internal audit process;
• Provides a forum for the discussion on risks and issues raised by risk registers, environmental condition, and internal and external audits.

Head of Risk Champions
• Establishes the purpose, terms of reference, agenda, frequency of meetings and reporting protocols of the risk champions;
• Chairs the Finance Strategy Board with Risk champions. Agrees what level of risk information will be communicated to SLB and how corporate risks will be escalated to SLB between meetings, when circumstances dictate.

Risk Champions
• Main contact for the department on the subject of risk and its management, including liaising with the Risk Manager;
• Oversees the corporate approach to risk management within their department;
• Represents their department on risk related events, including corporate committee and SLB scrutiny;
• Ensures risk is managed effectively in each division in accordance with the agreed corporate strategy;
• Reviews corporate, strategic, operational, project, partnership risks and provides a challenge to departments, making recommendations where appropriate;
• Takes recommendations and updates from DLT’s on risks/issues;
• Identifies training needs and notifies such needs to the Risk Coordinator.

Risk Coordinators
• Responsible for co-ordinating the risk management strategy & activities within their department, seeking support from the Risk and insurance team as necessary;
• Prepares and facilitates risk meetings/workshops;
• Prepares risk management reports for risk champions;
• Reviews corporate, strategic, operational, project, partnership risks and provides a challenge to divisions, making recommendations where appropriate;
• Promotes benefits of risk management within their department and communicates corporate information and requirements;
• Identifies training needs and notifies such needs to the appropriate manager.

Risk Manager and the Risk Management Team
• Ensures the Risk Management Policy is implemented;
• Develops plans to improve the management of risk;
• Develops risk management guidance and training and supports Risk champions and Risk coordinators in delivering their role;
• Ensures appropriate staff and Members are adequately trained in risk management;
• Carries out ongoing management of risk maturity assessments.

Departmental Leadership Teams (DLT’s) and Departmental Management Teams (DMT’s)
• Ensures department is identifying and managing corporate, strategic, operational, project and partnership risks effectively;
• Reviews and challenges risk registers for their departments on a quarterly basis;
• Makes recommendations on risks/issues to escalate to SLB;
• Sets priorities for dealing with unacceptable risks and to reduce risks;
• Ensures that risk management roles and responsibilities are included within appropriate job descriptions.

Divisional Directors / Heads of service / service managers
• Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
• Understands the Risk management Policy and Strategy and their accountabilities;
• Maintenance of the risk register in their area of responsibility, ensuring that all risks are added to the Council’s risk register;
• Escalating risks of a corporate nature to the attention of their DLT;
• Undertakes risk assessments for their service in relation to service / business planning and budget setting process;
• Establishes training requirements with regard to the strategy implementation;
• Identifies partnership and contractual arrangements where there are shared risks, ensuring these are recorded and properly managed;
• Reviews risks and risk assessments on a regular basis and discusses the management of risks with relevant team members.

Programme, project, strategic and operational boards and senior responsible owners
• Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities;
• Understands the Risk management Policy and Strategy and their accountabilities;
• Implements the risk management processes within their areas of responsibility;
• Escalates programme/project, strategic and operational risks as appropriate;
• Records and puts in place controls to eliminate or reduce risks before new projects are implemented;
• Identifies partnership and contract arrangements where there are shared risks and ensures that these are recorded and managed properly.

Risk/control measure owners
• Ensures effective action is taken to manage risk;
• Ensures the integrity of information recorded on the risk register;
• Oversees control measures and reviews proposed mitigating actions;
• Monitors progress against mitigating actions;
• Reports to their DLT on changes in risks to ‘red’ risk status.

Internal Audit
• Understands the Risk management Policy and Strategy;
• Supports and reviews the risk management process;
• Focuses internal audit work on significant risks;
• Provides the risk team with updates on risks identified from audits;
• Provides assurance on risk management across the council based upon reviews through audit risk assessments.

All Council employees
• Becomes aware of the Risk Management Policy and Strategy;
• Understands their responsibilities in managing risk;
• Participates (as appropriate) in the identification, assessment and control of threats and opportunities;
• Immediately reports to their manager any incident, accident or ‘near misses’ or any other concerns that they may have with regards to risks.