managing risk - leicester · risk management is all about managing the council’s threats and...

MANAGING RISK

A Practical Guide to Managing Risk and Opportunities at Leicester City Council

Version 9
Original Production Date: November 2009
Review Date: January 2017
Last amendment: January 2016
Interface Address: http://interface.lcc.local/our-organisation/corporate-resources-and-support/financial-services/iarmis/risk-management-and-insurance-services/risk-management-/




Contents

THE COUNCIL’S RISK MANAGEMENT POLICY STATEMENT 2016 (page 3)
HEAD OF INTERNAL AUDIT AND RISK MANAGEMENT’S INTRODUCTION (page 4)
1. WHAT IS A RISK (page 5)
2. DEFINITION OF RISK MANAGEMENT (page 5)
3. WHY SHOULD RISK BE MANAGED (page 7)
4. LEICESTER CITY COUNCIL’S APPROACH TO RISK MANAGEMENT (page 8)
5. RISK MANAGEMENT STRATEGY (page 8)
6. LEADERSHIP – ROLES AND RESPONSIBILITIES (page 9)
7. STEP-BY-STEP GUIDE – HOW THIS WORKS AND HOW IT’S DONE (page 11)
   7.1 Five Steps of Risk Management (page 11)
      Step 1 – Identify the Risk (page 12)
      Step 2 – Assess the Risk (page 15)
      Step 3 – Management of Risk (Control Measures) (page 16)
      Step 4 – Monitoring Risk (page 17)
      Step 5 – Reviewing and Reporting (page 17)
8. BUSINESS CONTINUITY MANAGEMENT (page 20)
9. USEFUL CONTACTS AND ONGOING SUPPORT (page 21)
10. RISK MANAGEMENT GLOSSARY (page 22)
11. RISK ASSESSMENT/REGISTER FORM (page 24)
12. RISK SCORING GUIDE (page 25)
13. RISK MANAGEMENT TRAINING (page 27)


The Council’s Risk Management Policy Statement 2016

Our approach to the management of risk

Risk management is all about managing the council’s threats and opportunities. By managing the council’s threats effectively we will be in a stronger position to deliver the council’s objectives. It is acknowledged that risk is a feature of all business activity and is a particular attribute of the more creative of its strategic developments. The council accepts the need to take proportionate risk to achieve its strategic obligations, but expects that these are properly identified and managed. By managing these opportunities in a structured process the council will be in a better position to provide improved services and better value for money.

The council will undertake to:-

1. Identify, manage and act on opportunities as well as risks to enable the council to achieve its objectives and integrate risk management into the culture and day to day working of the council.
2. Manage risks in accordance with best practices and comply with statutory requirements.
3. Ensure that a systematic approach to risk management is adopted as part of Service Planning and Performance Management.
4. Anticipate and respond to changing social, environmental and legislative requirements.
5. Keep up to date and develop our processes for the identification/management of risk.
6. Have in place a defined outline of individual roles and responsibilities.
7. Raise awareness of the need for risk management to those involved in developing the council’s policies and delivering services.
8. Demonstrate the benefits of effective risk management by:
   • Cohesive leadership and improved management controls;
   • Improved resource management – people, time, and assets;
   • Improved efficiency and effectiveness in service and project delivery;
   • Better protection of employees, residents and others from harm;
   • Reduction in losses leading to lower insurance premiums; and,
   • Improved reputation for the council;
9. Ensure risk assessments (identification of, and plans to manage, risk) are an integral part of all plans and proposals to the Executive; Corporate Management Board and Strategic Directors.
10. Recognise that it is not always possible, nor desirable, to eliminate risk entirely, and so have a comprehensive insurance programme that protects the council from significant financial loss following damage or loss of its assets.

Andy Keeling, Chief Operating Officer
Sir Peter Soulsby, City Mayor


Introduction

Managers know that there can be surprises at any time, both good and bad. A councillor may suggest a new funding stream or service opportunity that could help the council meet its strategic priorities. A member of staff may provide poor service that results in a legal dispute, or may carelessly, accidentally or deliberately, do something resulting in someone (staff member, public or service user) being harmed. These events can have a serious impact on the council’s effectiveness, financial position, staff or other stakeholders. These impacts may be:-

• Legal actions which lead to a charge against the area’s budget;
• Legal actions personally against directors, employees or volunteers;
• Distraction of management in dealing with crisis situations;
• Adverse publicity affecting the council’s reputation; and,
• Potential increases in Insurance Premium.

Some events have such an impact that the risk of them happening cannot be left to chance. Many such events can be avoided or their impacts dealt with by having an effective risk management process. Effective risk management is essential for the council and its partners to achieve their priorities and both strategic and operational objectives, thus improving the outcomes for local people.

Good risk management is concerned with both the positive (opportunities) and negative (threats) aspects of risk. It supports and enhances the decision making process, increases the likelihood of the council fulfilling its objectives and enables it to respond quickly to new pressures and opportunities. Organisations that manage risk effectively and efficiently minimise ‘firefighting’ during an incident as risk management allows you to anticipate what may happen and you are, therefore, more likely to achieve your objectives/goals, often at a lower cost. Effective risk management is, therefore, good management practice:-

"If you don't have effective risk management, you don't have effective management" ‘Chance of Choice - SOLACE, 2000’.

The purpose of this toolkit is to assist managers and staff with the practical application of the risk management strategy and policy within Leicester City council, and to provide guidance to ensure all are aware of their responsibilities and duties. It is not to ensure that you eliminate risk as that would be neither reasonable, practicable nor (in reality) possible.

This toolkit includes a step-by-step guide to the council’s risk management framework and supporting processes. It is designed to complement the mandatory (since October 2014) ‘Identifying and Assessing Operational Risk’ training which forms part of the Risk Management and Insurance Services training programme detailed in Section 13.

Tony Edeson
Head of Internal Audit and Risk Management
0116 454 1621
[email protected]
January 2016


1. What is a Risk

Before managers can identify their risks they need to know what a risk is. The usual definitions of risk are:-

“Risk is the effect of uncertainty on objectives” (ISO31000 – Risk Management Principles and Guidelines standard and BS65000 – Guidance on Organisational Resilience)

“Something which may occur in the future which could affect the success of a project or adversely impede the delivery of a service objective (which may need to be managed)” – (general description)

“The uncertainty of the outcome of actions and events. Risks must be assessed by a combination of the likelihood of something happening and the impact if it does actually happen” – (HM Treasury Orange Book)

It is the first of those three definitions that we use at Leicester City Council, although all effectively mean the same thing.

An ‘effect’ is a deviation from the expected – positive and/or negative.

‘Objectives’ can have different aspects (such as financial, health and safety, legal, and environmental – these are not separate risk areas but are all implications arising from ‘operational’ risks) and can apply at different levels (such as strategic, project or operational – including process or procedure driven).

‘Uncertainty’ is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence (impact) or likelihood.

To try and give a practical definition of risk, it helps to imagine that there are three parts to a risk – the risk event that has a consequence that leads to an impact on the outcome of your service plans and/or your objectives. The potential impact of these risks can be measured by then estimating the likelihood of the event happening and the impact they will have on your objectives if they do occur. This is your risk assessment. You will then identify the measures or controls you have in place to lessen the impact and/or reduce the likelihood of the risk and its consequences.

