Risk Management Strategy by lpn12535


More Info
									          Risk Management


Risk and Insurance Team
Email: RiskAndInsurance@lambeth.gov.uk
                                         Version: July 2010

This strategy outlines the Council’s overall approach to risk management
providing a means to recognise that effective management of risk enhances
the Council’s ability to:

   •   Deliver corporate, strategic, partnership and programme objectives

   •   Safeguard the Council’s assets and protect the Council’s reputation

   •   Keep risk management firmly embedded within the culture of the

   •   Build upon best practice guidance, external requirements, and deliver
       innovative risk management solutions

Risk management is an important aspect of all our lives. We are all exposed
to risk daily, at work and in our private lives, and often manage it
subconsciously. We need to ensure that we think about it actively in the way
that we deliver services as a council and in conjunction with or through our

Partners, elected members and senior management have overall
responsibility to managing risk with/for the Council. However, we all have a
part to play in managing risk. Whether you are working at a Member level,
Non-Executive director level or at a management level, as part of a team
delivering services or in partnership with the Council (such as Lambeth First,
Local Strategic partnership (LSP) and more), this strategy should help you to
understand your part in the bigger picture.

The aim of this strategy is to sustain an environment where risk management
is an integral part of all of the Council’s key governance processes including;

                                      2 of 33
service planning, budget setting, project management, management
processes and the general culture of the authority. This result in better quality
decision making that leads to a reduction in costs, an increase in the quality of
services and encourages innovation.

The strategy is also about continuing to work closely with our partners and
stakeholders to develop joint risk management solutions and to share our
experience and knowledge in managing threats and opportunities.

                             Strategy Vision Statement

         To become the leading council in the way that we proactively manage
      opportunities and threats and to be an exemplar of good practice, working in
        partnership with our stakeholders in developing and embedding our risk
                               management processes.

The Council has a statutory responsibility to have in place satisfactory
arrangements for managing risks as laid out under section 4 of the Accounts
and Audit Regulations 2003 (amended 2006):

“The relevant body shall be responsible for ensuring that the financial
management of the body is adequate and effective and that the body has
a sound system of internal control which facilitates the effective
exercise of that body's functions and which includes arrangements for
the management of risk.”

The effectiveness of the Council’s risk management arrangements is
assessed annually as part of the Annual Governance Statement (AGS) which
is signed off by the Chief Executive and Leader of the Council. As part of the
AGS, a Statement of Internal Control (SIC) is produced which will highlight
any identified significant control weaknesses and the actions that are to be
taken to address these.

                                         3 of 33


This strategy builds on and replaces earlier versions of the risk management
strategy, and is intended to be a high level document that provides a framework to
support the Council’s statutory responsibility for managing risk. It allows the
Council to further strengthen and improve its approach to risk management
enhancing its ability to deliver its strategic and operational aims and objectives

The ‘risk managed’ toolkit sets out in greater detail the processes by which threats
and opportunities are identified and managed within the London Borough of
Lambeth (LBL).

There are three main strategic aims of this strategy which are set out below:

   Strategic aim 1: To maintain and further develop a systematic and
                       consistent risk management approach

   Strategic aim 2: To provide a strategic lead and champion risk
                       management with the Council’s partners and

   Strategic aim 3: To take a lead on developing and replicating best
                    practice in risk management

                                        4 of 33
Effective risk management

The effective management of risk affects every business unit and service across
the Council, as well as every employee. This strategy provides the framework to
ensure that risks across the Council are managed in a co-ordinated manner and
that appropriate tools, training and guidance are made available to all staff and

The key benefits to the Council of a co-ordinated approach to risk management

•   An increased focus on what needs to be done (and not done) to meet

•   More effective allocation of resources

•   More satisfied stakeholders and reduced complaints

•   Better ability to justify decisions taken and reduced risk of mistakes

•   Supports innovation, value for money and potential quality improvements in
    service delivery

•   Protects and enhances the Council’s reputation

•   Reduction of the Council’s insurance costs

•   Accountability reflected through management oversight and comprehensive
    controls as part of an assurance framework

•   Improved audit reports that enforce a consistent approach to service provided

This strategy enables the Council to take a proactive stance to risk management
ensuring that less time is spent reacting to situations and more time is spent
taking advantage of opportunities.

                                        5 of 33

Managing Risk

There is increasing pressure on the Council to demonstrate that it is managing all
of its business risks and that risk management is embedded across the
organisation. Lambeth Council operates in an environment where it needs to be
able to meet its statutory obligations and deliver high quality services in an
efficient and cost-effective manner.

The Council’s success in managing risk and uncertainty has a direct impact on
the achievement of its business objectives. Service delivery can be improved and
innovated through taking well considered and managed risks (opportunities),
however service delivery can be affected where risks are taken without fully
understanding or managing them.

Success or failure in achieving the Council’s corporate objectives depends on
many factors, but perhaps the most important and wide ranging is the quality of
decisions that are made. These decisions will range from those relating to
strategic issues affecting many of those that live, work and visit the borough to
everyday operational matters affecting only a localised area or service.

