Risk Management Strategy December 2012
Contents

1. Introduction (page 1)
2. The Tewkesbury method of managing risks (pages 2-3)
   Stage 1 – Objectives; Stage 2 – Risk identification and risk recording; Stage 3 – Risk ownership; Stage 4 – Risk scoring/evaluation; Stage 5 – Action planning; Stage 6 – Monitoring and reporting
3. Tewkesbury risk structure (page 3)
4. Responsibilities for risk management (pages 4-5)
   Members; Executive Committee; Lead Member for Corporate Governance; Audit Committee; Chief executive; Corporate Management Team; Corporate Governance Group; Service managers; Internal Audit; All employees
5. Risk reporting (page 5)
6. Summary (page 5)
Appendix A – The risk management process (pages 6-8)
Appendix B – Risk register template (page 9)
Tewkesbury Borough Council Risk Management Strategy

1. Introduction

The classic definition of risk is an uncertain event which, should it occur, will have an impact upon the achievement of objectives. This means an event that might possibly happen, but then again might not. The impact from this event could be either positive or negative: upside impacts are considered opportunities and downside impacts are considered threats. Crucially, that impact will be upon something, namely an objective, which is why we manage risk: to make the successful achievement of objectives more likely.

Most risk management in corporate bodies concentrates upon downside (negative) impacts and therefore consists of all the actions required to identify and understand the threats to objectives and then control exposure to them. This is not a new principle; risk management is a natural part of human existence. In a corporate context, where the job of managers is to deploy and direct the resources they have been allocated so as to achieve agreed objectives, risk management is simply an intrinsic element of good, effective management.

The council has a set of priorities for the period 2012-16. It is necessary for the council to make achievement of these priorities more likely by controlling the uncertainties that may threaten them. The priorities are:

• Use resources effectively and efficiently.
• Promote economic development.
• Improve recycling and care for the environment.
• Provide customer focused community support.
• Develop housing relevant to local needs.

Managers must devise and implement a strategy that will ensure that risk is managed in a consistent and uniform manner right across the authority. This strategy must give clear direction and set out an approach that is practical, proportionate and, most of all, value-driven. It is then incumbent upon managers to comply fully with the strategy by fulfilling their prescribed responsibilities, taking ownership of risks and controlling them effectively.

Members must act in a manner that protects stakeholder interests. Members must ensure that the risk management strategy is robust and defensible, that there is full compliance with the policy across the authority and that the risks to the council priorities are being properly controlled. Members must also articulate the authority’s risk appetite and ensure that it is being applied appropriately by managers.

The council does not consider risk management in isolation and recognises it as part of the council’s overall assurance framework, which ultimately contributes to the promotion of good corporate governance.
Risk Management Strategy Updated October 2012
2. The Tewkesbury method of managing risk

The risk management cycle involves a number of key stages, which are outlined below and shown in more detail in Appendix A.

Stage 1: Objectives
Identify and agree the objectives for the council, including how services, projects and partnerships support the delivery of these objectives.

Stage 2: Risk identification and risk recording
Identify and record the risks relating to the achievement of the council priorities. A risk register for each directorate will be maintained and will record the key risks facing that directorate in terms of achieving the council’s priorities. The risk register template is shown in Appendix B.

Stage 3: Risk ownership
Each risk needs to be allocated a risk owner to take responsibility for managing the risk. Specific responsibilities include:

• To understand and monitor the risk throughout its existence.
• To report, as and when required, on the status of the risk.
• To ensure that the appropriate risk controls are put in place.
• To ensure that the risk management strategy is followed for each risk.

Stage 4: Risk scoring/evaluation
Having identified areas of potential risk, we assess them with the use of a risk matrix to give an assessment of impact and likelihood and calculate an overall risk score. The results are recorded in the risk register and risks can then be prioritised.

Stage 5: Action planning
There are four main control options to manage the risk:

• Terminate – do not undertake the activity, or consider a different approach to managing that risk.
• Transfer – pass the risk on, e.g. insure.
• Treat – manage it: put in place effective controls, including the consideration of any contingency action.
• Tolerate – monitor and re-evaluate in the future.

If the current risk score is higher than acceptable, we need to identify what further action can be taken to reduce the risk further.
Stage 6: Monitoring and reporting
Risks can change over time and therefore need to be monitored on a regular basis to ensure that the controls in place remain effective and that actions have been implemented. New risks can be added to the risk register and those that are no longer a risk can be removed. All changes must be recorded and reported appropriately. For reporting purposes, each directorate register will be reported to the Overview and Scrutiny Committee and then to the Executive Committee on a quarterly basis. It is also important that risk forms part of normal management dialogue so that risk becomes embedded naturally in the management culture.