Simply put, you have objectives to deliver and the risks are things that could prevent you delivering those objectives. The controls are how you will manage to reduce the likelihood of the risk from happening or lessen the impact on your business area if it does.

2. Definition of risk management

Risk management is the process of managing your risks to minimise the council’s exposure to potential liabilities. It is a cross-service planning activity to identify, control/manage and prioritise risks before they can have a significant adverse effect on your service delivery plans and your objectives.

Management and staff do this by identifying risks in order to reduce the likelihood of them occurring and introduce suitable controls to minimise or better manage the impact if it does occur.

Sensible Risk Management is about:-

• Reducing the number of events with negative outcomes (threats) and increasing the number of events with positive outcomes (opportunities) – enabling innovation;

• Identifying opportunities which, when taking managed risks, would benefit the council;


• Ensuring that those responsible for the risks manage them responsibly;

• Making change more effective and improving project management;

• Ensuring compliance with governance, legal, statutory and regulatory criteria and that Officers work within the council’s social responsibilities and ethical policies;

• Protecting revenue, reputation, stakeholders and enhancing value for money;

• Being transparent and supporting the proactive management of the council’s operations;

• Being dynamic, tailorable, iterative and responsive to change;

• Challenging complacent behaviours;

• Ensuring risks are continually or periodically re-assessed.

Sensible Risk Management is not about:-

• Taking no risks (risk averse) - stopping people from delivering services/projects/activities where the risks are properly identified and are being well managed;

• Generating endless paperwork and creating a bureaucratic system;

• Exaggerating or publicising trivial risks;

• Doing it once and forgetting about it.

Understanding and managing the threats and risks to the council comes down to:-

• Systematically identifying the risks surrounding your business activities;
   - What could go wrong?
   - What is it that prevents you from achieving your objectives?
   - What is it that stops you delivering your (service) plans?

• Assessing the likelihood of an event occurring and the impact upon the business should it occur (your assessment of the risk);

• Understanding how to respond to these events by;
   - Reducing the impact by putting systems in place to deal with the consequences and implications;
   - Asking ‘how can it be prevented from happening again’ or ‘what can be put in place to manage it if it did occur’ (further controls/lessons learned/near miss reporting).

Good, effective risk management also helps you to explore and take opportunities as they are identified. Think about the following:-

• Is there an opportunity which could be taken that will help to achieve the council’s objectives and assist in the delivery of your (service) plans?

• How likely is this to deliver significant benefit to your service and/or the council and what would those benefits be?

• How will these be achieved?

• What might go wrong and how could the likelihood of that happening be reduced or the impact on the business if it does happen be minimised? and

• What controls/actions are required to ensure that the above processes happen?

Good, effective risk management does not mean that we take greater risks, or that we avoid taking any risks at all. It gives a better understanding of the risks and opportunities that the council faces and how these can be best managed within the council’s overall risk appetite - risk appetite is the amount and type of risk that the organisation is prepared to take in order to achieve its objectives. It allows management to clearly demonstrate what risks are being taken to achieve results, and demonstrate how well those risks are being managed and monitored.


3. Why should risk be managed?

Effective risk management supports better decision making through having a good understanding of risks and their likely impact should they occur.

A major factor that led towards a more formalised approach to risk management has been the increased focus given to corporate governance as a result of a number of high-profile incidents. A series of reports covering risk management (Cadbury in 1992; Greenbury and Hampel in 1995; Turnbull in 1998 and Sarbanes Oxley in 2002) recommended more effective Corporate Governance. The principles within these reports describe good management practice and should, therefore, be applied equally to the public sector as well as the private sector. Key amongst these recommendations was that managers should be responsible for implementing policies and identifying and evaluating their risks.

Responding to these incidents, the Audit Commission produced a report entitled ‘Worth the Risk’. This extended the requirement to have demonstrable Corporate Governance procedures within the Public Sector. The council is now required to have a Code of Corporate Governance and make annual statements on its compliance with the Code, which includes an assessment of their approach to risk management. The council’s external auditors (and the council’s Insurers) specifically assess Risk Management and the degree to which it is applied within the council.

It has to be stressed that risk management is not about eliminating risk – it is about identifying risks within your services that need to be managed and then, through effective management of those risks, you reduce the likelihood of them occurring and lessen the impact on your service should they happen. Whilst risk management is a process that helps reduce the likelihood and minimise impact of risk, it cannot eliminate all risk; nor can it prevent risks from happening. With the best risk management process in place, things may still happen.

The value of effective risk management lies in the benefits that can be delivered, such as:-

• Cohesive leadership and improved management controls – a more sound basis for setting of strategies and policies;

• Opportunities may be taken that lead to financial benefit;

• Enhanced ability to justify actions taken (particularly after things go wrong!);

• Improved resource management – people, time and assets;

• Securing funding (increasingly, funding bodies - including central government - are becoming interested in seeing demonstrable, effective management of risk);

• Better management of change programmes - increases likelihood of change initiatives and projects being successfully implemented;

• Improved efficiency and effectiveness in service and project delivery;

• Better protection from harm of employees, service users and other members of the public;

• Fewer complaints;

• Conformance with council policies (across all areas of risk);

• Compliance with legislation;

• Reduction in likelihood/impact of losses;

• Lower insurance premiums, reduced claims costs;

• Protects and enhances the reputation of the council (and its management); and

• Being ‘risk aware’ and not ‘risk averse’.


Finally, risk needs to be managed because ‘things happen’ (all of the events listed below have taken place since 2010):-

• Hull/Doncaster/York/Cumbria/Worcester/Somerset – Floods;

• B Block, Granby Street and Catherine Street Junior School Fires;

• Accidents have occurred in Leicester care homes;

• Incidents on our ‘managed’ housing estates;

• Letters have been sent out to third parties with sensitive or confidential data about others;

• Deaths and serious incidents have occurred in City parks; and,

• Closure of 16 New Walk and the Customer Service Centre due to power loss.

4. Leicester City Council’s Approach to Risk Management

The aims and objectives of Leicester City Council’s Risk Management Strategy are:

To provide Directors, Members and officers with risk registers that give a comprehensive picture of the council’s risk profile;

To assist the council and its partners to adopt a “fit for purpose” methodology towards identification, evaluation and control of risks and to help ensure those risks are reduced to an acceptable level – the ‘risk appetite’;

To ensure that transparent and robust systems are in place to track and report upon existing and emerging risks which potentially could cause damage to the council;

To help integrate risk management into the culture and day to day working of the council and ensure a cross divisional/operational approach is applied; and,

To provide reliable information on which to base the annual strategic and operational risk and governance assurance statements.

5. Risk Management Strategy

The purpose of our risk management strategy is to define how risks and opportunities will be handled by Leicester City council. The strategy provides information on roles, responsibilities, processes and procedures. It states how risks will be identified, assessed, managed and reviewed.

Leicester City council has a clear strategy and process for identifying, assessing, managing, controlling, reviewing and reporting risk. The leadership, roles and responsibilities have been defined for managing those risks.