The Council is aware that some risks will always exist and will never be
eliminated. The Council also recognises that it has a responsibility to manage
risks and supports a structured and focused approach to managing them through
regular development of the risk management strategy. In this way, the Council will
achieve its corporate objectives and enhance the value of services it provides to
its community

                                        6 of 33
What is risk management?

Risk management is a business discipline that the public, private and third
sectors use to effectively manage potential opportunities and threats to the
organisation achieving its objectives.

It is a key part of the strategic and performance management processes and
the Council’s assurance and controls/compliance arrangements.

Risks can be looked at as ‘events waiting to happen’. A hazard such as an
unguarded machine or a slippery path will remain just a hazard so long as no
one goes near them. It is only when people are introduced into the equation –
and there is the possibility of someone being injured – that hazards become

When referring to risk management however, we use the expression ‘risk’ far
more widely than merely to refer to hazards. The definition of risk from the
Australian Standard AS/NZS 4360:1999 is:
“Risk is the chance of something happening that will have an impact on

The public risk management association’s (ALARM) definition of risk is:
                 “The effect of uncertainty on objectives”

The definition of risk from HM Treasury is:
    “Risk is the uncertainty of outcome, whether positive opportunity or
  negative threat, of actions and events. It is the combination of likelihood
                and impact, including perceived importance.”

Managing risk therefore covers all these areas which can include a loss or
damage to the Council or move the Council forward in achieving its objectives.

                                         7 of 33
The Council has adopted the following definition of risk ;

“An uncertain event or set of events that, should it occur, will have an effect
on the achievement of objectives”.

“A risk is measured in terms of a combination of the likelihood of a
perceived threat or the opportunity occurring and the magnitude of its
impact on objectives”

There is no mystery about risk management, but there is a lot of jargon. It
really is about business decision making and enabling the process of taking
risk. The key questions that need to be considered as part of the process

      •   Risk identification – what is the risk?

      •   Risk evaluation – what is the worst case scenario and how likely is the
          risk to happen?

      •   Risk control – can we do anything to mitigate or better manage the

      •   Risk monitoring – Are we reviewing the risk to check if anything has
          happened to alter the risk?

      •   Contingency/business continuity planning – what plans can we put
          in place in case the worst happens?

      •   Cost/benefit analysis – does the cost of managing the risk outweigh
          the benefits to be achieved?

    OGC Management of Risk

                                         8 of 33
Risk management objectives

The objectives of Lambeth’s risk management strategy are to:

   •   Enable corporate, strategic, programme and partnership objectives to
       be achieved in the optimum way and to control negative factors or
       opportunities which would impact on the Council’s success;

   •   For risk management to be seen as an integral element of the Council’s

   •   Recognises that the Council has a responsibility to manage risks and
       support a structured and focused approach that includes risk taking in
       support of innovation to add value to service delivery;

   •   Comply with the statutory requirements for the compilation of the Annual
       Governance Statement;

   •   Be in a better position to anticipate and respond to changing social,
       environmental and legislative requirements;

   •   Protect the public image of the Council;

   •   Provide a framework, procedures, tools, training and guidance to enable
       everyone to manage risk in the best way;

   •   Become one of the leading councils in risk management and be an
       exemplar of good practice;

   •   Save money and redirect resources to key areas, ensuring continuity of

                                       9 of 33
How these objectives will be achieved

These objectives will be achieved by:

   •   Maintaining clear roles, responsibilities and reporting lines within the
       Council for risk management, including Risk Champions and Risk
       Coordinators duties;

   •   Ensuring that Members, the Strategic Leadership Board (SLB), external
       regulators and the public at large can obtain necessary assurance that the
       Council is mitigating the risks of not achieving key priorities, and is thus
       complying with good corporate governance;

   •   Incorporating risk management considerations into internal audit

   •   Providing opportunities for shared learning on risk management across
       the Council and its strategic partners;

   •   Ensuring that risk management continues to be incorporated into all
       decision making processes of the Council and its partners;

   •   Offering a platform for identifying, prioritising and detailing control
       measures for Council-wide and partnership cross cutting risks;

   •   Ensuring all risks arising from any projects are fully identified, assessed
       and managed in accordance with the Council’s project management

   •   Ensuring that corporate, strategic, operational, partnership, project risks
       are discussed on a regular basis as part of relevant meetings, including
       team meetings and staff one-to-ones;

   •   Preparing and keeping up to date business continuity and recovery plans
       for all areas where there is the potential for an incident to have an impact
       on the Council and its business capacity;

   •   Monitoring arrangements on an on-going basis;

   •   Measuring what we do.

