
Risk Management Framework Final Draft v0.2

Risk Management Policy 2018

Version: Final Draft 0.2
Date: March 2018

Document Control

Organisation: Copeland Borough Council
Title: Risk Management Framework
Version:
Author: Gillian Butterworth, Performance and Risk Management Officer
Filename:
Owner: Director of Commercialisation and Corporate Resources
Subject: Risk Management
Protective Marking: None
Review Date: March 2020

Revision History

Version Reviewed: Final Draft V0.2
Date Reviewed: March 2018
Reviewed By: GB and CLT
Description of Revision: Review of draft V0.2. Progressed to Final version V1

Document Approval

Approved By: Corporate Leadership Team. Date: 22.03.2018
Approved By: Audit and Governance Committee. Date: 19.04.2018
Approved By: Executive. Date: 24.04.2018
Approved By: Full Council. Date: 08.05.2018

Document Distribution

This policy is to be available to all staff and elected members of Copeland Borough Council by being placed on the Council’s Intranet Site.

Contributors

• Institute of Risk Management (IRM) – Fundamentals of Risk Management
• IRM - A Risk Practitioners Guide to ISO 31000: 2018
• ISO31000 – Risk Management guidelines (2018)
• CIPFA – Delivering Good Governance in Local Government Framework - 2016
• Essex County Council Risk Management Strategy 2014-17
• Northumberland City Council – Risk Ready Reckoner

Contents

Purpose and Benefits
Introduction
Risk Appetite Statement
Definitions
Roles and Responsibilities

Policy Details including procedures
Approach to Risk Management
Stage 1. Risk Identification
Stage 2. Risk Assessment
Stage 3. Risk Control
Stage 4. Risk Monitoring
Monitoring of Policy Adherence

Appendices
Appendix A: Risk Identification Examples
Appendix B: Risk identification Techniques
Appendix C: Risk Impact scale including examples
Appendix D: Risk Management Form template
Appendix C: Risk Register Action Plan template

1. Purpose and Benefits

2.1 Copeland Borough Council (the council) has a statutory responsibility to have in place arrangements for managing risks, as stated in the Accounts & Audit Regulations 2015:

“A relevant body must ensure that it has a sound system of internal control which:
(a) facilitates the effective exercise of its functions and the achievement of its aims and objectives;
(b) ensures that the financial and operational management of the authority is effective;
(c) includes effective arrangements for the management of risk.”

1.4 The purpose of this policy is to set out the processes used by the council to ensure an effective and consistent approach to risk management.

2.3 The benefits to be gained from effective risk management include:

Improved strategic management - Greater ability to deliver against corporate objectives and priorities. Improved decision making. Enhanced corporate governance. Increased capacity to anticipate and respond to change proactively (technological, social, environmental, legislative changes)

Improved operational management - More effective management of resources. Improved service delivery and VFM. Prevention of loss or injury to staff and public.

Improved financial management - Better informed financial decision-making leading to greater financial control and a reduction in insurance and claims costs to the Council. Greater protection of assets and guard against impropriety or poor VFM.

Improved customer service - Minimal service disruption to customers and a positive external image as a result of all of the above. Reduction in complaints. Enhance the profile of the Council and increased customer/community confidence.

2. Introduction

2.1 Risk is defined as:

‘The possibility that an event will occur that will have an impact on the achievement of objectives’ [1]. In its simplest sense, risk can be defined as ‘The effect of uncertainty on objectives’ [2].

2.2 This effect of uncertainty on objectives, or ‘the risk’, is measured by a combination of the probability of an event happening and the consequences of an event happening.

[1] COSO – Definition of risk.
[2] The International Risk Management Standard ISO: 31000

2.3 Risk is always present in all that we do and a certain amount of risk taking is inevitable to achieve strategic ambition and business objectives. Risks can be either negative or positive; this means that they can pose a threat or an opportunity to the achievement of objectives.

2.4 Risk Management is not about taking no risks at all. It is about being able to take calculated and controlled risks to achieve objectives. To manage risk, the council uses a coordinated process to identify, assess, control and monitor risks with a view to increasing the probability of success and reducing the likelihood of failure.