3. Tewkesbury risk structure

Corporate risk
To add value and provide a focus on corporate risk, the current strategic risk register and twenty-one operational risk registers will be replaced by five directorate registers. These registers will contain the risks originating in each directorate that could threaten the achievement of the corporate objectives. Risks could emerge through the business planning process or from risks brought to the attention of directors by service managers. To ensure regularity of review, the registers should form part of the corporate management team meeting and individual directorate team meetings. Risk owners can be at chief executive, director or service manager level. The directorate registers will be reviewed on a quarterly basis by the corporate governance group and then reported to members via the Overview and Scrutiny Committee and then the Executive Committee as part of the performance management reporting framework.

Operational risk
Each director should be assured that his/her service managers are likely to achieve their objectives, as failure could have a knock-on effect upon the corporate objectives. To obtain this assurance, they will want to know that the service manager understands what could cause them not to achieve their aims and that they are doing something proactively about those threats. This is information that should be presented at regular reviews/meetings as part of the normal management dialogue.

Project risk
The council has a project management framework which monitors the delivery of key corporate projects. Each project is supported with a project initiation form (PIF), and on this form is a requirement to undertake a project scaling exercise. Any project which is determined to require ‘intermediate’ or ‘full’ monitoring must be supported with a risk register. Projects are monitored by the programme board, which includes representation from senior management.
4. Responsibilities for risk management

In order to ensure risk management is embedded within the council, roles and responsibilities have been defined as follows (group/individual, followed by role/responsibilities):

All members
• To understand the corporate risks that the council faces and to oversee the effective management of these risks by officers.
• To seek assurance that there is full compliance with the strategy right across the organisation.
• To consider the risk of approving or not approving key business decisions as set out in committee reports.
• To articulate the risk appetite of the council, which will likely change from time to time.

Executive Committee
• In accordance with their terms of reference, to fulfil the council’s responsibilities in relation to risk management.
• To approve the risk management strategy.
• To receive quarterly updates from directorates on how corporate risks are being managed.
• To respond to any concerns raised by the Overview and Scrutiny Committee following their quarterly review of the risk registers.

Overview and Scrutiny Committee
• On a quarterly basis, to review the directorate risk registers as part of the review of the overall performance management framework.
• Where appropriate, to challenge the integrity of the risk information and, if necessary, refer any concerns to the Executive Committee.

Lead Member for Corporate Governance
• To be the lead member on risk management and act as an ambassador for the promotion of risk management within the council.

Audit Committee
• In accordance with their terms of reference, to monitor the effective development and operation of risk management and corporate governance.
• To approve the authority’s annual governance statement (AGS) and to monitor delivery of the significant governance issues identified in the AGS.

Chief executive
• Accountable for devising a robust and defensible risk management strategy, for its implementation and for full compliance with the strategy throughout the council.

Directors
• To support the chief executive in achieving his risk management responsibilities.
• To contribute towards the identification and effective management of risks and opportunities facing the council.
• To facilitate the recording of these risks within a directorate risk register.
• To ensure there is regular dialogue with service managers so that operational risks are effectively managed.

Borough solicitor (Monitoring officer)
• Chair of the council’s corporate governance group.
• To promote good corporate governance.
Corporate Governance Group (CGG)
• To annually review and, if necessary, update the risk management strategy and risk management process.
• On a quarterly basis, to review each directorate risk register and monitor progress of the AGS action plan.

Service managers
• To cascade the principles of good risk management to their sections, report potential corporate risks to their management team and manage risks within their service areas.

Internal Audit
• To provide an independent review of the corporate approach and compliance with the risk management strategy.
• To provide assurance to management and members as to the accuracy and integrity of the risk registers.
• To provide advice on the mitigation of risk through routine audit work.

All employees
• All employees have a responsibility for identifying and managing the risks that they face on a day-to-day basis, and for reporting these to their managers.
5. Risk reporting

Risk management information is to be reported through the following channels:

• Key committee reports must identify the key risks associated with approving or not approving the recommendation being made. Members should therefore be fully informed of the risk implications of that recommendation.
• The directorate risk registers will be reported to the Overview and Scrutiny Committee on a quarterly basis as part of the performance management framework. The risk registers and any observations made by the committee will then be presented to the next Executive Committee for their comment and appropriate action if necessary.
• Risk registers and general awareness of any operational risks arising will form part of management dialogue between directors and their service managers.
• An annual review of the risk management strategy and risk management process will be undertaken by the corporate governance group. Any significant changes will be reported to the Executive Committee.
• The council’s risk management arrangements will be detailed within the Annual Governance Statement, and from time to time the adequacy of those arrangements will be subject to review by Internal Audit.
6. Summary

Risk management is a continuous and improving process to which the council is committed. The council experiences a range of risks due to the diverse range of its activities, and an aim of the strategy is to ensure those risks are consistently managed. Risk management should be embedded into the culture of the council, led by senior management but with responsibility assigned through all levels of the council’s structure. Risk management is therefore not an add-on to the role and responsibilities of management but a fundamental and inherent part of it.
Appendix A – Tewkesbury Borough Council: the risk management process

The following stages should be recorded within the risk register. For consistency, the council has a risk register template, which can be found in Appendix B.