                                         10 of 33
Outcomes of good risk management

For individuals or any size organisation, good risk management can bring many
benefits, some of which are briefed below:

   •   Able to satisfy government regulations (e.g. Corporate manslaughter act,
       Health and safety act, etc);

   •   Strong Corporate responsibility;

   •   Compliance with the Council’s financial and contractual regulations;

   • Helps teams to achieve goals and objectives;

   • Improves reputation;

   • Helps to safeguard against financial loss;

   • Increases competitiveness (e.g. against other agencies);

   • Reduces the chances of failure/take over/winding up of the organisation;

   • Minimises the chances and effects of injury, loss of job etc. for individuals;

   • Reduces disruptions to key stakeholders;

   •   Able to identify and exploit opportunities within the projects and services.

Note: this is not an exhaustive list

                                       11 of 33

Statutory requirements

Corporate governance requires that risk management be ‘embedded’ in the
culture of the Council.

The Council is also responsible for ensuring that its business is conducted in
accordance with the law and proper standards, and that public money is
safeguarded and properly accounted for and used economically, efficiently
and effectively.

The Council has a duty under the Local Government Act 1999 to make
arrangements to secure continuous improvement in the way in which its
functions are exercised, having regard to a combination of economy,
efficiency and effectiveness.
In discharging this overall responsibility, the Council is responsible for putting in
place proper arrangements for the governance of its affairs and facilitating the
effective exercise of its functions, which include arrangements for the
management of risk.

Effective risk management is an ongoing process with no overall end date as new
risks (threats and opportunities) arise all the time. The risk management strategy
sets out key objectives for the improvement of risk management across a three
year rolling period. However, the strategy is updated on an annual basis to ensure
that it remains fit for purpose.

                                         12 of 33
The Risk Management Policy

The risk management policy is a one page summary of the main objectives and
the need for risk management.

The policy is designed to briefly explain the benefits of risk management, the
principles and objectives of risk management and the Council’s compliance

Joint ownership by both the Chief Executive and the Leader of the Council will
help support a culture where risk management is embedded, managed and
reported accordingly.

See Appendix A for the Risk management Policy

                                       13 of 33
Strategic Vision

                               Vision Statement

      To become the leading council in the way that we proactively manage
        opportunities and threats and to be an exemplar of good practice,
         working in partnership with our stakeholders in developing and
                   embedding our risk management processes.

By following the approach to risk management set out in this strategy, the
Council seeks to minimize the threats with the potential to affect the delivery
of its corporate objectives, thereby improving the services that it delivers and
enhancing the lives of those that live, work and visit Lambeth.

The key benefits of our approach to risk management will be:

  •   Reduced incidence of mistakes/uninformed decision making

  •   Common view of risk management with key partners and across major

  •   Greater transparency in decision making

  •   Increased focus on what needs to be done (or stopped) to meet

  •   Supporting innovation

  •   More satisfied stakeholders/partners

  •   Greater control of costs – demonstrating value for money

  •   Enhanced ability to justify actions taken

  •   Improved performance management

  •   Protects and enhances the reputation of Lambeth Council

                                    14 of 33
Strategic Aims

The main aims of this strategy is to encourage staff and partners, to make
decisions based on a risk, to ensure staff have access to appropriate tools,
training and support to enable them to effectively practice risk management,
strengthen the Council’s ability to deliver successful partnerships and to lead on
risk management nationally. This will by achieved through our three strategic aims
as outlined below.

Strategic aim 1: To maintain and further develop a systematic and consistent risk
management approach which will ensure appropriate and robust arrangements, tools
and training are in place across all areas of the Council to allow for the effective
identification, recording and management of opportunities and threats.

This means:

Transforming service delivery, by managing threats and realising opportunities;

Embedding risk management to create an environment and culture where risk
management becomes an integral part of service delivery and planning;

Achieving better quality decision making through making risk management an
integral part of governance processes;

Minimising possible failure through risk identification and performance management;

Having suitably skilled and trained staff who are advocates for risk management
across the Council;

Review existing methodology and improving the monitoring and reporting process.

                                           15 of 33
Strategic aim 2: To provide a strategic lead and champion risk management with
the Council’s partners and stakeholders, including Lambeth First, (Lambeth’s LSP)
who are delivering the targets set out in the LAA, Lambeth schools and other key
partners, to allow for the effective joint management of threats and opportunities.

This means:

Having partnership risk registers that are up-to-date and managed;

Being an ambassador for the Council, ensuring that risk management is addressed on
external boards;

Incentivising schools, to minimise threats and maximise opportunities;

Risk ranking our estates, to support excellent service delivery;

Developing joint solutions with our partners to improve risk management.

Strategic aim 3: To take a lead on developing and replicating best practice in risk
management allowing better outcomes for the Council through improved risk
assessment, decision making and effective controls, including the realisation of

This means:

Joint working with our partners/stakeholders to deliver better services to the

Regular benchmarking, adapting best practice to improve risk management;

Lead on innovative projects to enhance risk management awareness and practices
within the Council and its partners;

Active participation externally to help shape the future of risk management within the
public sector;

Developing our internal pool of risk expertise through job competencies, training, tools
and professional development.

