Risk Management Strategy

Appendix 1
RISK MANAGEMENT POLICY AND STRATEGY
RISK MANAGEMENT POLICY
Risk is the chance of something happening that will have an impact on what we set out to achieve. This
could be positive (i.e. an opportunity) or negative (i.e. a threat). It could be high-level (affecting our
corporate objectives) or low-level (affecting an individual task) with several degrees in between.
Our risk management strategy sets out the processes and structures in place to identify, record,
measure, control and manage risk at all levels within the authority. It clarifies roles and responsibilities
and provides the necessary tools and advice for effective risk management. This will be supported by
awareness raising and training to embed risk management principles at every level of the authority.
The authority's risk appetite is defined by the tolerance lines on the risk matrix below, which is used to
score inherent and residual risk and to identify control and monitoring requirements. The score is
likelihood (1-4) multiplied by impact (1-4).

LIKELIHOOD \ IMPACT      Negligible (1)   Minor (2)   Major (3)   Critical (4)
Almost certain (4)              4             8          12           16
Probable (3)                    3             6           9           12
Possible (2)                    2             4           6            8
Hardly ever (1)                 1             2           3            4
Green: No risk control action required; monitor annually
Yellow: Set target for acceptable risk and take control action to achieve; monitor quarterly
Red: Set target for acceptable risk and take control action as a priority; monitor monthly

Impact definitions:
Negligible: financial loss of <£10,000, inconvenience to the project and/or services, potential reputation issue
Marginal: financial loss of <£25,000, limited disruption to the project and/or services, could affect reputation
Significant: financial loss of <£160,000, major disruption to the project and/or services or medium term failure to deliver services, major damage to reputation inflicted, external intervention likely
Critical: financial loss of >£160,000, major disruption to the project and/or services or major failure to deliver vital services, serious major damage to reputation inflicted, external intervention certain
RISK MANAGEMENT POLICY AND STRATEGY - DECEMBER 2006
As an organisation we have identified our strategic risks and have a process in place to control and
monitor them. We will regularly review them (at least annually) to ensure that the strategic risk register
remains up-to-date. We also have a system in place to identify project and operational risks at an early
stage and again to control and monitor them effectively.
We do not expect to eliminate all risks but to take a balanced approach by setting appropriate tolerance
levels. We identify actions to reduce negative risks to an agreed acceptable level and this is monitored
via the risk register.
There is clear ownership of risks at all levels within the authority and we expect partner organisations
and contractors to have suitable risk management arrangements. We are working closely with the
Greater Lincolnshire Risk Management Forum (GLRMF) on all aspects of risk management, particularly
on partnership arrangements.
This policy and strategy has been presented to Audit & Governance Committee in November 2006 and
will be presented to Cabinet in January 2007. There will be an annual review thereafter.
The policy and strategy will be published on the Intranet and Internet following adoption. This will be
supported by information in the Chief Executive's Bulletin and by presentations on the key points and
practicalities to team meetings. See the communications section of the strategy for more detail.
RISK MANAGEMENT STRATEGY
AIMS AND OBJECTIVES
The aim of this strategy is to clearly set out Boston Borough Council's approach to risk management
and the processes and procedures in place to ensure that it is embedded within the organisation.
The objectives of this strategy are:
- To be clear and consistent about definitions, processes and procedures, roles and responsibilities
- To define the Council's risk appetite and tolerance levels
- To raise awareness of the benefits of effective risk management, both in terms of avoiding negative outcomes and in terms of taking opportunities and learning lessons
- To embed risk management into the culture of the organisation
ROLES AND RESPONSIBILITIES
Responsible body / Responsibilities in terms of risk management

Cabinet
Overview of risk management framework; hold Audit & Governance Committee and CMB accountable for the effective management of risk.

Portfolio holder
Currently Councillor Mike Brookes; lead on Cabinet for risk management issues.

Audit & Governance Committee (A&GC)
Overview of risk management; particular responsibility for recommending the risk management strategy and framework to Cabinet and reviewing annually; also for annual review of strategic risks and receiving regular reports on high residual strategic risk areas.