Stage 1: Objectives
• Be clear on what the corporate priorities and objectives of the council are and the operational objectives of your service. Give due consideration to the additional risks that may arise where objectives are delivered through a partnership or shared working.

Stage 2: Risk identification and risk description
• Once you know what your objectives are, consult with your management team and service team to identify the risks that could influence the ability to achieve your objectives. This should include any risks relating to partnerships or other parties you are working with. Key risks that may affect the delivery of council priorities should be recorded within the risk register.
• Risks consist of a combination of their cause and their effect. Neither of these two elements alone makes a risk, hence the best practice guidance that risks should be described using a causal statement. All risks should therefore be described in an if/then format. This also helps ensure the descriptions are consistent, for example: “If we do not monitor delivery of the council plan priorities (cause), then we will have little assurance we are achieving our vision (effect).”

Stage 3: Risk owner
• The risk must be assigned a risk owner. This should be an individual who is best placed, and at the appropriate management level, to manage and if necessary influence the mitigation of the risk.

Stage 4: Risk scoring/evaluation
• Use the risk matrix below to score each risk you have identified. You are assessing the magnitude of the impact it will have on you achieving your objectives and the likelihood of the risk occurring during the lifetime of the objective.
• Score the risk with controls in place to give you the current risk score. Any controls that are identified must be in place and operating effectively. If there is something you are planning to do in the future, this is an action and should therefore not be counted as a current control. Use the risk matrix below to score the current likelihood and current impact. These two scores multiplied together give you the current rating.
Risk matrix

i. Impact

Score  Level       Description
5      Extreme     Catastrophic effect upon the objective, making it unachievable.
4      Very High   Significant effect upon the objective, making it extremely difficult/costly to achieve.
3      Medium      Evident and material effect upon the objective, making it achievable only with some moderate difficulty/cost.
2      Low         Small but noticeable effect upon the objective, making it achievable with some minor difficulty/cost.
1      Negligible  Slight but insignificant effect upon the achievement of the objective.

ii. Likelihood – the likelihood of the risk occurring during the lifetime of the objective

Score  Likelihood
5      Almost certain
4      Likely
3      Moderate
2      Unlikely
1      Rare

How to use the matrix
If you identify the impact of the risk on achieving your objectives as extreme, this is scored five; if the likelihood of the risk happening is almost certain, this also scores five, giving a total risk score of 5 × 5 = 25, which represents a significant risk.

Stage 5: Further control action
• Generally, if the current risk score is too high you will need to identify what further action can be taken to reduce the impact or likelihood, including timescales for implementation.

Stage 6: Rescore the risk
• Based upon the actions to be undertaken, the risk should be rescored using the anticipated reduction in impact and likelihood; this gives a new expected rating.

All of the above stages should be recorded in the risk register, with the current rating column and expected rating column colour coded in accordance with the risk evaluation matrix below.
Risk evaluation matrix (rating = impact × likelihood)

                        Likelihood
Impact            Rare   Unlikely   Moderate   Likely   Almost certain
                   1        2          3         4            5
Extreme      5     5       10         15        20           25
Very High    4     4        8         12        16           20
Medium       3     3        6          9        12           15
Low          2     2        4          6         8           10
Negligible   1     1        2          3         4            5

Key
1-4    Low risk
5-15   Moderate risk
16-25  Significant risk
The above matrix reflects a fairly risk-averse risk appetite statement. The council will therefore try to reduce risks that are highly unlikely (rare) but which could have an extreme impact upon the achievement of an objective, even though such a risk scores only 1 × 5 = 5, which the key places in the moderate band. One example is a pandemic that could considerably disrupt the council’s ability to deliver a number of its key aims. Typically, these risks are treated with contingencies and so are not considered tolerable. However, risks are assessed on an individual basis, so positive risks (opportunities) as well as negative risks (threats) can be fully evaluated. The risk appetite can therefore vary depending upon the circumstances.

Stage 7: Monitoring
• Registers should be “live” tools used by managers to drive and evidence their control of threats to the achievement of their objectives. Managers should not prepare or update registers only when they are required to be reported upon. Risks should be monitored on a regular basis and form part of normal management dialogue, for example at corporate and directorate management team meetings.
Review Period The strategy will be reviewed on an annual basis by the corporate governance group and will be brought back to members for formal re-approval every three years.
Appendix B – Risk register template

The register records the following columns for each risk:

• Link to council plan
• Risk ref
• Risk description
• Risk owner
• Current controls
• Current likelihood
• Current impact
• Current rating
• Further control action (including target completion date/s)
• Expected likelihood
• Expected impact
• Expected rating