Leicester City council expects all its employees, officers and councillors to have a level of understanding of how risks and opportunities could affect the performance of the council and to regard the management of those risks as part of their everyday activities. This could be the management of strategic risks (those risks that threaten the achievement of the council’s medium and long-term strategic objectives) or operational risks (which Directors, managers and staff will encounter in the daily course of their work). Some groups or individuals will have a specific leadership role or responsibility for risk management and this detail is set out in Section 6 below.

The council has a ‘five-step’ framework for identifying; assessing; managing; controlling; reviewing; and, reporting risk (see Section 7). This is a continuous process and can easily integrate with strategic planning, financial planning, service planning and performance management activities. The council has agreed a criterion by which to measure the likelihood and impact of risks, effectiveness of control measures and required levels of risk management.

6. Leadership, roles and responsibilities

All Councillors

To consider and challenge risk management implications as part of their decision making process.

City Mayor/Executive/Audit and Risk Committee

Approve the council’s Risk Management Strategy and Policy Statement annually.

Consider risk management implications when making decisions and determine the risk appetite for the council.

Agree the council’s actions in managing its significant risks.

Receive regular reports on risk management activities.

Approve an annual statement on the effectiveness of the council’s risk controls as part of the statement of accounts.

Consider the effectiveness of the implementation of the risk management strategy and policy.

Strategic Directors

Responsibility for leading and managing the identification of significant strategic risks.

Ensure that there is a robust framework in place to identify, monitor and manage the council’s strategic risks and opportunities.

Ensuring that the measures to mitigate these risks are identified, managed and completed within agreed time-scales, ensuring that they bring about a successful outcome.

Lead in the promoting of a risk management culture within the council and with partners and stakeholders.

Approve and maintain the requirements for all CMT reports, business cases and major projects to include a risk assessment (where appropriate).

Ensure risk is considered as an integral part of service planning; performance management; financial planning; and, the strategic policy-making process.

Consider risk management implications when making Strategic decisions.

Management and quarterly review of the strategic risk register. Review and progress actions and capture emerging risks.

Recommend the level of risk appetite for all strategic risks to Executive.

Note, through quarterly review, the operational risk register.

Ensure that the measures to mitigate these operational risks are identified, managed and completed within agreed timescales, ensuring that they bring about a successful outcome.

Ensure that appropriate advice and training is available for all councillors and staff.

Ensure that resources needed to deliver effective risk management are in place.


Corporate Management Team

Responsibility for leading and managing the identification of significant operational risks from all operational areas.

Ensuring that the measures to mitigate these risks are identified, managed and completed within agreed timescales, ensuring that they bring about a successful outcome.

Lead in promoting a risk management culture within the council.

Divisional Directors

Submit Divisional Operational Risk Register (DORR) showing significant Divisional operational risks to Risk Management for consideration of inclusion in the council’s Operational Risk Register.

Escalating risks/issues to the relevant Strategic Directors, where appropriate.

Ensure there is a clear process for risks being managed by their Heads of Service (and where appropriate, their managers and/or supervisors) to be reviewed, at least quarterly, allowing their DORR to be seen as complete.

Embed risk management within the service areas they are responsible for.

Ensure compliance with corporate risk management standards.

Ensure that all stakeholders (employees, volunteers, contractors and partners) are made aware of their responsibilities for risk management and are aware of the lines of escalation of risk related issues.

Identify and nominate appropriate staff for risk management training.

Head of Internal Audit and Risk Management and the Manager, Risk Management

Provide facilitation, training and support to promote an embedded, proactive risk management culture throughout the council.

Assist the Strategic and Divisional directors in identifying, mitigating and controlling the council’s risks.

Maintain the strategic and operational risk registers of the council’s most significant risks.

Review risks identified in reports to Strategic Directors and the Executive.

Ensure that risk management records and procedures are properly maintained, decisions are recorded and an audit trail exists.

Ensure an annual programme of risk management training and awareness is established and maintained.

Review External and Internal Audit recommendations to ensure these are picked up and dealt with by the business.

All Employees

To have an understanding of risk and their role in managing risks in their daily activities, including the identification and reporting of risks and opportunities.

Support and undertake risk management activities as required.

Attend relevant training courses focussing on risk and risk management.


7. Step by Step Guide – How this all works and how it gets done

This guide is designed to guide managers and their teams through the process of assessing risk without lots of unnecessary bureaucracy. The Council has approved for use one simple risk assessment form – see section 11.

Remember, risk management is not an “added extra”, it should be part of your normal management process and should become the basis upon which you focus your business plans and actions. It is probably being done already. This process allows this to be demonstrated and recorded.

This framework is not only a scoring or measurement process, but also requires judgements and informed decisions to be made. It is, sometimes, best done as a group and should, ideally, involve those who are responsible for delivering the services. You should also encourage the participation of the Executive/ward councillors, staff and/or other stakeholders when appropriate. Just because you happen to be a Director, manager or supervisor, you are not always best placed to identify and assess all of the risks in your operational areas!

It may be helpful to have a facilitated session with the Risk Management and Insurance Services team assisting. This is important where significant risks need to be managed or where insurance or indemnity advice will be required. You are not able to properly complete your risk assessment without this information as the insurance/indemnity will probably be a significant control to your risk.

7.1 - Five Steps of Risk Management

Your focus should be on the outcome of the objective, not the process itself. We take a very simple approach to risk management, one that will reflect and is linked to:-

• Setting strategic/operational aims and objectives and agreeing service plans;
• Considering resource allocation;
• Deciding on asset management prioritisation;
• Running programmes, projects and partnerships; and,
• Considering option appraisal within key decision reports or policy changes.

Managing risk effectively involves the following five steps, each of which needs to be considered:-

1. Identification of risk, and its consequences/effects;
2. Assessment of the risks identified (risk scored using the council’s agreed methodology – presently a 5x5 grid - on page 25);
3. Identification of any controls required to manage/mitigate the risks identified;
4. Monitoring to ensure those identified controls are working effectively and continue to do so;
5. Review of the process to ensure it remains operational and is providing the desired outputs and outcomes.

To ensure ‘visibility’ of this process, the risks identified are then reported to the appropriate level of Management (or members), for instance (Head of Service, Divisional Director, Corporate Management Team or Executive/Committee/Council). The following sections give more detail around the process needed in each of the above ‘five steps’.


The whole process is encapsulated in the diagram below:-

[Diagram: The Risk Management Cycle. Elements shown: Identify Risk; Assess Risk; Manage Risk; Monitor Risk; Review; Record in Risk Register; Report to management and members]

Step 1 – Identify Risk

The council faces risks from both internal and external factors (see page 14). Understanding this helps you to assess the level of influence the council/you may have over the risks identified. A starting point for the identification of risk should be to examine your area’s objectives as laid down within any service plans. This process may also highlight key objectives that currently are not covered within your service plan.

At Strategic level, the focus is on identifying key risks affecting the achievement of the council’s strategic objectives. These are the risks (or opportunities) that are most likely to affect the performance and delivery of the council’s strategic priorities and the City Mayor’s Action Plan. The risks may prevent the Council from meeting statutory obligations or present a serious risk to completion of major projects.

At Operational level, the focus is on the risks (or opportunities) that occur in the delivery of day-to-day/front-line operations and continuity of the service – this includes Health and Safety activities (which are consequences of many operational risks) and issues arising from external reports, Coroners reports, complaints or Audit reports for example.

