Risk Management Framework - Gloucestershire's Office of the Police

POLICE AND CRIME COMMISSIONER FOR GLOUCESTERSHIRE
&
GLOUCESTERSHIRE CONSTABULARY

Risk Management Framework

Title: Management of Risk for the Force
Authors: Planning & Governance Services Unit, BID
Date prepared: 30 September 2010
RMF Version 2.9 revised 15 Nov 2012
Statement
The Risk Management Policy for the Police and Crime Commissioner for
Gloucestershire and Gloucestershire Constabulary (the Commissioner and
Constabulary) is to adopt recognised best practice in the identification,
evaluation and cost effective control of risks and opportunities to ensure that
they are managed at acceptable levels.
We use the definition of risk ‘An uncertain event or set of events which,
should it occur, will have an effect on the achievement of objectives’ [1].
Good risk management will support and enhance the decision making
process, increasing the likelihood of the Commissioner and Constabulary
meeting their objectives and enabling them to respond quickly to new threats
and opportunities.
Aims
This framework aims to ensure there is a planned and systematic approach to
identifying, evaluating and managing the risks, both threats and
opportunities, facing the Commissioner and Constabulary. The framework is
underpinned by procedures that detail the responsibilities, process and
structure for delivering effective risk management.
Objectives
The primary objective of the risk management process is to manage threats in
a way that reduces the likelihood of them occurring and minimises their
impact should they materialise. Associated objectives are to:
- Integrate risk management into planning and performance frameworks
- Ensure the Commissioner and Constabulary operate under sound
  principles of Corporate Governance
- Improve strategic, operational and financial management
- Prevent or reduce events that could damage reputation and public
  confidence
- Improve service delivery and value for money
Application & Communication
All officers and employees must be made aware of the importance of risk
management and their role in promoting better risk management. In order to
achieve this, a communication strategy will be developed by Risk
Management.

[1] As defined by the OGC Management Of Risk: Guidance for Practitioners
This strategy will ensure that:
- The Commissioner’s and Constabulary’s Strategy & Framework on
  Risk Management is disseminated throughout both organisations.
- Risk-related information is communicated to the appropriate recipient.
- Any risk of breakdown in communication, leading to inaccurate/out of
  date risk management information and potentially greater exposure, is
  minimised.
Outcomes
The adoption of this framework will have the following implications for the
Constabulary within several specified areas:
- The Police and Crime Commissioner (via their Audit Committee) and the
  Constabulary (via the Risk Review Group, RRG) will each identify the
  level of risk they will tolerate. This is the appetite for risk.
- Police Officers and Staff will be encouraged to raise potential risks that
  may concern them.
- The Commissioner and Constabulary will adopt a Standard Operating
  Procedure for Risk Management.
- An embedded culture where everyone is aware of the Commissioner’s
  and Constabulary’s approach to risk and their responsibilities in relation
  to it.
We will do this by:
- A formal initial and periodic evaluation of organisational risks using a
  standard corporate methodology.
- The development of appropriate control strategies and ongoing
  monitoring of progress and impact.
Table of Contents
Risk Management Framework ...................................................................... 1
Statement ..................................................................................................... 2
Aims .............................................................................................................. 2
Objectives ..................................................................................................... 2
Application & Communication ....................................................................... 2
Outcomes ..................................................................................................... 3
Context ......................................................................................................... 5
Approach ...................................................................................................... 5
Structure ....................................................................................................... 6
Responsibilities ............................................................................................. 6
Business Continuity Management................................................................. 6
Appendix 1 – The Risk Management Process .............................................. 8
Appendix 2 – Risk Management Structure .................................................. 16
Appendix 3 – Roles & Responsibilities........................................................ 17
Appendix 4 – Risk Register ......................................................................... 18
Terminology ................................................................................................ 18
RMF Version 2.9 revised 15 Nov 2012
4
Context
Gloucestershire Constabulary delivers a range of essential services to a
countywide population in excess of 575,000 people, as well as supporting a
number of sites of strategic national importance. Inevitably, through its
day-to-day business it will encounter varying degrees of risk.
