Audit Committee 6 December 2011
Agenda Item No 13

Review of the Risk Management Framework

Summary: This report and the attached annex set out the revised form of the Risk Management Framework for the Council. Members are asked to examine the annex at Appendix E and comment on the statements and provisions it makes in respect of Risk Management generally and the establishment of a new corporate risk register.

Conclusions: The Revised Corporate Risk Framework draws extensively on the current provisions for identifying risk, recording risk and reviewing risk while, at the same time, developing a different reporting structure to allow for ongoing risk assessment and review.

Recommendations: That the comments of the Audit Committee be passed to the Performance and Risk Management Board for consideration in preparing a final version of the revised Risk Management Framework for the Council.

Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail: David Ablett, 01263-516055, David.Ablett@North-Norfolk.gov.uk

1. Introduction

1.1. This report sets out the results of the work that has been undertaken in reviewing and refreshing the approach that the Council takes to risk management.

1.2. The revised document builds on the Risk Management Framework dated August 2010 and the experience of risk management within the Council over the recent past. Members agreed that such a review should be undertaken by the Performance and Risk Management Board before the end of December 2011. This paper and the attached annex are a key part of this review.

1.3. In particular, the Framework addresses the Corporate Risks, but it also provides the basis for the recognition and scoring of service-based risks.

2. Commentary

2.1.
While much of the methodology of risk assessment has remained the same as in the August 2010 document, a more explicit approach to measuring and dealing with risk has been introduced whereby an action plan for further mitigation is produced to allow for particular focus in areas of concern.

2.2. This approach is facilitated by the three steps in identifying and dealing with risk:

2.2.1. Recognise and score the risk
2.2.2. Recognise and score the existing mitigation
2.2.3. Identify a target risk score

2.3. As with the previous Framework, the scoring methodology deals with assessing the likelihood of an event and the impact such an event would have on the objectives of the Council. In a similar way the mitigation of that risk is also assessed. Subtracting the mitigation score from the initial risk score gives the remainder, which is the exposure to risk that the Council is subject to.

2.4. The value also allows a prioritisation of that risk, with the highest score being the highest residual risk.

2.5. The revised Framework now anticipates that the risk owner will be able to identify a target risk and set up an action plan to reduce the risk even further. In this way not only is the risk addressed but also an action plan for further mitigation is developed. Together these two elements allow for a closer monitoring of risk and risk management across the Council.

2.6. Such an approach is scalable and will allow a similar methodology to be used with regard to service risks.

2.7. The documentation that supports the risks and their assessment has also been revised. Each risk would normally occupy at least one side of A4, setting out the details of the risk. The revised documentation also accommodates the new target risk and the separate assessment of likelihood and impact of the target.

2.8.
Additionally, the new Framework anticipates that it will be possible to categorise the risk, and a set of categories has been established for this purpose. In this way reports on risk management progress and, to a greater extent, risk ownership will be more straightforward to evaluate.

2.9. The absence of a Corporate Risk Officer within the Council’s establishment has meant that an alternative arrangement has to be identified to promote risk awareness and facilitate regular reports to the Performance and Risk Management Board. The categorisation of risk makes this process transparent.

2.10. The Corporate Management Team will own individual risks and take responsibility for the maintenance of that risk in the risk register as well as any approved action plan to move the risk to a lower (less risky) target level. These officers will report to the Performance and Risk Management Board on a regular basis and at their own Corporate Management Team meetings will provide a regular agenda item to discuss and review progress on risk management.

3. Conclusion

3.1. The attached annex (Appendix E) sets out the draft Risk Management Framework. Members are asked to reflect on the contents of the annex and comment accordingly.

3.2. The comments of the Audit Committee will be passed to the Performance and Risk Management Board, which will also be asked to submit comments so that a revised version of the Annex can be produced and adopted by the Council.

4. Recommendation

4.1. That the comments of the Audit Committee be passed to the Performance and Risk Management Board for consideration in preparing a final version of the revised Risk Management Framework for the Council.