2.5 The Risk Management Policy supports the Council’s vision and priorities which are set out in the Corporate Strategy for 2016-2020. The Council has a clear mission that is “To make Copeland a better place to live, work and visit”.

Risk appetite statement

Copeland Borough Council’s vision for 2020 is for the Council to be ‘a commercially focused organisation with a national reputation for high quality services’.

All key decisions will be informed by a robust assessment of the risks, and must be able to demonstrate that a level of risk is accepted against an activity only where the benefits are proportionate to, or greater than, the level of risk involved. Risk assessments will use the Zurich Risk Assessment Matrix set out in the policy.

Through increasing the commercial activity of the Council, it is expected that there will be increased exposure to new risks. The Council recognises that there is risk in all that we do, and that while some risks pose a threat, others provide an opportunity. Acceptance of risks will be founded on an evidence based, comprehensive assessment of the controls and resources available.

The Council’s priority is to ensure that it protects the public purse in accordance with audit and governance provisions, and to this end the Council’s risk appetite in relation to statutory services and functions is one of prudence.

Realisation of the Council’s mission and vision is founded on the achievement of four key ambitions. Here the Council’s appetite for risk is assessed based on the balance between cost and benefit; this is set out for each of the four ambitions below:

Town Centre Regeneration - The Council is open to opportunities relating to its influence on generating sustainable growth throughout the borough.

Commercialisation – The Council is open to developments and innovations that will (sustainably) increase the income, efficiency and quality of its commercial services.

Employment, Skills and Social wellbeing - The Council is open to opportunities to increase the employment, skills and social wellbeing of Copeland residents.

Strengthen the way we operate - The Council is open to opportunities to improve the way it operates to provide high quality statutory and discretionary services.

3. Definitions

3.1 The following definitions are used throughout this policy to define and identify key terms.

Risk: The effect of uncertainty on objectives.

Risk Management: The continuous process of identification, assessment and control of risks.

Zurich Risk Matrix: Matrix used by the Council to assess and score risks. Risks are assessed by putting a numerical value on the likelihood that the event will happen and the impact on the Council’s objectives, should that event happen. Risk Score = likelihood x impact

Risk Score:
• Current Risk - Score given to a risk taking into account any controls that are already in place.
• Target Risk – Target score for a risk, given that further controls identified in the risk action plan are put in place.

Risk Owner: Named persons responsible for overseeing the identification, management, monitoring, escalation and reporting of a risk.

Controls: Controls are actions put in place to reduce the risk.

Risk Action Plans: Action plans used to identify and monitor controls that need to be implemented in order to reduce risk.

Risk Registers: Risks grouped together on a register for monitoring and reporting purposes.

Risk Appetite: The amount and type of risk that the Council is willing to accept or pursue to achieve its strategic objectives.

Risk Tolerance: The amount of risk that the council can manage effectively or tolerate to achieve its objectives.

Risk Escalation: Process which allows a risk to be escalated to the next level of management.

Pentana: Performance management software used by the Council to record, monitor and report on its risk registers (formerly called Covalent).

4. Roles and Responsibilities

4.1 The Council is committed to embedding risk management into the culture of the organisation. In order to realise this commitment, all Council employees and elected members should:

• Become familiar with the Risk Management Policy.
• Be aware of personal roles and responsibilities in managing risk.
• Be proactive in the identification, assessment and control of threats and opportunities.
• Use the agreed procedures and templates contained within this policy to identify, assess, control, monitor and escalate risks.
• Immediately report any incident, accident, ‘near misses’ or any other concerns that they may have with regards to risks to their manager.

4.2 Specific responsibilities and governance with regard to Risk Management are shown below.

Executive
• Oversee risk management of the Council in delivering its strategic objectives and core services.
• Approve the Risk Management Strategy and Policy.
• Provide challenge around the risks involved in ‘key decisions’.

Audit & Governance Committee
• Provide independent assurance to the Council on the overall adequacy of the risk management framework, including review of proposed amendments to the Risk Management Framework prior to its presentation to Executive.
• Review the Strategic Risk Register on a quarterly basis and make recommendation for change.