                                           16 of 33
This Strategy and the Sustainable Community Strategy and
Corporate Plan

Lambeth Council shares a vision with its partners for the borough,
documented in the Our 2020: Lambeth’s Sustainable Community Strategy

The Council has a clear set of priorities in a Corporate Plan covering short-,
medium- and long-term ambitions. Its integrated service and financial planning
system allows the Council to identify and resource priorities effectively over a
three year period. The process is outcome-focussed, reflects the ambitions in the
Sustainable Community Strategy and the Local Area Agreement (LAA), is
informed by the needs of its communities and is flexible enough to adapt to new
pressures and challenges as they arise.

The Council, working with strategic partners and local communities, set out the
following six priorities:

    •   A safer Lambeth with strong communities

    •    More opportunities for children and young people

    •   Better housing and flourishing local economies

    •    Respect for our environment

    •   Developing personalised care services

    •    Serving our customers well

All threats and opportunities that are identified and recorded within the
Council’s risk register and can be referenced to one of the six priorities.

                                       17 of 33
Roles and Responsibilities

The London Borough of Lambeth is fully committed to developing a culture where
risk is effectively and appropriately managed throughout the organisation. As a
result there is a greater strategic emphasis, which has led to:

    •    The Strategic Leadership board nominating the Executive Director of
         Finance and Resources; and

    •    Cabinet nominating Executive Member for Finance and Resources

to provide the lead roles for risk management and championing it at a leadership

In support of this, each department has a nominated divisional director to act as
the champion for risk and to represent their department at the quarterly risk
champions meetings. Departments also have risk coordinators to support the risk
champions and to focus on the operational elements of risk management.

Dedicated risk management resources are provided by the risk and insurance
team, within the Finance & Resources department. The risk manager and the risk
management officers are responsible for establishing and maintaining an effective
risk management framework and developing appropriate guidance, tools and
systems that allow for risks to be identified, recorded and managed, in
accordance with best practice.

The role of the risk management team is primarily that of an advisory, support,
and critical friend function and they are supported by the risk champions and the
risk coordinators from across all Council departments.

The ultimate responsibility for risk management lies with the Leader of the Council
and the Chief Executive, however, it must be stressed that risk management
is the responsibility of everyone working in Lambeth, to identify and manage
risks within their area of activity.

                                       18 of 33

The risk management process

Essentially risk management is the process by which risks are identified,
evaluated, and controlled. It is about managing resources wisely, evaluating
courses of action to support decision making, protecting clients from harm,
safeguarding assets and the environment and protecting the organisation’s
public image.

Whenever an activity takes place, there will be an outcome that will either be
success or failure. In undertaking the activity there will be a number of factors
which needs to be right to determine whether the activity is a success or not,
or to put it the other way round, there are a number of risk factors which, if
they are not managed properly, will result in failure rather than success.

Risk Management is fundamentally a business planning tool designed to
provide a methodical way for addressing risk. It is about:

   •   Identifying the objectives and what can go wrong

   •   Acting to avoid it going wrong or to minimise the impact if it does

   •   Give rise to opportunities and to reduce threats.

                                      19 of 33
The risk management process is broken down into five steps illustrated below:

Figure 1: Lambeth's risk management cycle

                                                                 20 of 33
Step 1: Clarify Objectives

It is difficult to think about risk in isolation, so the first step is to be clear about the
objectives, and key deliverables. The first step of the risk management process
requires information about the (planned) activity.

This will include understanding:

        What are the departments/project/partnership objectives?

        What is the scope of the activity?

        What assumptions have been made?

        Who are the stakeholders?

        Where does the activity sit within the departmental/project/partnership

This includes:

    •   Making sure that everyone is clear about the relationship between the
        service and its wider environment;

    •   Identifying internal and external stakeholders;

    •   Understanding the Council and its capabilities, as well as its goals and
        objectives and strategies that are in place to achieve them.

                                           21 of 33
Step 2: Identify and Analyse risks

The aim of this step is to identify the risks to the (planned) activity that may effect
the achievement of the objective(s), which can lead to either reduced
performance or increased benefits.

Wide consultation is required from all levels of management and staff and will
include asking the following questions:

       What will prevent the achievement of the stated objectives?

       Has it gone wrong before?

       Who should own this risk?

       When should we start managing this risk? I.e. when is the risk likely to

Note: There is often confusion between the terms ‘risk’ and ‘issue’. An issue is a
concern that either cannot be avoided or has already happened – for example,
failed to deliver service within time scale. This is a known outcome, whereas a risk
may not actually materialise.

To identify risks at different levels of the organisation, workshops and training
sessions are facilitated by the risk management team. There are, however, many
other methods that can be used for risk identification, such as questionnaires,
SWOT analysis (strengths, weaknesses, opportunities and treats), Brainstorming
sessions (also using prompt words) and more.

During the identification stage the following information is gathered:

   •   Risk description (Cause       Risk      Effect)

   •   Type of risk – for example, political, financial reputation, etc, and

   •   Risk owner

                                         22 of 33
Risk Ownership
Having identified and defined the risks, it is essential that someone "owns" them
(i.e. the risk owner). This is not the same as being responsible to carry out any
actions which may be needed to control the risk (i.e. the control owner). However,
without a named individual taking a lead responsibility, it is unlikely that risk
management actions will be followed through.