Corporate Management Board (CMB)
Overview of risk management; responsible for ensuring risk is managed effectively by reviewing strategy, framework and strategic risks annually; agree assessment, prioritisation of risks and action plans; receive regular reports on high residual strategic and operational risk areas.

Senior Managers Forum (SMF)
Implementation of risk management; responsible for implementing the risk management strategy and framework; responsible for managing risks where identified as the lead officer and reporting to CMB and/or Audit & Governance Committee as and when required; responsible for assessing risks of current and new pieces of work.

Employees
All employees have risk management responsibilities and should be aware of the risk management strategy and framework; liaise with line manager to assess risks specific to their area of work; undertake job within risk management guidelines.

Performance & Improvement
Responsible for co-ordinating the risk management framework; drafting and annually reviewing the strategy and presenting to CMB, A&GC and Cabinet; facilitating annual workshops with CMB and A&GC to identify strategic risks; ensuring action plans are drawn up and monitored with exception reporting to CMB & A&GC on high residual risk areas; maintaining the risk register and prompting updates as required; communicating framework to elected Members and all staff; identifying and reporting any common trends and patterns; links with Greater Lincolnshire Risk Management Forum (GLRMF) and ALARM (the national forum for risk management in the public sector).
THE RISK MANAGEMENT CYCLE
THE RISK MANAGEMENT PROCESS
The starting point is always the Council’s corporate objectives – what we are trying to achieve.
By taking each objective and identifying the risks that need to be considered we can start to populate
our strategic risk register. This will be updated at least annually. Identification should include all risks
whether or not they are under the control of the Council.
The standard 15 categories of risk are:
- Contractual/Supplier
- Customer/Citizen
- Economic
- Environmental
- Financial
- Governance
- Legal
- Legislative & Regulatory
- Managerial & Professional
- Partnership
- Physical
- Political
- Procurement/Competitive
- Social/People
- Technological
The operational risks will be identified via line managers. All category A and category B actions in the
Service Development Plans (SDPs) are risk assessed by the relevant line manager. Additional
operational risks are also risk assessed when identified by the line manager. Specific risks are identified
through the project management process and through decision-making reports.
Risks are more easily understood and managed if they are framed as scenarios i.e. broken down into
their component parts. The first part is to identify the root cause or source of the risk. The second part
is to identify the consequences. This fits in with the system used by Lincolnshire County Council to
facilitate future partnership working.
One or more of the 15 categories shown previously will usually prompt the source of the risk. The
consequences tend to focus on four key areas – service delivery; finance; reputation; and/or people.
The aim of analysis is to separate the minor acceptable risks from the more significant ones. It may
require additional information gathering to be able to assess the likelihood and impact of the risk. The
‘score’ enables the risks to be prioritised and managed accordingly. The initial score should reflect the
inherent risk as mitigating action will be considered at a later step.
Risk profiling enables us to concentrate control measures in high risk areas. The risk matrix on the
'Assessment of Risk' form (see Annex 1) has ‘tolerance’ lines to show in general which risks are
acceptable and which require some form of management action. These ‘tolerance’ levels may be
moved in response to a specific risk appetite but in general they remain as shown.
Those risks below the threshold (bottom left) are generally acceptable and require no further
intervention. However, they should still be documented and monitored to ensure they do not move
above the risk tolerance line in the future. Those risks above the threshold (top right) are the highest
priorities and should be considered first, followed by those in the middle area.
Any existing mitigating actions should be challenged to see if they are appropriate and then any extra
or alternative actions should be considered. Should the risk be avoided, eliminated, reduced,
transferred or accepted? A useful framework is to use the 4Ts of risk control:
- Terminate – rarely, we may be able to stop doing the activity altogether
- Tolerate – accept the risk and live with it, particularly if it is within the tolerance threshold or where the cost of mitigating action would outweigh the benefits
- Transfer – move all or part of the risk to a third party or through insurance; however, sometimes accountability still remains so caution is advised
- Treat – take action to control the likelihood and/or impact
It is important to make sure that the action is appropriate to the risk and not to take action for the sake
of it. A cost benefit analysis may be needed to help to achieve the right balance. It also helps to be
clear about exactly what is being treated – cause, consequence, likelihood, impact or a combination.
Control actions should always be SMART – Specific, Measurable, Achievable, Realistic and Timebound.
Review cycles will depend largely on the level of risk with high risk areas being reviewed more
frequently than lower risk areas. The overall process and all risks will be reviewed at least annually.
Reviews may also be triggered by changes in circumstance, as risks do not remain static.
RISK REGISTER
The risk register will be maintained by the Performance & Improvement section. It will be regularly
reviewed, reported to Audit & Governance Committee and available via the Intranet (later through the
Council’s performance software – QPR).
COMMUNICATION
It is important that risk management is communicated in a positive way enabling us all to proactively
deal with negative risks but also to seize opportunities with well-managed risk taking being encouraged.