Corporate Leadership Team
• Champion an effective Council-wide risk management culture.
• Ownership of the Strategic Risk Register.
• Overview of red risks on other Risk Registers.
• Oversee and manage escalated risks as next level of management.
• Ensure members receive relevant risk information.
• Design and facilitate the implementation of a risk management framework within the Council.
• Ensure relevant expertise is available to provide support and guidance as required.
• Provide assurance that risks are being effectively assessed and managed.

Leadership & Management Group
Responsible for the effective management of risk in their Service and projects within their service, in line with the processes set out in this policy. This includes:
• Identify, assess, mitigate and monitor service based risks.
• Identify risk owner, controls, action and timeframes for implementation.
• Attend training and awareness sessions as appropriate.
• Maintain the relevant Service and project risk registers using Pentana by reviewing all risks monthly.
• Escalate risks appropriately.
• Encourage staff to identify risks and opportunities.

Performance and Risk Management Officer
• Collate risk information and prepare reports as necessary.
• Support Corporate Leadership Team to embed risk management through the arrangement or provision of training.
• Support Risk Owners to manage risks by providing support and training on Pentana.

Officers
• Manage day to day risks and opportunities effectively and report risk management concerns to the line managers.
• Attend training and awareness sessions as appropriate.

Members
• Champion a Council-wide risk management culture.
• Provide scrutiny to the risks involved in the Council delivering its strategic objectives and core services.

5. Policy Details including procedures

5.1 Our approach to Risk Management

The Council’s approach to risk management is an ongoing coordinated process which identifies, assesses, controls and monitors risks, with the aim of increasing the probability of success and reducing the likelihood of failure. The process is cyclical and it is often necessary to revisit a previous stage to ensure that you have a complete picture of the risks that you are assessing.

There are four logical stages to the risk management process. These are outlined in the diagram and sub-sections below.

[Diagram: the four stages of the risk management process]

Risk Identification
• The identification of risks that matter.
• What events could occur that would have an impact on the

Risk Assessment
• Assess and score the risk.
• What is the likelihood of the event occurring and what impact could it have on the achievement of our objectives.
• Rank risks.

Risk Control
• Determine how to treat the risk: Treat, Tolerate, Transfer, Terminate.
• Determine what controls need to be put in place to manage the risk.
• Define a target risk score.

Risk Monitoring
• Log all risks on a Risk Register and monitor at regular intervals.
• Monitor the implementation and effectiveness of controls.
• Monitor changes to the risk.
• Horizon scanning to identify new risks emerging.

5.2 Stage 1 - Risk Identification

The first stage of the risk management process is to identify the risks. At first glance, this can seem like a daunting task; after all, risks are ever present and an inevitable part of business and innovation. However, risk management is about the proportionate use of resources to manage only the risks that matter, i.e. risks that may have an impact on the achievement of objectives.

The risk identification stage uses tools, techniques and standard templates to help the risk owner identify the risks that matter.

5.3 Understanding the risk context

An integral part of identifying risks is understanding the context. Depending on the area under review, the relevant objectives and outcomes will usually be detailed in existing documents, including the following:
• Corporate Strategy 2016-2020
• Service Plans
• Project Brief/Project Initiation Document
• Partnership Agreements
• Contractual Agreements
• Policies and procedures

5.4 Techniques used to Identify Risks

There are a number of techniques and tools that can be used to aid the identification of risks. To act as a prompt and to ensure completeness, a list of risk categories has been developed around the acronym PERFORMANCE:

Political - risks arising from the political environment e.g. government policy
Economic - risks arising from unique demographic / economic features
Regulatory - risk arising from legislation, legal challenges, and judicial reviews
Financial - risk associated to financial implications e.g. budgeting or affordability
Opportunities – arising from and risks to outcomes or objectives not being met
Reputation - risks that may damage the reputation of the council
Management - risk to the effective management of the organisation
Assets - risks relating to property, information, intellectual and ICT assets
New - risk arising from and risks to objectives not being met for new ventures
Customers - risks associated with customers OR risks to customer service
Environment - risk arising from environmental issues

Other examples of risks from each category are detailed in Appendix A.