For that reason, this person should be, where possible:

   •   someone who has the ability to influence the outcome of the event, one
       way or another;

   •   A primary person who is accountable for the delivery in the area where the
       risk would have an impact.

In reality, the individuals selected would be accountable for managing the risk
which affects the objective, whether explicitly named or not. "Ownership" of the
risk within the context of risk management framework simply formalises their

                                         23 of 33
Step 3: Assess Risks

The main reason for assessing risks are to distinguish between those risks which
require comprehensive action to manage, and other risks which can be more
easily managed.

When risks are assessed they need:

    1. Firstly, clear about the source of risk (Step 2), then

    2. Determine the likelihood that the risk will occur and the potential impact.
        (See Figure 2), and

    3. Finally, generate risk scores to establish priority levels

Determining the likelihood and impact

The likelihood (or probability) and impact (or severity) of the event occurring is
always a question of judgement, as with ‘identifying risk. Knowledge, expertise
and common sense helps during this decision making process. Other areas which
can be utilised include

    •   Past records,

    •   Expert judgments, and

    •   Any relevant published material.

LBL uses a 4 point scale when measuring the likelihood and impact. The multiple
of these scores is placed on a risk matrix, which represents the council’s ‘Appetite’
for risk.

By placing this score on the 4 x 4 risk matrix (see Figure 2) will produce a risk
profile. This is translated into the appropriate colours to help prioritise the
management, attention and actions required for the risk.

Note: All scores are subjective and it is recommended that scoring is agreed at
team meetings, rather than an individual judgment.

                                         24 of 33
Risk Appetite

The Risk matrices is used to help prioritise risks and assist risk owners in the
actions they need to take to either reduce the scores (for threats) or increase the
scores (for opportunities).

The dark line (risk tolerance threshold) sets the position at which immediate action
is required. This line may vary from time to time depending on
board/management approval. For example - a project or a partnership may vary
the tolerance in line with their priority levels.

The matrices below show the Council's risk appetite, as approved in the
September 2009 Corporate Committee.

For Threats: The colour scheme Red, Amber and Green is used to indicate the
importance of the risk, with Red threats being the risks which need more attention.

Figure 2.1: Lambeth Council's Risk Matrix for Threats

                                           25 of 33
For Opportunity: The colour scheme Gold, Silver and Bronze is used to
indicate the importance of the risk, with Gold opportunities being the risks which
need more attention.

Figure 2.2: Lambeth Council's Risk Matrix for Threats

Variations in the tolerance line
Risks will be escalated according to the levels set out below. It is recommended
that all programmes/projects adopt a similar approach to help managers focus on
the key risks at the relevant meetings:

   •   Strategic Leadership Board (SLB)              - Council risks score 32 only
   •   Risk Champions                                - Council risks score 24 & above
   •   Departmental Leadership Teams                 - Department risk scores 16 & above
   •   Divisional Management Teams                   - Divisional risk scores 8 & above
   •   Sub-Division Teams                            - All team risks

Corporate risks will be reviewed at all risk review meetings with the Risk
Champions and SLB approving the final list. Corporate Committee will receive a
copy of the corporate risk register as part of their quarterly meetings.

                                          26 of 33
Step 4: Address Risks

Without this step, risk management would be no more than a bureaucratic
process. Addressing risk involves taking practical steps to manage and control it.

Not all risks need to be dealt with in the same way. The common risk response
outlined below should help in considering the range of options available when
responding to risks.

Importantly, when agreeing actions to control risk, consideration is required on
whether the actions themselves introduce new risks or affect other people in ways
which they need to be informed about.

For threats, a fallback plan will need to be carried out to minimize the negative
impact. For opportunities, a forward plan will need to be carried out to maximise
the positive impact.

Threat responses

Responses should be implemented that limit the effect of the threats to the extent
that consequences of the response actions do not increase the likely value of the
overall risk score.

   •   Accept: An informed decision to accept the likelihood and consequence of
       a particular risk, e.g. the ability to do anything about some risk may be
       limited, or the cost of taking any action may be disproportionate to the
       potential benefit;
   •   Avoid: An informed decision not to become involved in a risk situation.
       This can be challenging as LBL may not be able to avoid risks associated
       with its statutory functions, e.g. changing objectives;
   •   Transfer: Shifting the responsibility or burden for the loss to another party,
       e.g. through insurance;
   •   Reduce: A selective application of management action, by applying
       internal control to reduce either the likelihood or the impact, or both,
       designed to contain risk to accept levels, e.g. mitigation action,
       contingency planning and more.

                                        27 of 33
Opportunity Response

Aim is to improve one or more objectives in such a way that the cost and
implications of the response actions increase the likely value of improvement.

   •    Ignore: Choosing to ignore the opportunity if the cost of seizing it will
        increase budget agreements. A basic cost benefit analysis could be done
        to determine if the opportunity is worth pursuing.

