Introduction
Current Status
Corporate Governance Framework
Governing the Business
Short Term Action Plan
Main Risks
Risk Management Process
The A&RM Committee considered a report at its first meeting in July 2008 that sought approval for a refreshed and more current framework for the management of Risk Management within the Council that complied with the CIPFA/SOLACE framework.
Details of the proposed Risk Management system were outlined, with supporting documentation identifying the desirable Risk Management elements. The new framework addressed issues raised within the Key Lines of Enquiry (KLOEs) of the 2007/08 Use of Resources Assessment. The ordering of the various component parts reflected the ‘golden thread’ of a corporate approach to Risk Management that should reinforce, through strong leadership, the Council’s Constitution and core documentation cascaded down through the strategic management structure to the individual service functions of the Council. It was considered that the adoption of the new framework would ensure that Risk Management would be addressed in a more logical, structured and coherent manner.
The framework for the management of risk outlined within the report was approved and agreement was given to implement it, with an updated status report to be brought back to the Committee outlining the progress achieved by October 2008. Due to other strategic issues being tackled at the time (e.g. LGR), it was considered that little purpose would be served by an earlier update. Now appears to be a more appropriate time to raise this important topic in order to consider progress made and to endorse future plans.
Prior to the report being presented in July 2008, a Risk Management system was introduced to the Council following work with Zurich Municipal in 2003 through the Internal Audit function. Each Service Team has used this system at least once and the main projects have also been using the same process. A description of the process can be found under Section 5. As a result of this, many of the current requirements of a modern Risk Management process have in part been implemented, although not to the required degree and standard. Many individual requirements have been implemented in different parts of the Council, but they have not at present all been linked together in a coordinated way.
The current status is described in this section, focussing on the main topics, and is not meant to be a complete and detailed account. It provides information that will be used for further reference and development.
1. Corporate Governance Framework
It is essential that risk management is corporately driven reflecting good governance. The existence of a Code of Corporate Governance that reflects the CIPFA/SOLACE Framework should demonstrate strong leadership and the recognition that risk is an integral part of the corporate management process.
Status: The Section 151 Officer is in control of the Governance Framework and has been responsible for its review, especially with the creation of the Audit & Risk Management Committee and the new role of a corporate Risk Manager being put in place.
The following sub-sections address major areas for consideration and comment. They also need to be reviewed and evaluated in more depth according to the strict rules that exist and that, as a Council, we need to adhere to in order to improve our corporate ratings across the board.
a) The Constitution
The Constitution details the Council’s decision-making processes, the methods of operation, and the procedures implemented to ensure that the local authority is efficient, transparent and accountable to local people. Certain processes are statutory, whilst others are conscious choices enacted by the Council. The Constitution also sets out the roles of the Monitoring Officer and Section 151 Officer with regards to their statutory responsibilities relating to compliance with the law and ensuring sound financial control.
Status: The Constitution is a live document under the working control of the Monitoring Officer, who ensures through a Working Party that it is kept current.
b) Codes and Procedures
Status: A system exists, using strong links with other Suffolk Authorities to ensure best practice, that reviews Codes and Procedures beneath the Constitution to ensure that the Monitoring Officer and the Section 151 Officer satisfy their statutory responsibilities and ensure sound financial control. Best practice is strived for using links with other Authorities.
c) Financial Procedure Rules
Status: The Financial Procedure Rules are in place, and outline the Council’s Constitution, and provide the framework within which the financial administration of the Council is conducted. They identify the financial responsibilities of Full Council, Members, the Monitoring Officer, the Section 151 Officer and Corporate Directors.
d) Role of Internal Audit with respect to Financial Procedure Rules
Status: The Internal Audit function provides independent and objective services, including consultation and fraud-related work. Internal Audit ensures that the Council’s Fraud & Corruption Policy is regularly reviewed and advises of circumstances where investigations, reviews and reports reveal fundamental weaknesses within the organisation.
The Fraud & Corruption Policy, also strengthened by the Whistleblowing Policy, is due to be reviewed during 2009/10, and changes will be presented to the Audit & Risk Management Committee.
e) Corporate Risk Management Group
Such a group has lapsed in recent times, but discussions have taken place to re-form it with a more focussed view to include in its remit the review of the Corporate, Directorate, and Service risk registers, including major projects and partnerships. Further reporting into Cabinet on a regular basis would be part of an integrated performance reporting process.
Status: The group is being re-formed, with the first meeting to be held by end-March 2009 under the Chairmanship of the Director for Resources and involving Heads of Service, and members of the Community Development and Performance Team.
f) Audit & Risk Management Committee
Although it isn’t a statutory obligation to have such a Committee, it is commonly accepted that to operate such a committee provides best practice. Through its work it should demonstrate its impact in providing effective challenge across the Council, and give assurance on the risk management framework and associated internal control environment both to the Council and the public. In demonstrating its effective impact it is necessary to produce an annual report of the Audit Committee’s activities to serve to highlight the effectiveness of the function.
g) Internal Audit Planning
It is important that when the Plan is being compiled, it should be risk assessed to ensure that sufficient internal audit resources are given to review and investigate areas of the work of the Council where there is significant risk attached to its operation, as well as covering fundamental systems that the Audit Commission focus their attention on.