Management should remember that, in practice, operational risks may overlap into other service areas or Divisions. Risks that occur in one area can have an impact on other areas of the organisation. This is why it is important to identify risks and how they may impact on different parts of the organisation. It is also important to be aware that actions to manage a risk in one area may create or increase a risk in another area. Communication of possible impacts on other areas is essential – at Leicester City Council this dialogue may take place each quarter when the risk registers are presented to Corporate Management Team by RMIS in line with our strategy and policy.

It is important that all members of staff are involved (or feel involved) in the risk management process. Managers should ensure that there is a process in place for all staff to actively report any risks as and when they arise, and also for them to report when any aspect of a risk changes. It is recommended that risk should be on the agenda of all 121s at least quarterly. This ensures that there is upward reporting (from staff to supervisor; supervisor to manager; manager to Head of Service; and, Head of Service to Director) which, in turn, ensures that the high level DORR and its risks reflect the actual position within the Division.

There are a number of ways that managers and staff can identify their risks:-

• Brainstorming – involve all stakeholders (staff and contractors for example) and ensure that the forum allows open and honest discussion. It is important to allow this session to be as open as possible with no fear of comeback. All initial ideas should be recorded and then reviewed one by one.

• SWOT Analysis (Strengths; Weaknesses; Opportunities; Threats) of your service area;

• One to one meetings – with operational staff who are involved in the delivery of the service within the council;

• Learn from experience – compare risks from similar operations – both here at Leicester City Council and within your peer groups at other authorities. Utilise any findings from recent reports by Internal Audit, regulatory bodies or Health and Safety teams; accident and incident reports; complaints; insurance claims.

Managers also need to be absolutely clear on what their business objectives and service plan deliverables are and to have these in mind when identifying risks/opportunities/threats. In order to identify your risks, you need to consider the following question:- ‘What will stop you achieving your objectives or cause you to miss service plan deliverables?’

The risk itself should define the actual root cause or underlying issue, and what impact this would have if it occurred. It is often easier to start with consequences (the things that will actually happen should the risk event occur) and to ask ‘why would that happen?’ (probably no more than five times – we call this the ‘5Ys’). Your answer will either be the actual risk or another consequence. You should end up with the ‘real’ risk.

Comparison of risks will allow prioritisation of effort and resource to ensure the most effective and efficient mitigation measures are introduced. Many of the mitigating actions will, in any case, be designed to prevent the consequences which in turn will control the risk.

Managers should remember at this point that the aim of the exercise is not to eradicate risk completely as there are risks involved in all activities. You need to demonstrate that you have done all that is ‘reasonable and practical’ to reduce risk and further mitigation should be considered only where cost, time or resource does not prove to be prohibitive.

The Health and Safety Executive define ‘reasonably practicable’ through the use of a definition set out by the Court of Appeal (in its judgement in Edwards v. National Coal Board, (1949) 1 All ER 743):

‘Reasonably practicable’ is a narrower term than ‘physically possible’……a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting risk (whether in money, time or trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them – the risk being insignificant in relation to the sacrifice – the defendants discharge the onus on them.’

Categories and some examples of risk are given in the table below, which may help you to identify risks that you will have to manage or control (this is not an exhaustive list and is for guidance only).


Strategic

| Sources of risk | Risk examples |
| --- | --- |
| Infrastructure | Functioning of transport, communications and infrastructure. Impact of storms, floods, pollution. |
| Political, Legislative and Regulatory | Effects of the change in Central Government policies, UK or EU legislation, local and National changes in manifestos. Exposure to regulators (auditors/inspectors). Regulations – change and compliance. |
| Social Factors | Effects of changes in demographic profiles (age, race, social makeup etc.) affecting delivery of objectives. Crime statistics and trends. Numbers of children/vulnerable adults ‘at risk’. Key Public Health issues. |
| Leadership | Reputation, authority, democratic changes, trust and branding. Intellectual capital. Culture. Board composition. |
| Policy and Strategy | Clarity of policies, communication. Policy Planning and monitoring and managing performance. |
| Technological | Capacity to deal with (ICT) changes and innovation, product reliability, developments, systems integration etc. Current or proposed technology partners. |
| Competition and Markets | Cost and quality affecting delivery of service or ability to deliver value for money. Competition for service users (leisure, car parks etc.). Success or failure in securing funding. |
| Stakeholder related factors | Satisfaction of LCC’s taxpayers, Central Government, GOEM and other stakeholders. Customer/service user demand. |
| Environmental | Environmental impact from council, stakeholder activities (e.g. pollution – air and water, energy efficiency, recycling, emissions, contaminated land etc.). Traffic problems and congestion. Impact of activity on climate and climate change. |

Operational (Internal influences)

| Sources of risk | Risk examples |
| --- | --- |
| Finance | Associated with accounting and reporting, internal financial delegation and control, e.g. schools finance, managing revenue and capital resources, neighbourhood renewal funding, taxation and pensions. Liquidity and cashflow. Interest rates. Credit lines and availability. Accounting controls. |
| Human Resources | Recruiting and retaining appropriate staff and applying and developing skills in accordance with corporate objectives, employment policies, health and safety. Employees – people risks. |
| Supply Chain - Contracts and Partnership | Suppliers. Supply Chain management. Contracts. Failure of contractors to deliver services or products to the agreed cost and specification. Procurement, contract and life cycle management, legacy. Partnership arrangements, roles and responsibilities. |
| Tangible Assets and Equipment | Safety and maintenance of buildings and physical assets i.e. properties; plant and equipment; ICT equipment and control. Public access. |
| Environmental | Pollution, noise, licensing, energy efficiency of day-to-day activities. Natural events, often weather related. |
| Project and Processes | Compliance, assurance, project management, performance management, revenue and benefits systems, parking systems etc. Research and development. |
| Professional Judgement and Activities | Risks inherent in professional work, designing buildings, teaching vulnerable children, assessing needs (children and adults). |
| Integrity | Fraud and corruption, accountability, transparency, legality of transactions and limit of authority. |
| Leadership | Reputation, authority, democratic changes, trust and branding. |
| Information Governance & Data Security/Information for decision making | Data protection, data reliability and data processing. Control of data and information. E-government and service delivery. IT Systems. |
| Risk Management and Insurance | Incident reporting and investigation, risk analysis or measurement, evaluation and monitoring. Taking advantage of opportunities. |


Use the categories in the table above when you run a “brainstorm” session with your team. Don’t get too hung up on which category a risk fits into, as these are just prompts to help you to think. You should also remember that the above list is not exhaustive.

Step 2 – Assess the Risk

Having completed Step 1 you should have a list of risks (and probably several consequences for each risk). The next step is to ‘score’ those risks by agreeing how likely the event is to happen and how great an impact they will have on the achievement of your objectives or delivery of your service plan. This information will help you to decide which risks require dealing with first by helping you prioritise them for action.

The council has agreed a corporate standard for the levels of likelihood and impact for risks and opportunities and this is detailed within Section 12. Using this scale and the criteria given, assess each of your identified risks in terms of the likelihood of it actually happening and the impact on the council/your service area if it did. As there are very few risks, if any, which will not have controls in place, this should be done taking into account the existing controls you have and assuming they are working effectively.