   •    Exploit: Identifying and seizing multiple benefits. Refers to changing an
        activity’s scope, supplier or specification to achieve a beneficial outcome
        without changing the objectives or specification.

   •    Share: application of pain/gain formula where both parties share the gain
        (with pre-agreed limits) if the cost is less than the share plan; or share the
        pain if cost exceeds. By description, this method of treatment can also be
        used for threats as well.

Note: most action taken to manage risk has an associated cost. When
considering actions make sure that the cost is proportionate to the risk that it is

Choosing whether to eliminate or innovate

Innovation by its very nature involves taking risks, and as a consequence, places
greater demand on all of us to ensure that those risks are well managed.

One of the key aims of risk management is to ensure that the process supports
innovation, not by preventing it - but rather helping to take well thought through
risks that maximise the opportunities of success.

       Good risk management is about being “risk aware" not "risk averse"!!

                                         28 of 33
Step 5: Monitor and Review

Few risks will remain static. New stakeholders and corporate initiatives may affect
the department, programme, partnership’s risks and existing ones may continually
change in terms of their interest and influence.

     E.g. some risks cease to exist once a key milestone has passed during the
     life cycle of the project.

Once risks have been identified and appropriate controls and action plans are put
in place to manage them, it is essential to routinely monitor their status.

The Council’s risk tool helps risk owners to record, manage and monitor risks. It is
also able to produce various reports for analysis, including risk registers.

Each manager will have access to their risk data and is responsible for keeping it
up to date. Automatic e-mail reminders are sent from risk system to remind risk
and control owners to review and update actions as appropriate.

As a guide, risks should be reviewed using the following criteria however owners
will need to make good judgment on reviewing their risks:

                                                     Programmes, projects and
                           Standard Review

      Red and
                                  1-3 months                 Monthly
      Gold risks

      Amber and
                                  3 months                   Monthly
      Silver risks

      Green and
                                  6 months                  Quarterly
      Bronze risks

Note: At least annually, each risk register should be reviewed in its entirety.

                                          29 of 33
Risk reporting framework

It is essential that risk management is used as a tool to assist good management
and to provide assurances to relevant officers that adequate measures have been
taken to manage risk.

To support this, risk management has been integrated into the corporate,
strategic and operational business planning process. By using the risk
methodology, key risks facing the Council or a particular service (in the delivery of
their objectives) will be identified. This helps to ensure that risks in the delivery of
the corporate plan are identified and managed.

Risk Escalation

Escalation of risks ensures that managers have a clearer picture on risks or
issues facing service areas. This helps in the overall decision making process by
allowing senior staff to allocate resources, where available, or review
underperforming areas and being able to hold officers to account.

The following chart shows the reporting process of the risk registers. Risks are
typically identified from bottom–up process with information also flowing from top-

                                                      Corporate Committee

                                                    Strategic Leadership Board

                                    Risk Champions

               Risk Coordinators

                                                    Departmental Leadership

Figure 3: Risk escalation process

                                         30 of 33
Risk Registers

Risk registers will reflect levels of the Council as listed below:

Corporate risk register

The corporate risk register will be used to record and monitor risks considered
significant for the Council. This will flow from the Departmental risk registers. This
register will become a public document after quarterly review from Strategic
Leadership Board and Corporate Committee.

Departmental risk register

Departments will be responsible for their own risk register which will flow from
their respective divisional risk registers. This register will be challenged and
moderated quarterly by the respective Departmental Leadership Teams (DLTs).

Divisional risk register

Divisions will also be responsible for their own risk register. This register will be
challenged and moderated quarterly by the respective Divisional management
teams. Divisional registers will also contain risks OF the partnership,
programme/project, which divisional team will be sponsoring or working with.

Partnership/Programme/Project risk registers

Where it is considered appropriate, major programmes/projects and partnerships
will produce and maintain their own risk registers, and be responsible for updating
this on a quarterly basis. The registers will contain the risks TO the
partnership/programme/project, i.e. risks which are internally focussed on the

Note: All risk registers should be recorded on the Council’s electronic risk
recording tool

                                         31 of 33
Further information and guidance

All of the above is covered in more detail in the Lambeth ‘Risk management
toolkit’, which provides a detailed methodology on the risk management process,
designed to be easy for managers and officers to use when managing their risks.

The toolkit also contains details on the categories of risk, details on how to
articulate a risk and further information on the criteria for likelihood and impact

The toolkit can be accessed internally via the Council’s intranet pages.

                                        32 of 33

Action Plan
Delivering the strategy

The objectives set out within the action plan are those that have been identified in
order to deliver the three strategic aims of the strategy. All objectives have been
designed to improve risk management processes across the Council, addressing
identified areas of weakness and building on best practice to ensure that risk
management is embedded throughout the Council.

Strategic aim 1: To maintain and further develop a systematic and consistent risk
management approach that will ensure appropriate and robust arrangements, tools and
training are in place across all areas of the Council to allow for the effective identification,
recording and management of opportunities and threats.