Further examples of risk identification techniques are listed in Appendix B.

5.5 Describing the Risk

The way a risk is described is important to ensure that risks are clear, unambiguous and fully understood. Risk owners are required to write a risk statement which fully describes the risk.

5.6 The risk statement should tell a story and must consist of a cause, the risk and a consequence.

The Cause
• Sources and facts to describe the existing condition
• As a result of... / Due to... / Because of...
• [Language] is, do, has, has not... [present condition]

The Risk
• A description of the uncertain event or uncertain future
• ...may occur / Risk of...
• [Language] may, might, possibly

The Consequence
• Impacts - negative and positive
• Resulting in... / Which would lead to... / ...effect on the objectives
• [Language] would, will...

E.g. ‘Due to the policy being 4 years old, it may not be compliant with the latest legislation, which would lead to the incurring of penalties due to non-compliance’.

5.7 Classifying the type of risk

When a risk has been identified, the Council uses two classifications to determine the type of risk:

• Strategic Risks - Risks that could have a long term impact on the achievement of strategic ambitions. If the risk event happens, will the consequence affect the council’s strategic ambitions?

• Operational Risks – Risks that could have an effect on the successful achievement of the objectives of an individual Service, including service led projects and operational partnerships. If the risk event happens, will it affect the council’s operational delivery and functions?

5.8 Stage 2 - Risk Assessment

Having identified the risks that matter in stage one, the second stage of the risk management process is concerned with the assessment of the risk. This is done by giving the risk a score and a priority.

5.9 Risk Score

The council uses the Zurich Risk Assessment Matrix to score risks. Risks are scored by putting a numerical value on both the likelihood that an event will happen and the impact on the Council’s objectives, should that event happen.

5.10 The likelihood of the risk occurring is measured using a scale of 1 – 6, where a value of 1 means that the likelihood of the risk occurring is almost impossible and a value of 6 means the likelihood is very high, as defined in the table below:

Value 1 - Almost Impossible
Description: Will probably never happen
Probability: Less than 1% (1 in 100)
Frequency: Not expected to occur for years

Value 2 - Very Low
Description: Do not expect it to happen but it may
Probability: Between 2% & 5% (1 in 20)
Frequency: Expected to occur less than annually

Value 3 - Low
Description: Might happen rarely
Probability: Between 6% & 10% (1 in 10)
Frequency: Expected to occur more than annually

Value 4 - Significant
Description: Might happen occasionally
Probability: Between 11% & 30% (1 in 3)
Frequency: Expected to occur at least monthly

Value 5 - High
Description: Might happen frequently
Probability: Between 31% & 50% (1 in 2)
Frequency: Expected to occur at least weekly

Value 6 - Very High
Description: Will almost certainly happen
Probability: More than 50% (>1 in 2)
Frequency: Expected to occur at least daily

Depending on the risk, description, probability or frequency can be used to guide scoring.

5.11 The impact of a risk, should it occur, is measured using a risk impact scale of 1– 4, where a value of 1 means the impact would be negligible and where a value of 4 means the impact would be catastrophic to the achievement of objectives.

Value 1 - Negligible: Minimal impact on ability to deliver objectives / services
Value 2 - Marginal: Moderate impact on ability to deliver objectives / services
Value 3 - Critical: Significant impact on ability to deliver objectives / services
Value 4 - Catastrophic: Will not be able to deliver objectives / services

A table containing detailed examples of risk impact scores is listed in Appendix C

5.12 To calculate the risk score, the numerical value given to likelihood is multiplied by the numerical value given to impact of the risk.

Risk Score = likelihood x impact

E.g. If a risk has a low likelihood of occurring (Value = 3) but a Critical impact (Value = 3), the Risk Score would be 3 x 3 = 9

5.13 This is known as the Current Risk Score as it is an assessment of the risk as it is presently, taking into account any controls that are already in place to manage it.

5.14 Risk Prioritisation

Once the current risk score has been calculated, the priority of the risk can be determined. The higher the score, the higher the risk priority and the more it will need to be managed to mitigate adverse events.

The Zurich Risk Assessment Matrix used by the council uses a ‘traffic light’ system to determine whether a risk is Low, Medium or High priority.