This exercise can be a continuation of the brainstorming session in Step 1, or can be done with just your Senior/Leadership team or, indeed, by yourself. If the risks are significant to the Council or have a need for Insurance or Indemnity cover as a major or only control, then either the Head of Internal Audit and Risk Management or the Principal Insurance Officer should be invited to the session to assist you in defining your requirements.

As a City Council the areas of most concern are likely to be:-

• Risks that threaten business critical activities or the welfare of staff;
• Risks that threaten vulnerable service users or property;
• Where existing controls are weakest, are not effective or have failed; and,
• Where significant financial risk is apparent.

Once you have a ‘score’ for both the likelihood and impact, multiply these scores to get an overall risk score. This overall risk score should be used to prioritise your risks and to make decisions about the significance of the risk; how they should be treated; how quickly action needs to be taken; by whom i.e. the risk/action owner; and, how quickly and at what cost. The higher the ‘score’ the greater the need for prompt, effective action to be taken.

The next step is to decide what, if any, additional actions you need to take to better manage the risk and prevent any of the consequences from happening or lessening their impact if they do. This review is a ‘dream world’ type scenario where you would have no limitations on budget, timescale, resources, climate (political and environmental), location, other threats and weaknesses. This need only be done where the initial risk ‘score’ is above the Council’s identified risk appetite (identified in the Risk Scoring Guide Matrix in Section 12 by the solid black line).

Document any further controls on the form (in the ‘further management actions’ column) and then re-score the risk to show how introducing these controls would affect the risk score. This will enable you to make a business case for the resource you may currently be lacking to introduce these additional control measures. This gives you the ability to demonstrate that by providing (what may be) a small budget increase, the impact on the Council of a risk occurring might fall (in financial terms) by a considerably greater amount. Clearly, in some cases, there may be no further controls you can introduce or there may be no change to the overall risk score.

Then try to establish the cost of risk. This needs to show the cost to the Council if the risk manifests itself i.e. what would it cost in damage and repairs if it happens; the cost of the existing controls used to manage that risk. At this stage consider the worst case scenario when estimating this cost. The Principal Insurance and Claims Officer can advise on this where it is an insurable risk. Also, consider the cost of any future controls you think you need to better manage the risk. Remember, the cost of managing and controlling the risk should be proportionate to the risk that is being addressed – so you would not be able to justify spending £10,000 on a control that will reduce the cost of it happening by only £100.

The controls that you identify to avoid, reduce or transfer risk may not always lessen either the impact or the likelihood. Some risks will have significant impact no matter what you do, and equally in some cases all the controls you identify may not lessen the likelihood of something happening either. In these cases you are identifying actions that will allow you to better manage the situation when the risk occurs. At this stage you should consider contacting Risk Management and Insurance Services for support and guidance or just for the assurance that your risk evaluation and controls appear to be appropriate.

Step 3 – Management of Risk (Control Measures)

Having assessed your risks and arrived at a meaningful ‘score’ with the current control measures identified, you should now decide whether or not you want to take the risk and, if you do, what level of risk you are prepared to take. You need to choose from one of the following four options commonly referred to as the ‘4 Ts’ (again at this stage it may be worth seeking guidance from the Risk Management and Insurance Services team):-

• “Tolerate” the risk. It is accepted that sometimes it might be that an activity is classified as ‘risky’ but we choose to continue with it. The council will tolerate risks that it considers to be acceptable, for example:-
  - A risk that has been mitigated by several controls but remains a ‘high’ risk;
  - A risk where the costs of any controls outweigh the actual risk; and
  - A risk that actually provides more measurable benefits than it does by not doing it.

• “Treat” the risk. This is the approach most often used. The purpose of treating the risk is to carry on with the activity by taking additional actions to control it, reduce the likelihood of it happening or reduce the impact if it does.

• “Transfer” the risk to a third party, for example through insurance or by contracting it out. This reduces the impact on the council if an event occurs. This option is particularly good for mitigating financial risks or risks to assets, e.g. the transfer of risks may be considered to either reduce the exposure of the council or because an organisation is more capable of effectively managing the risk.

• “Terminate” the risk, or avoid the activity or circumstance that gives rise to the risk - stop doing something.

Some control measures may be relatively straightforward to address, some may take longer and may need to be implemented in stages. However, if the control measure required falls outside your immediate control, for instance the level of financial commitment required or the overall impact on the council, then these should be referred to The Corporate Management Team via your Divisional Director.


The Risk Register Owner has ultimate responsibility for seeing that actions are implemented, with individual risk owners being responsible for ensuring that existing controls remain effective and that any agreed additional controls are implemented.

Step 4 – Monitoring Risk

This is an important and often overlooked stage of the risk management process. Monitoring risk is all about ensuring that the control measures identified are working and are effective. It may be helpful to ask the following questions:-

• Have the chosen control measures been implemented as planned?
  - Are the identified control measures in place?
  - Are these measures being used properly?

• Are the chosen control measures working?
  - Have the changes made to manage exposure to the assessed risks resulted in what was intended?
  - Has exposure to the assessed risks been eliminated or adequately reduced?
  - Have there been any ‘near misses’? If yes, have any ‘lessons learned’ been applied?
  - Do any new controls need to be introduced?

• Are there any new problems?
  - Have the implemented control measures introduced any new problems?
  - Do the existing controls need to be reviewed and updated?

A risk score is only as good as the control; if the control is not effective, or does not work as envisaged, then your overall risk score will be false – and will, potentially, under-estimate the true level of risk you face. Therefore, it is vital to ensure that the controls put in place are working effectively.

It is necessary to monitor and to report on the progress in managing risks so that the achievement of objectives is maximised and losses are minimised. In addition, the effectiveness of risk management controls to reduce the likelihood/impact of adverse risk events occurring needs to be assessed and alternative controls be introduced if the identified control is proving ineffective.

When reviewing the risk assessment/register you need to ask yourself if the risk score is still correct. Are the ‘highs’ still ‘high’, and your ‘lows’ still ‘low’, for example. As your focus will be mainly on ‘highs’ or higher scoring ‘mediums’ you may also want to look at the ‘direction of travel’. That is, has a low ‘medium’ moved upwards toward a high ‘medium’ score for example? This could be an indication that you need to do something more to prevent it becoming a ‘high’. You should also consider whether you need to add any new risks to your risk register and whether any should be deleted. However, as mentioned earlier, we do not want this process to be a paper intensive exercise.

Step 5 – Reviewing and Reporting

All information relating to the identified risks should be recorded on the council’s risk assessment form/risk register (see Section 11). It is important that this is the form used by all for both consistency and compliance with our policy and strategy. This latter point is particularly important to ensure that our insurer’s indemnity is not put at risk, as we agree our risk management strategy and policy (including the forms we use) with our insurers as part of our review of insurance each year.
If we do not follow our own policy, we are not, strictly speaking, complying with the terms of our insurance. This leaves the Council (your) budget exposed to uninsured loss – which can be in the hundreds of thousands of pounds. So it is essential that only the Council’s approved risk assessment form is used and that it has been completed by staff that have attended the mandatory (since October 2014) ‘Identifying and Assessing Operational Risk’ training within the past two years.