Strategic aim 2: To provide a strategic lead and champion risk management with
the Council’s partners and stakeholders includes partnership working including the
Lambeth Strategic Partnership, who are delivering the targets set out in the LAA, Lambeth
schools and other key partners, to allow for the effective joint management of threats and

Strategic aim 3: To take a lead on developing and replicating best practice in risk
management which will allow for better outcomes for the Council through improved risk
assessment, decision making and effective control and through the realisation of
opportunities, whilst also quantifying the financial cost of poor risk management decisions.

The Strategic aims are covered in more detail in the ‘Risk management action
plan’, which can be accessed internally via the Council’s intranet pages.

                                             33 of 33
Appendix A
                                        LONDON BOROUGH OF LAMBETH’S
                                  RISK MANAGEMENT POLICY STATEMENT

                                            SERVICES IT PROVIDES TO THE COMMUNITY.

In pursuit of this aim LBL has adopted a risk management strategy that captures the following key
        •     Enable corporate, strategic, programme and partnership objectives to be achieved in the optimum way and to
              control risks and maximise opportunities which could impact on LBL’s success;
        •     LBL recognises its has a responsibility to manage risks and support a structured and focused approach that includes risk
              taking in support of innovation to add value to service delivery.
        •     Risk management is seen as an integral element of the LBL culture;

These key objectives will be achieved by:
        •     Establishing clear roles, responsibilities and reporting lines for risk management
        •     Ensuring that Cabinet Members, the Strategic Leadership Board (SLB), external regulators and the public at large can
              obtain necessary assurance that the Council is mitigating the risks of not achieving key priorities and managing
              opportunities to deliver more value to the community, and is thus complying with good corporate governance;
        •     Providing opportunities for shared learning on risk management across the Council and its strategic partners;
        •     Monitoring arrangements on an on-going basis

                                                       APPETITE FOR RISK
    “LBL seeks to minimise unnecessary risk and manage residual risk to commensurate with its status
    as a public body. However, the LBL will positively decide to take risks in pursuit of its ambitions for
                                      its community where it has sufficient assurances that:

                   i.    The risks have been properly identified and assessed;
                   ii. The risks will be appropriately managed, including the taking of appropriate actions
                         and the regular review of risk(s);
                   iii. The potential benefits accruing to the community justify the level of risk to be taken.”


                  Derrick Anderson (Chief Executive)                              Steve Reed (Council Leader)

    Accounts and Audit Regulations 2003 (as amended)
Appendix B - Roles and responsibilities
It is vital that everybody within Lambeth understands the role that they play in effective risk
management. Every member and officer is responsible for ensuring effective risk

To help clarify an individual's responsibility for risk management within their role, a set of risk
management competencies has been developed and is available for inclusion within individual
job descriptions.

The role of the risk management team is primarily that of an advisory, support and critical
friend function and to support this, the following structure has been established:

 Role                     Responsibilities

 LSP                      • Participate (as appropriate) in the identification, assessment,
                             planning and management of threats and opportunities;

                          • Understand the Risk management Policy and Strategy and their

                          • Implement the risk management processes within their areas of

                          • Ensure risk management is at the heart of decision making and
                             key information is delivered through executive groups;

                          • Promote good risk management within the partnership.

 Cabinet and Elected      • Owns the Councils Risk management Policy;
                          • Defines the overall risk appetite for the organisation;

                          • Reviews the corporate risk register;

                          • Reviews the departmental risks within there are of leadership;

                          • To take reasonable steps to consider the risks involved in the
                             decisions agreed;

                          • To regularly discuss new and existing risks with the relevant
                             Executive director.
Role                   Responsibilities

Corporate              • Monitors the effective development and operation of risk
committee                management and corporate governance in the Council;

                       • Monitors and acts on escalated corporate risks under the
                         direction of the Chief Executive;

                       • Oversee and approves the councils risk management policy and

                       • Receives quarterly updates on threats and opportunities which
                         impact on the Council’s corporate objectives.

Risk management        • Defines the Risk Management Policy;
sponsors (Executive
                       • Sponsors risk management at corporate level with members and
Director of F&R and
the Cabinet member
                       • Oversees the corporate risk register process.
for F&R)

Strategic Leadership   • Ensures that Risk Registers, a risk review process and an
Board (SLB)              escalation process are in place for designated parts of the

                       • Owns individual corporate risks (as delegated by the Chief

                       • Identifies the need for investment to fund, promote and oversee
                         the implementation of the risk management strategy;

                       • Ensures participation in the delivery of risk management within
                         the organisation;

                       • Establishes a Risk Champions group as a sub-group of the

                       • Identifies risks and approves corporate risk as escalated from risk

                       • Agrees the involvement of the risk manager, internal audit and
                         risk champions as appropriate.
Role               Responsibilities

Finance Strategy   • Ensures that risk management process is consistent across
Board with Risk      departments;
                   • Approves recommendations from Departmental Leadership
                     Teams (DLT) and Departmental Management Teams (DMT);

                   • Monitors and reviews high level risks and issues,, escalating to
                     SLB as appropriate;

                   • Ensures that risk is managed effectively within departments and
                     service areas;

                   • Provides risk management recommendations through the internal
                     audit process;

                   • Provides a forum for the discussion on risks and issues raised by
                     risk registers, environmental condition, and internal and external

Head of Risk       • Establishes the purpose, terms of reference, agenda, frequency
Champions            of meetings and reporting protocols of the risk champions;

                   • Chairs the Finance Strategy Board with Risk champions. Agrees
                     what level of risk information will be communicated to SLB and
                     how corporate risks will be escalated to SLB between meetings,
                     when circumstances dictate.