Risk scores by Likelihood (rows) and Impact (columns: 1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic):

6 Very High: 6, 12, 18, 24
5 High: 5, 10, 15, 20
4 Significant: 4, 8, 12, 16
3 Low: 3, 6, 9, 12
2 Very Low: 2, 4, 6, 8
1 Almost Impossible: 1, 2, 3, 4

RED (12 to 24): Risk Score is Very High - Take Immediate Action to Mitigate Risk and monitor/review monthly.
AMBER (5 to 12): Risk Score is Significant – Act to mitigate risk and monitor/review quarterly.
GREEN (1 to 6): Risk Score is Low – No Action Necessary but continue to monitor risk quarterly.

5.15 Risk Control

Stage three of the risk management process is concerned firstly with deciding whether the risk is worth taking, based on information gathered in stages one and two, and secondly with taking appropriate targeted actions to control the risk through the use of risk action plans.

5.16 Risk Treatment

Based on the risk context, relevance to objectives, risk score and risk priority, the Council uses the ‘4Ts’ to determine how the risk should be treated.

Tolerate (Accept the risk)
This risk is deemed acceptable in order to achieve an objective. This measure is only appropriate for low level risks (Green).

Treated (Do something to reduce the risk)
By far the greater number of risks will be addressed in this way. The risk is deemed too high at present; however, we will continue with the risk and ensure that it is managed to an acceptable level, by putting controls in place to reduce the likelihood or the impact.

Transferred (Share the risk)
The risk is deemed too high; however, the risk to the Council can be reduced by sharing the burden of the risk. For example, insuring against the risk, outsourcing the activity, or working in partnership with other organisations to share/transfer the risk.

Terminated (Remove the risk)
Risk would be of such a severity that the only option is to terminate the activity that is generating the risk.

5.17 It may be necessary to use a combination of treatments to manage a particular risk. The reason behind the risk treatment must be recorded onto the Risk Management form. (5.21)

5.19 Risk Action Plans

Controls are actions that are put in place in order to manage a risk by either maintaining the risk at a current tolerable level or reducing the risk to a tolerable level. For each risk, it is necessary to list all current controls that are in place and any further controls that are required to manage the risk (required actions).

Required actions are recorded and monitored using a risk action plan. Each required action must be assigned a named responsible officer and the date by which the action will be implemented. It is the responsibility of the risk owner to oversee the risk action plan. Progress of risk action plans will be monitored and reviewed regularly alongside risk registers.

5.20 Target Risk Score

At this stage in the risk management process it may be necessary to assess and score the risk for a second time. This is to establish a Target Risk Score.

The Target Risk Score shows the direction of where we want and expect the risk to be if all required controls are successfully put in place.

5.21 Documenting the risk

The Council uses a standard ‘Risk Management Form’ as a template to record all risks. The form is designed to work in tandem with this policy and to allow employees to develop the correct approach to managing risks. Details taken from the risk monitoring form will be used by the Risk Management Officer to record all risks onto the council’s risk registers held on Pentana. (5.26 – 5.29)

Risk Management Form – Appendix D

5.22 Risk Monitoring

The fourth stage of the Risk Management process is the review and monitoring of the risks.

5.23 Reviewing Risks

Risks are reviewed regularly by looking at:
• How the risk has changed over time
• Change in either the likelihood or impact values
• The implementation of the agreed risk control action plan
• The effectiveness of the action in controlling the risk

Risk management is an ongoing process, and it may often be necessary to revisit earlier stages and carry them out again to ensure that you have an up-to-date and relevant picture of the risk.

5.24 Escalation of risks

Upon reviewing a risk, it may be necessary to escalate the risk to a higher level in the organisation. Risk may need to be escalated if:
• The risk becomes too unwieldy to manage at the current level
• The risk remains very high even after controls are implemented
• The risk will impact on more than one service/project/function if the risk event materialises
• Instinct tells the owner it is out of their control

5.25 Risks that require escalation onto the Strategic Risk Register are identified through monthly and quarterly risk monitoring and reporting. It is the responsibility of the risk owner to alert the Corporate Leadership Team of any risks that may need to be escalated. The Corporate Leadership Team will decide whether the risk is escalated and managed through the Strategic Risk Register.