The purpose of this document is to illustrate the processes required to
implement effective management of risk - whether it is a threat or an
opportunity.
Risk Management is the systematic application of principles, approach and
processes to the tasks of identifying and assessing risks, and then planning
and implementing risk responses. This provides a disciplined environment for
proactive decision-making.
Health & Safety and Operational Policing Risks will be managed through
already established structures and reporting practices and therefore will not
be included in the Risk Management Process, except in circumstances where
it is considered to have such an effect on the organisation that it becomes a
strategic risk.
Approach
There is a two-tiered approach to managing risk within Gloucestershire Police
Service. Risks will be managed at Corporate level and at Business area/Local
Policing Area (LPA) level, with the focus on the achievement of objectives,
not the process itself.
The Constabulary will focus on two areas of risk:
Strategic Risk: Key significant risks that will have an impact across the whole
Constabulary with a need for regular strategic management input and/or
require a Constabulary wide response in terms of mitigation.
Business area/LPA Risk: Key risks that will affect the ability of one or more
LPAs or Business areas to achieve their objectives.
Any identified high risk from Local Policing Area/Business area Risk Registers
can be escalated to the Strategic Risk Register through the Risk Review
Group, when appropriate.
The Police and Crime Commissioner will focus on the Strategic risks as
defined above.
The four stages of the Risk Management Process are described below.
- Identification: identify potential risks (threats/opportunities) which may
  affect the Commissioner’s or Constabulary’s ability to achieve their
  objectives.
- Assessment: analyse the potential risk, and score it in terms of the
  potential likelihood and impact of occurrence.
- Addressing: review current management controls and develop
  strategies for managing the risk.
- Reviewing and Reporting: evaluate the actions implemented and
  monitor their effectiveness.
Appendix 1 outlines the risk management process for the Commissioner and
Constabulary in more detail.
Structure
Together the Commissioner and Constabulary have implemented a risk
management structure to effectively manage strategic risks in order to ensure
they operate under sound principles of Corporate Governance.
Appendix 2 outlines a graphical representation of the risk management
structure within Gloucestershire Constabulary & the standard operating
procedure.
Responsibilities
All members, employees and partner organisations must understand the
nature of risk and accept responsibility for managing those risks associated
with their area of activity.
Appendix 3 outlines the roles & responsibilities for managing risk within the
Constabulary.
Business Continuity Management
For the Gloucestershire Police and Crime Commissioner and Constabulary,
Business Continuity Management is ‘the means by which the organisations
plan to maintain their business in the event of adverse impact to essential
activities and critical functions of our business’.
Business Continuity Management is part of the Commissioner and
Constabulary’s overall risk management framework and can be used to
mitigate risks. A risk based assessment of any ‘essential activity’ should be
undertaken in order to evaluate the risk of the activity being ceased or
curtailed. The risk assessment can then be used by individual LPAs/Business
areas as necessary to escalate any ceased or curtailed essential activities
that are becoming a priority or threat.
Business area and LPA Business Continuity Plans classify activities as
‘business as usual’, ‘essential’ or ‘critical’, supported by Business Impact
Analysis, which the Constabulary uses as a system to categorise and
prioritise. This process links with the Constabulary’s Risk Management
Framework, underpinned by Business area/LPA Risk Registers.
The Business Continuity Plan can be viewed on the intranet, using the link
below, or accessed through the Business Improvement intranet site under the
Planning & Governance Unit section.
Business Continuity Plan
Appendix 1 – The Risk Management Process
Risk Definition
- ‘An uncertain event or set of events which, should it occur, will have an
  effect on the achievement of objectives’
- The role of risk management is to ensure that the Commissioner and
  Constabulary make better decisions through a good understanding of
  the risks and their likely impact, within a disciplined environment.
- The risk management process looks at what can prevent the
  Commissioner and Constabulary from achieving their objectives, by
  identifying what could go wrong and the actions that can be taken to
  prevent this from happening, or to take full advantage of emerging
  opportunities.
- The Risk Management Framework provides a standardised approach to
  how risk is managed by the Commissioner and Constabulary, through a
  four step approach.