When your risks and their mitigating controls have been recorded, identify the person (should be a named individual and not a group or job title) who will be responsible for introducing, implementing and managing the effectiveness of each control. Do make sure that the person responsible is told and understands what is required from them. Note a date by which the control needs to be implemented ensuring that the action fits into your service plans and resource availability. If the management of a risk is ‘on-going’, then you need to set the ‘action by’ date to the end of the financial year to ensure that it gets reviewed at least once a year. If additional costs are involved, you will need to seek approval from the budget holder for those, as appropriate.

Business priorities and situations may change over time. These changes may change your risks and opportunities and, therefore, they need to be reviewed regularly by asking yourself the following questions:-

• Are my risks still the same?
• Are there any new risks arising?
• Has the risk been controlled effectively to reduce the likelihood and impact?
• Has the action (or lack of actions) affected the overall impact (score) of the risk?
• Are there any other controls required? If so, what are they?

Your risk assessment/risk register should be a live document and changes should be recorded, updated and used to help you manage your everyday work. If you review without making any changes i.e. your risk profile has not changed, then ensure that the date of the document is amended to evidence your review. The Council’s Risk Management Strategy requires risk owners to review and update their risks at least quarterly, as below:-

• At least once a quarter you should discuss your risks with your line manager;

• At least once a quarter, each Head of Service should discuss their service area risks at their 121 with the Divisional Director;

• Following these discussions the Divisional Director will compile their Divisional Operational Risk Register showing the Division’s most significant risks and agree this with their Divisional Management Team and Strategic Director (where appropriate it should also be shared with the Executive portfolio holder for the area);

• At the end of January, April, July and October each Divisional Director should send their Divisional Operational Risk Register to Risk Management and Insurance Services (RMIS).

• RMIS will produce the Council’s Operational Risk Register and Strategic Risk Register on behalf of the Corporate Management Team.

• Audit and Risk Committee will review on behalf of Members.

At each stage in this Risk “escalation” process, the impact will be re-assessed. This is because a risk that is “high” at the point of service delivery may not be classified as “high” when considered at Divisional or Board level. For example, if one staff member at a Leisure Centre is absent, this may be a ‘high’ impact for the Centre. However, at Divisional level the absence of one staff member is likely to be insignificant. Only the risks that remain classified as “high” should pass to the next “level” of the risk escalation process.


Risk management should, therefore, be included as an agenda item on divisional management team meetings at least once a quarter. However, if a significant risk event occurs between scheduled meetings, you may want to discuss this immediately.

Risk management is a continuous cycle designed not only to identify, assess, manage and review risks, but also to support the strategic planning process. The strategic planning process and risk registers should be used as part of the budgetary decision making process. Business objectives created, as part of the strategic planning process, as well as your Service Plan deliverables should be used as the basis for identifying risks. The objectives and deliverables should be clear and concise or SMART (Specific; Measurable; Achievable; Realistic; and Timely), as this will aid the identification of risk to that objective or deliverable being achieved.

Linking the business objectives, service plan deliverables and the risks/opportunities together will help toward a successful outcome being achieved. By doing this you will have a trail of information, which can then be used to link risk management to performance measures and their outcomes.

Communication and Learning

Although communication and learning do not really form part of the risk management cycle, they are an integral part of the process. Without them the process of identification, assessing, managing, controlling and reporting risk would not be as effective. It is important to communicate with all stakeholders (from Directors to operational staff, external partners and third parties) about the way in which the council is managing risk and to provide assurance of this.

More and more of the council’s priorities are being delivered in partnership with other private, public and charitable bodies. Misunderstanding a joint risk can lead to serious problems such as inappropriate (expensive) control measures being applied by both/all parties or failure to deliver the overall objective. It is, therefore, important that you identify at the start of any partnership/joint working arrangement who is taking responsibility for the management of which risks.

Communicating internally is also vital to ensure that:-

• Everybody within your team understands their role and individual responsibilities in identifying, reporting, managing and controlling risks. If this is not achieved then the embedding of risk management will be ineffective and this may lead to risks not being identified and, potentially, failure to meet the council’s objectives;

• Lessons can be learned and communicated to those who can benefit from them (internal and external). For instance, if a risk has been identified (and an effective control measure was implemented which led to a successful outcome) then the same or very similar risk may occur in another project or business area and the same outcome could be achieved by using the same control measure(s). Equally, if control measures introduced fail to be effective, by communicating that, it can prevent another area making the same mistake;

• Strategic Directors and senior management all receive the same, consistent levels of assurance about the way in which risks are managed in their areas; and

• There are no surprises and processes going wrong, with no unexpected financial impacts.


8. Business Continuity Management

As detailed above, there will be occasions when a risk has to be taken and the consequences may be the loss or interruption to a service activity. In these cases, the only mitigant or control will be to have an effective Business Continuity Plan. For many of your services the council cannot afford to have any interruptions to service delivery – put simply, if you don’t deliver, people may die or suffer serious consequences.

The council has a responsibility to assist with handling incidents and emergencies that affect the wider City of Leicester through its Emergency Management Unit (external) and business continuity is about the smooth running of the Council itself (internal). An internal business continuity issue may escalate to a level where the emergency services are required and, therefore, constitute a major incident as defined by the Civil Contingencies Act (2004). Also, an external major incident may soon develop into a business continuity issue for the council, depending upon the resources it must commit under its Statutory Duty as a Category 1 Responder.

Business Continuity and Crisis Management are about finding strategic solutions to the loss of one or more of four significant resources (the ‘4 Ps’):

• People - Customers or service users and staff;
• Partners - Key Suppliers;
• Premises - Facilities; and,
• Plant and Equipment.

Being properly prepared to deal with unexpected interruption to any of these resources is at the heart of any business continuity or crisis management strategy. Business Continuity Management is the only real methodology that delivers such resilience across the entire range of business activity. A key part of Business Continuity Management is the Business Continuity Plan (BCP).

Where disruption affects critical business activities the consequences can be severe and may include substantial financial loss, an inability to achieve desired levels of service, embarrassment and/or loss of credibility within the Community. Having a business continuity/recovery plan that can be implemented with the minimum of fuss and delays significantly reduces the levels of disruption the council suffers and ensures rapid resumption of ‘normal service’ to the public.

The council’s Corporate BCP outlines the actions required by the council’s Business Continuity Management Team – high level officers that respond to events that affect the council’s identified business critical activities – those that need to be restored to order within 24 hours. This means that each Division should have their own individual plans for each of their service delivery units – probably one for each Head of Service’s area if appropriate. Each of these plans should be based on a similar format and be aligned to the corporate template which can be found on the Risk Management and Insurance Services (RMIS) Interface pages.

Responsibility for managing responses to events that do not affect critical activities will sit with Divisional Directors, their Heads of Service and individual managers or response teams within their Division. Directors should ensure that their Divisional plans are realistic and easy to use during a crisis. As such, Business Continuity Management planning should form part of their overall risk management. Guidance and support will be available from the RMIS team.

Positive assurance from each Director that these plans have been reviewed and remain fit for purpose will be required by the Chief Operating Officer and the City Mayor on an annual basis.