5.26 Risk Registers

Risks are monitored through risk registers. Risk registers group together risks, for the purpose of monitoring and reporting.

The table below gives details about the risk registers used by the council and how these are monitored and reported.

Strategic Risk Register

What is on the register?
• The Strategic Risk Register (SRR) is a central register of all the risks that may prevent the Council meeting its long term strategic objectives.
• It is owned and managed by the Corporate Leadership Team (CLT).
• Strategic Risks are identified by the Corporate Leadership Team or through the escalation of risks from the Operational Risk Register, or via Horizon Scanning as part of the monthly review of the SRR.

How will it be monitored and reported?
• The Strategic Risk Register is uploaded to Pentana (Performance and risk management software).
• The Risk Management Officer is responsible for ensuring all details are entered onto Pentana.
• The SRR and action plan are monitored and reviewed monthly by Corporate Leadership Team.
• All SRR risks are reported quarterly to Audit and Governance Committee and the Executive.

Operational Risk Register

What is on the register?
• The Operational Risk Register (ORR) is a central register of Service level risks produced as part of the annual service plan.
• Operational risks are owned, managed and updated by the Service Manager.
• Operational risks can be identified as part of the annual Service plan or team meetings, process improvements or staff appraisals.

How will it be monitored and reported?
• The Operational Risk Register is uploaded to Pentana.
• The Risk Management Officer is responsible for ensuring all details are entered onto Pentana and for setting monthly reminders to prompt Service Managers to review and update their Operational Risks.
• Operational risks are monitored by the Service Managers and the Corporate Leadership Team through monthly reports, departmental team meetings and 1-2-1 meetings.
• All high priority (red) risks are reported and reviewed at departmental team meetings monthly.
• All high priority (red) risks are monitored and reported to Audit and Governance Committee and the Executive quarterly.

5.27 Project Risk Register

Project risks are identified, assessed and controlled following the risk management process outlined in this policy. Monitoring and reporting of project risks will follow the Project Management Framework; whereby, each project will have its own risk register and the Project Manager will be responsible for managing or escalating the project risks, and all high priority (red) risks will be reported to and monitored monthly by the Corporate Project Group.

5.28 Partnership Risks

Partnership risk registers are usually devised as part of the partnership agreement and are managed by the partnership board/group and not solely by the Council. Copies of the risk registers are held by the Director of Customer and Community, who is responsible for identifying and managing any risks to the Council. Any high priority (red) risks must be reported to Corporate Leadership Team for consideration and addition to the appropriate risk register.

5.29 Risk Register vs Issues log

The main difference between a risk and an issue is that a risk is concerned with the ‘effect of uncertainty’: it is something that may or may not affect the achievement of objectives, whereas an issue is something that has already happened that must be addressed or corrected. When progressing through the Risk Management Process, it may be helpful to keep a separate issues log, so that issues which require a management response are not confused with risks.

5.30 Pentana – Performance and Risk Management system

The Council uses Pentana Performance Management Software to monitor and record risk registers and risk action plans.

Strategic and Operational Risk Registers will be entered onto Pentana by the Risk Management Officer.

The Risk Management Officer is responsible for ensuring the Strategic Risk Register is updated on Pentana.

Service Managers are responsible for ensuring the Operational Risk Register is updated monthly on Pentana. Pentana will generate an email reminder to each risk owner to prompt the monthly review.

6. Monitoring of Policy Adherence

6.1 Compliance with this policy will be monitored via an annual audit undertaken by the Business Support Manager. The results will be reported to the Leadership and Management Group and the Corporate Leadership Team.

6.2 The Internal Audit Service also has a planned programme of performance management audits that will measure compliance with this policy and will report results to the Corporate Leadership Team and the Audit & Governance Committee.