The Performance & Improvement Manager will attend team meetings and an SMF meeting to raise
awareness of this strategy, the importance of handling risks well and identifying opportunities, the main
risks facing the authority and the main risks facing individual sections. This will also be covered at
induction.
Everyone is encouraged to challenge practices, identify new ways of doing things and be innovative
through this process.
The focus will also be on learning lessons rather than apportioning blame and concentrating at least as
much on how risks have been managed in any given situation rather than just the outcome.
TRAINING
There will be regular training sessions for the Audit & Governance Committee, the Portfolio Holder,
CMB, SMF and nominated staff to ensure that those with key corporate roles to play within this
framework are equipped to do so.
KEY TARGETS AND MILESTONES
Action - Target/Milestone
Audit & Governance Committee (AGC) to identify strategic risks - Nov 06
Draft updated Risk Management Strategy to AGC - Nov 06
Identified strategic risks allocated to officers to draft assessment forms - Nov 06
RMAF benchmarking exercise (see next section) - Nov/Dec 06
Update report to CMB and reporting arrangements agreed - Nov/Dec 06
Draft updated Risk Management Strategy to Cabinet - Dec 06
Drafted assessment forms to AGC for further debate - Jan 07
Awareness raising sessions to SMF and team meetings - Jan/Feb 07
Specific training needs identified - Mar 07
Exception report on high residual risk areas to AGC - Mar 07
Exception report on high residual risk areas to AGC - Jun 07*
Exception report on high residual risk areas to AGC - Sep 07
Annual review of Risk Management Strategy and Policy - Sep 07
* timing subject to meeting dates set after May 2007
BENCHMARKING
The Council is part of the Greater Lincolnshire Risk Management Forum (GLRMF) and a member of
ALARM, the National Forum for Risk Management in the Public Sector. Through these organisations
we will be able to benchmark our performance on risk management as well as move forward in
partnership.
The GLRMF are using the “Risk Management Assessment Framework” (RMAF), an independent
‘maturity’ model developed by HM Treasury and adapted for use by GLRMF led by Lincolnshire County
Council, to track progress and for benchmarking.
There are 7 areas of assessment - Leadership; Strategy & Policies; People; Partnerships; Processes;
Risk Handling; Outcomes. Our aim is to complete a self-assessment against these criteria and
benchmark against our GLRMF partners this year to identify our priorities for improvement in the future
and to inform the next review of the strategy in September 2007.
GLOSSARY
This glossary provides a common understanding of key terminology relating to risk management.
Control
Any action, procedure or operation undertaken to either contain a risk to an acceptable level, or to
increase the probability of a desirable outcome.
Down-side risk
A risk with a negative or unfavourable impact.
Embedding risk management
Ensuring that the risk management Strategy is reflected in the objectives and functions of every level of
the organisation.
Impact
The evaluated effect or result of a particular outcome actually happening.
Inherent risk
The level of risk existing before any treatment measures have been taken.
Likelihood
Used as a qualitative description of probability or frequency.
Operational risk
Risks associated with the day-to-day issues that the organisation is confronted with as it strives to
deliver its objectives.
Residual risk
The level of risk remaining after risk treatment measures have been taken.
Risk
The chance of something happening that will have an impact upon objectives. It is measured in terms
of consequences and likelihood.
Risk analysis
A systematic use of available information to determine how often specified events may occur and the
magnitude of their consequences.
Risk appetite
The range of exposure that is judged to be tolerable for the organisation.
Risk assessment
The overall process of risk analysis and risk evaluation.
Risk control
That part of risk management which involves the provision of policies, standards and procedures to
eliminate or minimise adverse risks.
Risk evaluation
The process used to determine risk management priorities by comparing the level of risk against
predetermined standards, target risk levels or other criteria.
Risk framing
Presenting risks as three-part scenarios, with root causes, triggers and impacts.
Risk identification
The process of determining what can happen, why and how.
Risk management
The culture, processes and structures that are directed towards the effective management of potential
opportunities and adverse effects.
Risk reduction
A selective application of appropriate techniques and management principles to reduce either likelihood
of occurrence or its consequences, or both.
Risk register
A product used to maintain information on all the identified risks pertaining to a particular activity,
project or programme. Also known as the Risk Log.
Risk transfer
Shifting of the responsibility or burden for loss to another party through legislation, contract, insurance
or other means. Risk transfer can also refer to shifting a physical risk or part thereof elsewhere.
Risk treatment
Selection and implementation of appropriate options for dealing with risk.
Stakeholders
Those individuals and organisations who may affect, be affected by, or perceive themselves to be
affected by, the decision or activity.
Strategic risk
Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure
survival.
Up-side risk
A risk with a positive or favourable impact.
Annex 1
ASSESSMENT OF RISK TEMPLATE
A. ASSESSMENT OF INHERENT RISK
Type of risk: Strategic / Operational
Identified by:
Responsible officer:
Source of risk:
  Consider Contracts/Suppliers; Customer/Citizen; Economy; Environment; Finance; Governance; Legal; Legislation/Regulation; Managerial/Professional; Partnership; Physical; Political; Procurement/Competitive; Society/People; Technology
Consequences of risk:
  Consider four key areas - service delivery, finance, reputation and/or people.
Inherent risk score:
Entered onto risk register: Yes / No
Plot the inherent risk score on the risk matrix below:

LIKELIHOOD \ IMPACT      Negligible (1)   Minor (2)   Major (3)   Critical (4)
Almost certain (4)              4             8          12           16
Probable (3)                    3             6           9           12
Possible (2)                    2             4           6            8
Hardly ever (1)                 1             2           3            4

Green: No risk control action required; monitor annually
Yellow: Set target for acceptable risk and take control action to achieve; monitor quarterly
Red: Set target for acceptable risk and take control action as a priority; monitor monthly

Impact definitions:
Negligible: financial loss of <£10,000, inconvenience to the project and/or services, potential reputation issue
Marginal: financial loss of <£25,000, limited disruption to the project and/or services, could affect reputation
Significant: financial loss of <£160,000, major disruption to the project and/or services or medium term failure to deliver services, major damage to reputation inflicted, external intervention likely
Critical: financial loss of >£160,000, major disruption to the project and/or services or major failure to deliver vital services, serious major damage to reputation inflicted, external intervention certain
B. MANAGEMENT OF RISK
Controls required: Yes / No
  Consider the 4Ts - terminate (stop doing the activity altogether); tolerate (if within threshold or where the cost of mitigating action would outweigh the benefits); transfer (move all or part of the risk to a third party or through insurance); treat (take action to control the likelihood and/or impact).
  Be clear about what is being treated - cause, consequence, likelihood, impact or a combination? Is a cost/benefit assessment required to ensure that the controls are appropriate? Control actions should be SMART.
Controls in place:
Controls to be implemented (with target dates):
Residual risk score:
Plot both inherent and residual risk scores on the risk matrix below:

LIKELIHOOD \ IMPACT      Negligible (1)   Minor (2)   Major (3)   Critical (4)
Almost certain (4)              4             8          12           16
Probable (3)                    3             6           9           12
Possible (2)                    2             4           6            8
Hardly ever (1)                 1             2           3            4
Updated on risk register: Yes / No
Date of last review:
Date for next review:
Report to: Line manager / Head of Service / Director / CMB / Audit & Governance Committee
Reporting date:
Outcome: