Risk and Management Strategy

Risk Management
Bassetlaw District Council

July 2010

CONTEXT
Strategy background and context
What is risk management?
What is risk appetite?
Links to corporate planning
Benefits of risk management

STRATEGIC APPROACH TO RISK MANAGEMENT
Risk management, emergency planning and business continuity
Links to Corporate Governance
Links to Financial Management

THE RISK MANAGEMENT PROCESS
The risk management cycle
Stage 1 – Identification of the risks
Stage 2 – Analysing the risks
Stage 3 – Risk Profiling and prioritisation
Stage 4 – Action Planning
Stage 5 – Monitoring risk management
Roles and responsibilities

MONITORING AND REVIEW

APPENDIX 1 – CATEGORIES OF RISK
APPENDIX 2 – SAMPLE RISK REGISTER
APPENDIX 3 – RISK MATRIX SCORING DEFINITIONS
APPENDIX 4 - SAMPLE MANAGEMENT ACTION PLAN
APPENDIX 5 - TOOLKIT
APPENDIX 6 - TERMS OF REFERENCE - RISK MANAGEMENT GROUP


Strategy background and context
This strategy document replaces (and incorporates details from) the previous
Risk Management Strategy and the Risk Management Protocol. This document
encapsulates the way risk management will be undertaken consistently
throughout the organisation.

A two-page “toolkit” guide that will be issued to managers (See Appendix 5)
accompanies the strategy.

Risk Policy Statement

The Council promotes continuous improvement and strives to be efficient and
effective in all areas of service delivery. This requires the adoption of new ways of
working and a willingness to change which sometimes has risks associated with it.

The Council needs to ensure that such risks are only taken when justified and with a
detailed knowledge and understanding of their possible impact upon the Council, its
reputation, its assets, its stakeholders and the community. Through this culture of
progressive improvement, risk management will increase the success of the Council
in delivering best outcomes for the people of Bassetlaw.

The Council strives for the highest standards of corporate governance and
recognises risk management as a key component of its governance and assurance
framework. It is a requirement of the Council that its key proposals and objectives
are examined to consider the potential risks to their achievement. This will involve
systematic risk identification and analysis of both strategic and operational risks, as
well as any risks arising from the delivery of Council objectives through partnership

The Council accepts its legal and moral duties in taking informed decisions about
how best to control and minimise the downside of risk, whilst still maximising
opportunity and benefiting from positive risks. The Council will ensure that Members
and Officers understand their responsibility to identify risks and their possible

Aims and objectives of the Strategy


The aim of this Strategy is to improve the Council’s ability to deliver its strategic
priorities and other objectives. We will do this by managing threats, enhancing our
opportunities and creating an environment that adds value to ongoing operational


The objectives of this Strategy are to:

•   Fully integrate risk management into the culture and strategic planning process of
    the Council;
•   Ensure that the framework for identifying, evaluating, controlling, reviewing,
    reporting and communicating risks across the Council and in our community is
    comprehensive and is implemented and understood by all relevant staff;
•   Communicate the Council’s approach to risk management to stakeholders;
•   Ensure consistency and co-ordination of risk management activity across the
•   Ensure that the Executive, Corporate Management Team (CMT) and external
    regulators can obtain necessary assurance that the Council is considering and
    mitigating against the risks of not achieving objectives, and thus delivering this
    element of good corporate governance;
•   Ensure that when working in partnership with others the Council applies
    equivalent risk management practices to these arrangements;
•   Enhance the business resilience of the Council.

What is risk management?

Risk Management can be defined as:

 “The management of integrated or holistic business risk in a manner
 consistent with the virtues of economy, efficiency and effectiveness. In
 essence it is about making the most of opportunities (making the right
 decisions) and about achieving objectives once those decisions are made.
 The latter is achieved through controlling, transferring and living with risks”

 ZMMS/SOLACE, Chance or choice? July 2000

Risk management is therefore essentially about identifying and managing significant
obstacles and weaknesses that exist within the organisation. When the obstacles
have been identified the next stage is to prioritise them and compare their level of
priority against the organisation’s appetite to risk. Once prioritised it is essential that
steps are taken to then effectively manage those key obstacles/risks. The aim is that
major obstacles or blockages that exist within the organisation can be mitigated to
provide the council with a greater chance of being able to achieve its objectives.

What is risk appetite?

Risk appetite is defined as the amount of risk that an organisation is prepared to
tolerate (or be exposed to) at any point in time.