Appendix A: Risk Identification Examples

Political
• Change in Government policy - Member support / approval
• Political personalities - New political arrangements

Economic
• Demographics
• Economic downturn - prosperity of local businesses / local communities

Regulatory
• Legislation and internal policies/regulations
• Grant funding conditions
• Legal challenges, legal powers, judicial reviews or public interest reports

Financial
• Budgetary pressures
• Loss of/reduction in income/funding, increase in energy costs
• Cost of living, interest rates, inflation etc.
• Financial management arrangements
• Investment decisions, Sustainable economic growth
• System / procedure weaknesses that could lead to fraud

Opportunities
• Add value or improve customer experience/satisfaction
• Reduce waste and inefficiency
• Raising educational attainment and improving the lives of children, young people and families
• Maximising independence for older people with disabilities
• Developing sustainable places and communities
• Protecting the community and making Copeland a safer place to live

Reputation
• Negative publicity (local and national), increase in complaints

Management
• Loss of key staff, recruitment and retention issues
• Training issues
• Lack of/or inadequate management support
• Poor communication/consultation
• Capacity issues - availability, sickness absence etc.
• Emergency preparedness / Business continuity

Assets (Including technology)
• Property - land, buildings and equipment
• Information – security, retention, timeliness, accuracy, intellectual property rights
• ICT – integrity, security, availability, e-government
• Environmental - landscape, countryside, historic environment, open space

New Partnerships/Projects/Contracts
• New initiatives, new ways of working, new policies and procedures
• New relationships – accountability issues / unclear roles and responsibilities
• Monitoring arrangements
• Managing change

Customers/Citizens
• Changing needs and expectations of customers - poor communication/consultation
• Poor quality / reduced service delivery - impact on vulnerable groups
• Crime and disorder, health inequalities, safeguarding issues

Environment
• Recycling, green issues, energy efficiency, land use and green belt issues, noise, contamination, pollution, increased waste or emissions
• Impact of planning or transportation policies
• Climate change – hotter drier summers, milder wetter winters and more extreme events – heat waves, flooding, storms etc.

Risk Management Framework Draft v0.3

Appendix B: Risk Identification techniques
(Source – IRM Risk Management Standard)

• Brainstorming
• Questionnaires
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)
• Test marketing/ Market Surveys
• Business impact analysis
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• PESTLE (Political Economic Social Technical Legal Environmental)

Appendix C – Risk Impact scale – with examples

Likelihood (rows) against Impact (columns: 1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic)

6 Very High: 6, 12, 18, 24
5 High: 5, 10, 15, 20
4 Significant: 4, 8, 12, 16
3 Low: 3, 6, 9, 12
2 Very Low: 2, 4, 6, 8
1 Almost Impossible: 1, 2, 3, 4

Examples, by Impact level (1 Negligible, 2 Marginal, 3 Critical, 4 Catastrophic)

Service disruption
1 Negligible: Minor errors in systems/operations or processes. Service unavailable for < 8 hours
2 Marginal: Significant short-term minimal disruption of activities. Service Unavailable for up to 1 day
3 Critical: Significant disruption of core activities. Service Unavailable for up to 3 days
4 Catastrophic: Cessation of core activities, Strategies. Service Unavailable for 3 days or more

Statutory duties
1 Negligible: Statutory duties are being complied with but there is scope for improvement and without an improvement plan in place, there is a risk that statutory duties may be affected.
2 Marginal: There are isolated unrelated incidents of a failure to deliver a statutory duty with such failure being rectified immediately but the improvement plan already in place is failing to deliver improvements.
3 Critical: There have been a number of incidents within a single service delivering a statutory duty with delays occurring in rectifying the failures but as yet the impact has not affected the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such.
4 Catastrophic: There have been a number of incidents in one or more services delivering a statutory duty which is impacting on the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such.

Finance
1 Negligible: Budget base exceeded by less than 10%
2 Marginal: Budget base exceeded by 10-50%
3 Critical: Budget Base exceeded by 50-100%
4 Catastrophic: Budget base exceeded by over 100%

Projects
1 Negligible: Negligible delays. < 5% of project spend exceeded. Minor deviations from project specification; does not affect final benefits
2 Marginal: Minor delays with some uncertainties. < 10% of project spend exceeded. Notable change to project specification
3 Critical: Significant Delays in project implementation. > 10% of project spend exceeded requiring a review and reframe of the costings. Potential for reduced quality or redesign of Product/Service.
4 Catastrophic: Project Benefits will not be realised in current project plan. Additional or Punitive costs that require major financial re-planning or project no longer sustainable. Product/Service not fit for purpose

ICT Failure
1 Negligible: Minor disruption in services delivery or function due to ICT systems failure (own or other department - ICT system interdependence). Service unavailable for < 8 hours
2 Marginal: Significant short-term minimal disruption of services delivery or function due to ICT systems failure (own or other department - ICT system interdependence). Service Unavailable for up to 1 day
3 Critical: Significant disruption to services delivery or function due to ICT systems failure in own or other interdependent system. Service Unavailable for up to 3 days
4 Catastrophic: Cessation of core activities, Strategies due to ICT systems failure in own or other interdependent system. Service Unavailable for 3 days or more

Staffing/HR
1 Negligible: Short-term low staffing level that temporarily reduces service quality. No impact on staff morale
2 Marginal: Increase in staff turnover; potential impact on service quality and team performance & morale
3 Critical: Significant staff turnover (proportional to team size) including key personnel. Impact on service quality and team performance & morale
4 Catastrophic: Inability to fill key posts. Strike action, key staff turnover. Severe impact on service quality and team performance & morale

Health & Safety
1 Negligible: Risk of injuries or stress with no workdays lost or minimal medical treatment
2 Marginal: Risk of Injuries or stress level requiring some medical treatment, potentially some workdays lost.
3 Critical: Risk of Serious injuries or stressful experience requiring medical many workdays lost.
4 Catastrophic: Risk of Life threatening or multiple serious injuries or prolonged work place stress

Reputational
1 Negligible: Short term adverse local public opinion.
2 Marginal: Adverse local publicity / local public opinion
3 Critical: Persistent adverse local media coverage / local public opinion
4 Catastrophic: Persistent adverse national media coverage / serious lack of confidence in the Council to provide the required service

Environmental
1 Negligible: Customer and Public awareness of environmental safety required in delivering service. No public health concern
2 Marginal: Limited but repairable environmental damage. No Public Health Concern
3 Critical: Moderate / Medium Term Environmental Damage. Public Health Concern requiring engagement
4 Catastrophic: Severe / Irreparable environmental damage. Serious Public Health Concerns

Contracts
1 Negligible: Failure by a contractor to meet a single minor term of a contract
2 Marginal: A failure by a contractor or the Council to meet a number of minor terms of a contract which do not impact on delivery
3 Critical: A failure by a contractor (including liquidation/ bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to any service but which does not directly impact on the delivery of the Council's statutory duties
4 Catastrophic: A failure by a contractor (including liquidation/ bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to a service which has a direct impact on the delivery of one or more of the Council's statutory duties

Appendix D: Risk Management Form

Risk: Risk Statement – Description of cause, risk and consequence
Type of Risk: e.g. strategic, operational,
Risk Scope: Description of risk, which areas it covers
Risk Owner
Risk Score: XX, LIKELIHOOD: XX (Value X), IMPACT: XX (Value X)
Target Risk Score: XX, LIKELIHOOD XX (XX), IMPACT XX (XX)
Risk Treatment: Tolerate / Treat / Transfer / Terminate
Reason for treatment

Causes (Causes or existing conditions): A full list of events which may cause the risk to occur
Risks (Uncertain Events)
Consequences: Consequences that the Council will suffer if the risk is unmanaged
Risk owner: All risks must have a risk owner. Strategic risk must have an Executive, CLT, and LMG Owner assigned. Operational Risks must have a CLT and LMG Owner assigned.
Date Last Reviewed: Date when the risk was last reviewed
Action/ Controls already in place: A list of activities that are already in place to reduce the impact or likelihood of the risk.
Required risk management action/control: A list of activities that needs to be undertaken in order to reduce the likelihood and/or the impact of the risk to tolerable levels.

Appendix E: Risk Register Action Plan Template

Risk Number | Action Number | Date Added | Action | CLT Owner | LMG Owner | Original Deadline | Date Updated | Progress Update | Status | Date Closed