Appendix E

North Norfolk District Council
Risk Management Framework v2
Version history

| Title | Prepared by | Approved by |
| --- | --- | --- |
| Risk Management Framework v2 | D S Ablett | Not yet issued |

| Version | Date | Summary of changes |
| --- | --- | --- |
| V1 | 01/08/2011 | Original framework |
| V2 | 08/11/2011 | Redrafted framework document |
M:\909\WPDATA\NEW COMMITTEES\Audit Committee\2011-2012\6 December
2011\Draft\Appendix E.doc
1
Index

| Section | Detail | Page number |
| --- | --- | --- |
| | Policy Statement | 3 |
| 1 | Introduction | 4 |
| 2 | The risk management strategy | 4 |
| 3 | Accountabilities and roles | 4 |
| 4 | A framework for risk management | 5 |
| 5 | Conclusion | 6 |
| App 1 | Accountabilities, roles and responsibilities | 7 |
| App 2 | Performance and Risk Management Board – Terms of Reference | 9 |
| App 3 | Risk Management Guidance Notes for Officers | 11 |
| App 4 | Risk Register layout | 14 |
| App 5 | Completing the Risk Register | 15 |
Policy Statement
It is the policy of the Council to adopt a proactive approach, through its
management processes, to risk management of the services it delivers both for
itself and in partnership with others.
Risk management refers to the culture and processes that are directed towards the
effective management of potential opportunities and threats. Effective risk
management optimises the balance between risk and control and aims to maximise
the opportunity to make the right decisions and to achieve objectives once those
decisions have been made.
It is recognised that a certain amount of risk is necessary and indeed that it can be
a positive catalyst in the development of the services the Council provides. The
process is not about eliminating risk but rather understanding it and managing it
effectively. It needs to be managed in order to:
• Safeguard our clients or service users, Members and employees and all other persons to whom the Council has a duty of care
• Ensure compliance with statutory obligations
• Preserve and enhance service delivery
• Protect our property, including buildings, equipment, vehicles and all other assets and resources
• Maintain effective control of public funds
• Protect and promote the reputation of the Council
• Support the quality of the environment
All of these objectives will be achieved by applying the Council’s risk management
strategy, which outlines responsibilities for managing risks and defines how risk
management should be applied across the Council.
Risk management is a continuous process of review and improvement that must be embedded in the culture of the Council.
1. Introduction
1.1. This document sets out how the Council plans to address the strategic, service and operational risks that it faces and reduce them to an acceptable level through mitigation and proactive action plans.
1.2. Risk can be defined as:
“the combination of the likelihood and impact of an event or
action or lack of action that could adversely affect the ability
of the Council in achieving its objectives and its ability to
successfully deliver services”.
1.3. The management of risk is an essential part of corporate governance. It includes identifying the exposure to risk that might impact on the Council’s key objectives and establishing measures to mitigate and control those risks.
2. The risk management strategy
2.1. The purpose of the risk management strategy is to identify how the Council
will manage the threats it faces in delivering the policy objectives set out
in the Corporate Plan.
2.2. Risk management is a planned and systematic approach to the
identification, assessment and management of the risks facing the Council.
2.3. The traditional mechanism for protecting against risks has been insurance. However, many risks cannot be insured against and must be addressed in different ways. For both insurable risks and those deemed outside the scope of insurance, actions can be identified to reduce the potential risk, which will either reduce premiums or reduce the disruption of work.
2.4. The aims and objectives of the risk management strategy can be stated as:
• Embed risk management into the culture of the Council.
• Introduce a framework that allows for the systematic and consistent identification of risk and a method of assessment which allows the Council to prioritise and monitor risk.
• Clarify the responsibilities for identifying and managing risk.
• Increase awareness and use of risk management across the Council as a regular element of service management and improvement.
2.5. To achieve these objectives the strategy:
• Outlines clear accountabilities across all services.
• Establishes a framework for risk assessment.
• Ensures that risk is treated as an important part of the corporate and business processes.
• Encourages the sharing of best practice across the Council and with partner organisations.
• Provides guidance to managers in assessing, managing and monitoring risk.
3. Accountabilities and roles
3.1. Risk management is the responsibility of all Members and Officers of the
Council. The Chief Executive is the Officer with overall responsibility for
securing adherence to the Council’s policy on Risk Management.
3.2. The detailed roles and responsibilities for Councillors and Officers are set
out in Appendix 1 to this framework.
3.3. Strategic risks are identified and managed by both the Corporate
Management Team and the Senior Management Team. The linkages that
are required between the two teams are enhanced by the work of the
Performance and Risk Management Board (PRMB). The terms of reference
for the PRMB are reproduced at Appendix 2 below.
3.4. The members of CMT will share the role of coordinating and maintaining
the Corporate Risk Register as a regular item on their agenda. The
ownership of corporate risks will be shared between the Strategic Directors
as appropriate to their line management responsibilities.
3.5. Strategic Directors will nominate appropriate Heads of Service to
undertake the role of managing and maintaining service risk registers and
liaising with the Performance and Risk Management Board on a regular
basis.
4. A framework for risk assessment
4.1. There are five main elements in the risk management process:
• Risk identification
• Risk analysis
• Prioritisation
• Risk management
• Monitoring
4.2. Service managers are the primary resource for identifying risk. It is vital
that service plans are actively monitored to identify risks and enable
change management practices and controls to reduce their impact. Risks
can also be escalated to a corporate risk through the Performance and Risk
Management Board.
4.3. However, it is important that all staff are able to identify risks through
their Managers and to Heads of Service.
4.4. A methodology for assessing and managing risk within the Council has been
developed. This methodology has the advantage of being straightforward to
use and can be applied to both the strategic risks of the Council and as part
of the routine service and project planning processes.
4.5. Guidance for managers on the application of the risk management
methodology has been produced and is updated regularly. The Guidance is
reproduced at Appendix 3 below and is also available on the Council’s
intranet.
4.6. Each risk is assessed in terms of likelihood and impact; the risk score is the product of the likelihood value multiplied by the impact value. In the proposed matrix the highest score is therefore:
(Likelihood – score 5) X (Impact – score 5) = Risk Score 25
4.7. Following the scoring of risk and the effect of the existing mitigation
factors the resultant answer provides a prioritisation of risk where the
larger the score the greater the risk.
4.8. Having established the likelihood and the impact of each risk and the
priority order of the whole risk population it is necessary to manage these
risks by assessing the actions that are necessary to reduce the risk score to
an appropriate level consistent with the Council’s appetite for risk.
4.9. The action is selected from one of the following four options:
• Transfer - transfer the risk or the consequences of the risk to a third
party or to the insurance market.
• Tolerate - accept the risks and manage them internally.
• Terminate - the probability is too high for the Authority to bear.
• Treat - accept the risks and deal with the impacts internally by internal
controls and protection systems.
4.10. The work necessary to reduce the risk score is then part of an action plan, the progress of which is regularly reported to the PRMB. The detail of each risk is recorded in the appropriate risk register (Corporate or Service Risks). The Corporate Risk Register is maintained by the CMT on behalf of the Chief Executive and monitored by the Performance and Risk Management Board.
4.11. A draft corporate risk register layout is attached as Appendix 4 to this Framework.
4.12. Service risks can also be collated in a similar register to that suggested for corporate risk. The key is that the risks should be identified and regularly reviewed to minimise the impact they may have on service delivery. These service risks will probably be identified from service plans and will be signed off by the relevant Strategic Director. The Service risks, which are monitored through service plans and through the TEN system, are the responsibility of the service managers.
5. Conclusion
5.1. The potential risks faced by the Council are in many cases similar to those
faced by other authorities and it is practical and cost effective to learn
from the experience of others.
5.2. The work of ALARM (Association of Local Authority Risk Managers), ZM Insurance (Zurich Municipal) and, more locally, the Norfolk Risk Managers’ Group provides important networking opportunities and facilitates discussion on risk management issues that are shared across similar organisations.
5.3. The Risk Management Framework is part of a group of strategy and policy
statements authored by the Council and brought together in the Local Code
of Corporate Governance. In particular this Framework complements the IT
Security Policy, the Information Management Strategy, the Business
Continuity Policy and the Health and Safety Policy.
5.4. This Framework will be reviewed by the Performance and Risk Management Board twelve months after its formal adoption by the Full Council.
Appendix 1
Accountabilities, roles and responsibilities

Full Council
Role: To establish the strategy and policies by which the Council deals with risk.
Responsibility: To approve the Corporate Risk Management Framework.

Cabinet
Role: To ensure that the Corporate Risk Management Framework is up to date and risk management is embedded within the overall management structures of the Council. To receive regular reports on risk reduction and agree revisions to the Corporate Risk Register.
Responsibility: To hold the Chief Executive accountable for the effective management of risk across the Council. To recommend to Full Council the adoption of the Corporate Risk Management Framework.

Chief Executive
Role: As Head of Paid Service, to ensure that the policies and strategies required to provide a sound risk management framework are in place and formally adopted by Full Council. To ensure that risk management is embraced by the whole council in delivering services and supporting the community.
Responsibility: Overall responsibility for securing adherence to the Council’s policy on risk management. Accountable to the Cabinet for the effective management of risk by officers of the Council.

CMT/SMT
Role: To ensure that the Council manages risk effectively through the Risk Management Framework to identify and consider the strategic risks affecting the Council. To provide a declaration of assurance to the Cabinet concerning risk management and compliance.
Responsibility: Responsible to the Chief Executive for the effective operation of the Risk Management Framework. Heads of Service are responsible to their Strategic Director for risk management within their services.

Audit Committee
Role: To monitor arrangements for the identification and management of strategic and operational risk across the Council. To ensure that the Risk Management Framework and associated controls are up to date and operating effectively.
Responsibility: To receive progress reports on the Corporate Risk Register. To notify Cabinet of any concerns regarding the Council’s arrangements for dealing with risk.

Performance & Risk Management Board
Role: To allocate responsibility to Strategic Directors to develop action plans for corporate strategic risks. To receive progress reports on risk reduction programmes in both corporate and service risk registers.
Responsibility: To report to Cabinet and/or the Audit Committee on the implementation and monitoring of the Risk Management Framework for Corporate and Service Risks.

Corporate health & safety group
Role: To deliver the Health and Safety Policy across the Council.
Responsibility: Reports directly to the Performance and Risk Management Board.

Service managers
Role: To identify, manage and monitor risk in their service area and develop action plans in relation to corporate strategic risks as they relate to their area.
Responsibility: Report to their Head of Service on compliance with the risk management strategy. Ensure that the service risk register is maintained and updated every six months and that action plans are implemented.

Employees & Members
Role: Maintain awareness of risk management principles within their own working environment.
Responsibility: Manage risks within their own working environment and maintain a copy of risk assessments relating to them and their area of work.

Internal audit
Role: Maintaining a regular review of the Council’s approach to risk.
Responsibility: Reporting to management on the performance of the Council under the risk management framework.

External audit
Role: Reviewing the Council’s approach to risk management.
Responsibility: Reporting to management on the Council’s arrangements for addressing risk.
Appendix 2
Performance & Risk Management Board
Terms of reference
Members
The Performance & Risk Management Board is composed of the following members:
• Leader of the Council
• Portfolio Holder
• Chief Executive
• Strategic Director - Community
• Strategic Director - Environment
• Strategic Director - Information
• Deputy Chief Executive
The Board will request the attendance of other officers, Members or contractors to
their meetings where their input will be of assistance to the work of the Board.
The Board is accountable to the Cabinet and has a relationship with the Audit
Committee, particularly on risk-related matters.
Purpose
The purpose of the Board is to embed performance and risk management within the
culture of the Council as a means of:
• Driving organisational improvement forward;
• Providing evidence of priority achievements; and
• Minimising and managing the Council’s on-going risk exposure.
Objectives
1. To maintain a performance management framework that is understood and implemented by all.
2. To identify and manage the Council’s strategic and operational risks and strengthen business continuity.
3. To ensure that all staff and Members have a shared understanding of the council’s priorities and of what is needed to be done to realise those priorities.
4. To ensure that the commitment given to performance and risk management is commensurate with the importance placed on embedding a successful performance and risk management culture.
5. To ensure that services deliver the corporate objectives by challenging the measures and targets put forward by service heads / managers.
6. To ensure that management and Council decisions are based on valid, accurate and timely information.
Tasks
1. To review performance and risk management information monthly, in accordance with the Performance Management Framework.
2. To review service business plans to ensure that appropriate performance measures, indicators and targets have been set and to monitor progress on key activities within the plans, which contribute to the delivery of the Corporate Plan.
3. To look at and consider value for money in delivery of projects and improvements plans.
4. To review the risks identified in the service business plans to ensure that appropriate action is taken to mitigate significant risks.
5. To review and update the strategic risk register half-yearly.
6. To ensure the Council discharges its Health and Safety obligations and delivers an agreed development programme.
7. To ensure that effective business continuity plans are established and implemented and that the Council discharges its Civil Contingencies obligations.
8. To raise awareness and understanding of the importance of performance and risk management amongst staff and Members.
9. To ensure that a corporate approach is taken to developing project management by maintaining a current project management toolkit and supporting processes to improve skills and techniques.
10. To establish project groups as required and agree and monitor detailed project plans for the work of those groups.
11. To take appropriate action in response to external assessment of performance and risk management.
19th September 2008 as amended November 2011
Appendix 3
Risk Management Guidance Notes for Officers
Risk and Opportunity Assessment
Initially the risks should be split into:
Corporate risk (one that affects the whole council or the achievement of a
corporate objective) and
Service risk (one that has an effect on the service – it may also affect a
corporate objective).
It is then necessary to:
a. Identify the risk, showing:
1. Cause of risk,
2. Description of risk and
3. Consequence of risk occurring.
b. Identify what category of risk it is (see below).
c. Show any treatment or mitigation that is in place to reduce either likelihood or impact.
d. Score that risk against likelihood and impact on a scale of 1 to 5 (where 1 = negligible and 5 = catastrophic).
e. Show any actions that are being taken to reduce the risk further (with timescales if possible).
f. Identify a target score that is acceptable as a reasonable risk.
g. Identify a corporate or service objective that this risk relates to.
While risks may not fall precisely into a single category they should be included
in the category that best fits the overall risk.
| Ref | Category |
| --- | --- |
| A | Financial |
| B | Reputational |
| C | Capacity |
| D | Statutory compliance |
| E | Human resources |
| F | Partnership |
Impact
There is a financial aspect to corporate risk and also a service impact for the service risks.

Corporate

| Impact type | Score | Objectives | Financial impact (loss) |
| --- | --- | --- | --- |
| Catastrophic | 5 | The key objectives in the Corporate Plan will not be achieved. | Over £1m |
| Critical | 4 | One or more Key Objectives in the Corporate Plan will not be achieved. | £400K - £1m |
| Moderate | 3 | Significant impact on the success of the Corporate Plan. | £200K - £400K |
| Marginal | 2 | Some impact on more than one Service. | £10K - £200K |
| Negligible | 1 | Insignificant impact on more than one Service. | £0 - £10K |

Service

| Impact type | Score | Objectives | Financial impact (loss)* | Service impact |
| --- | --- | --- | --- | --- |
| Catastrophic | 5 | The key objectives in the Business Plan will not be achieved. | Over £500K | Service suspended long term or statutory duties not delivered. |
| Critical | 4 | One or more Key Objectives in the Business Plan will not be achieved. | £250K - £500K | Service suspended short term. |
| Moderate | 3 | Significant impact on the success of the Service Business Plan. | £50K - £250K | Service reduced significantly. |
| Marginal | 2 | Personal or team objectives not met. | £5K - £50K | Slightly reduced. |
| Negligible | 1 | Insignificant impact. | £0 - £5K | No effect. |

* These are indicative figures; it may be better to use % of budget for some of the smaller services.
Likelihood

| Score | Likelihood | Probability | Timing |
| --- | --- | --- | --- |
| 5 | Very High | Over 90% | Within six months |
| 4 | High | 60 - 90% | This year |
| 3 | Moderate | 40 - 60% | Next year |
| 2 | Low | 10 - 40% | Probably within 15 years |
| 1 | Very Low | Below 10% | Probably over 15 years |

The probability and timing are guidelines only and should be used with judgement.
For example: an identified risk happened in the last six months but had not occurred previously for over 10 years. The likelihood of it happening again is probably still Low, particularly if you feel that any new controls put in place since the risk happened have made it less likely.
Risk Matrix
The Risk Score is calculated by multiplying the likelihood against the impact, e.g. taking a likelihood of 4, which is classified as “High”, and multiplying this by an impact of 2, which is classified as “Marginal”, gives a risk score of 8.
High Risk equates to a score between 16 and 25, indicating that such activities should cease immediately until further control measures can be introduced.
Medium risk scores lie between nine and 15, where the risk can be tolerated in the short term to allow further mitigation to be planned and introduced within a defined time frame.
Low Risk are those with a score of between one and eight; generally these are acceptable subject to periodic reviews to ensure that the score remains in this category.
[Risk matrix: a 5 x 5 grid with Likelihood (5 down to 1) on the vertical axis and Impact (1 to 5) on the horizontal axis. Each cell holds the product of the two scores; the grey shading marks the area referred to below.]
As a guide, any risk that is in the grey area, i.e. with a score of 12 or more, would be expected to have action planned to reduce that score to below 12.
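The scoring rules in sections 4.6 to 4.8 and in these guidance notes (likelihood times impact on 1 to 5 scales, the High/Medium/Low bands and the grey-area threshold) as a runnable Python helper. This is an added example, not the Council's own tool or any code from the framework: the scale labels, bands and the threshold of 12 come from the page (the guidance's "over 12 or more" is read here as 12 or more, since it asks for the score to be brought below 12); the RiskEntry class, its validate rules and the sample entry "2011-07" are this example's own assumptions, built to mirror the register fields in Appendices 4 and 5.

```python
"""Risk scoring helper for the Council's 5 x 5 likelihood/impact matrix.

Added example, not part of the framework document. Scale labels, bands
and the >= 12 action threshold follow the guidance notes; the RiskEntry
structure and its validation rules are this example's own (assumed).
"""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = {5: "Very High", 4: "High", 3: "Moderate", 2: "Low", 1: "Very Low"}
IMPACT = {5: "Catastrophic", 4: "Critical", 3: "Moderate", 2: "Marginal", 1: "Negligible"}
CATEGORIES = {"A": "Financial", "B": "Reputational", "C": "Capacity",
              "D": "Statutory compliance", "E": "Human resources", "F": "Partnership"}
# "Grey area": a score of 12 or more is expected to have action planned to
# bring it below 12 (the guidance's "over 12 or more" read as >= 12).
ACTION_THRESHOLD = 12


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact, both on the 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score to the High (16-25) / Medium (9-15) / Low (1-8) bands."""
    if 16 <= score <= 25:
        return "High"
    if 9 <= score <= 15:
        return "Medium"
    if 1 <= score <= 8:
        return "Low"
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def action_required(score: int) -> bool:
    """True when the score sits in the grey area of the matrix."""
    return score >= ACTION_THRESHOLD


def build_matrix() -> list[list[int]]:
    """Rows are likelihood 5 down to 1, columns impact 1 up to 5, as the matrix is drawn."""
    return [[risk_score(lk, im) for im in range(1, 6)] for lk in range(5, 0, -1)]


@dataclass
class RiskEntry:
    """One register line: scores before and after existing mitigation, plus the target."""
    ref: str                  # "<year>-<sequence>", e.g. "2011-07" (constructed sample format)
    category: str             # A to F
    description: str
    before: tuple[int, int]   # (likelihood, impact) with no mitigation
    after: tuple[int, int]    # (likelihood, impact) with existing mitigation
    target: tuple[int, int]   # (likelihood, impact) once future actions are complete

    def scores(self) -> dict[str, int]:
        return {name: risk_score(*pair) for name, pair in
                (("before", self.before), ("after", self.after), ("target", self.target))}

    def validate(self) -> list[str]:
        """Consistency checks an officer could apply before sign-off (this example's own rules)."""
        issues = []
        if self.category not in CATEGORIES:
            issues.append(f"{self.ref}: unknown category {self.category!r}")
        s = self.scores()
        if s["after"] > s["before"]:
            issues.append(f"{self.ref}: existing mitigation raises the score ({s['before']} -> {s['after']})")
        if s["target"] > s["after"]:
            issues.append(f"{self.ref}: target score {s['target']} is above the current score {s['after']}")
        if action_required(s["target"]):
            issues.append(f"{self.ref}: target score {s['target']} is still in the grey area (>= {ACTION_THRESHOLD})")
        return issues

    def summary(self) -> str:
        s = self.scores()
        return (f"{self.ref} [{self.category}] current {s['after']} ({risk_band(s['after'])}), "
                f"target {s['target']} ({risk_band(s['target'])}), "
                f"action required: {action_required(s['after'])}")


if __name__ == "__main__":
    # Constructed sample entry: High (4) x Critical (4) before any control,
    # Moderate (3) x Critical (4) after existing controls, aiming for Low (2) x Moderate (3).
    entry = RiskEntry("2011-07", "D", "Statutory return filed late", (4, 4), (3, 4), (2, 3))
    print(entry.summary())
    print(entry.validate() or "no issues")
    for row in build_matrix():
        print(" ".join(f"{v:2d}" for v in row))
```

Note that the bands and the grey area do not coincide: a score of 12 or 15 is "Medium" by band but still needs a planned reduction below 12, which is why the helper reports both the band and the action flag.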
Appendix 4
Risk register layout

Summary (top part of the form):
Risk Ref: | Current score | Target score | Description
Risk matrix: Likelihood (5 down to 1) against Impact (1 to 5)

Detail (lower part of the form):
Risk area:
Risk category:
Risk description:
Risk owner:
Corporate aim:
Risk score before mitigation: Likelihood | Impact | Score
Existing mitigating actions:
Existing assurances:
Risk score after mitigation: Likelihood | Impact | Score
Future mitigating actions: | Owner | Completion date
Notes:
Target risk score after mitigation actions: Likelihood | Impact | Score
Appendix 5
Completing the Risk Register
The top part of the form is a summary of the risk. The information is given a more detailed
analysis in the lower portion of the form.
Heading and description of each entry on the form:

Risk reference: The unique reference given to this risk, comprising two elements:
• The year added
• A sequential number within that year
Current score: Transferred from the lower portion of the form; this represents the score before mitigation.
Target score: Transferred from the lower portion of the form; this score represents the target score to be achieved after mitigating actions have been introduced.
Description: The risk identified should be described as fully as possible to make clear the cause of the risk (1), a description of the risk (2) and the consequences of the risk happening (3).
Risk area: The generic area the risk is associated with.
Risk owner: The CMT Officer responsible for the risk and its mitigation.
Risk category: Category A to F as identified below:
• A – Financial
• B – Reputational
• C – Capacity
• D – Statutory compliance
• E – Human Resources
• F – Partnership
Corporate aim: The aim that is threatened by the risk event.
Risk score before mitigation: Likelihood score multiplied by the impact score.
Likelihood score: Measured on a scale of 1 to 5:
• Very High
• High
• Moderate
• Low
• Very Low
Impact score: Measured on a scale of 1 to 5:
• Catastrophic
• Critical
• Moderate
• Marginal
• Negligible
Risk score: Total of likelihood score multiplied by impact score.
Existing mitigation: Details of what mitigation is already in place.
Existing assurances: Confirmation, or otherwise, that this mitigation is operating as required.
Risk score after mitigation: Rescore the risk to show the impact of the agreed mitigation.
Future mitigating actions: Identify further steps to be taken to improve mitigation.
Owner: CMT and Head of Service responsible for the actions to improve mitigation.
Completion date: Expected completion date for the action(s).
Target risk score after mitigation actions: Ideal score for the risk after the proposed actions have been completed.