Draft Guidance Note
How to Manage Risks
Author Risk and Assurance Team
Revision: V03
Created: March 2009
Updated: February 2012
Classification: Unrestricted
Management of Risk Registers
Carrying out an assessment of the risks against business objectives is central to business and service planning, to the core decision-making processes that influence policy, financial planning and spending, agenda management, change management, project management and performance management.
Risk Registers will be revised in line with Corporate, Service and Team Planning.
Service Risk Registers and Risk Action Plans assist managers in focussing on the key risks and ensuring that actions are in place to effectively manage these risks. They provide a documentary record of each risk, its owner, the key controls that relate to it and the status of any planned actions to be used to direct resources towards the effective treatment and tracking of the risks identified.
Monitoring, managing and responding to risks are fundamental to the delivery of priorities and services. The reason for monitoring key risks is to create an “early warning system” for any movement in risk – key risks are defined as those which score 12 or above. Risks scoring below 12 are considered to be managed and monitored appropriately and therefore within the Council’s “risk appetite”.
As well as providing useful data internally, these records also provide external inspection agencies with evidence of the completeness of the risk management process in place.
Remember that your Risk Registers and Action Plans are live data and must be maintained so that they are:
- Complete
- Accurate
- Reliable
- Timely
- Relevant
- Valid
Service Risks must be recorded on SharePoint. A Risk Action Plan should be completed for all risks on the Service Risk Registers to provide further detail on the risk and how it is being controlled.
Guidance Note – The Risk Management Process
All Services must have a Risk Register. This process is designed to assist Managers in focussing on the key risks and ensuring that actions are in place to effectively manage these risks.
The key stages in producing your Risk Register are:-
1. Context
Firstly, the parameters within which the rest of the process will be followed should be established:
- What are our objectives?
- What do we want to achieve?
- What are the success factors/outcomes?
2. Risk Identification
Identifying the risks facing Wiltshire Council is crucial if informed decisions are to be made about policies and service delivery.
3. Risk Analysis, Estimation and Evaluation
Once risks have been identified they are systematically and accurately assessed in terms of how likely they are to occur and what the impact would be if they did.
4. Risk Treatment and Control
Actions are taken to reduce the likelihood of risks occurring and/or the impact should they occur. A Risk Action Plan should be completed for each risk to show that it is adequately managed.
5. Risk Monitoring & Review
The effectiveness of control actions is kept under review, as is the nature of the risk (which can change over time).
The process is continual and Risk Registers and Risk Action Plans should be viewed as living documents and should be relevant to the objectives of the Council.
[Diagram: the risk management cycle – Context → Risk Identification → Risk analysis, estimation and evaluation → Risk treatment and control → Monitoring and review of risks, returning to Context]
Definition of Risk: Any occurrence that will impact on the attainment of a desired outcome.
An example of the risk assessment cycle is set out in Appendix A.
Step 1 – Context
Risks should be linked directly to Business Plan objectives, goals and projects in order to ensure that action plans are focussed on managing the risks identified.
What are your objectives, and do they link to the Business and Service Plans? What do we want to achieve? What are the success factors/outcomes?
Step 2 – Risk Identification
Identify the risks to achieving your objectives.
Gather a cross section of officers involved in the service/key objective setting. Hold a brainstorming session (this may be facilitated) to identify the risks both opportunities and threats facing your service. Use the SWOT approach to help identify the risks.
There are three parts to risks:-
An event → a root cause or source → leads to consequence or harm resulting in an impact
Look at previous history and records, risk assessments, questionnaires, checklists, surveys, organisational change charts, health & safety risk assessments, incident, accident records, claims history, financial penalties, benchmarking, community consultations etc., other Council experiences, businesses both private and public and also look at legislation or other set requirements. Ask those who know.
Managers should apply the method(s) that best suits their particular circumstances to help identify risks. This information is necessary to enable the likelihood and impact to be ascertained, and the management action needed to reduce them to be determined and taken.
Note that Strategic risks are those that would be potentially damaging to the Council’s goals and key corporate objectives. Operational risks are those day to day issues which the Council is confronted with as it strives to deliver and maintain its key corporate priorities and service plans. Project risks are those potentially damaging to the successful conclusion of a specific project.
Use the list of sources of risk categories set out below to prompt risk areas to consider and debate. The categories of risks are not limited.
- Communications
- Competitive
- Corporate / Leadership / Organisation (Reputation)
- Knowledge / Data / Information
- Economic
- Environmental & Sustainability
- Environmental factors / acts of God (force majeure)
- Finance
- Fraud
- Health & Safety
- Infrastructure
- Legal / Statutory
- Organisational Management / Human Resource
- Partnerships / Contractual (Procurement)
- Political
- Processes
- Professional judgement & activities
- Resources / Physical / Assets
- Service Delivery
- Social
- Stakeholder
- Technological
[Diagram: SWOT view of risk – Strengths and Weaknesses feed Opportunities (positive outcomes; upside/positive risk; achievement of…; maximising risk) and Threats (negative outcomes; downside/negative risk; failure of…; minimising risk). Each risk is made up of a Root Cause or Source, an Event and a Consequence / Impact.]
Further categories of risks and definitions for all of them are set out in Appendix B.
Risk Action Plans
The Risk Action Plan Template is set out in Appendix C. The following pages contain more detail about the information needed to complete the Risk Action Plan.
a) Complete a Risk Action Plan for each risk you have identified. The Risk Ref. will be entered by the Risk and Assurance Officer – you do not need to include anything in this box. Name the risk and define the scope/background of the risk. The scope is the cause of the risk and the impact to meeting your objectives.
b) Establish the Risk Owner – the officer who has overall responsibility if the risk arises – and the Key Officer – the person who has day-to-day responsibility for controlling the risk.
Step 3 - Risk analysis, estimation and evaluation
The aim of analysis is to separate out acceptable risks from the more significant ones and to provide data to assist in their further evaluation and treatment.
a) Provide details of how the risk is currently being managed. List all of the controls that are already in place to mitigate against the risk - what is currently being actioned and resourced to manage the risk?
b) You need to consider how likely the risk is to materialise and, if it did occur, what its effect would be on your service and/or the community. Use the scoring criteria for Impact and Likelihood set out in Appendix D and E to evaluate the impact and likelihood of your risk.
The scoring criteria are a guide, used to enable a consistent approach to the assessment of risk.
To get the current risk rating, each risk is scored from 1 to 4 for impact and from 1 to 4 for likelihood; the two scores are multiplied together to produce a score, which is rated red, amber or green. This establishes the level of risk:-
Red = High Risk (Score 12 – 16) Significant risks which are unacceptable; reduce the likelihood and/or impact through control measures.
Amber = Medium Risk (Score 6 – 9) Manageable risks, controls to be put in place; managers should consider the cost of implementing controls against the benefit in the reduction of risk exposure.
Green = Low Risk (Score 1 – 4) Negligible risks - to be considered and monitored as costs may outweigh benefits.
Step 4 – Risk Treatment and Control
a) After establishing existing controls and arrangements and having evaluated the risk, consider what further control measures/actions need to be taken to improve the management of the risk to an acceptable level. Examples of Risk Treatment and Controls are set out in Appendix F. List any additional actions that need to be taken and identify the name of the person responsible for each action and the date for completion. This could include if the actions need cabinet approval or if they are already approved; if actions have budget allocation or whether additional funding is needed. Also, include any contingency plans or back-up arrangements that are in place should the risk occur – if there are none in place, then consider developing them.
b) When any actions have been completed move them into the section above called ‘Controls in place to manage risk’.
c) Re-evaluate the impact and likelihood of the risk and record as a Target Risk Rating. This is the level of risk that is acceptable to the organisation.
The Council does not accept Red Target Risks except in exceptional circumstances.
d) In the ‘Comment on Current Status of Risk’ box provide an update on the progress of the risk. Has there been a change to the score and, if so, what caused it? How have the service plans been affected? You may wish to record meetings, dates and reports. This comment will be used for reporting to the Corporate Leadership Team and Audit Committee. If the risk is high (Red) the comment should include enough detail for reporting to the Corporate Leadership Team and Councillors.
e) Once you have reviewed the progress of your risk you then need to enter the RAG rating in the ‘Progress on Risk Action Plan’ box. Enter the appropriate RAG rating using the following key:
R = Little progress made against action plan
A = Moderate progress being made against action plan
G = Significant progress being made against action plan
Your completed risk action plans should now contain full details of all the risks facing your service objectives and you will have set out how you will be addressing them.
New Risks and Revised Risks
New risks will always be encountered and it is important that these are identified and documented promptly to enable them to be evaluated and appropriate action to be taken. Managers and staff should be made aware that new risks have been highlighted and should be brought to the attention of an appropriate responsible officer(s). They should be recorded using the same process as above.
Closed Risks
Please refer to the ‘How to – Close a risk’ guide on the Risk Information page on SharePoint for the procedure for closing risks.
Step 5 – Risk Monitoring, Review and Reporting
The risk action plan is a living document that must be retained on SharePoint, made available, and regularly reviewed and amended. The process doesn’t end here: the business environment is constantly changing, you will be exposed to new risks, some existing risks may be removed or eliminated, and your risk management action plans and control measures need to be adjusted accordingly.
Monitoring, managing and responding to risks are fundamental to the delivery of priorities and services.
Significant Risks have a score of 12 to 16 – ensure these risks are escalated to Management Teams and communicated.
The reason for monitoring key risks is to create an “early warning system” for any movement in risk – key risks are defined as those which score 12 or above in accordance with the diagram below. Risks scoring below 12 are considered to be managed appropriately and therefore within the Council’s “risk appetite”.
The Risk Matrix diagram below outlines the Risk Appetite of the Council.
Impact \ Likelihood   Very Unlikely (1)   Unlikely (2)   Likely (3)             Very Likely (4)
Significant (4)       L                   M              H (Significant Risk)   H (Significant Risk)
Substantial (3)       L                   M              M                      H (Significant Risk)
Moderate (2)          L                   L              M                      M
Low (1)               L                   L              L                      L
(Rows: Impact; columns: Likelihood of occurrence)
Red = High Risk (Score 12 – 16) Significant risks which are unacceptable; reduce the likelihood and/or impact through control measures.
Amber = Medium Risk (Score 6 – 9) Manageable risks, controls to be put in place; managers should consider the cost of implementing controls against the benefit in the reduction of risk exposure.
Green = Low Risk (Score 1 – 4) Negligible risks - to be considered and monitored as costs may outweigh benefits.
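The scoring rule from Step 3 and the Risk Matrix above, written out as a small model so the bands, the 12+ escalation threshold and the Red-target rule can be checked mechanically. This is an added example, not part of the Council's guidance or its SharePoint tooling; the risk references and risks in the sample register are constructed placeholders.

```python
"""Risk scoring helpers modelled on the guidance: impact (1-4) x likelihood (1-4),
Red/Amber/Green bands, the 4x4 Risk Matrix, key-risk escalation at 12+ and the
rule that Red target ratings need exceptional circumstances."""
from dataclasses import dataclass

# Labels as used in the Risk Matrix and Appendices D and E
IMPACT = {1: "Low", 2: "Moderate", 3: "Substantial", 4: "Significant"}
LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Likely", 4: "Very Likely"}
KEY_RISK_THRESHOLD = 12  # key risks are those scoring 12 or above


def score(impact: int, likelihood: int) -> int:
    """Current or target score: impact multiplied by likelihood."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must each be scored 1 to 4")
    return impact * likelihood


def rag(value: int) -> str:
    """Map a score to the Red (12-16), Amber (6-9) or Green (1-4) band."""
    if 12 <= value <= 16:
        return "Red"
    if 6 <= value <= 9:
        return "Amber"
    if 1 <= value <= 4:
        return "Green"
    # 5, 7, 10, 11, 13, 14 and 15 cannot be produced by two 1-4 scores
    raise ValueError(f"{value} is not a valid risk score")


def matrix_rows() -> list:
    """The Risk Matrix as H/M/L letters, one string per impact row from
    Significant (4) down to Low (1), columns Very Unlikely (1) to Very Likely (4)."""
    letter = {"Red": "H", "Amber": "M", "Green": "L"}
    return ["".join(letter[rag(score(i, l))] for l in (1, 2, 3, 4))
            for i in (4, 3, 2, 1)]


@dataclass
class RiskActionPlan:
    """The scoring fields of the Appendix C template (other boxes omitted)."""
    risk_ref: str
    risk: str
    risk_owner: str
    current: tuple  # (impact, likelihood) with existing controls in place
    target: tuple   # (impact, likelihood) once planned actions are complete
    exceptional: bool = False  # Red target accepted only in exceptional circumstances

    def current_score(self) -> int:
        return score(*self.current)

    def target_score(self) -> int:
        return score(*self.target)

    def current_rating(self) -> str:
        return rag(self.current_score())

    def target_rating(self) -> str:
        return rag(self.target_score())

    def is_key_risk(self) -> bool:
        """Scores of 12 or above are outside the Council's risk appetite."""
        return self.current_score() >= KEY_RISK_THRESHOLD

    def problems(self) -> list:
        """Checks that would send the plan back before it is accepted."""
        found = []
        if self.target_rating() == "Red" and not self.exceptional:
            found.append("Red target risk without exceptional circumstances")
        return found


def escalation_list(plans) -> list:
    """Risk refs scoring 12 to 16, to be escalated to Management Teams."""
    return [p.risk_ref for p in plans if p.is_key_risk()]


# Constructed sample register; the refs and risks are placeholders, not Council data
SAMPLE_REGISTER = [
    RiskActionPlan("R-EXAMPLE-1", "Prolonged loss of the main ICT system",
                   "Head of ICT", current=(4, 3), target=(4, 1)),
    RiskActionPlan("R-EXAMPLE-2", "Contractor fails to deliver to specification",
                   "Service Manager", current=(3, 3), target=(2, 2)),
    RiskActionPlan("R-EXAMPLE-3", "Unencrypted data on mobile devices",
                   "Head of ICT", current=(4, 4), target=(4, 3)),
]

if __name__ == "__main__":
    labels = ("Significant (4)", "Substantial (3)", "Moderate (2)", "Low (1)")
    for label, row in zip(labels, matrix_rows()):
        print(f"{label:16} {' '.join(row)}")
    for plan in SAMPLE_REGISTER:
        print(plan.risk_ref, plan.current_score(), plan.current_rating(), "->",
              plan.target_score(), plan.target_rating(), plan.problems())
    print("Escalate:", escalation_list(SAMPLE_REGISTER))
```

Running it prints the matrix row by row (which should match the table above) and flags the third sample risk, whose target of 4 x 3 = 12 stays Red without exceptional approval.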
Communicating Risks
All Risk Owners, Key Officers and those affected should be aware of the risks and their responsibilities. Communications should be cross cutting across the organisation as well as internal within your teams.
Reporting Risks
Service risks identified in the Service Risk Registers may be considered for inclusion in the Risk Management Update Report which is reported to the Corporate Leadership Team quarterly or by exception, if a significant event has occurred that warrants early reporting.
Effectiveness of Risk Registers/Risk Action Plans
In order for the Risk Registers and Risk Action Plans to be an effective management tool they need to be maintained up to date following the corporate process. Risk Registers are living documents and therefore must be regularly reviewed and amended.
Working documents where appropriate should be kept as an archive for future reference. The Performance of Risk Registers will be monitored by the Risk and Assurance Officer.
The Risk and Assurance Officer will save a full Council register at month end.
The Risk Registers will inform the Councillors and the Corporate Leadership Team on the significant risks facing the Council.
Advice and Support
Information on Risk Management is available on:
- The Wire at: Risk Management
- SharePoint at: Managing Risk
If you require any training, advice and or assistance with a risk assessment or any aspect of risk management including access to SharePoint please contact:
Venita King, Risk and Assurance Officer, Tel No: (01225) 713766, Email: [email protected]
Rose Outen, Risk and Assurance Officer, Tel No: (01225) 713549, Email: [email protected]
Appendix A – Example of Risk Assessment Cycle
[Diagram: example risk assessment cycle – Context → Identify → Assessment → Implement → Monitor, as a continuous cycle. Text from the diagram:]
Context: Scope, Boundary, Participants, etc.
Identify: Identify Risks; Information Assets.
- Example areas for IT: Data systems (company, supplier, customer); System development; Programme maintenance; Network; IT Ops.
- Example risk areas: 3rd party access to systems; Unauthorised access to data; Hacking; Identity management; Denial of access; Unencrypted data; Use of non-standard equipment.
Assessment: Analyse Risks (Impact, Likelihood); Existing Controls; Refer to matrix; Prioritise; Decision Making.
Implement: Treat / Terminate / Tolerate / Transfer / Take Opportunity.
- Reduce risk to take control of: Damage to reputation; Financial Loss; Legal & Regulatory non-compliance.
- For example: Access control; Penetration tests; Encryption of data on mobile devices; Development of company policies; Audit of compliance.
Monitor: continuous cycle.
Example matrix from the diagram (rows: Impact; columns: Likelihood of occurrence):
Impact \ Likelihood   Rare (1)   Unlikely (2)   Possible (3)   Almost certain (4)
Significant (4)       L          M              H              H
Moderate (3)          L          M              M              H
Minor (2)             L          L              M              M
Insignificant (1)     L          L              L              L
Continuous cycle
Appendix B – Sources of risk and example definitions
Categories of Risk (but not restricted) and their descriptions:
Communications: Consultation arrangements and media promotion.
Competitive: Affecting the competitiveness (cost & quality) of the service and/or the ability to deliver best value and effectiveness.
Corporate / Leadership / Organisation (Reputation): Risks affecting the Council’s reputation, authority, democratic renewal, trust and identity, and public perception.
Knowledge / Data / Information: Data protection, data reliability and data processing. Information and communication quality. Effective use and interpretation of information. Control of data and information. E-Government and service delivery.
Economic: General economic problems, regional economic pressures, high cost of capital, treasury risk, missed service & business opportunities, failure of major project(s), failure to prioritise, allocate appropriate budgets and monitor, inefficient / ineffective processing of documents.
Environmental & Sustainability: Consequences of progressing strategic objectives in terms of contamination and pollution, noise, recycling or the energy efficiency of ongoing operations. Impact on Local Agenda 21 policies, Crime and Disorder Act.
Environmental factors / acts of God (force majeure): Natural disasters that specifically require Emergency Management, Business Continuity and Disaster Management arrangements.
Finance: Accounting and reporting, internal financial delegation and control, e.g. schools finances, managing revenue and capital resources, neighbourhood renewal funding, taxation, pensions.
Fraud / Integrity: Fraud and corruption, accountability and openness, legality of actions and transactions and limits of authority.
Health & Safety: The health, safety and wellbeing of employees, partners, public and visitors. Compliance with health & safety legislation, policies and processes.
Infrastructure: Functioning of transport and impact of planning transportation policies, communications and utilities infrastructure. The impact of storms, floods, pollution.
Legal / Statutory: Legal constraints / requirements and the level of ongoing legal advice required. Risks of compliance, breach of legislation or regulatory duties. Judicial review, Human Rights Act breaches, inadequate response to new legislation, intervention by regulatory bodies and inspectors e.g. OFSTED, SSI, Audit Commission etc. Failure to implement legislative change and meet statutory duties / deadlines.
Organisational Management / Human Resource: Recruiting and retaining appropriate staff, provision of capacity and expert assistance. Applying and developing skills in accordance with corporate objectives, employment policies, absences, diversity and equalities.
Partnerships / Contractual (Procurement): Failure of contractors to deliver services or products to agreed cost / specification. Procurement, contract and relationship management. Overall partnership arrangements.
Resources / Physical / Assets: Threats of fire, damage, security of land, buildings, vehicles and technology and any other assets. Maintenance of accommodation, transport, communications and suppliers of all kinds - power, office equipment. Safety of plant and equipment, control of IT.
Political: Wrong strategic priorities, not meeting the Government agenda, too slow to innovate / modernise.
Processes: Infection control, inspection, compliance, project management, performance management, benefits system, environment management system.
Professional judgement & activities: Risk inherent in professional work, i.e. assessing clients’ welfare, design of buildings, teaching vulnerable children, response to the Human Rights Act.
Service Delivery: Risks associated with failure to deliver a primary service to the community. Failure to deal with refuse; Social services: child protection; Housing: welfare of tenants; town planning.
Social: Failure to meet the needs of the disadvantaged community, residential and social trends, effects / impacts of changes in demographics, employment challenges, regeneration, failures in partnership working, problems in delivering life long learning, crime and
Stakeholder: Satisfaction of citizens, users, central and regional government and other stakeholders.
Technological: Capacity to deal with obsolescence and innovation, product relativity, development and adaptability, or ability to use technology to address changing demands.
Appendix C – WILTSHIRE COUNCIL RISK ACTION PLAN
Risk Ref: RXXXXX    Risk:    Date of Action Plan Update:
Current Risk Rating (High, Med, Low):   I =   L =   Current Score =
Target Risk Rating (High, Med, Low):    I =   L =   Target Score =
Progress on Risk Action Plan:   RAG =
Comment on Current Status of Risk (for use in risk management update reports):
Risk Owner:    Key Officer/s:
Scope / Background to Risk (Insert information about the risk that explains it further, including any history, cause of risk and potential impact and likelihood evaluation information):
Cause:
Impact:
Controls in place to manage risk:
1.
2.
Action Plan
Actions to take to improve the management of this risk OR Contingency Arrangements | Responsibility for action | Date for completion | Progress / Status Report for Improvement Actions
1. | 1. Officer name | 1. Date | Include some narrative on how you are progressing with the actions to improve the management of the risk.
2. | 2. | 2. |
3. | 3. | 3. |
Helpful Hints to Complete the Action Plan Template for Each Risk:
Risk Ref: Reference from risk register on SAP, SSM.
Risk: As shown on the risk register.
Action Plan Update: Date that review and update of the action plan is done.
Current/Target Risk Rating: Enter the current and target ‘Impact’ and ‘Likelihood’ ratings, the scores and level of risk using the following key:
Red = High Risk (Score 12 - 16) Amber = Medium Risk (Score 6 - 9) Green = Low Risk (Score 1 - 4)
Progress on Risk Action Plan: Enter the appropriate RAG rating using the following key:
R = Little progress made against action plan
A = Moderate progress being made against action plan
G = Significant progress being made against action plan
Comment on Current Status of Risk: Updated comment that can be used for reporting to Corporate Leadership Team and Audit Committee. If risk is high (Red) the comment should include enough detail for reporting to chief officers and councillors.
Risk Owner: Name of officer who has overall responsibility for the risk.
Key Officer/s: Name of officer/s who has day to day responsibility for controlling the risk.
Scope/Background to risk: Include a clear description of the risk, its cause and what the impact would be should it occur. Also, give details of any past incidences of this risk occurring.
Controls in place to manage risk: Provide details of how this risk is being managed at the moment.
Actions to take to improve the management of this risk OR contingency arrangements: Create a list of additional measures that need to be taken to improve the management of the risk. Enter the name of the person responsible for each action and the date for completion. (Could include if the actions need cabinet approval/ if they are already approved: If actions have budget allocation or whether additional funding is needed). Also, include any contingency plans or back-up arrangements that are in place should the risk occur – if there are none in place, then consider developing them.
When any actions have been completed move them into the section above ‘Controls in place to manage risk’.
Progress/Status report for improvement actions: Give details of how planned actions are progressing – are they going as planned / behind schedule / overspent etc. This will then help you assess the RAG rating of progress on your action plan (see box in current risk rating row above).
Appendix D – Wiltshire Council Impact Scoring Criteria
Columns: Score | Effect on service | Embarrassment / reputation | Personal safety | Personal privacy infringement | Failure to provide statutory duties / meet legal obligations | Financial | Effect on project objectives / schedule deadlines | ICT | Environment
Score 4 - Significant
- Major loss of service, including several important areas of service and/or for a protracted period
- Service disruption 5+ days
- Adverse and persistent national media coverage
- Adverse central government response, involving (threat of) removal of delegated powers
- Officer(s) and/or Members forced to resign
- Death of an individual or several people
- All personal details compromised/revealed
- Litigation/claims/fines: Departmental £250k+; Corporate £500k+
- Costing over £1m
- Major increase on up to 75% of budget
- Complete failure of project/extreme delay - 3 months or more
- All benefits fail to be realised
- Total replacement of existing system
- Major redevelopment required
- Substantial impact on service
- Significant/excessive emissions to land, air or water; or disruption to plant and/or animal life with long term effects (over 5 yrs)
Score 3 - Substantial
- Complete loss of an important service area for a short period
- Moderate effect to services in one or more areas for a period of weeks
- Service disruption 3-5 days
- Adverse publicity in professional/municipal press, affecting perception/standing in professional/local government community
- Adverse local publicity of a major and persistent nature
- Severe injury to an individual or several people
- Many individual personal details compromised/revealed
- Litigation/claims/fines: Departmental £100k to £250k; Corporate £250k to £500k
- Costing between £250k and £1m
- Up to 50% of budget
- Significant impact on project or most of expected benefits fail/major delay of 2-3 months
- Majority of benefits fail to be realised
- Major configuration of existing system
- Disruption to service
- Severe emissions to land, air or water; or disruption to plant and/or animal life with medium term effects (3-5 yrs)
Score 2 - Moderate
- Minor effect to an important service area for a short period
- Adverse effect to services in one or more areas for a period of weeks
- Service disruption 2-3 days
- Adverse local publicity/local public opinion aware
- Statutory prosecution of a non-serious nature
- Minor injury to an individual or several people
- Some individual personal details compromised/revealed
- Litigation/claims/fines: Departmental £25k to £100k; Corporate £50k to £250k
- Costing between £50k and £250k
- Up to 25% of budget
- Adverse effect on project/significant slippage of 3 weeks - 2 months
- Some benefits fail to be realised
- Basic IT requirements. Some minor configuration
- Minimal disruption to service
- Limited emissions to land, air or water; or disruption to plant and/or animal life with short term effects (up to 2 yrs)
Score 1 - Low
- Brief disruption of important service area
- Significant effect to non-crucial service area
- Service disruption 1 day
- Contained within section/Unit or Directorate
- Complaint from individual/small group, of arguable merit
- Slight injury or discomfort to an individual or several people
- Isolated individual personal details compromised/revealed
- Litigation/claims/fines: Departmental below £25k; Corporate below £50k
- Costing less than £50k
- Up to 10% of budget
- Minimal impact to project
- Slight delay less than 3 weeks
- Minimal benefits fail to be realised
- Basic IT requirements met
- No disruption to service
- Negligible emissions to land, air or water; or disruption to plant and/or animal life with no lasting effects (Current)
NB: Not all categories may apply to each risk. You need to come to a management consensus among your group.
Appendix E - Wiltshire Council Likelihood scoring criteria
Columns: Score | Description | Indicators
Score 4 - Very Likely
- More than 75% chance of occurrence
- Regular occurrence. Circumstances frequently encountered – daily/weekly/monthly
Score 3 - Likely
- 40% - 75% chance of occurrence
- Likely to happen at some point within the next 1-2 years. Circumstances occasionally encountered (a few times a year).
Score 2 - Unlikely
- 10% - 40% chance of occurrence
- Only likely to happen in 3 or more years
Score 1 - Very Unlikely
- Less than 10% chance of occurrence
- Has happened rarely/never before
Appendix F – Risk Treatment and Control Measures
Consideration should be given to approaches that maximise the risk managed by enhancing and securing controls (realisation, enhancement and exploitation), to retention, and to approaches that reduce risk through preventative and mitigating controls. Examples are set out below:
Treat
- Mitigation - Apply control measures. Actions can be taken to reduce the likelihood and/or impact of the risk, such as projects, new systems or procedures, training, monitoring.
- Preventative - Designed to limit the possibility of an undesirable outcome. These may include training, provision of information, ensuring some activities are carried out by competent / accredited persons. Also includes security policies / procedures.
- Corrective - Designed to correct undesirable outcomes which have been realised. Contingency and business continuity fall into this category.
- Directive - Designed to ensure a particular outcome is achieved. Health & Safety and Security procedures fall into this category. A requirement to wear protective clothing when undertaking hazardous duties is an example.
- Monitoring / Detective - Designed to identify undesirable outcomes that have been realised. These will include stock or asset reconciliations to detect theft / fraud. These may include post-event or implementation assessment and feedback measures.
Transfer
- Transfer the risk to a third party to bear all or part of the risk. This can be done by conventional insurance, contractual transfer, or partnership, ventures / outsourcing services. (The Council cannot transfer the risk to its reputation, or service delivery, to its partners or contractors. Where a key or statutory service is being supplied by a partner organisation it will, therefore, usually be necessary to have exit strategies and / or contingency plans in the event of partner failure.) Care must be taken to ensure that the extent of the transfer is clearly defined.
Tolerate
- Retention - Accept the risk. No scope to mitigate the risk without disproportionate cost or effort. Consider contingency planning to deal with the impact if the risk event occurs.
Terminate
- Elimination - Risks can be avoided by not proceeding with an activity, but this option is limited. It does not apply to statutory services.
Take Opportunity
- Consider other gains that may be made by applying the risk controls envisaged. These may have a positive impact beyond the activity being assessed.