Risk Champions     • Main contact for the department on the subject of risk and its
                     management, including liaising with the Risk Manager;

                   • Oversees the corporate approach to risk management within their

                   • Represents their department on risk related events, including
                     corporate committee and SLB scrutiny;

                   • Ensures risk is managed effectively in each division in
                     accordance with the agreed corporate strategy;

                   • Reviews corporate, strategic, operational, project, partnership
                     risks and provides a challenge to departments, making
Role                Responsibilities

                        recommendations where appropriate;

                    • Take recommendations and updates from DLT’s on risks/issues;

                    • Identifies training needs and notifies such needs to the Risk

Risk Coordinators   • Responsible for co-coordinating the risk management strategy &
                        activities within their department, seeking support from the Risk
                        and insurance team as necessary;

                    • Prepares and facilitate risk meetings/workshops;

                    • Prepares risk management reports for risk champions;

                    • Reviews corporate, strategic, operational, project, partnership
                        risks and to provide a challenge to divisions and make
                        recommendations where appropriate;

                    • Promotes benefits of risk management within their department
                        and communicates corporate information and requirements;

                    • Identifies training needs and notifies such needs to the
                        appropriate manager.

Risk Manager and    •   Ensures the Risk Management Policy is implemented;
the Risk
                    •   Develops plans to improve the management of risk;
Management Team
                    •   Develops risk management guidance and training and supports
                        Risk champions and Risk coordinators in delivering their role;

                    •   Ensures appropriate staff and Members are adequately trained in
                        risk management;

                    •   Carries out ongoing management of risk maturity assessments.

Departmental        • Ensures department is identifying and managing corporate,
Leadership Teams        strategic, operational, project and partnership risks effectively;
(DLT’s) and
                    • Reviews and challenges risk registers for their departments on a
                        quarterly basis;
Management Teams
Role                    Responsibilities

(DMT’s)                 • Make recommendations on risks/issues to escalate to SLB;

                        • Set priorities for dealing with unacceptable risks and to reduce

                        • Ensure that risk management roles and responsibilities are
                          included within appropriate job descriptions.

Divisional Directors/   • Participates (as appropriate) in the identification, assessment,
Heads of service /        planning and management of threats and opportunities;
service managers
                        • Understands the Risk management Policy and Strategy and their

                        • Maintenance of the risk register in their area of responsibility,
                          ensuring that all risks are added to the councils risk register;

                        • Escalating risks of a corporate nature to the attention of their DLT;

                        • Undertakes risk assessments for their service in relation to
                          service / business planning and budget setting process;

                        • Establishes training requirements with regard to the strategy

                        • Identifies partnership and contractual arrangements where there
                          are shared risks, ensuring these are recorded and properly

                        • Reviews risks and risk assessments on a regular basis and
                          discuss the management of risks with relevant team members.

Programme, project,     • Participates (as appropriate) in the identification, assessment,
strategic and             planning and management of threats and opportunities;
operational boards
                        • Understands the Risk management Policy and Strategy and their
and senior
responsible owners
                        • Implements the risk management processes within their areas of

                        • Escalates programme/project, strategic and operational risks as
Role             Responsibilities


                 • Records and put in place controls to eliminate or reduce risks
                   before new projects are implemented;

                 • Identifies partnership and contract arrangements where there are
                   shared risks and ensure that these are recorded and managed

Risk/control     • Ensures effective action is taken to manage risk;
measure owners
                 • Ensures the integrity of information recorded on the risk register;

                 • Oversees control measures and reviews proposed mitigating

                 • Monitors progress against mitigating actions;

                 • Reports to their DLT on changes in risks to ‘red’ risk status.

Internal Audit   • Understands the Risk management Policy and Strategy;

                 • Supports and reviews the risk management process;

                 • Focus internal audit work on significant risks;

                 • Provides the risk team with updates on risks identified from

                 • Provides assurance on risk management across the council
                   based upon reviews through audit risk assessments.

All Council      • Becomes aware of the Risk Management Policy and Strategy;
                 • Understands their responsibilities in managing risk;

                 • Participates (as appropriate) in the identification, assessment and
                   control of threats and opportunities;

                 • Immediately reports to their manager any incident, accident or
                   ‘near misses or any other concerns that they may have with
                   regards to risks.

To top