9. Useful Contacts and Ongoing Support

| Area | Contact |
| --- | --- |
| Business Continuity and Risk Management | Tony Edeson – Head of Internal Audit and Risk Management – 37 1621; Sonal Devani – Manager, Risk Management – 37 1635 |
| Customer Services | Alison Musgrove – Service Manager – Revenues & Customer Support – 37 2642 |
| Finance | Martin Judson – Head of Finance (Adults and Children) – 37 4101; Colin Sharpe – Head of Finance (CDN, Housing and Resources) – 37 4081 |
| ICT Security | Kulbinder Bhangu – Network and Telecoms Manager – 37 1244 |
| Information Governance | Lynn Wyeth – Information Governance – 37 1291 |
| Information Management | Matthew Johnson – Enterprise Content Manager – 37 1307 |
| ICT Helpdesk | Helpdesk generic number – 37 1066 |
| Insurance and Claims | Alexandra Weller – Principal Insurance and Claims Officer – 37 1642 |
| Internal Audit | Tony Edeson – Head of Internal Audit and Risk Management – 37 1621 |
| Learning Services | Chetna Patel-Liburd – Head of Service TLE Strategy – 37 2266 |
| Legal Services | Kamal Adatia – City Solicitor/Barrister and Head of Standards – 37 1401; Principal Solicitor for your Area – Pretty Patel/Paul Atreides/Emma Horton |
| Pay and Workforce Strategy (including Health and Safety) | Martin Southam – Health & Safety Team Manager – 37 4307 |
| Property | Wayne Antoine – Director of Investment – 37 6949; Sean Atterbury – Service Manager (Facilities Management), Investment – 37 4099 |
| Procurement | Neil Bayliss – Head of Corporate Procurement – 37 4021 |
| Safeguarding | Jane Boulton – Head of Safeguarding (Adults) – 37 2417; TBC – Steven Gauntley – Head of Service, CYP Safeguarding and Quality Assurance |

If you require further training, advice or support in identifying risk and the management of risk, then please contact Risk Management and Insurance Services on 0116 454 1620/37 1620 or visit the Risk Management and Insurance Services pages on Interface for full details of our ongoing training programme. The programme is managed by Workforce development, and courses may be booked through their training pages on MyView. These sessions are detailed in Section 13.


10. Risk Management Glossary

Assessing risks The approach and process used to prioritise and determine the likelihood of risks occurring and their potential impact on the achievement of the Councils objectives.

Assurance The level of comfort that can be given over a process or procedure.

Consequence The outcome of an event.

Contingency An action or arrangement that can be put in place to minimise the impact of a risk if it should occur.

Control (control measures) Any action, procedure or operation undertaken to either contain a risk to an acceptable level, or to reduce the likelihood.

Corporate Governance Set of internal controls, processes and policies affecting the way the Council is directed, administered or controlled.

Divisional risk Significant operational risks which affect the day-to-day activities of the council.

Identifying risks The process by which events that could affect the achievement of the Council’s objectives are drawn out and listed.

Impact The effect that a risk would have if it occurs.

Issue An event or concern that has occurred or is taking place and needs to be addressed (as opposed to a risk which has not yet, or might not, occur).

Likelihood The probability that an identified risk event will occur.

Managing and controlling risks Developing and putting in place actions and control measures to treat or manage a risk.

Mitigation (Plan) A strategy that reduces risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.

Objective Something to work towards – goal.

Operational risk Risks arising from the day to day issues that the Council might face as it delivers its services.

Overall risk score The score used to prioritise risks – impact multiplied by likelihood.

Risk Risk is the effect of uncertainty on objectives. A future event which, if it happens, will have an effect on Council objectives. This could be an opportunity as well as a threat.

Risk Appetite The level of risk the Council is willing to accept, tolerate or be exposed to at any given time.


Risk Assessment Analysis undertaken by management/staff when planning a new process or changing an existing procedure to identify risks that may occur, their potential impact and likelihood of occurrence. It will also identify controls needed to mitigate the risk and who is responsible for this.

Risk Averse Avoidance of all risk.

Risk Aware Having a process in place that allows management to know which risks are being taken and what controls are in place to manage them.

Risk Owner The person who has overall responsibility for ensuring that the strategy for addressing risk is appropriate and effective, and who has the authority to ensure that the right actions are being taken.

Risk Management Strategy The purpose of a risk management strategy is to define how Leicester City Council will handle risks and opportunities. This provides information on roles, responsibilities, processes and procedures. It states how risks will be identified, assessed, managed and reviewed.

Risk Register A log of identified risks.

Strategic risks Risks that would significantly impact on the delivery of the council’s strategic priorities.

Stakeholders Employees; customers and service recipients; funding providers; suppliers of services; partners; the media; the environment.


11. Risk Assessment/Register

xxxx Risk Assessment/Register
Completed by (Risk Register Owner): Name (person who is responsible for all the risks in this register)
Date completed: xx/xx/2016

Business Objective
What is it you need to achieve? Think about what your objective is/what you have to deliver.

Risk: What is the problem/hazard? What is it that will prevent you from meeting your objectives?
What is the actual risk to your objective? This should be a statement that provides a brief, unambiguous and workable description that enables the risk to be clearly understood, analysed and controlled.

Consequence/effect: what would actually happen as a result? How much of a problem would it be? To whom and why?
If the risk happens, what will actually be the impact? What will go wrong?

Existing actions/controls (What are you doing to manage this now?)
What have you already got in place to either reduce the likelihood of this risk occurring, or to reduce the impact on your area/budget if it does happen? These will be factors that are exerting material influence over the risk's likelihood and impact.

Risk Score with existing measures (See Scoring Table): Impact; Likelihood; Risk Rating (I x L)
Score as per the scoring guide for both impact and likelihood. Multiply the two together to get the overall risk score. These scores should take into account the existing controls.

Further management actions/controls required (What would you like to do in addition to your existing controls?)
What further action do you feel necessary? Enter here, regardless of whether you have the resource to make these happen.

Target Score with further management actions/controls required (See Scoring Table): Impact; Likelihood; Risk Rating (I x L)
Score, as per the scoring guide, for both impact and likelihood taking into account the proposed new controls. Multiply the two together to get the overall risk score.

Cost (of Impact; of current controls; of further controls)
Impact cost - what will it cost you/the Council if this occurs? Controls cost - how much are the current controls costing and how much will the future controls cost?

Risk Owner (Officer responsible for managing risk and controls)
Who is owner of this risk on a day to day basis? This may not be the owner of the risk register nor the person who identified the risk.

Risk Review Date
When will the future controls be in place or when will this risk be reviewed.


12. Risk Scoring Guide

IMPACT - SCORE - BENCHMARK EFFECTS (CRITERIA)

CRITICAL/CATASTROPHIC - 5
Multiple deaths of employees or those in the Council’s care
Inability to function effectively, Council-wide
Will lead to resignation of Chief Operating Officer and/or City Mayor
Corporate Manslaughter charges
Service delivery has to be taken over by Central Government
Front page news story in National Press
Financial loss over £10m

MAJOR - 4
Suspicious death in Council’s care
Major disruption to Council’s critical services for more than 24hrs (e.g. major ICT failure)
Noticeable impact in achieving strategic objectives
Will lead to resignation of Strategic Director and/or Executive Member
Adverse coverage in National Press/Front page news locally
Financial loss £5m - £10m

MODERATE - 3
Serious Injury to employees or those in the Council’s care
Disruption to one critical Council Service for more than 24hrs
Will lead to resignation of Divisional Director/Project Director
Adverse coverage in local press
Financial loss £1m - £5m

MINOR - 2
Minor Injury to employees or those in the Council’s care
Manageable disruption to internal services
Disciplinary action against employee
Financial loss £100k to £1m

INSIGNIFICANT/NEGLIGIBLE - 1
Day-to-day operational problems
Financial loss less than £100k

LIKELIHOOD - SCORE - EXPECTED FREQUENCY

ALMOST CERTAIN - 5
Reasonable to expect that the event WILL undoubtedly happen/recur, possibly frequently and is probable in the current year.

