Appendix 1

LONDON BOROUGH OF CROYDON
Practical Guide to Risk Management

Contents (page numbers)
Section 1: Importance of Risk Management 3
  What is Risk Management? 3
  Why is risk management important? 4
  Benefits of successful risk management 4
Section 2: Roles & Responsibilities 5
  What is your role? 6
Section 3: Risk Management Process 6
  Five steps of risk management 7
  Opportunity Risk Management 14
  Risk Register 14
  JCAD RISK management system 15
Section 4: Corporate Governance and Internal Control 17
  Performance 17
  Partnerships 17
  Project Management 18
Appendices
  Appendix 1: Risk Management Policy Statement & Strategy 19
  Appendix 2: Role of Risk Champions and Risk Support Staff 21
  Appendix 3: Risk Management Steering Group: Terms of Reference 22
  Appendix 4: Categories of Risk 24
  Appendix 5: Impact and Likelihood Classification 25
  Appendix 6: Example risk register 27

Version 2   Owner: Malcolm Davies   Last Updated: October 2011   Next Review Date: April 2012

Section 1: Importance of Risk Management

This document describes the London Borough of Croydon risk management strategy and policy. The aim of the guidance is to ensure that all staff employed by the London Borough of Croydon:
• have a common understanding of the purpose, structure and approach to risk management;
• are aware of their roles and responsibilities;
• can identify, minimise and manage risk effectively; and
• are able to undertake risk management in an open, supportive and transparent environment.

What is Risk Management?

Risk can be defined as "the effect of uncertainty on objectives" (ISO 31000 Risk Management, Guide 73). Risk can be a negative 'threat' or a positive 'opportunity', or a deviation from the expected, and is often described by an event, a change in circumstances or a consequence. Risk is assessed as the combination of the likelihood of something happening and the impact that arises if it does actually happen.
Historically, risk management has been regarded primarily as threat management. However, the management of opportunities is also important because it maximises the benefits to the organisation if a course of action is taken. Some opportunities present themselves as pure chances, but others need to be sought out by the organisation. To maximise benefits, therefore, organisations need to be proactive in identifying and managing potential threats as well as looking for possible opportunities. (See more detail in Section 2.)

The effective management of risk is therefore very important in the public sector. Croydon Council defines risk management as a process by which risks are identified, evaluated and controlled. Good risk management will also help us to explore and take opportunities as they are identified.

Risk management is relevant at any level of the organisation. At the operational level it ensures the ongoing continuity of business and the mitigation of physical hazards or incidents. At the strategic level it is concerned with achieving high level corporate objectives and long term goals. An operational risk is concerned with localised priorities and areas.

Why is risk management important?

The risks associated with the business need to be managed to ensure the achievement of objectives. Government requires public services to promote best practice in service delivery and risk management as an integral part of good business practice. However, risk management is not just a statutory requirement but also an essential element of good management. Effective risk management has several benefits for the organisation.

Benefits of successful risk management

• Enhanced performance: by identifying barriers to achievement there is an increased likelihood of achieving corporate objectives. More efficient use of resources; reduction in business interruptions; added value across service areas and improved service delivery that matches organisational priorities.
• Become less risk averse and hence more innovative. There is a smarter awareness of where opportunities lie and the ability to exploit them fully within our overall priorities.
• Improved business planning through a risk based decision making process.
• Reduction in legal liabilities: risk management can highlight areas of high risk where the council needs to follow set procedures so that the likelihood of non-compliance, and therefore legal liability, is reduced.
• Better outcomes for residents, as risk management makes you consider the potential impacts on the council and the wider Borough if the risk were to occur. If risks are successfully managed this can lead to improved customer relations and increased public satisfaction.
• Improved insurance management: reduced cost of insurance premiums, reduced number/level of claims and reduced uninsured losses.

Section 2: Roles and Responsibilities

This practical guide defines the roles and responsibilities that different employee groups have for the effective management of risk within the organisation. In the London Borough of Croydon, the Deputy Chief Executive & Executive Director of Resources & Customer Services and the Deputy Leader (Statutory) and Cabinet Member for Housing, Finance & Asset Management have overall responsibility for embedding and championing risk management throughout the Council. All Employees, Managers and Councillors are expected to have a level of understanding of how risks and opportunities could affect the performance of the Council and should regard the management of those risks and opportunities as part of their everyday activities.
In addition, key individuals such as the Risk Management Team and Risk Champions have specific leadership roles for risk management within the Council. It is also important that the management of risk is considered when setting the strategic objectives and the long, medium and short term goals of the organisation.

Roles and responsibilities for risk management in detail:

Members: to oversee the effective management of risk throughout the Council; to hold the Extended Management Team accountable for the effectiveness of risk management.

Extended Management Team: to ensure that the Council manages risk effectively through the development of a comprehensive risk management strategy; to monitor high level strategic risks by receiving the corporate risk register on a regular (typically monthly) basis.

Risk Management Team: to support the council and its departments and services in the effective development, implementation and review of the risk management framework; to provide adequate training to other groups within the Council to enable them to carry out their risk management responsibilities; to provide guidance on risk issues such as strategic and operational risk management.

Risk Champions: to champion the cause of risk management within each department, particularly at the strategic level; to take personal responsibility for ensuring that the risk management objectives set out in the policy are achieved and to encourage a risk aware culture in all areas of the organisation. (See Appendix 2 for detailed roles and responsibilities.)

Risk Management Steering Group: to develop a formal framework to assist the Council in managing risks to the achievement of the Council's strategic priorities and the delivery of services to the community. (See Appendix 3.)

Audit Advisory Committee: to review the corporate risk register periodically; to endorse the risk management annual action plan, which outlines the strategic direction of risk management within the council.
Risk Owners (Directors and Heads of Service): responsible for identifying, assessing, managing and reviewing all risks assigned to them; to ensure that all risks are added where appropriate to the corporate risk register and that those regarded as red risks are reported to DMT regularly.

Departmental Management Teams: to ensure that risks are identified and managed effectively in each service area within the agreed risk management strategy; to review strategic risks in a timely fashion.

Corporate Project Office: to devise and implement effective, proportionate and auditable project and programme management standards. This can include guidance on risk management in projects and programmes. For further information please refer to the CPO Intranet Homepage.

Project Managers: to identify and assess risks at the outset of any new or proposed project as part of the project initiation document, and to review risks in a timely manner throughout the life cycle of the project.

Partnership Managers: to identify, assess and manage key risks which may prevent successful joint working and the achievement of agreed objectives. The continual review of risks within the partnership should be encouraged.

All Employees: to manage risks effectively in their jobs and report hazards and risks to their service managers.

Section 3: Risk Management Process

Risk management should be a part of normal business processes and should become the basis for a number of activities such as:
• Setting strategic aims → Corporate Plan
• Setting business objectives → Service Plan
• Part of the budget process → Budget Planning Cycle
• Project planning & key project stages → Project Initiation Document, Project Highlight Reports
• Governance arrangements for partnership working → Local Strategic Partnership (LSP) reporting

The Risk Management Process is not just a scoring or measurement process; it requires judgements and informed decisions to be made.
It is best done as a group exercise, such as a workshop, to involve those who understand the key issues in delivering a service and to form a shared understanding of the key risk areas, the level of risk and the control measure actions that are required.

The five steps of risk management

[Figure: a cycle around THE ORGANISATION'S STRATEGIC OBJECTIVES, with the steps RISK IDENTIFICATION, RISK ANALYSIS, RISK PRIORITISATION, RISK MANAGEMENT and MONITORING AND REVIEW.]

Step 1: Risk Identification

The first step of the risk management process involves the identification of risks. Prior to this step, however, the organisation has to make sure that its corporate objectives, priorities and/or targets have been clearly communicated and understood. These are identified in the corporate plan, the sustainable community strategy and departmental service plans, which should outline specific objectives and expected outcomes.

Risks can be identified in three categories: strategic, operational and governance.

Strategic risks (or opportunities) are most likely to affect the performance and delivery of business services; e.g. a change in legislation may affect the Authority's ability to deliver a service or create a new income generating stream.

Operational risks (or opportunities) are primarily concerned with continuity of service delivery. Strategic and operational risks are not mutually exclusive, and a risk might escalate from an operational risk to a strategic risk; for example, a fire in a school is an operational risk which may be related to the strategic risk of a possible breakdown in the relationship between the Local Authority and schools.

Governance risks (or opportunities) relate to risks which might affect the organisation's reputation, decision making ability and the effectiveness of its strategy; e.g. the risk of employee fraud.
(See Categories of Risk in detail in Appendix 4.)

There are several methods which can be used to identify risks, such as document examination, flow chart analysis (to identify interdependencies within a business), physical surveys, workshops and interviews with key personnel. The method used will depend on the nature of the risk; e.g. physical/operational risks may be identified through physical surveys plus flow chart analysis, while strategic and governance risks may be better identified through interviews or workshops.

Once risks are identified, a risk register should be created. Croydon Council uses a specific risk management information system called JCAD RISK as a database to record risks, which can then form a Risk Register Report. This database allows other useful information to be added, such as the risk owner, cost analysis and proximity of the risk. The system and the risk register are described in the section "JCAD RISK management system".

Step 2: Risk Analysis and Rating

The next step is to define the identified risk in detail. Croydon Council uses a two part risk scenario: Likelihood and Impact. Risk refers to the possible event which you would want to mitigate if it were a threat or maximise if it were an opportunity. Impact refers to the consequence the risk may have on the service/project/partnership/wider council and the Borough.

Examples:

Operational risk example
Risk: Fire in Taberner House, resulting in the evacuation of the central complex.
Impact: Unable to provide council services, including face to face services in Access Croydon.

Strategic risk example
Risk: Failure to meet local area agreement targets due to uncoordinated strategies.
Impact: Not achieving the desired outcomes for the benefit of local residents, and damage to the Council's reputation for failing to meet LAA targets.
Once risks have been analysed they need to be rated in order to prioritise the risks that pose the greatest threat (or opportunity). This is done by looking at both the likelihood and the impact of the risk. Impact means thinking about the effect of the risk if it should become a reality (what would the consequence be?). Likelihood is looking at the possibility of the risk materialising. Croydon has adopted a 5 by 5 likelihood and impact matrix, as shown below, to assess the value of the risk. (Link to One Page Guide to Risk Management & Risk Scoring)

Assessing Likelihood
5. Almost Certain
4. Likely
3. Possible
2. Unlikely
1. Rare

Assessing Impact
5. Extreme
4. Very High
3. Medium
2. Low
1. Negligible

The impact of the risk is calculated using the following Impact Classification Matrix. This helps users in Croydon to decide the seriousness of the impact. Each level (threat or opportunity) is described across five areas: service disruption/improvement; financial loss/gain; reputation (both positive and negative); litigation, claim or fine; and people.

Extreme (5)
  Service: Total failure of service / major service improvement
  Financial: Over £5m
  Reputation: National publicity for more than 3 days
  Litigation: Failure to provide statutory service/meet legal obligations; multiple civil or criminal suits; litigation, claim or fine above £5m
  People: Fatality of one or more clients/staff

Very High (4)
  Service: Serious disruption to service / service development
  Financial: £500k - £5m
  Reputation: National public or press interest
  Litigation: Litigation, claim or fine £500k - £5m
  People: Serious injury; permanent disablement of one or more clients/staff

Medium (3)
  Service: Disruption to service / positive service delivery change
  Financial: £50k - £500k
  Reputation: Local public/press interest
  Litigation: Litigation, claim or fine £50k - £500k
  People: Major injury to an individual

Low (2)
  Service: Some minor impact on service, positive or negative
  Financial: £5k - £50k
  Reputation: Contained within department
  Litigation: Litigation, claim or fine £5k - £50k
  People: Minor injuries to several people

Negligible (1)
  Service: Annoyance but does not disrupt service
  Financial: Less than £5k
  Reputation: Contained within unit/section
  Litigation: Litigation, claim or fine less than £5k
  People: Minor injury to an individual

The likelihood of a risk occurring is estimated following the guidelines below.

Likelihood Classification for an event occurring in a given year:
5. Almost Certain: expected to occur in most circumstances (> 80%).
4. Likely: will probably occur in most circumstances (51% - 80%).
3. Possible: fairly likely to occur (21% - 50%).
2. Unlikely: could occur at some time (6% - 20%).
1. Rare: may occur only in exceptional circumstances (0 - 5%).

Once the level of impact and likelihood has been identified, a risk score can be calculated using the following equation:

Risk Rating (Score) = Impact × Likelihood

(See the Impact and Likelihood classification document in Appendix 5.)

Step 3: Risk Prioritisation

Once the risk rating has been calculated, the risk owner can prioritise between the different risks to ensure the correct risks receive immediate attention. Croydon Council uses the following risk prioritisation matrix: risks with the highest score are treated as priority and require immediate management and monitoring. The following table shows how risks with the different score levels are managed. Green rated risks are deemed an acceptable tolerance level.
Score 20-25: those risks requiring immediate management and monitoring.
Score 9-19: those risks requiring management and monitoring, but less time critical.
Score 1-8 (green): those risks which require ongoing monitoring.

The above process is calculated automatically when using the JCAD RISK software.

Step 4: Risk Management

Once the high level identification and prioritisation of risk areas has been completed, control measures need to be identified which will mitigate the risks. It is important to keep in mind that most risks cannot be eliminated altogether, which means a crucial part of risk management is making judgements about what level of risk is acceptable. There are four categories of response that the Council can take:

Transfer: the organisation can decide to shift the responsibility or burden for the loss to another party, or to share risks in part or in full with another stakeholder. The main method of transferring risk is through contract management, for example insurance or outsourcing a service to a third party. However, it should be noted that in reality it is not possible to transfer a risk entirely, as the statutory obligation to provide certain services remains with the local authority even if the delivery of the service is outsourced. Therefore legal liability risks cannot be completely transferred.

Treat: put procedures and controls in place to reduce the likelihood and/or impact of the risk. For example, the impact of the fire risk in Taberner House can be treated by applying control measures such as fire alarms, regular fire drills and sprinkler systems.

Terminate: eliminate or avoid the risk by ceasing the activity or choosing an alternative approach or process which makes the risk no longer relevant.

Tolerate: the organisation may decide to retain risks, monitor the situation and bear losses out of normal operational costs.
An informed decision is made to accept the likelihood and impact of a particular risk. The reason for this action may be that the council's ability to manage the risk is limited, or that the cost of taking any action would be disproportionate to the cost of the risk occurring.

As part of the process of applying control measures, risk owners should weigh up the cost/benefit of investing in control measures. If the cost of a control measure exceeds the benefit of mitigating the risk, then it may be reasonable to tolerate the risk. It should be noted, however, that the cost of a risk occurring is not just financial: it can also be reputational, affect the wellbeing of staff or result in a claim or fine. Therefore the probability and impact of the risk should be evaluated when making this decision. In practice the expectation is that managers will continue to develop and implement control measures until the risk has reached a score which is considered to be acceptable. In Croydon the JCAD RISK system enables risk owners to capture the cost of the resources required to put the control measure(s) in place.

Step 5: Monitor and Review

The monitoring of risks is key to the successful management of risks. Departments are responsible for the effective monitoring of their risks, risk assessments, controls, assurances and the accuracy of risk entries and related material on JCAD RISK. The risk landscape needs to be regularly monitored since no risks remain static. Departments should review their risks at least once a month for high rated risks and every 3 months for all other risks. This is to ensure that new risks are identified and existing ones are continually reassessed.
Croydon Council's review process:
• The Audit Advisory Committee reviews red risks.
• Cabinet Members receive risk reports for their portfolio.
• Leadership reviews red risks on a regular basis.
• Red risks are reported to EMT on a regular basis as part of the Corporate Performance Dashboard.
• Departmental Management Teams review high level risks regularly and all risks at least annually.
• All reports to Members should include a section on Financial and Risk Assessment Considerations, where any potential strategic, operational or governance risk which may prevent the achievement of objectives should be identified.

In addition to the review process outlined above, the entire risk register should be reviewed annually, possibly during the strategic planning period. Project, Programme and Partnership risks should also be reviewed by the appropriate stakeholders on a regular basis. This is currently set as 30 days for high rated risks, 3 months for medium rated risks and annually for low rated risks. The reminder system within the JCAD system is set to these parameters. The JCAD RISK system supports the review process by sending automatic e-mail reminders to risk owners when a review is due.

Opportunity Risk Management

The effective management of opportunities is also an important feature of risk management. Opportunities should be managed in the same way as negative risks. The five step Risk Management Process outlined above can also be applied to opportunities which may arise. This is particularly relevant for projects, programmes and partnership working.

Example of an opportunity:
Opportunity: Working with another local authority to deliver a future strategic programme.
Impact: Delivering the programme in partnership will lead to:
- economies of scale savings
- reduction in administrative support
- sharing of best practice across both authorities

Opportunities, and the risk of missed opportunities, should be entered on the departmental risk register in the same way as a threat. Control measures should aim to maximise the opportunities and/or minimise the threat of missing opportunities.

The Risk Register

The information identified during the risk management process should always be recorded. Most organisations use a risk register to do this. A risk register provides a central point to log all of the identified risks against business objectives and to capture detailed information about each risk, such as a brief description, its likelihood, its impact, the control measures used, the name of the risk owner, etc. The purpose of a risk register is to collect sufficient information to enable risk response planning and subsequent control. Croydon Council uses an online database called JCAD RISK.

Croydon Council's risk register contains the following headings:
Risk reference: identifies every risk entered into the risk register.
Risk Scenario: describes the risk and identifies the possible impact.
Assigned to: identifies the risk owner (this must be a single person, not a group of people).
Existing controls: details the control measures already implemented.
Current risk rating: the risk rating calculated taking the existing control measures into consideration.
Future control measures: identifies the actions planned in order to control the risk further.
Future risk rating: the target risk rating which can be achieved if the future control measures are applied.
Example of Croydon Council's Risk Register:

Risk Ref.: RCS000
Risk Scenario:
  Risk: A flu pandemic results in 25% of the workforce absent at any one time.
  Impact: Disruption to service delivery, increased spending on temporary staff.
Assigned to: John Smith
Existing Controls: Business Continuity plans in place for the department
Current Risk Rating: Likelihood 4, Impact 3, Total 12
Future Control Measures: Cross training of personnel
Future Risk Rating: Likelihood 3, Impact 3, Total 9

This template, while in Excel, follows the same format as used in JCAD RISK. Link to Risk Register Template (Excel) (or see Appendix 6: Risk Register Template).

JCAD RISK management system & risk escalation

The JCAD RISK system allows the recording of individual risks and information about them, and also provides the facility to produce reports which can be used to manage risk both individually and collectively. This tool is user-friendly and contains all the functionality required to record and dynamically monitor, audit, analyse and manage by exception the entire risk register. The system also sends reminder emails to all users when the review of a risk assigned to them is due, which makes the review and monitoring process more effective. It ensures that, if action is required, alternative measures can be applied to manage risks on time.

Red risks (score 20 and above) are reviewed monthly at EMT. These risks are in turn reported to Leadership and to the Audit Advisory Committee. Departments are also advised to review high amber risks (score 15 and above) monthly and all other risks at least annually. By these means a formalised escalation process for any corporate risk is provided for within the risk management policy and strategy of the Council.
When using the JCAD RISK system it is possible to link identified risks to different corporate objectives, identify the nature of risks and assign them to the relevant risk category. The system also has a powerful reporting facility which makes monitoring and review easier. The most commonly used reports are the Croydon Risk Register, which displays risks by department, project or programme (see the example above), and the Risk Status Report, which gives an overview of the changes in rating over a period of time and the number of control measures applied.

JCAD RISK can be accessed via the web at https://croydon.jcadrisk.com/ and is used by risk owners such as directors or heads of service, project, programme and partnership managers and Cabinet Members. This version allows users to view risks and control measures and, if authorised, to change, add or withdraw risks and control measures and generate basic reports such as the risk register and dashboard.

Internal Audit conducts a programme of risk based auditing and therefore uses the JCAD RISK system to inform its annual audit programme. In addition, most audit reports contain a risk management level of assurance in an appendix to the report. This includes assurance around the risk register and any recommendations.

Section 4: Corporate Governance and Internal Control

Risk management in any organisation should form an important part of its corporate governance and internal control process. Corporate governance can be defined as the ongoing activity of maintaining a sound system of internal control to ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect the assets, earnings capacity and reputation of the organisation.
A sound system of internal control and corporate governance will help the Council to achieve its corporate objectives and lead to improved performance.

Performance

All risks in the JCAD system have been linked to the high level corporate visions and strategies. This allows easy identification of risks which may impact key performance areas. The Council's Performance Dashboard assesses performance in delivering the corporate priorities and the targets that underpin them within the Corporate Plan and Departmental Service Plans. It is a strategic level report which provides a 'bird's eye view' of how the council is performing. The report is submitted quarterly and monitors the Council's National Indicators, Finances, Projects, Customer Indicators, HR indicators and Risks. It highlights areas which are underperforming so they can be dealt with promptly. Currently this report is reviewed by EMT.

Risk management is also important when the organisation tries to achieve its strategic and medium term goals. Partnerships play an increasing role in achieving strategic goals, and medium term goals are usually addressed through programmes and projects. Croydon Council has already achieved good results in developing an integrated risk management approach for its significant partnerships and is working towards a similar strategy for major projects as well.

Partnerships

It is important that public sector organisations work together to maximise their service delivery across the borough. The government also places emphasis on improving partnership working between local authorities, other public bodies, business, community groups and the voluntary sector. In order to achieve these goals organisations need to commit resources, in terms of officer time or direct financial funding, to develop and deliver the desired outcome. Part of this process should involve identifying the risks and opportunities which might prevent, or help, the partnership achieving its objectives.
Croydon Council developed a joint risk management framework with its significant partners via the Local Strategic Partnership (LSP) using the Council's risk management system. The Council has key streams, each with its own partnership manager:

Each key stream has developed a joint risk register during a multi-agency risk workshop. A good example of effective partnership management is the use of joint partnership risk registers. It is recommended that a joint risk register approach is developed for all major partnerships which the council enters into. Facilitation of this process can be conducted by the Risk Management Team.

Project management

Effective project management is crucial for an organisation's success because any organisation can only achieve its goals through the delivery of some fundamental projects. It was estimated by the Employee's Organisation for Local Government that up to 70% of local authority work is project based. This indicates that organisations spend a significant amount of resources on project work. Efficient project management will ensure that projects are delivered at the right time, within budget and to the agreed scope. In order to minimise losses and maximise the chances of success, the risks (threats and opportunities) associated with a project have to be recognised and managed.

Advantages of effective risk management in projects:
• Prioritise actions and management focus
• Support decision making
• Identify required contingency plans
• Improve communication
• Team involvement
• Governance compliance
• Minimise overspend
• Reduce the chance of overruns
• Improve the quality of service delivery

In Croydon Council all corporately significant projects have risk registers on the Council's JCAD risk management system. A council wide project management framework is in place.
Details can be found on the Council's intranet (Link to CPO Homepage). The framework involves the creation of a Corporate Programme Management Office to support and provide information to all project and programme boards. The Council's well-developed project risk management approach also includes the consideration of possible opportunities that relate to major projects.

Appendix 1 Risk Management Policy Statement & Strategy

Croydon Council (the Council) is aware that risks will always arise from its various duties and functions. Some risks will always exist and will never be eliminated. However, the Council recognises that it has a responsibility to manage its significant business risks and supports a structured and focused approach to managing risk through approval and support of the Council's risk management strategy. In this way the Council will better achieve its corporate objectives and enhance the value of the services it provides to the community, whether directly or via its many partnership arrangements.

The Council's risk management strategy's objectives are to:
• Identify corporate and operational risks
• Assess the risks for likelihood and impact
• Identify mitigating controls
• Allocate responsibility for the mitigating controls

The Council maintains and reviews a register of its corporate business risks, linking them to strategic business objectives and assigning ownership of each risk. The Executive Director of Resources & Customer Services and the Cabinet Member for Economic Development & Corporate Services will jointly champion and take overall responsibility for embedding risk management throughout the Council.
The Council will embed risk management in its corporate business processes including:
• Strategic planning
• Financial planning
• Policy making and review
• Performance management
• Partnership working
• Project management

Reports to support strategic policy decisions and project initiation documents will include a risk assessment. Croydon will also consider positive risks (opportunities) as well as negative risks (threats) in relation to its business planning.

Members

All members will receive risk management awareness training in relation to their role. In addition, the member committee with responsibility for risk management reviews reports quarterly and takes appropriate action to ensure that corporate business risks are being actively managed, including detailed reporting from officers on key risks. Cabinet Members will be trained on, and given access to, the Council's corporate risk management software.

Officers

All staff will be given appropriate training and guidance to enable them to take responsibility for managing risk within their own working environment. All named risk owners have access to the corporate-wide risk register system and will be required to update and maintain their entries on the system.

The risk management strategy will allow for a formalised route for the escalation of risk: risks rated as 'high amber' (rated 16) are escalated from departments to the extended management team on a quarterly basis, and 'red' risks (rated 20 or above) are escalated to the extended management team on a monthly basis and reported onwards to members in the form of Leadership and the Audit Advisory Committee.
Councillor Dudley Mead - Deputy Leader (Statutory) and Cabinet Member for Housing, Finance & Asset Management
Jon Rouse, Chief Executive
Nathan Elvery, Deputy Chief Executive and Executive Director of Resources & Customer Services

Appendix 2 Role of Risk Champions and Risk Support Staff

- To act as the main contact for their department on risk management matters, ensuring that corporate information and requirements are communicated throughout the department.
- To represent their department at the Risk Management Steering Group.
- To provide support on risk management to directors, heads of service and other managers across the department.
- To promote the benefits of risk management across the department.
- To identify their department's risk management training needs and report these to the Risk and Insurance Team.
- To maintain, on behalf of the department, a risk register that complies with corporate guidelines, including encouraging the identification of new risks.
- To act as the main contact for risk management with regard to the reporting requirements of EMT, Leadership, Cabinet Members and the Audit Advisory Committee.
- Risk Champions to update the departmental risk register on behalf of other Directors.

Appendix 3 Risk Management Steering Group: Terms of Reference

The Risk Management Steering Group will develop a formal framework to assist the Council to manage risks for the achievement of the Council's strategic priorities and the delivery of services to the community. The Group will consist of risk champions from every department (at second tier level), a representative from Internal Audit, the Head of Risk Management & Insurance, the Risk Management Team and other seconded staff as required from time to time.

Aims and objectives

The Group will:

1. Draw upon the recognised risk management skills from across the Council and from external advisors or consultants to provide a more cohesive service to the corporate body and service departments.
2. Encourage a comprehensive approach to the management of hazards and risks so that these can be assessed at the outset of any project, during the delivery of a service, and also where adaptations need to be made because of experience and/or the emergence of new technology, legislation or trends.
3. Maintain a formal framework for the management of risks in respect of strategic and operational hazards, linking back to strategic business objectives. This process is to consider positive risks (opportunities) as well as negative risks (threats).
4. Provide advice and guidance in relation to partnership risk.
5. Develop methods to inform the Council's Management Team and Members of the total cost of risk, including costs of crime and other insured and uninsured losses.
6. Analyse and collate departmental reports on self-assessment of risks and, every quarter, produce a summary for the Council Management Team and Members. This analysis will identify hazards and risks that affect a number of departments and the corporate body. It will also forward the departmental reports to the Council Management Team.
7. Make recommendations to the Council's Management Team as to how:
   o generic and cross-departmental hazards and risks identified by departmental risk assessments can be addressed corporately;
   o legislative changes and trends affect the Council, and ensure that, where action is required, it is carried out in a timely and effective manner.
8. Take responsibility for embedding risk management in corporate business processes including strategic planning, financial planning, policy making and review, and performance management.
9. Train and support the Group members as 'champions' for risk management within their own departments.
10. Further develop existing and new partnerships with external agencies or other bodies to assist the Council and its staff, the community and visitors to Croydon by managing hazards and risks.
11. Introduce training on risk management to Group members, departmental teams and throughout the Council by harnessing existing methods of training and, where required, developing new training schemes.
12. Design and maintain a system to disseminate information throughout the Council, and establish a corporate intranet site containing guidance and information to enable colleagues to access information.
13. Disseminate information and guidance to departments, the Council Management Team and Members on a regular basis, including information on initiatives, developments and action plans.
14. Provide advice, via 'champions' and other means, on any changing requirements in the reporting or assessment of risk arising from HM Treasury requirements, the Audit Commission, or reports of private or public sector best practice.
15. Review the completeness and accuracy of risks included in the corporate risk register through discussions with relevant individual managers.
16. Report to the Chief Executive, the Council Management Team and Members on the management of risk throughout the Council.

It is acknowledged that it is the responsibility of every department to implement Croydon Council's Risk Management Policy and support the Group in its activities, and that departments have responsibility and accountability for identifying, assessing and managing the risks that could impact on their areas of activity.
Councillor Dudley Mead - Deputy Leader (Statutory) and Cabinet Member for Housing, Finance & Asset Management
Jon Rouse, Chief Executive
Nathan Elvery, Deputy Chief Executive and Executive Director of Resources & Customer Services

Appendix 4 Categories of Risk

Source of Risk: Risk Examples

STRATEGIC (external drivers)

Infrastructure: Functioning of transport, communications and utilities infrastructure. The impact of storms, floods and pollution. Development in the Borough rendering infrastructure inadequate.

Politics & Law: Effects of changes of government policy, UK or EC legislation, national or local political pressure or control, and meeting the administration's manifesto commitments.

Social Factors: Effects of changes in demographic, residential and social trends on the ability to deliver objectives. Excess demands on services.

Technology: Capacity to deal with obsolescence and innovation, product reliability, development and adaptability, or the ability to use technology to address changing demands.

Competition & markets: Factors affecting the competitiveness (cost and quality) of the service and/or the ability to deliver Best Value and general market effectiveness.

Stakeholder-related factors: Satisfaction of citizens, users, central and regional government and other stakeholders regarding meeting needs and expectations.

Environmental: Environmental consequences of progressing strategic objectives (e.g. in terms of energy efficiency, pollution, recycling, emissions etc.).

Finance: Associated with accounting and reporting, internal financial delegation and control, failure to prioritise or allocate budgets. Insufficient resources or lack of investment.

OPERATIONAL (internal drivers)

Human Resources: Recruiting and retaining appropriate staff and applying and developing skills in accordance with corporate objectives, reliance on consultants, employment policies, health & safety, and absence rates. Migration of staff to the contact centre.

Contracts: Failure of contractors to deliver services or products to the agreed cost and specification. Issues surrounding working with agencies. Procurement, contract and relationship management.

Partnerships: Overall partnership arrangements, e.g. for pooled budgets or community safety. PFI, LSVT and regeneration.

Tangible Assets: Quality issues. Inadequate buildings/assets. Security of land and buildings, safety of plant and equipment, control of IT hardware. Issues of relocation.

Environmental: Relating to pollution, noise or the energy efficiency of ongoing operations.

Processes & professional judgements: Errors and omissions associated with professional judgement. Inspection compliance, project management, performance management, benefits system, environmental management system (EMS). Not achieving targets, failure to implement agendas and service failure. Also risks inherent in professional work.

GOVERNANCE

Integrity: Fraud and corruption, accountability and openness, legality of actions and transactions, and limits of authority.

Leadership: Reputation, publicity, authority, democratic renewal, trust and identity. Ensuring clarity of purpose and communication.

Policy & strategy: Policy planning, community planning, and monitoring and managing overall performance. Not seeking or following advice from the centre.

Data & information for decision making: Data protection, data reliability and data processing. Information and communication quality. Effective use and interpretation of information. Control of data and information. E-government and service delivery. Inappropriate and/or lack of software. Storage issues.

Risk Management: Incident reporting and investigation, risk measurement, evaluation and monitoring. Internal control and business continuity issues.
Link to Guide to risk categorisation

Appendix 5 Impact and Likelihood Classification

RISK IDENTIFICATION & ASSESSMENT

Impact Classification

Each impact/benefit level is scored from 5 (Extreme) down to 1 (Negligible) and is described against five columns. The first three (service disruption/improvement, financial loss/gain, and reputation) apply to both threats and opportunities; the last two (failure to provide a statutory service or meet legal obligations, and people) apply to threats only.

5 Extreme
  Service disruption/improvement: Total failure of service / major service improvement
  Financial loss/gain: Over £5m
  Reputation: National publicity for more than 3 days
  Statutory/legal: Multiple civil or criminal suits. Litigation, claim or fine above £5m
  People: Fatality of one or more clients/staff

4 Very high
  Service disruption/improvement: Serious disruption to service / service development
  Financial loss/gain: £500k - £5m
  Reputation: National public or press interest
  Statutory/legal: Litigation, claim or fine £500k - £5m
  People: Serious injury. Permanent disablement of one or more clients/staff

3 Medium
  Service disruption/improvement: Disruption to service / positive service delivery change
  Financial loss/gain: £50k - £500k
  Reputation: Local public/press interest
  Statutory/legal: Litigation, claim or fine £50k - £500k
  People: Major injury to an individual

2 Low
  Service disruption/improvement: Some minor impact on service, positive or negative
  Financial loss/gain: £5k - £50k
  Reputation: Contained within department
  Statutory/legal: Litigation, claim or fine £5k - £50k
  People: Minor injuries to several people

1 Negligible
  Service disruption/improvement: Annoyance but does not disrupt service
  Financial loss/gain: Less than £5k
  Reputation: Contained within unit/section
  Statutory/legal: Litigation, claim or fine less than £5k
  People: Minor injury to an individual

Select the highest category to score the risk.

Likelihood Classification (for an event occurring in a given year)

5. Almost Certain: expected to occur in most circumstances (> 80%).
4. Likely: will probably occur in most circumstances (51% - 80%).
3. Possible: fairly likely to occur (21% - 50%).
2. Unlikely: could occur at some time (6% - 20%).
1. Rare: may occur only in exceptional circumstances (0 - 5%).

Risk Rating/Scoring = Impact × Likelihood

RISK MANAGEMENT

Prioritisation of Risks

20-25: Those risks requiring immediate management and monitoring.
9-19: Those risks requiring management and monitoring but less time critical.
1-8: Those risks which require ongoing monitoring.

Approaches that can be adopted for the management of risk:

Eliminating or avoiding: Changing or abandoning goals specifically associated with the risk in question, or choosing alternative approaches or processes that make what was a risk no longer relevant.
Risk sharing: Sharing risks in part or in full with another stakeholder, who could be involved solely to facilitate risk treatment.
Reducing the probability: Changing the approach: identifying causal links between threat and impact, or the causes of the threat, and intervening to mitigate occurrence, acting to reduce the threat.
Reducing the impact: Developing contingency plans for responding to the threat if it occurs, even if other steps have been taken to minimise the risk.

Appendix 6 Risk Register Template (Excel)

Columns: Risk Reference; Risk Scenario; Risk Impact; Assigned To; Existing Controls; Current Risk Rating (Impact, Likelihood, Total); Future Control Measures; Future Risk Rating (Impact, Likelihood, Total).
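A worked example, added here and not part of the Council's guide or its JCAD system, that applies the impact and likelihood scales above, the 'select the highest category' rule, the Impact × Likelihood rating, the prioritisation bands and the escalation thresholds from the policy statement (high amber at 16, red at 20 or above) to entries shaped like the Appendix 6 template. Assumptions not stated in the guide: each financial band includes its lower bound and only an amount strictly over £5m scores 5; the likelihood bands are whole percentages, so exactly 80% is still 'Likely'; a rating below 16 stays on the departmental register; the litigation/fine bands use the same thresholds as the financial column, so one function scores both; the two register entries (IT-01 and BC-02), their owners and their controls are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration of the Appendix 5 scales, Appendix 6 template and escalation thresholds; not from the guide or JCAD.
IMPACT_SCALE = {5: "Extreme", 4: "Very high", 3: "Medium", 2: "Low", 1: "Negligible"}
LIKELIHOOD_SCALE = {5: "Almost Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
FINANCIAL_BANDS = ((500_000, 4), (50_000, 3), (5_000, 2))  # lower bound in GBP -> score
LIKELIHOOD_EDGES = ((0.80, 5), (0.50, 4), (0.20, 3), (0.05, 2))  # strictly above -> score
PRIORITY_BANDS = ((20, 25, "immediate management and monitoring"),
                  (9, 19, "management and monitoring (less time critical)"),
                  (1, 8, "ongoing monitoring"))

def financial_impact_score(amount_gbp: float) -> int:
    """Financial column. Assumption: a band includes its lower bound (exactly £500k
    scores 4) and only an amount strictly over £5m scores 5."""
    if amount_gbp > 5_000_000:
        return 5
    for lower, score in FINANCIAL_BANDS:
        if amount_gbp >= lower:
            return score
    return 1

def likelihood_score(annual_probability: float) -> int:
    """Likelihood in a given year. The bands are whole percentages (>80, 51-80, 21-50,
    6-20, 0-5), so exactly 80% is still 'Likely' and anything above it 'Almost Certain'."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {annual_probability}")
    for edge, score in LIKELIHOOD_EDGES:
        if annual_probability > edge:
            return score
    return 1

def overall_impact(dimension_scores: Dict[str, int]) -> int:
    """'Select the highest category to score the risk' across the columns assessed."""
    if any(v not in IMPACT_SCALE for v in dimension_scores.values()):
        raise ValueError(f"impact scores must be 1-5: {dimension_scores}")
    return max(dimension_scores.values())

def risk_rating(impact: int, likelihood: int) -> int:
    """Risk rating = Impact * Likelihood."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError("impact and likelihood must each be 1-5")
    return impact * likelihood

def priority(rating: int) -> str:
    for low, high, text in PRIORITY_BANDS:
        if low <= rating <= high:
            return text
    raise ValueError(f"rating {rating} is outside 1-25")

def escalation(rating: int) -> str:
    """Red (20+) monthly to the extended management team, then Leadership and the Audit
    Advisory Committee; high amber (16) quarterly. Assumption: below 16 stays departmental."""
    if rating >= 20:
        return "red: extended management team monthly, then Leadership and Audit Advisory Committee"
    if rating >= 16:  # only 4 x 4 gives 16; no product of two 1-5 scores lies in 17-19
        return "high amber: extended management team quarterly"
    return "departmental register"

@dataclass
class RegisterEntry:  # one row of the Appendix 6 template, impacts scored per column
    reference: str
    scenario: str
    impact_description: str
    assigned_to: str
    existing_controls: str
    current_impacts: Dict[str, int]
    current_likelihood: int
    future_control_measures: str = ""
    future_impacts: Optional[Dict[str, int]] = None
    future_likelihood: Optional[int] = None

def assess(entry: RegisterEntry) -> Dict[str, object]:
    """Fill the rating columns and flag planned controls that do not lower the rating."""
    cur_impact = overall_impact(entry.current_impacts)
    cur = risk_rating(cur_impact, entry.current_likelihood)
    out = {"reference": entry.reference, "current": (cur_impact, entry.current_likelihood, cur),
           "priority": priority(cur), "escalation": escalation(cur), "future": None, "warnings": []}
    if entry.future_impacts is not None and entry.future_likelihood is not None:
        fut_impact = overall_impact(entry.future_impacts)
        fut = risk_rating(fut_impact, entry.future_likelihood)
        out["future"] = (fut_impact, entry.future_likelihood, fut)
        if fut > cur:
            out["warnings"].append("future rating exceeds current rating")
        elif fut == cur:
            out["warnings"].append("planned controls do not change the rating")
    return out

def sample_register() -> List[RegisterEntry]:  # constructed entries, not the Council's own
    return [
        RegisterEntry("IT-01", "Loss of an unencrypted laptop holding resident data",
                      "Data protection breach, press interest, regulatory penalty",
                      "Head of ICT", "Asset register; password policy",
                      {"reputation": 4, "statutory": financial_impact_score(120_000), "service": 2},
                      likelihood_score(0.30), "Full-disk encryption on all mobile devices",
                      {"reputation": 4, "statutory": 3, "service": 2}, likelihood_score(0.04)),
        RegisterEntry("BC-02", "Extended loss of the main data centre", "Total failure of online services",
                      "Director of Resources", "Nightly backups; no secondary site",
                      {"service": 5, "financial": 4}, 4, "No additional measures funded this year",
                      {"service": 5, "financial": 4}, 4),
    ]
```

Calling assess on each entry of sample_register() gives IT-01 a current rating of 12 (impact 4 from the reputation column, likelihood 3), which sits in the 9-19 band and stays departmental, falling to 4 once encryption makes the loss 'Rare'; BC-02 scores 20, is red, and carries a warning because its future columns repeat the current ones. That warnings list is the check a reviewer wants when the future-rating columns are completed: planned controls that leave the rating unchanged, or raise it, should be questioned before the register is signed off.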