- The risk management process can only commence after the objectives
  for the Commissioner, Constabulary & business area have been set
  and understood.
- The diagram below demonstrates the four steps of the risk
  management process, which should align to the Corporate/Business
  area objectives.
- The risk management process is a continuous cycle that runs
  throughout the year, on a quarterly basis.
What are the 7 key risk management standards?
The following standards have been identified to help you successfully
integrate risk management into your business area. The seven
standards are:
Standard 1 Clarify your outcomes/objectives
Within the context of the Commissioner and Constabulary there are
established strategic objectives to help deliver the priorities in the Police and
Crime Plan. Therefore objectives must exist before we can identify potential
events affecting their achievement (both positive and negative).
Standard one is straightforward: link these objectives to what our
organisation is aiming to achieve.
Standard 2 Identifying the risks
Once the objectives have been identified, the next standard is to identify the
key risks that can hinder, or opportunities that can enhance the achievement
of the objective.
When objectives have been changed or recently set, any existing identified
risks should be reviewed and updated as to their relevance.
Categories can be used to make identifying risks easier; a definition of each
category is provided to clarify what it means and the type of risk it covers
(see the Categories of Risk section below).
Standard 3 Assessing/Evaluating the risks
Once all the possible key risks and/or opportunities have been identified, it is
then necessary to analyse and evaluate the risks so that you may distinguish
minor acceptable risks from major risks.
This process means determining the likelihood of the risk happening and the
impact the risk will have on the achievement of the objectives, should the risk
occur.
To assess the risks adequately and consistently, we should give each risk a
score or risk rating, calculated by multiplying the likelihood score by the
potential impact score. This can be achieved by using the 5x5 Risk Matrix
and scoring methodology (see the Risk Scoring section below).
The first assessment should be undertaken on the ‘Inherent Risk’, i.e. the risk
before any controls have been put into place. This is to ensure that all
significant risks are highlighted and assurance can be provided that these
risks are being managed. If you only assess the risk after controls have been
put in place (Residual Risk) then you are assuming that the controls will
always be there.
Standard 4 What controls are already in place?
The fourth standard is to document the key controls, systems and processes
i.e. the policies/actions/measures that you currently have in place to manage
the inherent risks identified. This process also evidences control.
Standard 5 Re-assess the risk
The fifth standard is to assess your risks after your existing controls have
been evaluated. This will give you a Residual Risk score and overall risk
rating level.
Standard 6 Are there any further actions required?
The sixth standard is to determine if any actions are required to reduce further
the risks identified and nominate a risk owner who will take responsibility to
ensure that these actions are addressed. (It may be that no further actions are
required as the risk is acceptable subject to the current control measures
remaining in force and valid).
A summary of the type of action you should consider when addressing a risk
is set out below:
- Terminate
  Terminating the risky activity or partnership might lead to other risks
  or disadvantages, especially where you provide a statutory service, so
  use this control with caution.
- Transfer
  This option is usually used through insurance policies or third party
  arrangements (partnership working); however, the reputation of the
  Commissioner or Constabulary could still be affected if the risk is
  realised.
- Tolerate
  Accept the risk. Use this option where the cost of acting on the risk is
  too high compared to the perceived benefits, or the ability to deal with
  the risk is limited.
  Any Residual Risks considered low impact and/or likelihood will usually
  be tolerated; however, the risk should be monitored in case the
  situation changes (increased impact/likelihood).
- Treat
  Aims to (1) reduce the likelihood of the risk, by performing some form
  of control, and/or (2) reduce the impact of the risk should it occur.
  Treating the risk may not eradicate it completely but reduces it to a
  more manageable level.
What do I do if I want to accept one or more of the risks?
Risk tolerance
Before deciding what action to take to further mitigate risks, consideration
should be given to the amount of risk you are prepared to accept/tolerate,
bearing in mind there will always be competing risks, for example financial risk
versus environmental risk or reputation risk.
This will vary according to the importance of achieving particular
objectives/benefits and what impact the realisation of the risk will have on
those outcomes. The risk matrix and scoring methodology detailed within
standard 3 should be used to identify the likelihood and impact the risk may
have on the objectives, and applied to all proposed options.