Identification of risk appetite is an essentially subjective (rather than an objective or
scientific) issue but nevertheless is an important stage in formulating the overall risk
strategy. The level of an organisation’s risk appetite will in part determine the
response to specific risks: decisions about mitigating countermeasures, risk reduction
or transferral of risk should be taken in conjunction with an identification of the
amount of residual risk that can be tolerated after actions have been
taken or countermeasures have been set in place.

The approach by Bassetlaw District Council is to set some predefined gradings on
the risk matrix, e.g. Red, Amber, Green. It is these gradings that signify the required
level of response to the risk, e.g. RED risks must be managed as a matter of urgency.

These gradings are communicated through the strategy toolkit and are reviewed

Having said this, it is very likely that risk appetite will vary according to the situation:
there will be some areas where high risk/reward options will be appropriate, (for
example where a service needs to be radically transformed), and other areas where
the organisation will want to limit its exposure to risk (for example where the objective
is the continued delivery of a service on a consistent, uninterrupted basis, or where
the consequences are potentially catastrophic).

Links to corporate planning

Risk management needs to be seen as a strategic tool that is an essential part of
effective and efficient management and planning.

There are clear links between corporate planning and risk management. These are:

•   Each priority and objective identified in the corporate plan is a target that the
    Council’s activities will aim to achieve. During the lifetime of the plan there will be
    direct and indirect threats to this achievement and these are the risks.
•   Incorporating risk management action plans into corporate and departmental
    plans avoids the omission of important risk control activity. The resources for risk
    management can also be considered at the same time that the budget for the
    plans is set so that a shortfall is less likely to be incurred.
•   During reviews of performance and service delivery plans the actions taken to
    control risks can be monitored and the profile of risks reviewed to reflect any

Risk management will, by adding to the business planning and performance
management processes, strengthen the ability of the Council to achieve its objectives
and enhance the value of the services provided.

However, it is also something that the Council is required to do. For example, the
CIPFA/SOLACE framework on Corporate Governance requires the Council to make
a public assurance statement annually (statement of internal control) on, amongst
other areas, the Council’s risk management strategy, process and framework.

Benefits of risk management

Risk Management is a key part of corporate governance, which is the way an
organisation manages its business, determines strategy and objectives and goes
about achieving those objectives. It is a key ingredient of the Annual Governance
Statement. Good risk management will help identify and deal with the key risks
facing the Council in pursuit of its goals.

The benefits of good risk management include:

•   Effective operational performance

    Better outcomes and reduced costs by means of more efficient and effective
    deliveries. The achievement of strategic corporate priorities is enhanced with
    reduced scope for disasters and surprises. There is improved working with
    external agencies and stakeholders, added value across service areas,
    improved internal controls, consistent management of risk and opportunities
    resulting in improved service delivery, communication, consensus and

•   Improved financial performance

    More certainty of financial objectives being achieved, reduced level of error
    and fraud, increased capacity through reduction in decisions that need
    reviewing or revising, and a decreased number and impact of critical risks and

•   Opportunity Risk Management

    Better and evidence-based assessment of potential strategies, and clearer
    understanding of the community impact of lost opportunities.

•   Improved corporate governance and compliance systems

    Improved Annual Governance Statement which is better substantiated and
    demonstrated, increased public satisfaction, fewer regulatory visits and
    reduction in legal challenges.

•   Improved human resources management

    Reduced staff turnover, absenteeism and stress.

•   Improved Partnership Working

    More transparent risk management arrangements will promote common
    understanding with partners, and will reveal vulnerabilities to the achievement
    of objectives.

•   Improved Internal Control Framework

    The use of risk management techniques by Internal Audit focuses control
    and compliance investigation in the areas of greatest vulnerabilities.

•   Improved Business Resilience

    Internal and community risk registers assist in the preparation of business
    resilience plans. These increase the reliability of service delivery, and assist
    in tackling community disasters.

•   Improved insurance management

    Reduced cost of insurance premiums and number and level of claims, and a
    reduced number of uninsured losses.

•   Improved Performance

    Increased levels of accountability and prioritisation, which feeds into the
    performance management framework.

Strategic approach to risk management

Risk management, emergency planning and business continuity

It is vital for the success of risk management that the roles of risk management,
emergency planning and business continuity are each clearly understood. The
diagram below sets out to demonstrate the differences.

Risk management is about trying to identify and manage those risks which are more
likely to occur and where the impact on strategic objectives can be critical or even

[Diagram: Business continuity planning, risk management and emergency planning.
Three areas are shown: general risks facing your organisation; business continuity
risks; crisis situation / emergency. Notes on the diagram: not all general risks will
prevent service continuity; not all emergencies will prevent service continuity.]

