BUSINESS RISK MANAGEMENT TOOLKIT revision 09

RISK MANAGEMENT
TOOLKIT
Rev. 2009
CONTENTS
1. Introduction
2. Risk Management Process – One page summary
3. What is risk?
4. What is business risk management?
5. Risk appetite and tolerance thresholds
6. Process
7. Who should be involved?
8. Working through the 4 stages of the risk assessment process
   8.1 Risk identification
   8.2 Risk analysis and evaluation
   8.3 Risk control
   8.4 Risk monitoring and review
9. Escalating risks
10. Early warning indicators
11. Risk assessments
12. Risk registers
13. Summary
APPENDICES
1. Sources of risk
2. Glossary of terms
3. Business continuity
4. Partnerships
5. Risk rating matrix
6. Risk register
7. Example risk assessment
1. INTRODUCTION
The diverse range of activities undertaken by the Council involves making decisions and
taking risks. Part of why KCC has been so successful is that it encourages and supports
well-managed risk taking, recognising that innovation and opportunities to improve public
services require risk taking, provided that we have the ability, skills, knowledge and
training to manage those risks well. Risk management is therefore at the heart of what we do.
We cannot always decide upon the activities with which we are involved. In the private
sector, high impact/high likelihood risks can be avoided by opting out of that part of the
business. In the public sector that option may not exist due to statutory responsibilities.
Risk management therefore plays an important role in helping to manage risks and
opportunities in a practical and cost effective manner.
Some risks will require very little management whereas others will require a more managed
and structured approach. This toolkit is designed to help in this process and describes a
simple methodology to maximise the opportunity to achieve expected results.
This toolkit will work through the following questions:
What do you want to achieve?
What can stop you achieving your target?
How big is the risk?
What is the chance of it happening?
What has been done about it?
What else do you need to do about it?
This toolkit is provided to assist with the management of operational risks; however, examples
of strategic risks are also provided for information.
Guidance is also provided on business continuity planning and the management of risks
within partnerships.
2. Risk Management Process – One Page Summary

PROCESS
A continuous cycle around the Council objectives:
Identify -> Assess -> Plan & action -> Monitor and Review -> Identify ...
- Maximise opportunities that will help to deliver them.
- Manage threats that may hinder delivery of priorities.
- Process is a continuous cycle.

1. Identify
What could go wrong? What type of risk is it?
- Best done in groups
- Use available documents, e.g. business plans etc
- Think about the risk, e.g. if we do not review and manage our budget there is a risk of overspending
What category is it?
- Corporate, operational, partnership or project?
- Political, economic, social, technological, legislative, environmental, competitive, customer/citizen, reputation, partnership.
When to think about risks?
- Consider risks when setting objectives, improving services, early stages of project/partnership planning etc

2. Assess
What would the impact be? How likely is it to happen?
Likelihood x Impact = Risk rating

RISK RATING MATRIX (likelihood down the side, impact across the top)
Likelihood / Impact   1 Minor    2 Moderate   3 Significant   4 Serious    5 Major
5 Very likely          5 Low     10 Medium    15 Medium       20 High      25 High
4 Likely               4 Low      8 Medium    12 Medium       16 High      20 High
3 Possible             3 Low      6 Low        9 Medium       12 Medium    15 Medium
2 Unlikely             2 Low      4 Low        6 Low           8 Medium    10 Medium
1 Very unlikely        1 Low      2 Low        3 Low           4 Low        5 Low

3. Plan & implement controls
What should be done to reduce the risk? Who owns the risk? What else do you need to do about it?
- Rank risks in order of priority
- Concentrate on high ranked risks first
- Look at reducing the likelihood and impact
- Options to control – tolerate / treat / transfer / terminate
- Devise contingency plans for risks that remain high even with controls

4. Monitor and Review
Are the controls effective? Has the risk changed? Is there something new?
- Few risks remain static.
- Existing risks may change.
- New issues and risks may emerge.
3. WHAT IS RISK?
Wherever there is a decision or action to be taken, there is potential risk.
There are many definitions of ‘risk’, of which the following is just one example:
“Risk is the chance of something happening that will have an impact on objectives”
This means that risk can be seen as a negative threat or a positive opportunity.
A threat is anything that could hinder the achievement of business goals or the delivery of
customer / stakeholder expectations. Risk is not always a bad thing: there is no activity without
risk, it is in the very nature of things. What is bad is when it comes as a surprise and has an
adverse impact on the whole enterprise, or when an event seriously affects a stakeholder.
Opportunities are often described as the added benefits arising from the implementation of the
opportunity – benefits that are over and above the achievement of the original objective.
Opportunities may be wider than this and encompass the opportunity to add benefit by
deliberately taking risks through choice.
Some people confuse risk and hazard. A hazard is the source or origin of the event. For
example, a swimming pool filled with sharks is a hazard. It only becomes a risk when someone
might fall in. There can be many hazards around, but it is only when people, systems, property
etc are exposed to them that they become risky.
4. WHAT IS BUSINESS RISK MANAGEMENT?
Put simply, business risk management is the culture, organizational structure and ongoing
processes of managing the risks around the provision of services or development of the local
economy. It is about getting the right balance between innovation and change on the one
hand and the avoidance of shocks and crises on the other, in a consistent and systematic
way. Equally, risk management can also help to identify opportunities and to implement
measures aimed at increasing the prospects of success.
A robust approach to risk management will help to manage risks so that:
- There is an increased focus on what needs to be done to meet objectives
- Better use of resources
- Better management of change programmes
- Innovation is supported
- Results are achieved first time of trying
- Competitiveness is improved
- Improved quality of service delivery
- Enhanced ability to justify actions taken
- Protection of reputation
KCC has published its Risk Management Strategy, which describes the framework for
managing risk. A key element of this is a consistent approach to how we identify and
control risks through risk assessment. This is known as the process and is described in the
following sections.
You might find it useful to use problem solving techniques as you proceed through the stages
of the process.
5. RISK APPETITE / TOLERANCE THRESHOLDS
Before identifying and assessing risks, consideration should be given to the amount and type
of risk that you can or are prepared to accept, tolerate, or be exposed to at any point in
time. The level of risk that you are prepared to accept is known as your risk appetite. Within
KCC there will be many different risk appetites due to the diverse range of activities. For
example, there may be zero appetite for taking risks in relation to activities associated with
child protection. For new initiatives there will likely be a greater appetite for risk taking in order
to bring about change. The level of risk appetite at any level will be dictated by the level of risk
appetite at the next senior level. The levels of appetite that can be taken at any one level
should be made clear and communicated. As a strict rule, the risk appetite at one level must
never exceed that of any senior level. Working with defined risk appetites is a developing
area, and where this has not been confirmed it might be useful to use levels of authority as a
guide.
The degree of residual risk you are prepared to accept forms the basis of your tolerance
threshold and should be set below your risk appetite. Risks that exceed your pre-defined risk
appetite should not be allowed to exist. Risks that exceed your tolerance threshold should be
referred to senior management for instruction as to how to proceed. Risk appetite and
tolerance thresholds are not always easy to describe and are easier to apply to financial,
programme or project risks; however, by trying to describe and implement appetites and
tolerance thresholds you will demonstrate increased governance over risks. Appendix 5 can
be used as guidance.
6. PROCESS
There are four stages to the risk assessment process:-

Objectives -> Risk Appetite / Tolerance thresholds -> Process:
1 Risk Identification: What can happen? How could it happen?
2 Risk Analysis: Determine the likelihood/impact in order to estimate the level of risk
3 Plan & Implement: Determine how to treat the risk
4 Risk Monitoring: Monitor & review the effectiveness of controls and review the risk profile

If you work with other organisations, contractors, partnerships etc you will probably find that
they use a similar core process approach which helps simplify working across organisational
boundaries. You will also find that a common language is used when referring to risks. See
Appendix 2 for Glossary of Terms.
7. WHO SHOULD BE INVOLVED?
The best people to identify and control risks are those who are directly responsible for the
activity. Ideally, the group identifying the risks should contain the risk ‘owner’ i.e. the person
who will be responsible for actually designing and implementing controls and able to provide
early warning of difficulties.
Where activities and associated risks cut across other directorates, partners, external
organisations, etc it may be prudent to consult with them where they can influence the level of
risk, outcome or output.
8. WORKING THROUGH THE 4 STAGES OF THE RISK ASSESSMENT PROCESS
8.1 Identifying the risk
In order to manage risk it is necessary to know what risks exist or might occur. Understanding
where risks might exist and how to deal with them helps to ensure that all the positive things
we plan do happen and that we identify and prevent any of the negative things from occurring
that could stop or cause us to revise these plans or cause harm.
When thinking about risks you can look at events such as the failure of a database, criminal
prosecution, increase in demand for services or a process such as the management of health
and safety, financial control or client care management.
First, set out the objectives of the activity to be examined. It may help to have key documents
available such as the current annual business operating plan, medium term plan, project brief,
performance indicators etc. Using these documents you can start to identify your risks.
You should think about risks in terms of: Event -> Consequence -> Impact
For example:
Break in leads to theft of server which leads to loss of data
Or
Staff absence prevents compliance with statutory duties resulting in clients not receiving critical services
As you proceed through this process you will start to build up a list of risks.
Risks can be broken down into two categories – strategic and operational.

Strategic risks are those arising from major events which could impact across the whole of
the Council, e.g. major overspend or serious damage to the reputation of the Council. Their
sources of origin include:
- Political
- Economic
- Social
- Technological
- Legislative
- Environmental
- Competitive
- Customer/stakeholders

Operational risks are those arising from the day-to-day management of activities within
directorates and are less likely to impact upon other directorates or the Council as a whole.
Their sources of origin include:
- Professional
- Financial
- Legal
- Physical
- Contractual
- Technological
- Environmental
Most risks will fall into the ‘operational’ category. The process for managing strategic and
operational risks is identical; however, accountability for strategic risks lies with the Chief
Executive Officer and the Chief Officers Group, whereas operational risks lie with directorate
managers.
To help facilitate discussion, the above sources of risk are expanded in Appendix 1.
8.2 Risk Analysis & Evaluation
Having compiled a list of risks it is necessary to assess which of these are going to pose the
greatest threat (or opportunity) and this is done by looking at both impact (what harm might
result from the risk) and likelihood (chance of the risk occurring).
When assessing risks you are simply looking at what might happen, the chances of it
happening and when. This assessment can be achieved through rating each risk. A 5x5
matrix is used for this purpose. By considering these factors and giving each risk a score you
will quickly be able to rank these and identify which need early and closer attention.

RISK RATING MATRIX (likelihood down the side, impact across the top)
Likelihood / Impact   1 Minor    2 Moderate   3 Significant   4 Serious    5 Major
5 Very likely          5 Low     10 Medium    15 Medium       20 High      25 High
4 Likely               4 Low      8 Medium    12 Medium       16 High      20 High
3 Possible             3 Low      6 Low        9 Medium       12 Medium    15 Medium
2 Unlikely             2 Low      4 Low        6 Low           8 Medium    10 Medium
1 Very unlikely        1 Low      2 Low        3 Low           4 Low        5 Low
Each risk identified should first be scored according to the potential level of likelihood and
impact without controls to give the inherent risk value and then again with existing controls in
place and working to give the residual risk value (what is left). If there are no controls in
place the residual risk can only be scored as you proceed through stage 3.
Risks will fall into three categories:
LOW 1–6
MEDIUM 8–15
HIGH 16–25
For example: Staff absence prevents compliance with statutory duties resulting in clients not
receiving critical services
Inherent: Impact = 5 x Likelihood = 4, Risk ranking = 20 (HIGH)
Residual: Impact = 5 x Likelihood = 3, Risk ranking = 15 (MED)
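The scoring rule above (Likelihood x Impact, banded LOW 1–6 / MEDIUM 8–15 / HIGH 16–25) together with the escalation rule in section 9, worked through in code. This is an added example and not part of the toolkit; it assumes the tolerance line sits where MEDIUM butts up against HIGH (the illustration in section 8.3), and the register entries and the "cover rota" control are constructed.

```python
"""Added example (not from the toolkit): scoring and banding risks with the 5x5
likelihood x impact matrix, then applying the toolkit's escalation rule."""
from dataclasses import dataclass

LIKELIHOOD = {5: "Very likely", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Very unlikely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Serious", 5: "Major"}

# Bands as the toolkit gives them: LOW 1-6, MEDIUM 8-15, HIGH 16-25.
# No product of two scores in 1..5 equals 7, so the gap between LOW and MEDIUM is harmless.
LOW_MAX, MEDIUM_MAX = 6, 15
# Assumed tolerance line: where MEDIUM butts up against HIGH (toolkit section 8.3 example).
TOLERANCE_MAX = MEDIUM_MAX


def rating(likelihood: int, impact: int) -> int:
    """Likelihood x Impact = risk rating; both must be on the 1..5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"scores must be 1..5, got L={likelihood} I={impact}")
    return likelihood * impact


def band(score: int) -> str:
    """Map a rating to the toolkit's LOW / MEDIUM / HIGH categories."""
    if score <= LOW_MAX:
        return "LOW"
    if score <= MEDIUM_MAX:
        return "MEDIUM"
    return "HIGH"


def render_matrix() -> str:
    """Plain-text copy of the 5x5 risk rating matrix: likelihood down, impact across."""
    header = "Likelihood / Impact".ljust(20)
    header += "".join(f"{i} {name}".ljust(15) for i, name in IMPACT.items())
    rows = [header]
    for lk in sorted(LIKELIHOOD, reverse=True):
        cells = "".join(f"{rating(lk, i):>2} {band(rating(lk, i))}".ljust(15) for i in IMPACT)
        rows.append(f"{lk} {LIKELIHOOD[lk]}".ljust(20) + cells)
    return "\n".join(rows)


@dataclass
class Risk:
    """One risk register line: scores without controls (inherent) and with them (residual)."""
    ref: int
    event: str
    inherent_l: int
    inherent_i: int
    residual_l: int
    residual_i: int
    controls: tuple = ()


def assess(risk: Risk, tolerance_max: int = TOLERANCE_MAX) -> dict:
    """Score a risk and decide whether it must be escalated.

    Escalate when the residual score exceeds the tolerance line or is HIGH (16+), the
    rules in sections 5 and 9. A residual score above the inherent score is a scoring
    error, since controls can only reduce likelihood and/or impact."""
    inherent = rating(risk.inherent_l, risk.inherent_i)
    residual = rating(risk.residual_l, risk.residual_i)
    if residual > inherent:
        raise ValueError(f"risk {risk.ref}: residual {residual} exceeds inherent {inherent}")
    escalate = residual > tolerance_max or band(residual) == "HIGH"
    return {"ref": risk.ref, "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual), "escalate": escalate}


def prioritise(register: list) -> list:
    """Rank assessed risks by residual score, highest first (high ranked risks first)."""
    return sorted((assess(r) for r in register), key=lambda a: a["residual"], reverse=True)


# Constructed register, using the two worked examples from the toolkit text.
# The "cover rota" control is a constructed placeholder; the toolkit names none for it.
REGISTER = [
    Risk(1, "Staff absence prevents compliance with statutory duties",
         inherent_l=4, inherent_i=5, residual_l=3, residual_i=5, controls=("cover rota",)),
    Risk(4, "Break in leads to theft of IT systems resulting in the loss of information",
         inherent_l=5, inherent_i=3, residual_l=3, residual_i=3,
         controls=("intruder alarm system",)),
]

if __name__ == "__main__":
    print(render_matrix())
    for entry in prioritise(REGISTER):
        print(entry)
```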
Identified risks should be recorded. If you are dealing with one particular activity it may be
appropriate to simply record details of risks within a risk assessment.
When recording risks across a range of activities a risk register should be prepared. Any entry
within a register can also be supported by a risk assessment which sets out any barriers to
success and describes controls in more detail to help monitor them. Templates are provided
in Appendix 6 & 7 for this purpose.
An example of an entry within a risk register at business unit level may be:
Ref No.: 4
Source: Building is located in a high crime area
Event: Break in leads to theft of IT systems resulting in the loss of information
Planned Outcome: Secure site
Accountable Manager: Assistant Director
Existing Controls: - intruder alarm system
New Task / Actions:
Date:
Inherent Rating: I=3, L=5, R=15 (MED)
Residual Rating: I=3, L=3, R=9 (MED)
When a risk is recorded it should be given a reference number. This reference number should
remain with the risk until it no longer exists to provide an audit trail.
8.3 Risk Control
Having identified and assessed a risk it is then necessary to decide what initial or further
action needs to be taken to control it or overcome barriers, to ensure you achieve your
objective. The residual rating attributed to each risk should be rescored on the assumption
that the controls have been implemented and are effective.
Those risks with HIGH residual scores will need early and closer attention and should be
addressed as a priority. It may be that some high risks will remain HIGH even with controls in
place. These risks should be considered against your risk appetite and tolerance thresholds.
The level of tolerance should be established if not already done. For example the risk
tolerance line could be set where MEDIUM risks butt up against HIGH risks on the 5x5 matrix.
Any risks that exceed this tolerance threshold should be referred immediately to the next level
of management for guidance. Risks beyond the tolerance threshold can only be accepted with
the permission of the next level of management.
[Figure: 5x5 risk rating matrix with the tolerance line drawn where MEDIUM meets HIGH]
Only a workable number of risks should be focused upon at any one time - probably anything
up to 10. Hopefully there won’t be many HIGH risks in which case MEDIUM risks can also be
considered. Any remaining risks can be dealt with as more immediate risks drop out of the
top 10 once appropriate controls have been introduced and are working. As part of this
process you should identify which of the controls are more critical in terms of their
effectiveness. It may be helpful to list controls in order of their criticality.
Although those risks requiring early or closer attention have been identified there may be other
risks that are suitable for a “quick fix” and can be quickly and easily controlled. These should
be dealt with if possible particularly where they will have a real impact upon the overall
effectiveness of control measures.
The courses available to control risks are:

Evaluated level of risk -> Accept with existing level of controls?
  Yes -> Tolerate
  No  -> Treat / Transfer / Terminate

Action:
Tolerate: Do nothing special and continue as planned. The ability to do anything may be
limited or the cost of taking action may be disproportionate to the potential benefit gained.
Treat: Introduce control procedures to increase the chance of success.
Transfer: Share the exposure of risk with insurance or contractor. The relationship with a
contractor needs to be carefully managed as it may not be possible to fully transfer all risks
and some aspects might remain, such as reputational risk.
Terminate: Withdraw from the activity if possible.
Controlling risks will be a process of reducing ‘impact’ and / or ‘likelihood’.
Suggested controls might include:
Impact
- Business continuity plans
- Contractual agreement
- Fraud control planning
- Good public relations
- Minimising exposure to the source of risk
Likelihood
- Contract conditions
- Process controls and inspections
- Project management
- Preventative maintenance
- Effective internal controls
- Supervision
- Structured training programme
Any controls should always be proportional to the risk and ‘over control’ avoided. Loss control
initiatives can be expensive and time consuming to initiate, and it is therefore important to try
to ensure that they are likely to be successful and will not cost more than the losses they are
designed to avoid or mitigate.
Controls should be clearly described to avoid ambiguity, and any obstacles or barriers that
might arise and affect them should be explored along with early warning indicators. Controls
should be recorded in the order of their criticality to the achievement of the outcome, for
ease of identification.
Target dates for completion of aspects of control, reporting of progress etc should be made
clear and recorded where possible.
Some risks might seem too difficult to tackle because they are controversial, political, too big
or too specialist. These should not be avoided but dealt with in a positive but proportional
way by considering factors such as the opportunity to improve them, ease of improvement,
cost of improvement and breadth of community affected.
Even with controls some degree of residual risk may remain, in which case business continuity
plans might need to be considered to reduce impact and ensure that the service can function
even if something awful is happening. See Appendix 3.
8.4 Risk monitoring and review
Few risks remain static and it is important to know and understand what is happening. This
can be achieved through regularly monitoring progress and formally reviewing risks in order
to:
- Gain assurance that progress is being made towards controlling risks and the
effectiveness of controls
- Monitor changes to the risk profile brought about by circumstances and business priorities,
e.g. new legislation
A suggested monitoring period might be every three months with a more formal review period
annually. The frequency will be dependent on the circumstances and environment around the
risks. Within a rapidly changing environment monthly monitoring and three monthly reviews
may be more appropriate.
When monitoring and reviewing risks you need to be clear about how this is to be undertaken.
It may help to develop a set of questions, for example:
- Are the key risks still relevant?
- Have some risks become issues?
- Has anything occurred which could impact upon them?
- Has the risk appetite or tolerance levels changed?
- Are performance / early warning indicators appropriate?
- Are the controls in place effective?
- Have risk scores changed and if so are they decreasing or increasing?
- If risk profiles are increasing what further controls might be needed?
- If risk profiles are decreasing can controls be relaxed?
Where objectives have not been achieved or are not on course to be achieved the cause(s)
should be investigated to inform and improve the risk assessment process. At the next formal
review of the risk the rating attributed to the risk should again be considered. At this stage you
may wish to review your risk appetite or tolerance levels to ensure they remain appropriate.
The review and monitoring of risks should be integrated into existing organisational
and business planning processes so that it adds value and supports the successful
achievement of objectives, rather than being seen as a “bolt on”.
9. ESCALATING RISKS
There will be occasions when risks should be shared with more senior managers. These will
automatically include risks that exceed your tolerance thresholds. Residual risks that are
rated as HIGH, i.e. with a combined score of 16+, should also be referred up to the next level
of management to advise upon the appropriate level of control. ‘HIGH’ residual rated risks
should not remain without the permission of the next senior level of management.
Directorate management teams should have in place a process which allows for risks at any
level to be escalated upwards to enhance their level of control.
Business unit risks -> Service unit risk register -> Directorate risk register
Where a risk is escalated to a more senior level it should be considered along with all other
risks at this new level and possibly included within the higher level risk register.
Using a system whereby risks can be escalated allows senior managers to better target their
attention and resources towards key activities.
10. EARLY WARNING INDICATORS
The sooner you know something is not going to plan or events are happening around you that
will impact upon objectives the quicker you will be able to take corrective action and get back
on target or amend your course of action / priorities to reflect changing circumstances.
Early warning indicators are used as a way of measuring change in local critical areas so that
if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be
triggered. To be effective they need to be monitored on a regular basis and the findings
presented in such a way that the information can be quickly assimilated.
Early warning indicators should be specific to the risk and should not be confused with Key
Performance Indicators.
Indicators should be reviewed and updated to ensure they remain appropriate.
When establishing an indicator you should establish from the outset what information is to be
collected, the reporting frequency and trend or tolerance thresholds.
Early warning indicators can be applied to strategic and operational risks. For operational
risks they can be set to measure activity such as:
- Achievement of service quality levels
- Achievement of volume targets
- Achievement of time targets
- Achievement of revenue targets
- Levels of safety incidents or injury
- Achievement of key milestones
- Delivery of planned activities on time and on budget
Points to consider when establishing / reviewing indicators:
- Are all critical business systems clearly defined?
- Do early warning indicators exist for critical business systems?
- Do early warning indicators exist for programmes and projects?
- Do early warning indicators exist for operational activities?
- Is there a balanced set of indicators, including financial indicators?
- Are indicators examined by decision makers with the authority to take corrective action
on a regular cycle?
- Are the results of monitoring early warning indicators presented in a concise,
consistent manner so that the impact of the information is readily understood?
- Are the indicators updated to reflect changes within the activity?
- Are the indicators inward and outward looking?
Early warning indicators can also be used to identify opportunities.
11. RISK ASSESSMENTS
Although there are some similarities in the information recorded within risk assessments and
risk registers both documents actually serve a specific purpose. Risk assessments tend to
look at one particular element of a risk recorded against an objective in detail and its
associated controls whereas registers summarise risks and their controls across a project, unit
or directorate.
It may be necessary to complete a number of risk assessments to support a single objective
especially where elements may be under the control of different teams.
Risk assessments should be used to assess the level of risk associated with the objective and
inform the process for refreshing risk registers.
All risk assessments associated with objectives within business plans should be kept updated
throughout the year as necessary. They will also be used by Internal Audit to inform the
Annual Audit Programme, provide the basis for testing the extent and effectiveness of
controls, and provide evidence that the risk management methodology is being complied with.
Key project and partnership risks should be included within this process as they will have their
sources of origin in business objectives.
12. RISK REGISTERS
Risk registers provide an immediate record of all the identified risks, key controls and their
status resulting from their assessment in terms of likelihood and impact across a wider pool of
risks.
Risk registers should be monitored by management teams. Risks included within directorate
registers should be closely monitored by senior management teams.
The critical risks that can affect the Council as a whole should be recorded within the Strategic
Risk Register which is monitored by Directorate Resource Managers on behalf of the Chief
Officer Group which is made up of the Chief Executive and Managing Directors of the Council.
13. SUMMARY
Working through this toolkit provides a simple, basic methodology to help identify and manage
business threats and opportunities that might arise.
It is important to ensure that continuous risk assessment feeds into any decision making and
therefore into business processes.
It may be helpful to understand how managing risk through this process fits in with the overall
framework for managing risk throughout the Council. Details of this can be found in the
document ‘Risk Management Strategy’.
If you would like further advice about the risk management process contact the Corporate Risk
& Insurance Manager or your directorate lead officer for risk management.
APPENDIX 1
SOURCES OF RISK
The examples given are neither prescriptive nor exhaustive.

SOURCES OF STRATEGIC RISK (PESTLE – expanded)
Definition: Risks that may be potentially damaging to the achievement of KCC’s objectives

Political: Associated with the failure to deliver either local or central government policy, or to
meet the local administration’s commitment. Examples of nature of risk:
- Wrong political priorities
- Decision based on incorrect information
- Not meeting government agenda
- Unfulfilled promises to electorate
- Too slow or failure to modernise
- Community planning oversight/errors

Economic: Affecting the ability of the Council to meet its financial commitments. These include
internal budgetary pressures, inadequate insurance cover, external macro level economic changes
(e.g. interest rates, inflation etc) or the consequences of proposed investment decisions.
Examples of nature of risk:
- General/regional economic problems
- High cost of capital
- Treasury risk
- Missed business and service opportunities

Social: Relating to the effects of changes in demographic, residential or socio-economic trends on
the Council’s ability to deliver its objectives. Examples of nature of risk:
- Failing to meet the needs of disadvantaged communities
- Failures in partnership working
- Problems in delivering life-long learning
- Impact of demographic change
- Crime and disorder

Technological: Associated with the capacity of the Council to deal with the pace / scale of
technological change, or its ability to use technology to address changing demands. They may
also include the consequences of internal technological failure on the Council’s ability to deliver
its objectives. Examples of nature of risk:
- Obsolescence of technology
- Breach of confidentiality
- Hacking or corruption of data
- Failure in communications

Legislative: Associated with current or potential changes in national or European law.
Examples of nature of risk:
- Inadequate response to new legislation
- Judicial review
- Intervention by regulatory bodies and inspectorates
- Human Rights Act breaches

Environmental: Relating to the environmental consequences of progressing the Council’s
strategic objectives (e.g. in terms of energy, efficiency, pollution, recycling, landfill requirements,
emissions etc). Examples of nature of risk:
- Impact of Local Agenda 21 policies
- Impact of planning & transportation policies
- Noise, contamination and pollution

Competitive: Affecting the competitiveness of the service (in terms of quality or cost) and / or its
ability to deliver Best Value. Examples of nature of risk:
- Take over of services by government agencies
- Failure of bids for government funds
- Failure to show best value

Customer / citizen: Associated with the failure to meet the current and changing needs and
expectations of customers and citizens. Examples of nature of risk:
- Lack of appropriate consultation
- Bad public and media relations

SOURCES OF OPERATIONAL RISK
Those risks that may be encountered in the day to day provision of services

Professional: Associated with the particular nature of each profession. Examples of nature of risk:
- Inefficient/ineffective management processes
- Inability to implement change
- Lack of control over changes to service provision
- Inadequate consultation with service users
- Failure to communicate effectively with employees
- Lack of business continuity plan
- Non achievement of Best Value
- Bad management of partnership working
- Failure to manage and retain service contracts
- Poor management of externally funded projects

Financial: Associated with financial planning and control and the adequacy of insurance
arrangements. Examples of nature of risk:
- Failure of major projects
- Ineffective/inefficient processing of documents
- Missed opportunities for income/grants
- Inadequate insurance cover
- Failure to prioritise, allocate appropriate budgets and monitor
- Inadequate control over expenditure
- Inadequate control over income

Legal: Related to possible breaches of legislation. Examples of nature of risk:
- Not meeting statutory duties/deadlines
- Failure to implement legislative change
- Failure to comply with European directives on procurement of works, supplies and services
- Misinterpretation of legislation
- Exposure to liability claims e.g. motor accidents, wrongful advice
- Breach of confidentiality/Data Protection Act

Physical: Related to fire, security, accident prevention and health and safety. Examples of nature
of risk:
- Violence or aggression
- Loss of physical assets
- Non compliance with Health & Safety legislation
- Criminal damage to assets e.g. vandalism
- Injury at work
- Failure to maintain and upkeep land and property
- Loss of intangible assets

Contractual: Associated with the failure of contractors to deliver services or products to the
agreed cost and specification. Examples of nature of risk:
- Non compliance with procurement policies
- Poor selection of contractor
- Over reliance on key contractors/suppliers
- Poor contract specification, deficiencies
- Failure of outsourced provider to deliver
- Inadequate contract terms & conditions
- Failure to monitor contractor
- Quality issues

Technological: Relating to reliance on operational equipment (e.g. IT systems or equipment) or
machinery. Examples of nature of risk:
- Failure of big technology related project
- Breach of security of networks and data
- Crash of IT systems affecting service delivery
- Failure to comply with IT Security Policy
- Lack of disaster recovery plans
- Bad management of intranet / website

Environmental: Relating to pollution, noise or energy efficiency of ongoing service operation.
Examples of nature of risk:
- Impact of Local Agenda 21 policies
- Noise, contamination and pollution
- Crime & Disorder Act implications
- Inefficient use of energy and water
- Incorrect storage/disposal of waste
- Damage caused by trees, tree roots etc

Human Resources: Associated with staffing issues (e.g. recruitment / retention, sickness
management, change management, stress related risk analysis). Examples of nature of risk:
- Capacity issues
- Over reliance on key officers
- Failure to recruit/retain qualified staff
- Lack of employee motivation/efficiency
- Failure to comply with employment law
- Poor recruitment /selection processes
- Lack of training
- Lack of succession planning
APPENDIX 2
GLOSSARY OF TERMS

Benefits: The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.
Business Continuity Plan: A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams.
Business risk: A threat to the achievement of a business objective / benefit.
Consequence: The outcome of an event.
Contingency: An action or arrangement that can be put into place to minimise the impact of a risk should it occur.
Control (control measures): Any action, procedure or operation undertaken to contain a risk to an acceptable level.
Corporate Governance: The method by which an organisation directs and controls its functions and relates to its community.
Early warning indicator: A measure to identify a trend.
Hazard: A description of the source of the risk, i.e. the event or situation that gives rise to the risk. Also known as source of risk.
Identifying risks: The process by which events that could affect the achievement of objectives are analysed, described and listed.
Impact: The result of a particular threat or opportunity actually occurring.
Inherent risk: The exposure arising from a specific risk before any risk controls have been applied.
Issue: An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk, which has not yet occurred or might not occur).
Likelihood: The evaluated likelihood of a particular threat or opportunity actually happening.
Mitigation (Plan): A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.
Objective: Something worked towards or striven for; a goal.
Operational risks: Risks associated with the day-to-day issues that an organisation might face as it delivers its services.
Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.
Outcome: The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived and are achieved as a result of the activities undertaken to effect the change.
Periodic review: A review that occurs at specified regular time intervals.
Project risks: Risks associated with a specific activity which has defined goals, objectives, requirements, a life cycle, a beginning and an end.
Proximity (of risk): The time factor of a risk, i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur.
Residual risk: The risk remaining after the risk control has been applied.
Responsible manager: Manager who has responsibility for taking specified action.
Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. This could be an opportunity as well as a threat.
Risk appetite: The level of residual risk that the Council is prepared to accept, tolerate or be exposed to at any point in time.
Risk evaluation: The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.
Risk identification: Determination of what could pose a risk; a process to describe and list sources of risk (threats and opportunities).
Risk management: The culture, organisational structure and ongoing processes for the management of risk.
Risk prioritisation matrix: The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk.
Risk owner: A role or individual responsible for the management and control of all aspects of individual risks, with authority to implement the measures required. May also be known as Accountable Manager.
Risk perception: The way in which a risk is viewed based on a set of values or concerns.
Risk profile: Describes the types of risk faced by an organisation and its exposure to these risks.
Risk source: A description of the source of the risk, i.e. the event or situation that gives rise to the risk.
Risk register: A record of all identified risks relating to an area of activity which includes their status and mitigating controls.
Risk strategy: The overall organisational approach to risk management.
Risk tolerance: The threshold of risk exposure which, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response (e.g. reporting the situation to senior management for action).
Strategic risks: Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Council.
Terminate: A risk response to a threat. A deliberate decision to stop an activity which generates a risk.
Threat: An uncertain event that could have a negative impact on objectives or benefits.
Tolerate: A response to a threat. A deliberate decision to retain the threat.
Transfer: A risk response for a threat whereby a third party takes on the responsibility for an aspect of the threat.
Treat: A risk response to a threat. Proactive actions are taken to reduce the threat.
Appendix 3
BUSINESS CONTINUITY PLANNING

The likelihood of some risks occurring remains high even with controls in place. Where these risks may also have a high impact, an action plan should be devised to cope with the event and to restore services that support and are provided by the Council. In such cases Business Continuity Planning (BCP) should be considered.

Business continuity planning (BCP) is one of the ways in which high impact risks can be managed. Its purpose is to enable managers to plan for how they will respond, both immediately and in the longer term, should there be a major disruption or interruption to their service. The BCP process provides an early opportunity to identify single and weak points that may jeopardise service delivery.

Having a plan will enable you to better manage those risks where it is extremely difficult to reduce the impact should the event occur. These are probably the risks where impact and probability produce a combined rating of 20 or more using the KCC risk ranking matrix.

Should an event occur it may be your responsibility to get a service back operational as quickly as possible, identify and implement interim arrangements, communicate with those that may be affected etc. For example: how do you tell your staff about the event; how do you tell the community or clients that you cannot provide their service that day or for a longer period; how do you meet important deadlines; what are your critical systems, suppliers and services; who might be expected to provide physical help, advice etc and how do you get in contact? These are just examples of some of the questions that you may need to deal with.

It is essential that you are able to respond sensibly and with minimum wasted effort and resources. This can be best achieved by planning your response in advance with your business continuity team. Going through a business impact analysis will illustrate where the risks are highest and the potential impacts greatest. This will then enable you to identify potential problems and guard against them developing into even greater disruptions through measured planning.

Possible areas for consideration might include:

Main event / cause
- Loss of premises / access to premises
- Breach of confidentiality
- Failure / corruption of IT
- Continuity of support from suppliers
- Loss of key documentation / data
- Loss of skills / people

Result
- Financial loss
- Loss of reputation or public confidence
- Failure to deliver a service
- Failure to respond to an event
- Impact on stakeholders
- Failure to comply with legal obligations
- Creation of legal liabilities

It may not be possible to predict the actual nature of the event that may cause the disruption, but by thinking about your response in advance you should be able to use and adapt this information to inform your actions. You should also remember that you may not be dealing with a crisis in isolation, and those officers or contractors upon whom you rely within your own plan may themselves be in a similar situation.

When preparing a plan it should address the procedure to recover functionality within a defined time frame dependent upon the Council's need. Managers are used to making decisions in response to ad hoc events, and it might be more helpful if the plan is kept quite simple but with key points identified to prompt action, along with details of who to contact for assistance outside of your own team. For example, finance managers are best placed to assist with making decisions on the release of funding and payment of invoices in an emergency, Corporate Communications can deal with media management, Personnel & Development can advise on staffing issues, ISG can advise on IT and so on.

KCC is reliant upon many other organisations and contractors to help deliver its services. Where there is a dependency upon any of these it may be appropriate to ensure that they too have a plan to deal with any disruption and that it supports your own response.

Once you have a plan you will need to ensure that it is regularly reviewed, tested and accessible in an emergency.

If you would like to find out more about preparing a business continuity plan please contact KCC's business continuity advisers on 01622 221974 or 01622 694803.
Appendix 4
PARTNERSHIPS
Partnership working is playing an increasingly important role in our policy
development and service delivery. In recent years, the focus for many public,
private, voluntary and community organisations has been on the opportunities offered
by partnership or joint working arrangements. Indeed, many new funding sources
relating to a wide range of issues can only be accessed by the demonstration of
multi-partner approaches.
Working in partnership usually means committing resources such as officer time or
direct funding to develop and deliver desired outcomes. It may not be easy and,
whilst there are opportunities there are also risks. It is therefore important to
understand and manage these in so far as they affect both the partnership and
Council. The assessment of risks within partnerships therefore needs to be inward
and outward looking. Risks to the partnership should be assessed and recorded
within the partnership risk registers whereas risks to the Council should be assessed
and recorded in directorate risk registers as appropriate.
To help officers maximize the opportunities of working within partnerships and
managing the associated risks a guide has been prepared and is available on KNET
by searching under Risk Management.
The guide includes advice on:
- how to define a partnership,
- how partnership working is managed both strategically and within individual partnerships,
- why there is a need to enter into a partnership,
- how to set one up, and
- how to understand the risks and their impact upon the Council and individuals.

The focus of the guide is currently on risk within partnerships and aims to set out a consistent approach to the risk management of key partnerships, including the development, establishment, management and monitoring of partnerships. It is not intended to be prescriptive but to demonstrate good practice. The process must be proportionate to the risks that each partnership poses to KCC. For the more complex partnerships specialist legal, financial and tax advice should be sought to ensure that your partnership is properly structured to deliver your objectives.
Appendix 5
RISK RATING MATRIX

Rows are the likelihood score (1-5), columns are the impact score (1-5). Each cell shows the combined rating (likelihood score multiplied by impact score) and its band: Low, Medium or High.

                                                   Impact
                        1 Minor     2 Moderate    3 Significant   4 Serious     5 Major
Likelihood
5 Very likely           5  Low      10 Medium     15 Medium       20 High       25 High
4 Likely                4  Low       8 Medium     12 Medium       16 High       20 High
3 Possible              3  Low       6 Low         9 Medium       12 Medium     15 Medium
2 Unlikely              2  Low       4 Low         6 Low           8 Medium     10 Medium
1 Very Unlikely         1  Low       2 Low         3 Low           4 Low         5 Low

Likelihood Assessment Matrix

Factor          Score   Indicators
Very likely     5       Regular occurrence. Circumstances frequently encountered, i.e. daily/weekly/monthly. The risk is current & is almost certain to happen within the next twelve months.
Likely          4       Likely to happen at some point within the next 1-2 years. Circumstances occasionally encountered (once/twice a year). Has happened in past.
Possible        3       Reasonable possibility it will happen within next 3 years. May have happened in the past.
Unlikely        2       Unlikely to happen in 3+ years.
Very Unlikely   1       Has happened rarely/never before.
Impact Assessment Matrix

Suggested areas that might be impacted upon along with examples of potential risks. These can be used or added to as necessary. Risk scores: 5 Major, 4 Serious, 3 Significant, 2 Moderate, 1 Minor.

Effect on Service
5 Major: Complete breakdown in service delivery with severe, prolonged impact on customer service affecting the whole organisation. Intervention in a key service.
4 Serious: Disruption to service delivery for one or more directorates for 3 – 5 days. Criticism of a key process. High level of complaints at the corporate level across several service areas.
3 Significant: Disrupted service delivery from one directorate for up to 3 days. Criticism of an important process/service. Can handle but with difficulty.
2 Moderate: Disruptive impact on service at business unit level. Criticism of a secondary process/service. Small setback / management headache.
1 Minor: Small impact on customer service which may result in complaints to the business unit. Nuisance.

Compliance with law / contracts
5 Major: A substantial failure in accountability or integrity. Litigation leading to sizeable increase in responsibilities. Multiple civil uninsured or criminal actions with payments / fines above £150k.
4 Serious: Multiple uninsured civil litigation or criminal actions with payments / fines of £50k - £150k.
3 Significant: Multiple uninsured civil litigation or criminal actions with payments / fines of £25k - £50k.
2 Moderate: Low value / high volume litigation. Departmental fine of £5k - £25k.
1 Minor: Low value / volume litigation. Departmental fine below £5k.

Financial & Resources
5 Major: A large financial loss over 50% of budget. Total loss of a critical building. Failure of a strategic partnership.
4 Serious: Sizeable financial loss up to 50% of budget. Extensive damage to a critical building or considerable damage to several properties from one source. Inability to deliver popular policies due to budgetary constrictions.
3 Significant: Substantial damage to one part of a critical building. Failure of an operational partnership.
2 Moderate: Noticeable financial loss. Slight damage to one property.
1 Minor: Small financial loss. Negligible property damage.

Reputation
5 Major: Substantial adverse national media leading to Officer(s) &/or Elected Member(s) forced to resign &/or Audit Commission enquiry.
4 Serious: Large scandal. National adverse publicity / bad press. Widespread disgruntlement. A vote of no confidence in one service area.
3 Significant: Embarrassment contained within the Directorate. Localised disgruntlement.
2 Moderate: Embarrassment contained within the business unit. Local bad press.
1 Minor: Disgruntlement by a few.

People
5 Major: Death of several people.
4 Serious: RIDDOR reportable major injuries to several people or death of an individual.
3 Significant: RIDDOR reportable major injury to an individual.
2 Moderate: Superficial first aid injuries or discomfort to more than one person.
1 Minor: Superficial first aid injury or discomfort to an individual.

Effect on project objectives
5 Major: Complete failure of a project.
4 Serious: Extreme delay.
3 Significant: Important impact on project or most of expected benefits. Considerable slippage. Possible impact on overall finances / programme.
2 Moderate: Adverse effect to project. Slippage requires review of finances / short term programme.
1 Minor: Minimal impact to project. Minor slippage.

RM:Toolkit Rev.2009
Appendix 6
RISK REGISTER

Columns of the register:
Ref | Source | Event | Planned Outcome | Acc'table Manager | Existing Controls | New Tasks/Actions | Date | Inherent rating | Residual rating

The Inherent rating and the Residual rating are each recorded as I= (impact score), L= (likelihood score) and R= (the combined rating read from the Risk Rating Matrix). Blank rows for completion:

Ref | Source | Event | Planned Outcome | Acc'table Manager | Existing Controls | New Tasks/Actions | Date | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
    |        |       |                 |                   |                   |                   |      | Inherent: I=  L=  R= | Residual: I=  L=  R=
Appendix 7
Managing Business Risks - Risk Assessment (EXAMPLE)

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity.

Completed by: J Smith, Personnel Manager
KCC Directorate / Unit: CED Personnel & Development
Date completed: 01.04.2009
Business/Service Objective: To ensure that employees, visitors and contractors remain safe whilst on KCC property.

Risk No.: 6

Challenges to the achievement of the business objective (Risks):
- Health and safety risk management controls are appropriate and implemented
- Contractors manage their activities so as not to cause harm to themselves or others

Assessment of Inherent Risk (with NO controls in place):
Impact (Severity) 4, Likelihood (Probability) 4, Risk Rating 16 HIGH

Risk Control Measures: what can be done to reduce the threat to the achievement of the business/service objective?

List your existing control measures:
- Health & safety policy developed and implemented
- Local Health & safety representatives
- Contractors required to provide evidence of appropriate health & safety procedures

List what else could be done to reduce the risk further:
- Programmed auditing of KCC and contractors' health & safety procedures
- Improved training and promotion of health & safety

Assessment of Residual Risk (with all control measures implemented):
Impact (Severity) 3, Likelihood (Probability) 3, Rev'd Risk Rating 9 MED
Impact (Severity) 3, Likelihood (Probability) 2, Rev'd Risk Rating 6 LOW

Risk Ranking Matrix: as Appendix 5 (Likelihood 1 Very Unlikely to 5 Very likely against Impact 1 Minor to 5 Major).
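The rating arithmetic of the Appendix 5 matrix and the I= / L= / R= fields of the Appendix 6 register, applied to the Appendix 7 example above, as an added Python example written for this page (it is not KCC's own tooling). It assumes that a cell's rating is the likelihood score multiplied by the impact score and that the bands are the ones printed in the matrix (6 and below Low, 8 to 15 Medium, 16 and above High); the 20-or-more business continuity threshold comes from Appendix 3. The Appendix 7 figures are taken from the page (the second risk's inherent rating is assumed equal to the one shown); the two rows marked "Constructed" exist only to show the reviewer checks firing.

```python
"""Risk rating helpers modelled on the KCC Risk Rating Matrix (Appendix 5).

Added example for this page, not part of the KCC toolkit. Assumptions: a
cell's rating is likelihood x impact (each scored 1-5) and the Low/Medium/
High bands are those printed in the matrix. The business continuity
threshold of 20 is taken from Appendix 3 of the toolkit.
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD_LABELS = {5: "Very likely", 4: "Likely", 3: "Possible",
                     2: "Unlikely", 1: "Very Unlikely"}
IMPACT_LABELS = {5: "Major", 4: "Serious", 3: "Significant",
                 2: "Moderate", 1: "Minor"}
BCP_THRESHOLD = 20  # Appendix 3: rating of 20 or more -> consider a business continuity plan


def band(score: int) -> str:
    """Band a rating as printed in the Appendix 5 matrix.

    Every printed cell of 6 or below is Low, 8 to 15 is Medium and 16 or
    above is High. 7, 11, 13 and 14 are not products of two numbers in
    1-5, so the gaps between the bands are never reached.
    """
    if score >= 16:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rate(likelihood: int, impact: int) -> tuple[int, str]:
    """Return (rating, band) for a likelihood and an impact, each scored 1-5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be a whole number from 1 to 5, got {value!r}")
    score = likelihood * impact
    return score, band(score)


def matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """The full 5x5 matrix keyed by (likelihood, impact)."""
    return {(lk, im): rate(lk, im) for lk in range(1, 6) for im in range(1, 6)}


@dataclass
class RegisterEntry:
    """One row of the Appendix 6 register; I= impact, L= likelihood, R= rating."""
    ref: str
    event: str
    inherent_impact: int      # I= with NO controls in place
    inherent_likelihood: int  # L= with NO controls in place
    residual_impact: int      # I= with all control measures implemented
    residual_likelihood: int  # L= with all control measures implemented

    def inherent(self) -> tuple[int, str]:
        return rate(self.inherent_likelihood, self.inherent_impact)

    def residual(self) -> tuple[int, str]:
        return rate(self.residual_likelihood, self.residual_impact)

    def findings(self) -> list[str]:
        """Checks a reviewer of the register would apply to this row."""
        notes = []
        inherent_score, residual_score = self.inherent()[0], self.residual()[0]
        if residual_score > inherent_score:
            notes.append("residual rating exceeds inherent rating; controls cannot add risk, re-check the scores")
        if residual_score >= BCP_THRESHOLD:
            notes.append("residual rating is 20 or more; business continuity planning needed (Appendix 3)")
        return notes


def example_register() -> list[RegisterEntry]:
    """The Appendix 7 example plus two constructed rows that trigger the checks."""
    return [
        # Appendix 7: inherent I=4 L=4 (16 HIGH), residual I=3 L=3 (9 MED)
        RegisterEntry("6 (i)", "Health and safety risk management controls are appropriate and implemented", 4, 4, 3, 3),
        # Appendix 7: residual I=3 L=2 (6 LOW); inherent assumed to be the same 4/4 shown on the form
        RegisterEntry("6 (ii)", "Contractors manage their activities so as not to cause harm to themselves or others", 4, 4, 3, 2),
        # Constructed: high impact whose likelihood stays high even with controls
        RegisterEntry("X1", "Constructed: loss of the main server room", 5, 5, 5, 4),
        # Constructed: a data-entry slip where residual comes out above inherent
        RegisterEntry("X2", "Constructed: inherent and residual scores transposed", 2, 2, 3, 3),
    ]


def review(entries: list[RegisterEntry]) -> dict[str, dict]:
    """Summarise each row as the register records it, plus any findings."""
    out = {}
    for e in entries:
        inh_score, inh_band = e.inherent()
        res_score, res_band = e.residual()
        out[e.ref] = {
            "inherent": f"I={e.inherent_impact} L={e.inherent_likelihood} R={inh_score} {inh_band}",
            "residual": f"I={e.residual_impact} L={e.residual_likelihood} R={res_score} {res_band}",
            "findings": e.findings(),
        }
    return out


if __name__ == "__main__":
    for lk in range(5, 0, -1):  # print the matrix top row first, as in Appendix 5
        cells = "  ".join(f"{rate(lk, im)[0]:>2} {rate(lk, im)[1]:<6}" for im in range(1, 6))
        print(f"{LIKELIHOOD_LABELS[lk]:>13} {lk}: {cells}")
    for ref, row in review(example_register()).items():
        print(ref, row)
```

The band thresholds are a transcription of the printed matrix rather than a rule the toolkit states, so if a local copy of the matrix bands a cell differently, `band()` is the one place to change. Anything with a residual rating at or above 20 is reported against Appendix 3 so that it reaches the business continuity planning step rather than sitting in the register.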
Managing Business Risks - Risk Assessment (blank form)

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity.

Completed by:
KCC Directorate / Unit:
Date completed:
Business/Service Objective:

Risk No.:

Challenges to the achievement of the business objective (Risks):

Assessment of Inherent Risk (with NO controls in place):
Impact (Severity)       Likelihood (Probability)       Risk Rating

Risk Control Measures: what can be done to reduce the threat to the achievement of the business/service objective?

List your existing control measures:

List what else could be done to reduce the risk further:

Assessment of Residual Risk (with all control measures implemented):
Impact (Severity)       Likelihood (Probability)       Rev'd Risk Rating

Risk Ranking Matrix: as Appendix 5 (Likelihood 1 Very Unlikely to 5 Very likely against Impact 1 Minor to 5 Major).