Standard 7 Risk Monitoring
The final standard is to ensure that the objective/risk is monitored and
reported on a quarterly basis to Risk Management upon request. Depending
upon the complexity of the risk it would be good practice to have the risk
register as a standing agenda item at your monthly Business Area/LPA
meetings to be able to discuss/ close down risks when they no longer pose a
threat or to add new risks and opportunities in the light of new information.
Categories of Risk
Category: Definition
Political: Those associated with the organisations’ ability to deliver either
central government policy or meet the Commissioner’s Police and Crime Plan
commitments.
Economic: Those associated with the ability of the organisation to meet its
financial commitments. These may be external (e.g. interest rates, exchange
rates and inflation) or internal (e.g. budgetary pressures, adequacy of
insurance cover, consequences of proposed investment decisions).
Social: Those associated with the effects of any changes in socio-demographic
trends, and the organisations’ ability to deliver their objectives.
Technological: Those associated with the capacity of the organisation to deal
with the pace/scale of technological change, or its ability to use technology to
address changing demands. This would also include the organisations’
reliance on operational equipment (e.g. IS or equipment and machinery).
Environmental: Those relating to the environmental consequences (including
climate change) of progressing the organisations’ strategic objectives (e.g.
emissions) or the impacts of ongoing operations (e.g. pollution, noise, energy
efficiency).
Legal: Those related to possible breaches of legislation, or compliance with
laws and regulations designed to reduce hazards (e.g. Health and Safety at
Work Act).
Organisational: Anything which would affect the ability of the organisation to
achieve its objectives. Risks associated with the organisations’ reputation and
the public perception of the organisation’s efficiency and effectiveness. Risks
associated with the particular nature of each profession and the people who
deliver those services (e.g. 999 calls, Public Protection Bureau etc.).
Insuring Your Risks
Risk Management and Insurance Services also have a critical role to play in
helping each service strike a balance between self-insurance and external
insurance.
Regardless of the balance chosen, effective risk management will help to
reduce the direct costs of self-insurance, the indirect (hidden) costs (e.g.
management and administration time, negative impact on our reputation,
service disruption, client/service user dissatisfaction etc), associated with
‘clearing up the aftermath of an event that has happened’ and minimise the
premiums paid for external cover.
Did you know?
That only 20-25% of risks are insurable?
The other 75-80% of risks need to be managed by us!!
Whilst the above highlights that insurance is one way of controlling risks, it
should be stressed that there are lots of other things that we can do to control
our risks; we do not want to depend on insurance. As demonstrated above,
effective risk management activities and arrangements are essential to
control the 75-80% of risks that are NOT INSURABLE!!
Risk Assessment
Having identified the risks, the next stage is to assess both the likelihood of
the risk event occurring and the impact of the risk if it is realised. Each risk
must be evaluated to decide whether the level of risk is acceptable, i.e. you
are happy to tolerate that level of risk exposure or not.
Risk Appetite & Tolerance
Risk Appetite is the position the Commissioner and Constabulary will take
towards risk taking, which will also decide the amount of risk considered
acceptable.
The Risk Review Group is responsible for defining the levels of appetite
through performance improvement review methods to achieve the
Constabulary’s overall Purpose and Mission.
Risk Scoring
Risks need to be assessed both in terms of their likelihood and impact. When
assessing the level of likelihood and impact, the Commissioner and
Constabulary will use a number rating system of 1 – 5 (1 = Low, 5 = High) to
summarise the measurement of descriptive information.
There are two stages when assessing the risk. The initial stage is to assess
the pure risk, when no controls or mitigation have been considered; this is
called the ‘Inherent Risk’ score. The second stage is to produce the ‘Residual
Risk’ score, which is the score of a risk once all the controls or mitigation
have been considered.
A risk score is calculated by multiplying the Likelihood score by the Impact
score.
Both the Likelihood & Impact tables can be viewed using the link below:
Scoring a Risk
Risk Opportunities
Risk Management includes the identification of beneficial opportunities
through risk awareness. If risk opportunities occur, they will be assessed
using the processes and procedures set down in the Risk Management
Framework.
