RISK MANAGEMENT TOOLKIT
Rev. 2009

CONTENTS

1. Introduction
2. Risk Management Process – One page summary
3. What is risk?
4. What is business risk management?
5. Risk appetite and tolerance thresholds
6. Process
7. Who should be involved?
8. Working through the 4 stages of the risk assessment process
   8.1 Risk identification
   8.2 Risk analysis and evaluation
   8.3 Risk control
   8.4 Risk monitoring and review
9. Escalating risks
10. Early warning indicators
11. Risk assessments
12. Risk registers
13. Summary

APPENDICES

1. Sources of risk
2. Glossary of terms
3. Business continuity
4. Partnerships
5. Risk rating matrix
6. Risk register
7. Example risk assessment

1. INTRODUCTION

The diverse range of activities undertaken by the Council involves making decisions and taking risks. Part of why KCC has been so successful is that it encourages and supports well-managed risk taking, recognising that innovation and opportunities to improve public services require risk taking, provided that we have the ability, skills, knowledge and training to manage those risks well. Risk management is therefore at the heart of what we do.

We cannot always decide upon the activities with which we are involved. In the private sector, high impact/high likelihood risks can be avoided by opting out of that part of the business. In the public sector that option may not exist due to statutory responsibilities. Risk management therefore plays an important role in helping to manage risks and opportunities in a practical and cost effective manner.

Some risks will require very little management whereas others will require a more managed and structured approach. This toolkit is designed to help in this process and describes a simple methodology to maximise the opportunity to achieve expected results.

This toolkit will work through the following questions:

- What do you want to achieve?
- What can stop you achieving your target?
- How big is the risk?
- What is the chance of it happening?
- What has been done about it?
- What else do you need to do about it?

This toolkit is provided to assist with the management of operational risks; however, examples of strategic risks are also provided for information. Guidance is also provided on business continuity planning and the management of risks within partnerships.

2. RISK MANAGEMENT PROCESS – ONE PAGE SUMMARY

PROCESS

The process is a continuous cycle built around the Council's objectives:

   Identify -> Assess -> Plan & action -> Monitor and Review -> (back to Identify)

- Maximise opportunities that will help to deliver the Council's objectives.
- Manage threats that may hinder delivery of priorities.

1. Identify
   What could go wrong? What type of risk is it?
   - Best done in groups.
   - Use available documents, e.g. business plans etc.
   - Think about the risk, e.g. "If we do not review and manage our budget there is a risk of overspending".
   - What category is it? Corporate, operational, partnership or project? Political, economic, social, technological, legislative, environmental, competitive, customer/citizen, reputation, partnership.
   - When to think about risks? Consider risks when setting objectives, improving services, at the early stages of project/partnership planning etc.

2. Assess
   What would the impact be? How likely is it to happen?
   Likelihood x Impact = Risk rating

   Likelihood: Very likely 5, Likely 4, Possible 3, Unlikely 2, Very unlikely 1
   Impact: Minor 1, Moderate 2, Significant 3, Serious 4, Major 5

   RISK RATING MATRIX (each cell shows the rating and its band)

   Impact \ Likelihood | 5 Very likely | 4 Likely   | 3 Possible | 2 Unlikely | 1 Very unlikely
   1 Minor             | 5 Low         | 4 Low      | 3 Low      | 2 Low      | 1 Low
   2 Moderate          | 10 Medium     | 8 Medium   | 6 Low      | 4 Low      | 2 Low
   3 Significant       | 15 Medium     | 12 Medium  | 9 Medium   | 6 Low      | 3 Low
   4 Serious           | 20 High       | 16 High    | 12 Medium  | 8 Medium   | 4 Low
   5 Major             | 25 High       | 20 High    | 15 Medium  | 10 Medium  | 5 Low

3. Plan & implement controls
   What should be done to reduce the risk? Who owns the risk? What else do you need to do about it?

4. Monitor and Review
   Are the controls effective? Has the risk changed? Is there something new?
   (3. Plan & implement controls, continued)
   - Rank risks in order of priority.
   - Concentrate on high ranked risks first.
   - Look at reducing the likelihood and impact.
   - Options to control: tolerate / treat / transfer / terminate.
   - Devise contingency plans for risks that remain high even with controls.

   (4. Monitor and Review, continued)
   - Few risks remain static. Existing risks may change. New issues and risks may emerge.

3. WHAT IS RISK?

Wherever there is a decision or action to be taken, there lies a risk potential. There are many definitions of 'risk', of which the following is just one example:

   "Risk is the chance of something happening that will have an impact on objectives."

This means that risk can be seen as a negative threat or a positive opportunity.

A threat is anything that could hinder the achievement of business goals or the delivery of customer / stakeholder expectations. It is not always a bad thing: there is no activity without risk, it is in the very nature of things. What is bad is when it is a surprise and has an adverse impact on the whole enterprise, or where there is an event that seriously affects a stakeholder.

Opportunities are often described as the added benefits arising from the implementation of the opportunity, i.e. benefits that are over and above the achievement of the original objective. Opportunities may be wider than this and encompass the opportunity to add benefit by deliberately taking risks through choice.

Some people confuse risk and hazard. A hazard is the source or origin of the event. For example, a swimming pool filled with sharks is a hazard. It only becomes a risk when someone might fall in. There can be many hazards around, but it is only when people, systems, property etc. are exposed to them that they become risky.

4. WHAT IS BUSINESS RISK MANAGEMENT?

Put simply, business risk management is the culture, organisational structure and ongoing processes of managing the risks around the provision of services or development of the local economy.
It is about getting the right balance between innovation and change on the one hand and the avoidance of shocks and crises on the other, in a consistent and systematic way. Equally, risk management can also help to identify opportunities and to implement measures aimed at increasing the prospects of success.

The benefits of a robust approach to risk management will help to manage risks so that:

- There is an increased focus on what needs to be done to meet objectives
- Better use is made of resources
- Change programmes are better managed
- Innovation is supported
- Results are achieved first time of trying
- Competitiveness is improved
- Quality of service delivery is improved
- There is an enhanced ability to justify actions taken
- Reputation is protected

KCC has published its Risk Management Strategy, which describes the framework for managing risk. A key element of this is to have a consistent approach to how we identify and control risks through risk assessment. This is known as the process and is described in the following sections. You might find it useful to use problem solving techniques as you proceed through the stages of the process.

5. RISK APPETITE / TOLERANCE THRESHOLDS

Before identifying and assessing risks, consideration should be given to the amount and type of risk that you can or are prepared to accept, tolerate, or can be exposed to at any point in time. The level of risk that you are prepared to accept is known as your risk appetite.

Within KCC there will be many different risk appetites due to the diverse range of activities. For example, there may be zero appetite for taking risks in relation to activities associated with child protection. For new initiatives there will likely be a greater appetite for risk taking in order to bring about change.

The level of risk appetite at any level will be dictated by the level of risk appetite at the next senior level. The levels of appetite that can be taken at any one level should be made clear and communicated.
As a strict rule, the risk appetite at one level must never exceed that of any senior level. Working with defined risk appetites is a developing area, and where an appetite has not been confirmed it might be useful to use levels of authority as a guide.

The degree of residual risk you are prepared to accept forms the basis of your tolerance threshold and should be set below your risk appetite. Risks that exceed your pre-defined risk appetite should not be allowed to exist. Risks that exceed your tolerance threshold should be referred to senior management for instruction on how to proceed.

Risk appetite and tolerance thresholds are not always easy to describe and are easier to apply to financial, programme or project risks; however, by trying to describe and implement appetites and tolerance thresholds you will demonstrate increased governance over risks. Appendix 5 can be used as guidance.

6. PROCESS

There are four stages to the risk assessment process, set within the context of your objectives and your risk appetite / tolerance thresholds:

   Objectives -> Risk Appetite / Tolerance thresholds -> Process:

   1. Risk Identification - What can happen? How could it happen?
   2. Risk Analysis - Determine the likelihood/impact in order to estimate the level of risk
   3. Plan & Implement - Determine how to treat the risk
   4. Risk Monitoring - Monitor and review the effectiveness of controls and review the risk profile (then back to 1)

If you work with other organisations, contractors, partnerships etc. you will probably find that they use a similar core process approach, which helps to simplify working across organisational boundaries. You will also find that a common language is used when referring to risks. See Appendix 2 for the Glossary of Terms.

7. WHO SHOULD BE INVOLVED?

The best people to identify and control risks are those who are directly responsible for the activity. Ideally, the group identifying the risks should contain the risk 'owner', i.e. the person who will be responsible for actually designing and implementing controls and who is able to provide early warning of difficulties.
Where activities and associated risks cut across other directorates, partners, external organisations etc., it may be prudent to consult with them where they can influence the level of risk, outcome or output.

8. WORKING THROUGH THE 4 STAGES OF THE RISK ASSESSMENT PROCESS

8.1 Identifying the risk

In order to manage risk it is necessary to know what risks exist or might occur. Understanding where risks might exist and how to deal with them helps to ensure that all the positive things we plan do happen, and that we identify and prevent any of the negative things from occurring that could stop or cause us to revise these plans or cause harm.

When thinking about risks you can look at events, such as the failure of a database, criminal prosecution or an increase in demand for services, or at a process, such as the management of health and safety, financial control or client care management.

First, set out the objectives of the activity to be examined. It may help to have key documents available such as the current annual business operating plan, medium term plan, project brief, performance indicators etc. Using these documents you can start to identify your risks.

You should think about risks in terms of:

   Event -> Consequence -> Impact

For example:

   Break in -> leads to theft of server -> which leads to loss of data

Or:

   Staff absence -> prevents compliance with statutory duties -> resulting in clients not receiving critical services

As you proceed through this process you will start to build up a list of risks. Risks can be broken down into two categories: strategic and operational.

Strategic risks are those arising from major events which could impact across the whole of the Council, e.g. a major overspend or serious damage to the reputation of the Council. Their sources of origin include:

- Political
- Economic
- Social
- Technological
- Legislative
- Environmental
- Competitive
- Customer/stakeholders

Operational risks are those arising from the day-to-day management of activities within directorates and are less likely to impact upon other directorates or the Council as a whole. Their sources of origin include:

- Professional
- Financial
- Legal
- Physical
- Contractual
- Technological
- Environmental

Most risks will fall into the 'operational' category. The process for managing strategic and operational risks is identical; however, accountability for strategic risks lies with the Chief Executive Officer and the Chief Officers Group, whereas accountability for operational risks lies with directorate managers. To help facilitate discussion, the above sources of risk are expanded in Appendix 1.

8.2 Risk Analysis & Evaluation

Having compiled a list of risks it is necessary to assess which of these are going to pose the greatest threat (or opportunity). This is done by looking at both impact (what harm might result from the risk) and likelihood (the chance of the risk occurring).

When assessing risks you are simply looking at what might happen, the chances of it happening and when. This assessment can be achieved by rating each risk. A 5x5 matrix is used for this purpose. By considering these factors and giving each risk a score you will quickly be able to rank them and identify which need early and closer attention.

   Likelihood: Very likely 5, Likely 4, Possible 3, Unlikely 2, Very unlikely 1

   RISK RATING MATRIX (each cell shows the rating and its band)

   Impact \ Likelihood | 5 Very likely | 4 Likely   | 3 Possible | 2 Unlikely | 1 Very unlikely
   1 Minor             | 5 Low         | 4 Low      | 3 Low      | 2 Low      | 1 Low
   2 Moderate          | 10 Medium     | 8 Medium   | 6 Low      | 4 Low      | 2 Low
   3 Significant       | 15 Medium     | 12 Medium  | 9 Medium   | 6 Low      | 3 Low
   4 Serious           | 20 High       | 16 High    | 12 Medium  | 8 Medium   | 4 Low
   5 Major             | 25 High       | 20 High    | 15 Medium  | 10 Medium  | 5 Low

Each risk identified should first be scored according to the potential level of likelihood and impact without controls, to give the inherent risk value, and then again with existing controls in place and working, to give the residual risk value (what is left). If there are no controls in place, the residual risk can only be scored as you proceed through stage 3.
Risks will fall into three categories:

   LOW 1–6    MEDIUM 8–15    HIGH 16–25

For example: "Staff absence prevents compliance with statutory duties resulting in clients not receiving critical services"

   Inherent: Impact 5 x Likelihood 4 = Risk ranking 20 (HIGH)
   Residual: Impact 5 x Likelihood 3 = Risk ranking 15 (MEDIUM)

Identified risks should be recorded. If you are dealing with one particular activity it may be appropriate simply to record details of risks within a risk assessment. When recording risks across a range of activities, a risk register should be prepared. Any entry within a register can also be supported by a risk assessment, which sets out any barriers to success and describes controls in more detail to help monitor them. Templates are provided in Appendices 6 and 7 for this purpose.

An example of an entry within a risk register at business unit level may be:

   Ref No.:            4
   Source:             Building is located in a high crime area
   Event:              Break in leads to theft of IT systems resulting in the loss of information
   Planned Outcome:    Secure site
   Accountable Manager: Assistant Director
   Existing Controls:  Intruder alarm system
   New Task / Actions: (none recorded)
   Date:               (none recorded)
   Inherent Rating:    I = 3, L = 5, R = 15 MED
   Residual Rating:    I = 3, L = 3, R = 9 MED

When a risk is recorded it should be given a reference number. This reference number should remain with the risk until it no longer exists, to provide an audit trail.

8.3 Risk Control

Having identified and assessed a risk it is then necessary to decide what initial or further action needs to be taken to control it or to overcome barriers, to ensure you achieve your objective. The residual rating attributed to each risk should be rescored on the assumption that the controls have been implemented and are effective. Those risks with HIGH residual scores will need early and closer attention and should be addressed as a priority. It may be that some high risks will remain HIGH even with controls in place.
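The scoring steps above (Likelihood x Impact, the LOW/MEDIUM/HIGH bands, inherent versus residual ratings, reference numbers that stay with a risk, and the rule that HIGH residual risks are referred to the next level of management) can be carried out over a small register in a few lines. The following Python is an added illustration, not part of the toolkit; the register entries are constructed here, with refs 1 and 4 reusing the toolkit's own worked figures and refs 7, 8 and the named controls invented to show an escalation and an as-yet-unscored residual.

```python
# Added example (not from the toolkit): scoring a small risk register with the
# toolkit's 5x5 matrix, banding, inherent/residual ratings and the escalation rule.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LIKELIHOOD = {5: "Very likely", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Very unlikely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Serious", 5: "Major"}


def band(rating: int) -> str:
    """Bands from the toolkit: LOW 1-6, MEDIUM 8-15, HIGH 16-25."""
    if rating <= 6:
        return "LOW"
    if rating <= 15:
        return "MEDIUM"
    return "HIGH"


def rate(impact: int, likelihood: int) -> Tuple[int, str]:
    """Likelihood x Impact = risk rating, returned together with its band."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if value not in IMPACT:  # both scales run 1..5
            raise ValueError(f"{name} must be 1..5, got {value!r}")
    rating = impact * likelihood
    return rating, band(rating)


def matrix() -> Dict[Tuple[int, int], Tuple[int, str]]:
    """The full 5x5 matrix keyed by (impact, likelihood), e.g. (4, 4) -> (16, 'HIGH')."""
    return {(i, l): rate(i, l) for i in IMPACT for l in LIKELIHOOD}


@dataclass
class RiskEntry:
    ref: int                                    # reference number kept for the life of the risk
    event: str
    inherent: Tuple[int, int]                   # (impact, likelihood) scored without controls
    residual: Optional[Tuple[int, int]] = None  # scored with controls in place; None until stage 3
    controls: List[str] = field(default_factory=list)


def residual_rating(entry: RiskEntry) -> Optional[Tuple[int, str]]:
    return None if entry.residual is None else rate(*entry.residual)


def needs_escalation(entry: RiskEntry, tolerance: int = 16) -> bool:
    """Section 9 rule: a residual rating of 16+ (HIGH), or anything at or above the
    tolerance threshold the unit has set, is referred to the next level of management."""
    r = residual_rating(entry)
    return r is not None and r[0] >= tolerance


def prioritise(register: List[RiskEntry], tolerance: int = 16) -> List[Tuple[int, int, str, bool]]:
    """Rank the register by residual rating, highest first, as (ref, rating, band, escalate).
    Residuals not yet scored sort last with rating 0 and band 'UNSCORED'."""
    rows = []
    for e in register:
        r = residual_rating(e)
        rating, b = r if r is not None else (0, "UNSCORED")
        rows.append((e.ref, rating, b, needs_escalation(e, tolerance)))
    return sorted(rows, key=lambda row: -row[1])


# Constructed sample register. Refs 1 and 4 reuse the toolkit's own worked figures;
# refs 7 and 8 and the control names are invented for this example.
SAMPLE_REGISTER = [
    RiskEntry(1, "Staff absence prevents compliance with statutory duties", (5, 4), (5, 3),
              ["cover rota (constructed control)"]),
    RiskEntry(4, "Break in leads to theft of IT systems and loss of information", (3, 5), (3, 3),
              ["intruder alarm system"]),
    RiskEntry(7, "Sole supplier of a critical service fails", (4, 5), (4, 4),
              ["contract penalty clauses (constructed control)"]),
    RiskEntry(8, "Loss of key officer with no successor", (4, 3)),  # residual scored in stage 3
]

if __name__ == "__main__":
    for ref, rating, b, esc in prioritise(SAMPLE_REGISTER):
        print(f"Ref {ref}: residual {rating} {b}{' - ESCALATE' if esc else ''}")
```

Lowering the `tolerance` argument moves the tolerance line down the matrix: with `tolerance=15` the toolkit's staff absence example (residual 15, MEDIUM) would also be referred upwards, which is the effect of setting the line below the MEDIUM/HIGH boundary as section 8.3 describes.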
These risks should be considered against your risk appetite and tolerance thresholds. The level of tolerance should be established if not already done. For example, the risk tolerance line could be set where MEDIUM risks butt up against HIGH risks on the 5x5 matrix. Any risks that exceed this tolerance threshold should be referred immediately to the next level of management for guidance. Risks beyond the tolerance threshold can only be accepted with the permission of the next level of management.

Only a workable number of risks should be focused upon at any one time, probably anything up to 10. Hopefully there will not be many HIGH risks, in which case MEDIUM risks can also be considered. Any remaining risks can be dealt with as more immediate risks drop out of the top 10 once appropriate controls have been introduced and are working.

As part of this process you should identify which of the controls are more critical in terms of their effectiveness. It may be helpful to list controls in order of their criticality.

Although those risks requiring early or closer attention have been identified, there may be other risks that are suitable for a "quick fix" and can be quickly and easily controlled. These should be dealt with if possible, particularly where they will have a real impact upon the overall effectiveness of control measures.

The courses of action available to control risks are:

   Evaluated level of risk -> Accept with existing level of controls?
      Yes -> Tolerate
      No  -> Treat / Transfer / Terminate

   Tolerate:   Do nothing special and continue as planned. The ability to do anything may be limited, or the cost of taking action may be disproportionate to the potential benefit gained.
   Treat:      Introduce control procedures to increase the chance of success.
   Transfer:   Share the exposure of risk with insurance or a contractor. The relationship with a contractor needs to be carefully managed, as it may not be possible to fully transfer all risks and some aspects might remain, such as reputational risk.
   Terminate:  Withdraw from the activity if possible.

Controlling risks will be a process of reducing 'impact' and / or 'likelihood'. Suggested controls might include:

   Impact
   - Business continuity plans
   - Contractual agreement
   - Fraud control planning
   - Good public relations
   - Minimising exposure to the source of risk

   Likelihood
   - Contract conditions
   - Process controls and inspections
   - Project management
   - Preventative maintenance
   - Effective internal controls
   - Supervision
   - Structured training programme

Any controls should always be proportional to the risk and 'over control' avoided. Loss control initiatives can be expensive and time consuming to initiate, and it is therefore important to try to ensure that they are likely to be successful and will not cost more than the losses they are designed to avoid or mitigate.

Controls should be clearly described to avoid ambiguity, and any obstacles or barriers that might arise and affect them should be explored along with early warning indicators. Controls should be recorded in the order of their criticality to the achievement of the outcome, for ease of identification. Target dates for completion of aspects of control, reporting of progress etc. should be made clear and recorded where possible.

Some risks might seem too difficult to tackle because they are controversial, political, too big or too specialist. These should not be avoided but dealt with in a positive but proportional way, by considering factors such as the opportunity to improve them, ease of improvement, cost of improvement and breadth of community affected.

Even with controls some degree of residual risk may remain, in which case business continuity plans might need to be considered to reduce impact and ensure that the service can function even if something awful is happening.
See Appendix 3.

8.4 Risk monitoring and review

Few risks remain static and it is important to know and understand what is happening. This can be achieved through regularly monitoring progress and formally reviewing risks in order to:

- Gain assurance that progress is being made towards controlling risks and that controls are effective
- Monitor changes to the risk profile brought about by circumstances and business priorities, e.g. new legislation

A suggested monitoring period might be every three months, with a more formal review period annually. The frequency will be dependent on the circumstances and environment around the risks. Within a rapidly changing environment, monthly monitoring and three-monthly reviews may be more appropriate.

When monitoring and reviewing risks you need to be clear about how this is to be undertaken. It may help to develop a set of questions, for example:

- Are the key risks still relevant?
- Have some risks become issues?
- Has anything occurred which could impact upon them?
- Has the risk appetite or tolerance levels changed?
- Are performance / early warning indicators appropriate?
- Are the controls in place effective?
- Have risk scores changed and, if so, are they decreasing or increasing?
- If risk profiles are increasing, what further controls might be needed?
- If risk profiles are decreasing, can controls be relaxed?

Where objectives have not been achieved, or are not on course to be achieved, the cause(s) should be investigated to inform and improve the risk assessment process. At the next formal review of the risk the rating attributed to the risk should again be considered. At this stage you may wish to review your risk appetite or tolerance levels to ensure they remain appropriate.

The review and monitoring of risks should be integrated into existing organisational and business planning processes so that it adds value and supports the successful achievement of objectives, and is not just seen as a "bolt on".

9. ESCALATING RISKS

There will be occasions when risks should be shared with more senior managers. These will automatically include risks that exceed your tolerance thresholds. Residual risks that are rated as HIGH, i.e. with a combined score of 16+, should also be referred up to the next level of management to advise upon the appropriate level of control. 'HIGH' residual rated risks should not remain without the permission of the next senior level of management.

Directorate management teams should have in place a process which allows for risks at any level to be escalated upwards to enhance their level of control:

   Business unit risks -> Service unit risk register -> Directorate risk register

Where a risk is escalated to a more senior level it should be considered along with all other risks at this new level and possibly included within the higher level risk register. Using a system whereby risks can be escalated allows senior managers to better target their attention and resources towards key activities.

10. EARLY WARNING INDICATORS

The sooner you know that something is not going to plan, or that events are happening around you that will impact upon objectives, the quicker you will be able to take corrective action and get back on target, or amend your course of action / priorities to reflect changing circumstances.

Early warning indicators are used as a way of measuring change in local critical areas so that, if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be triggered. To be effective they need to be monitored on a regular basis and the findings presented in such a way that the information can be quickly assimilated.

Early warning indicators should be specific to the risk and should not be confused with Key Performance Indicators. Indicators should be reviewed and updated to ensure they remain appropriate.
When establishing an indicator you should establish from the outset what information is to be collected, the reporting frequency, and the trend or tolerance thresholds.

Early warning indicators can be applied to strategic and operational risks. For operational risks they can be set to measure activity such as:

- Achievement of service quality levels
- Achievement of volume targets
- Achievement of time targets
- Achievement of revenue targets
- Levels of safety incidents or injury
- Achievement of key milestones
- Delivery of planned activities on time and on budget

Points to consider when establishing / reviewing indicators:

- Are all critical business systems clearly defined?
- Do early warning indicators exist for critical business systems?
- Do early warning indicators exist for programmes and projects?
- Do early warning indicators exist for operational activities?
- Is there a balanced set of indicators, including financial indicators?
- Are indicators examined on a regular cycle by decision makers with the authority to take corrective action?
- Are the results of monitoring early warning indicators presented in a concise, consistent manner so that the impact of the information is readily understood?
- Are the indicators updated to reflect changes within the activity?
- Are the indicators inward and outward looking?

Early warning indicators can also be used to identify opportunities.

11. RISK ASSESSMENTS

Although there are some similarities in the information recorded within risk assessments and risk registers, the two documents actually serve specific purposes. Risk assessments tend to look in detail at one particular element of a risk recorded against an objective and its associated controls, whereas registers summarise risks and their controls across a project, unit or directorate. It may be necessary to complete a number of risk assessments to support a single objective, especially where elements may be under the control of different teams.
Risk assessments should be used to assess the level of risk associated with the objective and to inform the process for refreshing risk registers. All risk assessments associated with objectives within business plans should be kept updated throughout the year as necessary. They will also be used by Internal Audit to inform the Annual Audit Programme, to provide the basis for testing the extent and effectiveness of controls, and to provide evidence that the risk management methodology is being complied with.

Key project and partnership risks should be included within this process, as they will have their sources of origin in business objectives.

12. RISK REGISTERS

Risk registers provide an immediate record of all the identified risks, key controls and their status, resulting from their assessment in terms of likelihood and impact across a wider pool of risks. Risk registers should be monitored by management teams. Risks included within directorate registers should be closely monitored by senior management teams.

The critical risks that can affect the Council as a whole should be recorded within the Strategic Risk Register, which is monitored by Directorate Resource Managers on behalf of the Chief Officer Group, which is made up of the Chief Executive and Managing Directors of the Council.

13. SUMMARY

Working through this toolkit provides a simple, basic methodology to help identify and manage business threats and opportunities that might arise. It is important to ensure that continuous risk assessment feeds into any decision making and therefore into business processes.

It may be helpful to understand how managing risk through this process fits in with the overall framework for managing risk throughout the Council. Details of this can be found in the document 'Risk Management Strategy'.

If you would like further advice about the risk management process, contact the Corporate Risk & Insurance Manager or your directorate lead officer for risk management.
SOURCES OF RISK Appendix 1 The examples given are neither prescriptive or exhaustive. SOURCES OF STRATEGIC RISK (PESTLE – expanded) Definition - Risks that may be potentially damaging to the achievement of KCC’s objectives Political Associated with the failure to deliver either local or central government policy, or to meet the local administration’s commitment. Examples of nature of risk:Wrong political priorities Decision based on incorrect information Not meeting government agenda Unfulfilled promises to electorate Too slow or failure to modernise Community planning oversight/errors Economic Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (e.g. interest rates, inflation etc) or the consequences of proposed investment decisions. Examples of nature of risk:General/regional economic problems High cost of capital Treasury risk Missed business and service opportunities Social Relating to the effects of changes in demographic, residential or socio-economic trends on the Council’s ability to deliver its objectives. Examples of nature of risk:Failing to meet the needs of disadvantaged Failures in partnership working communities Problems in delivering life-long learning Impact of demographic change Crime and disorder Technological Associated with the capacity of the Council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failure on the Council’s ability to deliver its objectives. Examples of nature of risk:Obsolescence of technology Breach of confidentiality Hacking or corruption of data Failure in communications Legislative Associated with current or potential changes in national or European law. 
Examples of nature of risk:Inadequate response to new legislation Judicial review Intervention by regulatory bodies Human Rights Act breaches and inspectorates Environmental Relating to the environmental consequences of progressing the Council’s strategic objectives (e.g. in terms of energy, efficiency, pollution, recycling, landfill requirements, emissions etc). Examples of nature of risk:Impact of Local Agenda 21 policies Impact of planning &transportation policies Noise, contamination and pollution Competitive Affecting the competitiveness of the service (in terms of quality or cost) and / or its ability to deliver Best Value. Examples of nature of risk:Take over of services by government Failure of bids for government funds Agencies Failure to show best value Customer / citizen Associated with the failure to meet the current and changing needs and expectations of customers and citizens. Examples of nature of risk:Lack of appropriate consultation Bad public and media relations SOURCES OF OPERATIONAL RISK Those risks that may be encountered in the day to day provision of services Professional Associated with the particular nature of each profession. Examples of nature of risk:Inefficient/ineffective management processes Inability to implement change Lack of control over changes to service provision Inadequate consultation with service users Failure to communicate effectively with employees Lack of business continuity plan Non achievement of Best Value Bad management of partnership working Failure to manage and retain service contracts Poor management of externally funded projects Financial Associated with financial planning and control and the adequacy of insurance arrangements. Examples of nature of risk:Failure of major projects Ineffective/inefficient processing of documents Missed opportunities for income/grants Inadequate insurance cover Legal Related to possible breaches of legislation. 
Failure to prioritise, allocate appropriate budgets and monitor Inadequate control over expenditure Inadequate control over income Examples of nature of risk:- Not meeting statutory duties/deadlines Failure to implement legislative change Failure to comply with European directives on Misinterpretation of legislation Procurement of works, supplies and services Exposure to liability claims e.g. motor Breach of confidentiality/Data Protection Act accidents, wrongful advice Physical Related to fire, security, accident prevention and health and safety. Examples of nature of risk:Violence or aggression Loss of physical assets Non compliance with Health & Safety legislation Criminal damage to assets e.g.vandalism Injury at work Failure to maintain and upkeep land Loss of intangible assets and property Contractual Associated with the failure of contractors to deliver services of products to the agreed cost and specification. Examples of nature of risk:Non compliance with procurement policies Poor selection of contractor Over reliance on key contractors/suppliers Poor contract specification, deficiencies Failure of outsourced provider to deliver Inadequate contract terms & conditions Failure to monitor contractor Quality issues Technological Relating to reliance on operational equipment (e.g. IT systems or equipment) or machinery. Examples of nature of risk:Failure of big technology related project Breach of security of networks and data Crash of IT systems affecting service delivery Failure to comply with IT Security Policy Lack of disaster recovery plans Bad management of intranet / website Environmental Relating to pollution, noise or energy efficiency of ongoing service operation. Examples of nature of risk:Impact of Local Agenda 21 policies Noise, contamination and pollution Crime & Disorder Act implications Inefficient use energy and water Incorrect storage/disposal of waste Damage caused by trees, tree roots etc Human Resources Associated with staffing issues (e.g. 
recruitment / retention, sickness management, change management, stress related risk analysis).
Examples of nature of risk:
- Capacity issues
- Over reliance on key officers
- Failure to recruit/retain qualified staff
- Lack of employee motivation/efficiency
- Failure to comply with employment law
- Poor recruitment / selection processes
- Lack of training
- Lack of succession planning

APPENDIX 2
Glossary of Terms

Benefits: The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.
Business Continuity Plan: A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams.
Business risk: A threat to the achievement of a business objective / benefit.
Consequence: The outcome of an event.
Contingency: An action or arrangement that can be put into place to minimise the impact of a risk should it occur.
Control (control measures): Any action, procedure or operation undertaken to contain a risk to an acceptable level.
Corporate Governance: The method by which an organisation directs and controls its functions and relates to its community.
Early warning indicator: A measure to identify a trend.
Hazard: A description of the source of the risk, i.e. the event or situation that gives rise to the risk. Also known as source of risk.
Identifying risks: The process by which events that could affect the achievement of objectives are analysed, described and listed.
Impact: The result of a particular threat or opportunity actually occurring.
Inherent risk: The exposure arising from a specific risk before any risk controls have been applied.
Issue: An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk, which has not yet occurred or might not occur).
Likelihood: The evaluated likelihood of a particular threat or opportunity actually happening.
Mitigation (Plan): A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.
Objective: Something worked towards or striven for; a goal.
Operational risks: Risks associated with the day-to-day issues that an organisation might face as it delivers its services.
Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.
Outcome: The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived and are achieved as a result of the activities undertaken to effect the change.
Periodic review: A review that occurs at specified regular time intervals.
Project risks: Risks associated with a specific activity which has defined goals, objectives, requirements, a life cycle, a beginning and an end.
Proximity (of risk): The time factor of a risk, i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur.
Residual risk: The risk remaining after the risk control has been applied.
Responsible manager: Manager who has responsibility for taking specified action.
Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. This could be an opportunity as well as a threat.
Risk appetite: The level of residual risk that the Council is prepared to accept, tolerate or be exposed to at any point in time.
Risk evaluation: The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.
Risk identification: Determination of what could pose a risk; a process to describe and list sources of risk (threats and opportunities).
Risk management: The culture, organisational structure and ongoing processes for the management of risk.
Risk prioritisation matrix: The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk.
Risk owner: A role or individual responsible for the management and control of all aspects of individual risks, with authority to implement the measures required. May also be known as Accountable Manager.
Risk perception: The way in which a risk is viewed based on a set of values or concerns.
Risk profile: Describes the types of risk faced by an organisation and its exposure to these risks.
Risk source: A description of the source of the risk, i.e. the event or situation that gives rise to the risk.
Risk register: A record of all identified risks relating to an area of activity, which includes their status and mitigating controls.
Risk strategy: The overall organisational approach to risk management.
Risk tolerance: The threshold of risk exposure which, with appropriate approvals, can be exceeded but which when exceeded will trigger some form of response (e.g. reporting the situation to senior management for action).
Strategic risks: Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Council.
Terminate: A risk response to a threat. A deliberate decision to stop an activity which generates a risk.
Threat: An uncertain event that could have a negative impact on objectives or benefits.
Tolerate: A response to a threat. A deliberate decision to retain the threat.
Transfer: A risk response for a threat whereby a third party takes on the responsibility for an aspect of the threat.
Treat: A risk response to a threat. Proactive actions are taken to reduce the threat.

Appendix 3
BUSINESS CONTINUITY PLANNING

The likelihood of some risks occurring remains high even with controls in place. Where these risks may also have a high impact, an action plan should be devised to cope with the event and to restore the services that support and are provided by the Council. In such cases Business Continuity Planning (BCP) should be considered.

Business continuity planning is one of the ways in which high impact risks can be managed. Its purpose is to enable managers to plan how they will respond, both immediately and in the longer term, should there be a major disruption or interruption to their service. The BCP process provides an early opportunity to identify single points of failure and weak points that may jeopardise service delivery.

Having a plan will enable you to better manage those risks where it is extremely difficult to reduce the impact should the event occur. These are probably the risks where impact and probability produce a combined rating of 20 or more using the KCC risk ranking matrix.

Should an event occur it may be your responsibility to get a service back operational as quickly as possible, identify and implement interim arrangements, communicate with those that may be affected, etc. For example: how do you tell your staff about the event? How do you tell the community or clients that you cannot provide their service that day or for a longer period? How do you meet important deadlines? What are your critical systems, suppliers and services? Who might be expected to provide physical help, advice etc., and how do you get in contact? These are just examples of some of the questions that you may need to deal with.
It is essential that you are able to respond sensibly and with minimum wasted effort and resources. This can best be achieved by planning your response in advance with your business continuity team. Going through a business impact analysis will illustrate where the risks are highest and the potential impacts greatest. This will then enable you to identify potential problems and guard against them developing into even greater disruptions through measured planning.

Possible areas for consideration might include:

Main event / cause:
- Loss of premises / access to premises
- Breach of confidentiality
- Failure / corruption of IT
- Continuity of support from suppliers
- Loss of key documentation / data
- Loss of skills / people

Result:
- Financial loss
- Loss of reputation or public confidence
- Failure to deliver a service
- Failure to respond to an event
- Impact on stakeholders
- Failure to comply with legal obligations
- Creation of legal liabilities

It may not be possible to predict the actual nature of the event that may cause the disruption, but by thinking about your response in advance you should be able to use and adapt this information to inform your actions. You should also remember that you may not be dealing with a crisis in isolation, and those officers or contractors upon whom you rely within your own plan may themselves be in a similar situation.

When preparing a plan it should address the procedure to recover functionality within a defined time frame dependent upon the Council’s need. Managers are used to making decisions in response to ad hoc events, and it may be more helpful if the plan is kept quite simple, with key points identified to prompt action along with details of who to contact for assistance outside of your own team. For example, finance managers are best placed to assist with making decisions on the release of funding and payment of invoices in an emergency, Corporate Communications can deal with media management, Personnel & Development can advise on staffing issues, ISG can advise on IT, and so on.

KCC is reliant upon many other organisations and contractors to help deliver its services. Where there is a dependency upon any of these it may be appropriate to ensure that they too have a plan to deal with any disruption and that it supports your own response.

Once you have a plan you will need to ensure that it is regularly reviewed, tested and accessible in an emergency.

If you would like to find out more about preparing a business continuity plan please contact KCC’s business continuity advisers on 01622 221974 or 01622 694803.

Appendix 4
PARTNERSHIPS

Partnership working is playing an increasingly important role in our policy development and service delivery. In recent years, the focus for many public, private, voluntary and community organisations has been on the opportunities offered by partnership or joint working arrangements. Indeed, many new funding sources relating to a wide range of issues can only be accessed by demonstrating multi-partner approaches.

Working in partnership usually means committing resources such as officer time or direct funding to develop and deliver desired outcomes. It may not be easy and, whilst there are opportunities, there are also risks. It is therefore important to understand and manage these in so far as they affect both the partnership and the Council. The assessment of risks within partnerships therefore needs to be both inward and outward looking. Risks to the partnership should be assessed and recorded within the partnership risk registers, whereas risks to the Council should be assessed and recorded in directorate risk registers as appropriate.
To help officers maximise the opportunities of working within partnerships and manage the associated risks, a guide has been prepared and is available on KNET by searching under Risk Management. The guide includes advice on:
- how to define a partnership
- how partnership working is managed, both strategically and within individual partnerships
- why there is a need to enter into a partnership
- how to set one up
- how to understand the risks and their impact upon the Council and individuals.

The focus of the guide is currently on risk within partnerships and aims to set out a consistent approach to the risk management of key partnerships, including the development, establishment, management and monitoring of partnerships. It is not intended to be prescriptive but to demonstrate good practice. The process must be proportionate to the risks that each partnership poses to KCC. For the more complex partnerships, specialist legal, financial and tax advice should be sought to ensure that your partnership is properly structured to deliver your objectives.

Appendix 5
RISK RATING MATRIX

Risk rating = Likelihood x Impact. Rows are likelihood (5 Very likely down to 1 Very Unlikely), columns are impact (1 Minor to 5 Major). Each cell gives the score and its band.

Likelihood            Impact: 1 Minor   2 Moderate   3 Significant   4 Serious   5 Major
5 Very likely                 5 Low     10 Medium    15 Medium       20 High     25 High
4 Likely                      4 Low      8 Medium    12 Medium       16 High     20 High
3 Possible                    3 Low      6 Low        9 Medium       12 Medium   15 Medium
2 Unlikely                    2 Low      4 Low        6 Low           8 Medium   10 Medium
1 Very Unlikely               1 Low      2 Low        3 Low           4 Low       5 Low

Read off the matrix: scores of 6 or less are Low, 8 to 15 are Medium, and 16 or more are High.

LIKELIHOOD ASSESSMENT MATRIX

Factor / Score / Indicators:
- Very likely (5): Regular occurrence. Circumstances frequently encountered, i.e. daily/weekly/monthly. The risk is current and is almost certain to happen within the next twelve months.
- Likely (4): Likely to happen at some point within the next 1-2 years. Circumstances occasionally encountered (once/twice a year). Has happened in the past.
- Possible (3): Reasonable possibility it will happen within the next 3 years. May have happened in the past.
- Unlikely (2): Unlikely to happen in 3+ years.
- Very Unlikely (1): Has happened rarely/never before.

IMPACT ASSESSMENT MATRIX

Suggested areas that might be impacted upon, along with examples of potential risks. These can be used or added to as necessary. Areas: Effect on Service; Financial & Resources; Reputation; Compliance with law / contracts; People; Effect on project objectives; Property.

5 Major
- Effect on Service: Complete breakdown in service delivery with severe, prolonged impact on customer service affecting the whole organisation.
- Financial & Resources: A large financial loss, over 50% of budget. Failure of a strategic partnership.
- Reputation: Substantial adverse national media leading to Officer(s) and/or Elected Member(s) forced to resign and/or Audit Commission enquiry. Large scandal. Widespread disgruntlement.
- Compliance with law / contracts: Litigation leading to sizeable increase in responsibilities. Multiple civil uninsured or criminal actions with payments / fines above £150k. Intervention in a key service.
- People: Death of several people.
- Effect on project objectives: Complete failure of a project. Extreme delay.
- Property: Total loss of a critical building.

4 Serious
- Effect on Service: Disruption to service delivery for one or more directorates for 3-5 days.
- Financial & Resources: Sizeable financial loss, up to 50% of budget. Inability to deliver popular policies due to budgetary constrictions.
- Reputation: National adverse publicity / bad press. High level of complaints at the corporate level across several service areas. A vote of no confidence in one service area.
- Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of £50k-£150k. Criticism of a key process. A substantial failure in accountability or integrity.
- People: RIDDOR reportable major injuries to several people, or death of an individual.
- Effect on project objectives: Important impact on project or most of expected benefits. Considerable slippage. Possible impact on overall finances / programme.
- Property: Extensive damage to a critical building, or considerable damage to several properties from one source.

3 Significant
- Effect on Service: Disrupted service delivery from one directorate for up to 3 days. Can handle, but with difficulty.
- Financial & Resources: Noticeable financial loss. Failure of an operational partnership.
- Reputation: Local bad press. Embarrassment contained within the Directorate. Localised disgruntlement.
- Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of £25k-£50k. Criticism of an important process/service.
- People: RIDDOR reportable major injury to an individual.
- Effect on project objectives: Adverse effect on project. Slippage requires review of finances / short term programme.
- Property: Substantial damage to one part of a critical building.

2 Moderate
- Effect on Service: Disruptive impact on service at business unit level. Small setback, management headache.
- Financial & Resources: Small financial loss.
- Reputation: Embarrassment contained within the business unit. Disgruntlement by a few.
- Compliance with law / contracts: Low value / high volume litigation. Departmental fine of £5k-£25k. Criticism of a secondary process/service.
- People: Superficial first aid injuries or discomfort to more than one person.
- Effect on project objectives: Minimal impact on project. Minor slippage.
- Property: Slight damage to one property.

1 Minor
- Effect on Service: Small impact on customer service which may result in complaints to the business unit. Nuisance.
- Compliance with law / contracts: Low value / volume litigation. Departmental fine below £5k.
- People: Superficial first aid injury or discomfort to an individual.
- Property: Negligible property damage.

Appendix 6
RISK REGISTER

Columns of the register (one row per risk):
- Ref
- Source
- Event
- Planned Outcome
- Accountable Manager
- Existing Controls
- New Tasks / Actions
- Date
- Inherent rating: I= (Impact), L= (Likelihood), R= (Rating = I x L)
- Residual rating: I=, L=, R=

Appendix 7
Managing Business Risks - Risk Assessment (EXAMPLE)

This document is designed to assist in identifying and assessing the actions necessary to control risks around a particular objective or activity.

Completed by: J Smith, Personnel Manager
KCC Directorate / Unit: CED Personnel & Development
Date completed: 01.04.2009
Business/Service Objective: To ensure that employees, visitors and contractors remain safe whilst on KCC property.

Risk No. 6
Challenges to the achievement of the business objective (Risks):
- Health and safety risk management controls are appropriate and implemented
- Contractors manage their activities so as not to cause harm to themselves or others

Assessment of Inherent Risk (with NO controls in place), using the Risk Ranking Matrix of Appendix 5:
Impact (Severity) 4, Likelihood (Probability) 4, Risk Rating 16 HIGH

Risk Control Measures
What can be done to reduce the threat to the achievement of the business/service objective?
List your existing control measures:
- Health & safety policy developed and implemented
- Local Health & safety representatives
- Contractors required to provide evidence of appropriate health & safety procedures

List what else could be done to reduce the risk further:
- Programmed auditing of KCC and contractors’ health & safety procedures
- Improved training and promotion of health & safety

Assessment of Residual Risk (with all control measures implemented):
Impact (Severity) 3, Likelihood (Probability) 3, Revised Risk Rating 9 MEDIUM
Impact (Severity) 3, Likelihood (Probability) 2, Revised Risk Rating 6 LOW

A blank copy of the Managing Business Risks - Risk Assessment form follows, with the same headings: Completed by; KCC Directorate / Unit; Date completed; Business/Service Objective; Risk No.; Challenges to the achievement of the business objective (Risks); Assessment of Inherent Risk (Impact, Likelihood, Risk Rating, with NO controls in place); Risk Control Measures (existing control measures; what else could be done to reduce the risk further); Assessment of Residual Risk (Impact, Likelihood, Revised Risk Rating, with all control measures implemented); and the Risk Ranking Matrix of Appendix 5.
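The scoring behind Appendices 5 to 7, as an added worked example that is not part of the toolkit: it encodes the rating matrix (band thresholds read off the printed cells: 6 or less Low, 8 to 15 Medium, 16 or more High), the Appendix 3 trigger of a rating of 20 or more for business continuity planning, and the Appendix 7 example as an Appendix 6 register row. The source category and the event wording for the example row are assumptions, as is the "Property" label for the property-damage descriptors.

```python
"""Risk rating matrix (Appendix 5) applied to the Appendix 7 example and laid out
as an Appendix 6 register row. Added example, not the toolkit's own material."""
from dataclasses import dataclass, field

LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Serious", 5: "Major"}
BCP_THRESHOLD = 20  # Appendix 3: ratings of 20 or more warrant business continuity planning


def band(score: int) -> str:
    """Band printed in the matrix. Scores are products of 1-5, so 7, 11, 13 and 14
    never occur and the gaps between the bands are never hit."""
    if score <= 6:
        return "Low"
    if score <= 15:
        return "Medium"
    return "High"


def rate(likelihood: int, impact: int) -> tuple[int, str]:
    """Likelihood x Impact = Risk rating, returned together with its band."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be whole numbers from 1 to 5")
    score = likelihood * impact
    return score, band(score)


def matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """Every cell of the 5 x 5 matrix keyed by (likelihood, impact)."""
    return {(lk, im): rate(lk, im) for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RegisterEntry:
    """One Appendix 6 register row; inherent/residual are (likelihood, impact) pairs."""
    ref: str
    source: str
    event: str
    planned_outcome: str
    accountable_manager: str
    inherent: tuple[int, int]   # with NO controls in place
    residual: tuple[int, int]   # with all control measures implemented
    existing_controls: list[str] = field(default_factory=list)
    new_actions: list[str] = field(default_factory=list)

    def inherent_rating(self) -> tuple[int, str]:
        return rate(*self.inherent)

    def residual_rating(self) -> tuple[int, str]:
        return rate(*self.residual)

    def controls_effective(self) -> bool:
        """Monitor and Review question: do the controls actually lower the rating?"""
        return self.residual_rating()[0] < self.inherent_rating()[0]

    def needs_bcp(self) -> bool:
        """Appendix 3: a residual rating of 20 or more calls for a continuity plan."""
        return self.residual_rating()[0] >= BCP_THRESHOLD


# Appendix 7 example (J Smith, 01.04.2009): 4 x 4 = 16 HIGH inherent, 3 x 3 = 9 MED residual.
# Source category and event wording are assumptions; the form gives only the objective.
EXAMPLE_RISK_6 = RegisterEntry(
    ref="6", source="Physical (assumed from Appendix 1)",
    event="Harm to employees, visitors or contractors on KCC property (assumed wording)",
    planned_outcome="Employees, visitors and contractors remain safe whilst on KCC property",
    accountable_manager="Personnel Manager", inherent=(4, 4), residual=(3, 3),
    existing_controls=["Health & safety policy developed and implemented",
                       "Local Health & safety representatives",
                       "Contractors required to provide evidence of health & safety procedures"],
    new_actions=["Programmed auditing of KCC and contractors' health & safety procedures",
                 "Improved training and promotion of health & safety"],
)

if __name__ == "__main__":
    for (lk, im), (score, b) in sorted(matrix().items()):
        print(f"{LIKELIHOOD[lk]:>13} x {IMPACT[im]:<11} = {score:2d} {b}")
    print("Risk 6 inherent", EXAMPLE_RISK_6.inherent_rating(), "residual",
          EXAMPLE_RISK_6.residual_rating(), "BCP needed:", EXAMPLE_RISK_6.needs_bcp())
```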