PROBABLE/LIKELY - 4
Event is MORE THAN LIKELY to occur. Will probably happen/recur, but it is not a persisting issue. Will possibly happen in the current year and be likely in the longer term.

POSSIBLE - 3
LITTLE LIKELIHOOD of event occurring. Not likely in the current year, but reasonably likely in the medium/long term.

UNLIKELY - 2
Event NOT EXPECTED. Do not expect it to happen/recur. Extremely unlikely to happen in the current year, but possible in the longer term.

VERY UNLIKELY/RARE - 1
EXCEPTIONAL event. This will probably never happen/recur. A barely feasible event.


LEVEL OF RISK - OVERALL RATING - HOW THE RISK SHOULD BE TACKLED/MANAGED

High Risk - 15-25 - IMMEDIATE MANAGEMENT ACTION
Medium Risk - 9-12 - Plan for CHANGE
Low Risk - 1-8 - Continue to MANAGE

LIKELIHOOD (A)
Almost Certain       5 |   5  10  15  20  25
Probable/Likely      4 |   4   8  12  16  20
Possible             3 |   3   6   9  12  15
Unlikely             2 |   2   4   6   8  10
Very unlikely/Rare   1 |   1   2   3   4   5
IMPACT (B)                 1   2   3   4   5

IMPACT (B): 1 Insignificant/Negligible; 2 Minor; 3 Moderate; 4 Major; 5 Critical/Catastrophic


13 - RMIS Training Programme 2016

Below are details of the Risk Management and Insurance Services (RMIS) Training Programme for 2016. If you wish to attend these sessions, they are available now for you to book through the MyView pages of Corporate Workforce Development: enter the date and the ‘key word’ below. As with any training, please discuss with and seek your manager's approval before booking. Most of the sessions are limited to 25 attendees and the majority of our sessions have been over-subscribed in each of the last six years, so bookings will be on a 'first come, first served' basis.

All of the sessions will take place in City Hall. All sessions will start promptly at 9.30. Most of the sessions run for no more than two hours; finish times are dependent upon the numbers attending and their interaction and involvement, but will be no later than 12 noon.

20 January; 24 February; 22 March; 5 May; 25 May; 21 June; 20 September; 12 October; 23 November
Identifying and Assessing Operational Risks [key word on MyView: Ident]
Since October 2014 this session is mandatory for all staff who will complete an operational risk assessment or risk register. Anyone completing a risk assessment that has not been on this training recently may be exposing the Council to a potential uninsured loss. If in doubt – ask! This course covers the process of Operational Risk Identification and Assessment and will touch upon identification of mitigating controls. The session includes an outline of the Council’s Risk Management Strategy and Policy and how it affects your role. The session is targeted at everyone who manages operational risk (manage staff; manage buildings; manage contact with service users or the general public) in their day to day role – all tiers of staff from Directors down – and those that let Council contracts. The course will lead you through the agreed risk reporting process here at LCC and allow you to identify your role within that process. There is also a practical exercise that ensures staff leave this session confident in completing the Council’s risk assessment form.

20 April; 21 September
Contract Risk Management (delivered by Zurich Municipal Risk Consultants) [key word on MyView: contract]
Staff attending this session must have been on the mandatory ‘Identifying and Assessing Operational Risk’ training above. The aim of the session is to review how the management of contracts and projects can aid in assessing and mitigating the organisation’s risk. The objectives are to ensure attendees understand how to minimise the risk to the organisation when entering into contracts; assist in identifying the key areas of risk within contracts; highlight the benefits of managing contract/partnership risk; and show how ongoing contract and partnership management heightens organisational risk awareness and mitigates organisational risk. This session is specific to contract risk and, as a natural precursor, it will be of benefit to have attended the Identifying and Assessing Operational Risk training above.

2 February; 19 April; 11 May; 5 October
Business Continuity Management [key word on MyView: business]
A guide to what you need to develop Business Continuity Management within your Service/work areas. It explains the difference between managing business continuity and merely writing your plan. This will allow you to manage unexpected incidents and get back to delivery of your ‘business as usual’ service in the event of unforeseen circumstances. This session is aimed at anyone who has a responsibility for a building or staff; has responsibility for delivery of a service and, therefore, needs to have a Business Continuity Plan; or would be part of a recovery team needed to restore an affected service after an incident. The session also outlines the Council’s Business Continuity Strategy and Policy, explains how that might affect you and your work, and has a step-by-step guide to completing the Council’s BCP pro-forma. This session needs to be attended by all Heads of Service and their senior management to ensure that, in the event of a serious, unexpected incident, the Council will continue to operate.


18 May
Guide to Corporate Manslaughter Legislation [key word on MyView: manslaughter]
This session will provide a brief insight into the recent changes to legislation in this area and its potential impact on the Council and its management. This session is aimed at Directors, Heads of Service, managers and staff that make decisions. The session explains how the recent changes in legislation may lead to more staff, at many different levels, being prosecuted for breaching Health and Safety regulations and will help you to avoid this risk. Hopefully, this session will help keep you out of prison!

23 March; 29 September
Insurance – Policies, Levels of Cover/Indemnity Limits and Incident Reporting [key word on MyView: indemnity]
This session will discuss what the Council's Insurance policies cover; details of regular types of claim that the RMIS team deal with and how claims can be avoided, or their impact lessened; how to calculate the minimum Corporate Indemnity limits for your contracts or third parties and why they are necessary. The session is aimed at all procuring managers or managers and staff responsible for entering into contractual agreements (including funding agreements) with third parties. The session will also outline, in simple terms, the implications for the Council, and you personally, if you get these wrong in any of your contracts. We will then explain the types of incidents that need to be reported to RMIS and/or the Council's insurers; why we need to know; and the potential consequences for you if we don’t – there will be no insurance cover and your departmental budget will have to cover any claim (which can run into thousands of pounds!). The session is aimed at managers and senior staff who are likely to have responsibility for delivery of services to Service Users/members of the public or who manage and have responsibility for the health and safety of staff or manage buildings.

Personal/Bespoke Sessions
We accept that, due to staff constraints and timing of leave, it may not be possible for all of your staff with a need to attend these training courses to attend one of the dates above. We continue to offer all of our training to specific groups of staff at times and locations to suit you. All of our training can be condensed to fit whatever time you have available. We can also focus on your own service area’s needs and objectives when delivering this training to a bespoke group of staff. Please be aware that we are a small team and such a session may take weeks rather than days to be arranged. Please contact Sonal Devani ([email protected]), 454 (37) 1635 or Tony Edeson ([email protected]), 454 (37) 1621 if you would like to discuss a bespoke session.