Business continuity is about trying to identify and put in place measures to protect
your priority functions against catastrophic risks that can stop your organisation in its
tracks. There are some areas of overlap, e.g. where the IT infrastructure is not robust
then this will feature as part of the organisation risk assessment and also be factored
into the business continuity plans. Business continuity is about managing those
issues which can stop the Council from delivering.

Emergency planning is about managing those incidents that can impact on the
community (in some cases they could also be a business continuity issue), e.g. a
plane crash is an emergency; it becomes a continuity event if it crashes on the office!

Links to Corporate Governance

Bassetlaw District Council strives for the highest standards of corporate governance
and recognises risk management as a key component of its governance and
assurance framework. It is a requirement of the Council that its key proposals and
objectives are examined to consider the potential risks to their achievement. “Key
proposals and objectives” include those in the Council Plan and those vital to the
delivery of essential Council services. The process will involve systematic risk
identification and analysis of both strategic and operational risks, and risks of
partnership working. This Risk Management Strategy forms part of the Council’s
corporate governance arrangements.

Internal Control

Internal controls are those elements of an organisation (including resources,
systems, processes, culture, structure and tasks) that, taken together, support the
achievement of objectives. Internal financial control systems form part of the wider
system of internal controls.

A council’s system of internal control is part of its risk management process and has
a key role to play in the management of significant risks to the fulfilment of its
business objectives. For example, the Council’s policy and decision-making
processes require all Council reports to include an option appraisal and risk
assessment of alternative courses of action.

Performance Management

Risk management is closely aligned to Performance Management. The management
and mitigation of risk is an important strand in performance management.

Health & Safety

The Council’s Health and Safety Policy is also a key component of the Council’s
structure of controls contributing to the management and effective control of risks
affecting staff, contractors, volunteers, service users, and the general public.

Internal Audit

The Internal Audit function is a component of, and custodian of, the Council’s system of
controls protecting its financial and other physical assets. The risk management
process in turn serves the Internal Audit function by enabling it to identify areas of
higher risk, and so target its resources more effectively. It uses the corporate risk
methodology to assist in drawing up the Council’s annual audit plan, and delivers
risk-based auditing across the Council. It tests the effectiveness of control measures, and
offers judgement on continuing risks and weaknesses. This will be used to initiate
action plans to remedy areas of significant risk.

Business Resilience

Business Impact Analysis is used to identify the Council’s critical business
processes. These are subject to risk assessment, and where necessary included in a
business resilience plan. These provide increased resilience to the Council’s
business processes and feed back weaknesses into the risk management process
through the corporate Business Resilience Group. The plans are regularly tested to
conform to civil contingency requirements.

Emergency Planning

The Council considers both internal and external threats to its objectives and plans
with other agencies to address risks identified within their respective risk registers.
Specific plans are made and reviewed to address the highest risks and business
resilience techniques are used to make delivery of Council services more robust.

Links to Financial Management

Whilst financial risks are inextricably linked with business and strategic planning,
managing financial risk is a high priority for the Council, particularly in the context of
the general economic outlook.

The Council’s Financial Risks are managed in a number of ways:

       •   Section 151 responsibilities;
       •   Financial Procedure Rules;
       •   Adopted CIPFA Code on Treasury Management;
       •   Compliance with Prudential Code;
       •   Financial Strategy;
       •   Budget Setting and MTFP;
       •   Section 151 robustness of estimates;
       •   Policy on reserves and balances;
       •   Budget Monitoring;
       •   Internal Audit Arrangements;
       •   Financial training;
       •   Decision making process – financial implications;
       •   Financial control environment;
       •   Sharing or transferring financial risk through insurance, contractual
           arrangements etc;
       •   Forecasting and modelling;
       •   External advice;
       •   Performance monitoring arrangements.

The risk management process

The risk management cycle

Implementing the strategy involves a 5-stage process to identify, analyse, prioritise,
manage and monitor risks as shown in figure 1.

Figure 1: The risk management cycle

[Diagram of the cycle. Surviving labels: RISK IDENTIFICATION, RISK ANALYSIS,
RISK MANAGEMENT, MONITORING.]

Stage 1 – Identification of the risks

The first step is to identify the ‘key’ risks that could have an adverse effect on or prevent
key business objectives from being met. It is important that those involved with the
process clearly understand the service or organisation’s key business objectives, i.e.
‘what it wants to achieve’, in order to be able to identify ‘the barriers to achievement’.

Using Appendix 1 as a prompt, various techniques can then be used to begin to
identify ‘key’ or ‘significant’ business risks including:

•   A ‘brainstorm’ session;
•   Own (risk) experience;
•   ‘Strengths, Weakness, Opportunities and Threats’ analysis or similar;
•   Experiences of others - can we learn from others’ mistakes?
•   Exchange of information/best practice with other authorities, organisations or

It is also recommended that a review of published information such as service plans,
strategies, financial accounts, media mentions, inspectorate and audit reports be
used to inform this stage, as they are a useful source of information.