Review & Reporting Risk
At a corporate level there are lead “Risk Owners”, usually members of the
Chief Officers Group, who have ultimate responsibility for the Strategic Risk
Register (SRR). Below them the “Risk Leads” are responsible for reporting on
mitigation progress, blockages or developments and further actions relating to
the risk. The SRR will be reported to the Chief Constable’s Executive Board
and the Audit Committee on a quarterly basis; though, if needed, there will be
an “exception” report produced to highlight any major changes/increases in
the risk status in the interim periods.
At Business area/Local Policing Area level, managers are required to ensure
that risks associated with priorities are reported quarterly through the
business planning template; Risk Management will provide quality assurance
checks on the risks.
If a new risk needs to be agreed, the manager responsible should complete a
“risk form”; this form should be forwarded/e-mailed to the relevant senior
manager for agreement. Select the attached link for the Risk Form template.
Escalation of Risks
If an operational level risk needs to be escalated to the Strategic Risk
Register, it is agreed by the Risk Review Group members before it is reported
by exception to either the Chief Officer Executive Board or the Chief Officer
Group.
Risk updates are provided to the Change Management Board and the Service
Improvement Board as and when required, in which case the risk will be
reported to the Commissioner and Chief Officers so that they can make an
informed decision about the further action required.
Risk Management Intranet Site
Internal Control
Our internal control measure is to provide reasonable assurance through the
identification of objectives/priorities and associated risks in the business
planning process within the Commissioner’s office and Constabulary.
Appendix 2 – Risk Management Structure
The Gloucestershire Police and Crime Commissioner and Constabulary have
implemented a risk management process to manage the business risks
effectively, in order to ensure they operate under sound principles of
Corporate Governance.
A structural diagram for managing risk and key reporting responsibilities for
the organisations can be accessed using the link below:
Management of risk structure & reporting
Appendix 3 – Roles & Responsibilities
Roles and Responsibilities
Within the Commissioner’s office and Constabulary the following key roles
and responsibilities have been identified as part of the standard operating
procedures.
- All Staff
  All staff are responsible for identifying and managing risk once they
  have been provided with the necessary training and skills. It’s not the
  sole domain of managers or management groups.
- Portfolio Holders and LPA/Business area Heads
  It is the responsibility of the Portfolio Holders and Business area
  managers to produce their own risk register. Any risk that needs to be
  escalated to the Strategic Risk Register should be reported to Risk
  Management, who will submit a quarterly “Risk Report” to the Risk
  Review Group.
- Risk Owners/Risk Leads
  Each identified strategic risk will have a named risk owner, that is, a
  person with responsibility for ensuring that each of the proposed
  responses to the risk is implemented. The Risk Lead is responsible for
  monitoring the overall progress, tackling the risk and providing report
  updates on the risk controls and status.
Specific roles & responsibilities for the management of risk can be accessed
using the attached link: RM Roles & Responsibilities
Appendix 4 – Risk Register
Risk Management maintains the risk register template. A generic version is
issued to each Portfolio Holder/LPA/Business area manager for them to
complete and maintain. It is their responsibility to maintain these registers and
provide updates to Risk Management following the timetable within the
Standard Operating Procedure.
Each risk register should be constructed using the corporate template; the
latest version & guidance can be obtained from the Risk Management intranet
site or through Risk Management.
To access the risk register template, use the link below:
Risk Register Template
Each Portfolio Holder/LPA/Business area head is responsible for populating
and maintaining their risk register. Risk Management will assist a designated
member from each team in reviewing the information provided; however, they
are not responsible for its accuracy or the assessments made against each
risk. The register is used to record each Head’s assessment of their
business.
To access the Risk Management intranet site, use the link below:
Risk Management Intranet Site
Terminology
A full list of terminology for Risk Management can be accessed on the Risk
Management intranet site, using the link below:
Risk Management Terminology
Strategic Risk Management
Change Management Team
Gloucestershire Constabulary
 Police Headquarters|No.1 Waterwells|Quedgeley|GL2 2AN
 www.gloucestershire.police.uk