The identification of risk should take place for projects, partnerships, departments
and at a corporate level. Details of who contributes to this stage are explained further
in the roles and responsibilities section.

Stage 2 – Analysing the risks

The information that is gathered needs to be analysed into risk scenarios to provide
clear, shared understanding and to ensure the root cause of the risk is clarified. Risk
scenarios also illustrate the possible consequences of the risk if it occurs so that its
full impact can be assessed. There are 2 parts to a risk scenario. The cause
describes the situation and/or event (that may be perceived) that exposes the
Council to a hazard. The consequences are the events that follow in the wake of the

Figure 2: Example of the structure of a risk scenario

Risk Scenario

Cause (Likelihood)
     Statement of fact or perception about the organisation, department
     or project that exposes it to a hazard. Include the event that
     could or has occurred that results in a negative impact on the
     objectives being achieved.

Consequence (Impact)
     The negative impact:
     • How big?
     • How bad?
     • How much?
     • Who is affected?

Each risk scenario is logged on the respective risk register (corporate,
departmental or project). A sample template of the risk register is shown
in Appendix 2. The purpose of the risk register is to store details of the risk, its
likelihood and impact (see Stage 3) and mitigation activity. The Council intends to
use its performance management system ‘Covalent’ to electronically store all
organisational, departmental and project risks.

Stage 3 – Risk Profiling and prioritisation

Following identification and analysis the risks will need to be evaluated. This can be
undertaken through a team meeting or through a facilitated workshop. The aim of the
event is the same: for participants to review the risk scenarios and decide their ranking
according to the potential likelihood of the risk occurring and its impact if it did
occur. A matrix is used to plot the risks and, once completed, this risk profile clearly
illustrates the priority of each risk. Appendix 3 provides guidance on the categories
used on the matrix.

When assessing the potential likelihood and impact the risks must be compared to
the appropriate objectives, e.g. corporate objectives for the corporate risk profile and
departmental objectives for the departmental risk profile. The challenge for each risk
is how much impact it could have on the ability to reach the objective. This allows
the risks to be set in perspective against each other.

At the beginning of this stage a timeframe needs to be agreed. Often a 3-year time
horizon is used so that the likelihood and impact can be considered within this

The matrix is also constructed around 3 filters - these being red, amber and green.
The red filtered risks are of greatest priority and require immediate attention. Amber
risks should be reviewed and moderate risk mitigation action may be required.
Green risks are likely to require no further action and should be monitored at 3-
monthly intervals, in case the situation changes.

Figure 3: Example of a risk matrix and filters

Risk Matrix

Timeframe: 3 years

Likelihood (vertical axis):
     A         Very high
     B         High
     C         Significant
     D         Low
     E         Very low
     F         Almost impossible

Impact (horizontal axis, shown left to right as IV, III, II, I):
     I         Catastrophic
     II        Critical
     III       Marginal
     IV        Negligible

Date of assessment:

If there are numerous red and amber risks to be managed it is prudent to cluster
similar risks together. This is to aid the action planning process, as a number of risks
can be managed by the same or similar activity. Each cluster should be given a title,
e.g. recruitment and retention, staff empowerment etc. This technique of clustering
should only be used when there are many risks to be managed, e.g. in excess of 15
red and amber risks, and where risks share common causes and consequences and
therefore could be managed in a similar way.

Stage 4 – Action Planning

This is the process of turning ‘knowing’ into ‘doing’. It is assessing whether to
control, accept, transfer or terminate the risk based on an agreed ‘risk appetite’.
Risks may be:

Controlled     It may be possible to mitigate the risk by ‘managing down’ the
               likelihood, the impact or both. The control measures should, however,
               be commensurate with the potential frequency, severity and financial
               consequences of the risk event.

Accepted       Certain risks may have to be accepted as they form part of, or are
               inherent in, the activity. The important point is that these risks have
               been identified and are clearly understood.

Transferred    Transfer to another body or organisation i.e. insurance, contractual
               arrangements, outsourcing, partnerships etc.

Terminated     By ending all or part of a particular service or project.

It is important to recognise that, in many cases, existing controls will already be in
place. It is therefore necessary to look at these controls before considering further
action. It may be that these controls are not being complied with or are ‘out of date’.

The potential for controlling the risks identified will be addressed through service
plans. Most risks are capable of being managed – either by managing down the
likelihood or impact or both. Relatively few risks have to be transferred or
terminated. The service plans will also identify the resources required to deliver the
improvements, timescale and monitoring arrangements.

Existing controls, new mitigation measures and associated action planning
information are all recorded on the risk register. Full details of the risk mitigation
measures that are to be delivered are likely to be recorded in the respective business
plans and cross reference should be made to this in the risk registers.

Stage 5 – Monitoring risk management

CMT Corporate responsibility
The Corporate Management Team (CMT) is responsible for ensuring that the key
risks on the corporate risk register are managed and that progress with the risk
mitigation measures is monitored at appropriate intervals.

Departmental responsibility
Department Heads are responsible for ensuring that the key risks in their
departmental risk registers are managed. This may include developing mitigation
plans for corporate risks that CMT has assigned ownership of to a Department.

There is a quarterly process for the review and escalation of risks.

Quarterly review of Corporate and Departmental Risks
On a quarterly basis, the corporate risk register and departmental risks will be
reviewed and where necessary risks re-prioritised. Risks are amended so they
reflect the current situation, obsolete risks are deleted and new risks identified. This
ensures that throughout the organisation there is always an up to date view of the
risks facing the Council.

Quarterly Escalation
There will be a formal review of risks, and especially those above an acceptable
threshold (i.e. the red risks), every quarter at CMT to ensure risks are understood and
are being practically mitigated. This will be co-ordinated by the Head of Community
Engagement and Performance.

Every six months CMT will report the headline red risks to the Cabinet for
consideration and challenge. This challenge (in a positive spirit) will seek to
provide confidence that the key risks have been reported and the mitigation
measures are adequate. Annually the risk register and matrix will be sent to the full

Annual Assurance
Cabinet should seek assurance from Internal Audit that the risk process is being operated
consistently in line with this strategy.

Figure 4: Risk management reporting arrangements

[Diagram not reproduced. Surviving labels: annual report; Full Council; CMT; risks;
Management Group; Actions monitored through normal; review and; Head of
Community Engagement and Performance.]

*1 Also within project documents and policy reports where appropriate

Roles and responsibilities

The following describes the roles and responsibilities that members and officers will
play in embedding and owning risk management:

Members              •     Elected members are responsible for governing the delivery of
                           services to the local community. Members have a responsibility
                           to understand the strategic risks that the Council faces, and will
                           be made aware of how these risks are being managed through
                           the annual strategic and service planning process. They will
                           also be kept informed on the management of those risks
                           through the regular performance management framework. All
                           members will have the responsibility to consider the risks
                           associated with the decisions they undertake and will be
                           informed of these risks in the reports that are submitted to them.
                           They should not seek to avoid or delegate this overall
                           responsibility, as it is key to their stewardship responsibilities

Cabinet              •     approving the risk management strategy
                     •     ensuring the Council’s risk management and internal control
                           arrangements are robust
                     •     the Leader approves the statement of internal control approving
                           the public disclosure of the annual outcome of this assessment
                           (the assurance statement), and publishing it in the annual
                           Statement of Accounts.
                     •     using the option appraisal section of reports to consider the
                           strategic risks associated with the decisions they are required to
                     •     Reviewing every six months the top risks identified by the

Overview and    •   reviewing the effectiveness of the risk management and internal
Scrutiny            control framework
Committee       •   challenging the appropriateness of mitigation measures

Chief           •   The Chief Executive and CMT are pivotal in the promotion,
Executive and       demonstration and embedding of risk management within the
Corporate           Council. The successful outcome of this will be risk
Management          management practised throughout the organisation as part of
Team (CMT)          usual activities and the sharing of best practice and experience
                    between services.

                •   The Chief Executive and CMT’s key tasks are:

                    •   recommending to the Cabinet the risk management strategy
                        and subsequent revisions thereof
                    •   supporting and promoting risk management throughout the
                    •   identify, assess and monitor corporate strategic risks on a
                        quarterly basis using the risks reported via the performance
                        management arrangements
                    •   reporting the headline risks and mitigation plans to Cabinet
                        and the Audit and Performance Committee on a quarterly
                    •   the Chief Executive is required to agree and sign the annual
                        statement of internal control (assurance statement)
                        approving the public disclosure of the annual outcome of
                        this assessment, and publishing it in the annual Statement
                        of Accounts.
                    •   to monitor the practice of risk management at departmental
                        and project level to ensure that the process set out in the
                        strategy is complied with
                    •   Passing common risks to the Risk Management Group to
                        manage and report back

Heads of        •   Heads of Department will demonstrate their commitment to risk
Department          management through:

                    •   being actively involved in the identification and assessment
                        of departmental level risks resulting in an up to date
                        departmental risk register
                    •   incorporating the risk management process into the service
                    •   encouraging staff to be open and honest in identifying risks
                        or missed opportunities
                    •   ensuring that the risk management process is part of all
                        major projects and change management initiatives
                    •   ensuring that all reports written for Members include a risk
                        assessment of the options presented for a decision

                     •   monitoring and reviewing relevant PI’s regularly to reduce or
                         control the significant risks via the performance
                         management framework.
                     •   Reporting quarterly to the Chief Executives (through Head of
                         Community Engagement and Performance) on the progress
                         being undertaken to manage the risks and an update on the
                         nature of the high priority red risks.
                     •   Verbal presentation to CMT on key risks and the mitigation
                         measures in place to manage them.

Head of          •   As a Head of Department above PLUS
Engagement           •   Collation of “red” risks from Heads of Department on a
and                      quarterly basis
Performance          •   Submission of composite report to CMT
                     •   Reporting to Cabinet on a six monthly basis of current risk
                     •   Ensuring that mitigation measures are captured and
                         monitored through normal performance management arrangements

Council          •   To manage risk effectively in their job and report hazards/risks
Officers             to their service managers. To undertake their job within risk
                     management guidelines.

Risk             •   Manage specific risks as directed by CMT
Management       •   Report to CMT on the said management of those risks.
Group            •   Highlight to CMT potential new operational risks emerging
                     through frontline activity
                 •   Research, consider and recommend to Corporate Management
                     Team best practice in order to reduce or mitigate losses or risks
                     and to comply with legislation;

Internal Audit   •   use the corporate and service risk registers to inform the
                     internal audit timetable and plan
                 •   provide independent assurance on the adequacy of the
                     Council’s risk and control procedures
                 •   provide independent assurance on the management of high
                     priority risks
                 •   provide professional advice on cost effective ways of identifying
                     and managing risk, based on their view of the whole of the
                     Council’s services and resources

Monitoring and Review
Bassetlaw District Council’s Risk Management Strategy will be reviewed every 2

The ultimate measure of effective risk management is that the Council:

   •   Has resilience to deliver its services and core objectives;
   •   Is protected from the possibility of being impacted by an unforeseen risk;
   •   Is protected from the possibility of a foreseen risk having significantly greater
       impact than anticipated;
   •   Is able to take cost-effective measures to reduce or eliminate the effects of
       negative risk;
   •   Is able to identify, and take maximum advantage of, the occurrence of
       positive risk.

Bassetlaw District Council will develop outcome and process based risk performance
indicators to monitor the success of its Risk Management Strategy.

For further information about this document please contact the Community
Engagement and Performance Service.

Appendix 1 – Categories of risk
Risk            Definition                                                                  Examples
Political       Associated with the failure to deliver either local or central government   New political arrangements,
                policy or meet the local administration’s manifest commitment               Political personalities, Political make-up
Economic        Affecting the ability of the council to meet its financial commitments.     Cost of living, changes in interest rates,
                These include internal budgetary pressures, the failure to purchase         inflation, poverty indicators
                adequate insurance cover, external macro level economic changes or
                consequences of proposed investment decisions
Social          Relating to the effects of changes in demographic, residential or socio-    Staff levels from available workforce, ageing
                economic trends on the council’s ability to meet its objectives             population, health statistics
Technological   Associated with the capacity of the Council to deal with the pace/scale     E-Gov. agenda,
                of technological change, or its ability to use technology to address        IT infrastructure,
                changing demands. They may also include the consequences of                 Staff/client needs, security standards
                internal technological failures on the council’s ability to deliver its
Legislative     Associated with current or potential changes in national or European        Human rights,
                law                                                                         appliance or non-appliance of TUPE
Environmental   Relating to the environmental consequences of progressing the               Land use, recycling, pollution
                council’s strategic objectives
Professional/   Associated with the particular nature of each profession, internal          Staff restructure, key personalities, internal
Managerial      protocols and managerial abilities                                          capacity
Financial       Associated with financial planning and control                              Budget overspends, level of council tax,
                                                                                            level of reserves
Legal           Related to possible breaches of legislation                                 Client brings legal challenge
Physical        Related to fire, security, accident prevention and health and safety        Offices in poor state of repair, use of
Partnership/    Associated with failure of contractors and partnership arrangements to      Contractor fails to deliver, partnership
Contractual     deliver services or products to the agreed cost and specification           agencies do not have common goals
Competitive     Affecting the competitiveness of the service (in terms of cost or           Fail to win quality accreditation, position in
                quality) and/or its ability to deliver best value                           league tables
Customer/       Associated with failure to meet the current and changing needs and          Managing expectations, extent of
Citizen         expectations of customers and citizens                                      consultation

Appendix 2 – Sample Risk Register
Example Risk Register
Risk No. | Objective | Owner/service | Cause | Consequences | Likelihood/impact | Current mitigation | Adequacy | Further planned action | Action owner | Key action dates and review frequency | Target risk score | Comments from independent

Risk Number         This is the unique identification number given to each individual risk
Objective           Cross reference to the strategic objectives as stated in the corporate, departmental or project plans
Owner/service       Who is the risk owner (and their service) and therefore responsible for ensuring the mitigation work is undertaken
Cause               This describes the existing, potential or perceived risk/threat to the strategic objectives
Consequence         The impact of the cause is often a chain of events that can impact on many stakeholders
Likelihood/impact   Based on the risk matrix, how is the risk likelihood scored, eg A, B, C, D or E
                    Based on the risk matrix, how is the impact scored, eg 1, 2, 3 or 4
Adequacy            An assessment on the suitability of the current mitigation measures
Further planned     Activity that is planned to further manage the risk
Action owner        Who will be responsible for undertaking the further planned action
Key action dates    Specific deadlines for the new risk control measures to be put in place with associated review frequency
& review
Comments from
independent         Record of comments received from inspectors, internal audit and other independent assessors

Appendix 3 – Risk Matrix Scoring Definitions
The definitions below provide guidance as to what is meant by both likelihood and
impact. Using this table will aid consistency.

                Negligible          Marginal            Critical            Catastrophic
Financial       £50K - £100K        £100k - £250K       £250K - £1M         £1M+
Impact
Service         No effect           Slightly Reduced    Suspended           Long Term
Provision                                               Short Term /        Statutory duties
                                                                            not delivered
Health &        Sticking Plaster /  Broken              Loss of Life/       Major loss of
Safety          first aider         bones/Illness       Major illness       life/Large scale
                                                                            major illness
Objectives                          Objectives of one   Directorate         Corporate
                                    section not met     Objectives not met  objectives not met
Morale                              Some hostile        Industrial action   Mass staff
                                    relationship and                        leaving/Unable to
                                    minor non co-                           attract staff
Reputation      No media            Adverse Local       National            Remembered for
                attention/ minor    media Leader                            years!!
Government                          Poor                Service taken over  Service taken over
relations                           Assessment(s)       temporarily         permanently

 LIKELIHOOD                          PROBABILITY               TIMING
 Very High                           > 90%                     This week
 High                                60% to 90%                Next week / this
 Significant                         25% to 60%                This year
 Low                                 10% to 25%                Next year
 Very Low                            1% to 10%                 Next year to five
 Almost Impossible                   0% to 1%                  Next ten years

Appendix 4 – Sample Management Action Plan
Risk Group:                                  Owned by:

Risk Number:          [no.]
Current Risk Score:   [matrix position]
Target Risk Score:    [improved position]
Description:          [short name]

[Risk matrix diagram: rows A, B; columns IV, III, II, I]

Action/controls already in place:             [actions/controls already being done that relate to this risk/cluster]
Adequacy of action/control to address risk:   [how effective are the actions/controls already in place?]
Required management action/control:           [new actions/controls required to manage the risk down to its target score]
Responsibility for action:                    [the person responsible for this action plan being carried out]
Critical success factors & KPI’s:             [what will success look like?, how will performance indicators improve?]
Review frequency:                             [frequency of reviewing this action plan]
Key dates:                                    [Milestones / deadlines]


Completed by                                      Date

RISK MANAGEMENT STRATEGY AND PROCESS TOOLKIT

Five steps to good risk management

Step 1: Identification
Step 2: Analysis
Step 3: Prioritisation
Step 4: Mitigation
Step 5: Monitoring

[Diagram: The risk management cycle – Step 1: RISK IDENTIFICATION, Step 2: RISK ANALYSIS, Step 3: PRIORITISATION, Step 4: MITIGATION, Step 5: MONITORING]

Step 1: Identification

•   Consider the categories of risk
•   Brainstorming with colleagues
•   Examination of trends
•   Analysis of last years problems
•   Information from similar
•   Awareness of new initiatives / agendas and regulations

Step 2: Analysis of risk – capture the two main elements to a risk

Vulnerability and Cause   A fact / current exposure or situation including the event or situation you do not want to occur.
                          This is the event you are trying to avoid or minimise the chance of occurring
Consequences              A few example consequences.
                          These are the examples you want to prevent or mitigate

Step 3 – Prioritisation using the standard matrix below

•   How likely is this risk?
•   How big an impact will this risk have on [my area / the whole organisation]

[Risk matrix diagram: likelihood rows A to F, on an axis running from Very Low to Very High; impact columns 1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic; example risk numbers plotted on row B (1, 7), row C (2, 4), row D (6, 3) and row E (5)]

Steps 4 and 5 – Mitigation and monitoring

Mitigation
•   Assess current actions and controls …. Adequate or more needed.
•   Within your Service Delivery Plans - develop specific SMART actions that will either reduce the likelihood of the risks or minimise the impact.
•   See detailed strategy for example management action plans

Monitoring
Review with colleagues [as part of the Service Delivery Plan at least quarterly]
•   Risks changed?
•   New risks?
•   Need to report or escalate risks?
•   Risks ranking changed

Definitions

Likelihood
Very High            > 90%
High                 60% to 90%
Significant          25% to 60%
Low                  10% to
Very Low             1% to 10%
Almost Impossible    0% to 1%

Impact          Description guide
Negligible      £50-£100K. No effect on service provision or reputation, limited physical consequences
Marginal        £100k - £250K, Service slightly reduced broken bones/Illness, objectives of one section not met, minor adverse local media, impact on inspection (s)
Critical        £250K - £1M, Service suspended short term / reduced, loss of Life/major illness, area objectives not met, industrial action, adverse national publicity
Catastrophic    £1M+, Service suspended long term, statutory duties not delivered, major loss of life/large scale major illness, corporate objectives not met, mass staff leaving/Unable to attract staff, Remembered for years!! Service taken over permanently

What have I got to do?

CMT               •   Review escalated risks quarterly
                  •   Challenge Heads of Services re adequacy of risk assessments / mitigation plans
                  •   Update the corporate register quarterly so there is always a consensus view
Head of Service   •   Review risks regularly (changes / new risks / deletions) as part of Service Delivery Plan review
                  •   Consider risks within policy reports
                  •   Escalate “red” risks to CMT quarterly (via Community Engagement and Perf)
                  •   Develop mitigation plans for the key risks
Risk Mgmt Group   •   Manage specific risks as directed by CMT
                  •   Identify new and emerging specific risks
Cabinet           •   Receive risk reports every six months
                  •   Contribute towards /challenge CMT

13 unlucky categories of risk

Political                  Local and national political issues / interaction / decision making
Economic                   Local and national economic issues including interest rates / supplies / inflation and other key assumptions
Social                     Social and demographic issues both within workforce and the population you are serving
Technological              Reliability and ability of technology to meet and serve your needs.
Legislative                Associated with current or potential changes in national or European law
Environmental              Relating to the environmental consequences of progressing the council’s strategic objectives
Professional/Managerial    Associated with the particular nature of each profession, internal protocols and managerial abilities
Financial                  Associated with financial planning and control
Legal                      Related to possible breaches of legislation / meeting of regulator requirements
Physical                   Related to fire, security, accident prevention and health and safety of both workforce and the population
Partnership/Contractual    Associated with failure of contractors and partnership arrangements to deliver services or products to the agreed cost and
Competitive                Affecting the competitiveness of the service (in terms of cost or quality) and/or its ability to deliver best value
Customer/Citizen           Associated with failure to meet the current and changing needs and expectations of customers and

Overall Purpose

          To promote risk management within the Council and the effective
                 implementation of the Risk Management Strategy.

Terms of Reference

   •   To promote risk management within the Council

   •   To support the effective implementation of the Council’s Risk Management Strategy

   •   To draw risk management disciplines together to ensure cohesive corporate approach e.g.
       strategic risks, operational risks, project risks, insurance risks, business continuity planning and
       disaster recovery.

   •   To manage specific risks as directed by Management Team or Heads of Service Group and to
       highlight to Management Team or Heads of Service Group potential new risks emerging through
       frontline activity

   •   To participate in assessing the Council’s Corporate Risk Register

   •   To assess Service risks to ensure that appropriate action is being taken to mitigate any
       significant risks

   •   To participate in assessing the action plans to mitigate the Council’s key strategic risks

   •   To discuss best practice and recommend improvements to the Council’s approach to Risk

   •   To ensure that effective Business Continuity plans are established and effected and that the
       Council discharges its Civil Contingencies obligations

   •   To identify training needs and review training provision in terms of risk management.

   •   To conduct a review of the Council’s Risk Management Strategy every 2 years.


   •   Head of Community Engagement and Performance (Chair)
   •   Finance Representative
   •   Human Resource Representative
   •   Environmental Services Representative
   •   Revenues and Customer Services Representative
   •   Legal Representative
   •   Planning Representative
   •   Leisure Representative
   •   Support Services Representative
   •   Health and Safety Officer
   •   Internal Audit
   •   A1 Representative

Frequency of Meetings


April, July, October and January.