Status: The current 2009/10 Internal Audit Plan has gone through a risk screening process, and is due to be presented to the A&RM Committee on 24th March 2009.
2. Governing The Business
a) Performance Management
This area of work is pivotal to ensuring that improvements are made to the way the Council performs its work, with a continuous improvement culture involving the golden thread of risk management being cascaded down through the delivery of a Performance Plan within a Performance Framework, resulting in best value being obtained.
Status: Risk is managed in relation to performance and is evident in the performance monitoring process. Measurement of the performance indicators uses the Red, Amber and Green (RAG) status system to illustrate the recognition of areas of concern in relation to the achievement of corporate objectives.
b) Partnerships
Due to the Council’s exposure through its partnership working it must be able to demonstrate that partnerships embed risk management, as part of setting priorities, policy making, financial planning and performance management in a similar fashion to that of the Council itself. This highlights the diverse approach the Council takes to risk management.
Status: The Partnership Policy, which was approved by Cabinet in March 2008, underwent its bi-annual review by the Overview & Scrutiny Committee in January 2009.
Each Lead Officer is tasked with ensuring that each partnership conducts a partnership monitoring exercise to identify and address any weaknesses and associated risks. Risk registers of the main partnerships, e.g. Waveney Campus and Waveney Norse, are in place, thus ensuring that threats to the achievement of corporate objectives through partnership working are identified and monitored.
c) Projects
Reports to support strategic policy decisions, and initiation documents for all major projects, require risk assessment including a sustainability impact appraisal to be included. The identification, mitigation and monitoring of risk is considered central to project development, delivery and progress monitoring and is a consideration in the closedown of projects.
Status: The risk assessment process is active and Project Managers use it to identify and control key project risks. However, its application tends to be somewhat haphazard, although major projects appear well covered.
d) Risk Manager
One of the main actions to be put in place is the appointment of a Risk Manager, who will promote the effective use of, monitor and report on Risk Management throughout the Council.
Status: This post has recently been filled within the Community Development & Performance Team and is due to commence late March 2009.
e) Risk Registers
The key documents in maintaining assurance as to the containment of threats to the achievement of corporate objectives are Risk Registers. They link risks to strategic objectives, assess the risks for likelihood and impact, and assign named individuals to lead on actions identified to mitigate each risk. Identifying the threats to the Council’s objectives should drive a framework of assurance including the work of Internal Audit and should facilitate mitigating actions to contain the threats. They are fluid in nature and should be reviewed on a frequent basis to ensure the continuing effectiveness of mitigating actions and the potential identification of new risks. Risk Registers are also informed by the identification of risks within the Service Plans and they take two forms. Firstly, risks that are addressed and mitigated by the Service Team itself, and secondly risks that the Service Team cannot resolve, as they need corporate action to resolve and inclusion onto the Corporate Risk Register.
In order to manage risk on a day-to-day basis and ensure information on significant risks is cascaded upwards it is appropriate to have risk registers in place at all levels of the Council, including major partnerships and projects.
Status:
Corporate Risk Assessments have been conducted for each of the financial years since 2003/04. An update is planned by end-March 2009 before another full exercise is undertaken later during 2009/10, when (hopefully) the result of LGR will be known. Work has already started with a brainstorming session by senior officers to identify the main risks facing the Council. (Refer Section 5 for more details.)
Major projects e.g. Outsourcing of Leisure, and the Waveney Campus have conducted various Risk Assessments from which Risk Registers have been produced.
The partnership giving rise to Waveney Norse has also gone through the risk assessment process. Risk Registers have been compiled and are reviewed and updated monthly at the Performance Operations Group meeting.
The Council has drafted its 2009/10 Service Plans, and they are due to be approved by Cabinet during March 2009. Each of them contains a risk assessment that identifies risks and their associated mitigating actions.
f) Service Plans
In reinforcing the consideration of risk in all instances of decision-making it is important to consider risk in the service planning process. A separate section within each 2009/10 Service Plan has been devoted to identifying the main risks to achieving the objectives of the service. Thus a comprehensive risk assessment of all service plans is essential.
Status: For 2009/10, the process has been strengthened by including a peer review challenge. This has proved to be very useful to ensure that all Plans are “fit for purpose”. Associated risks have been identified and mitigating actions, if outside the control of individual service teams, are to be elevated as corporate issues to the Corporate Risk Monitoring Group.
g) Risk Management Training
Cascading risk management down through the organisation is essential to ensure control. It is necessary to equip both Members and staff with routine risk management training appropriate to their needs and responsibilities.
Status: It is anticipated that a Training Plan will be compiled for 2009/10.
Actions                                                      Date
a) Engage Risk Manager                                       Q4 2008/09
b) Set-Up Corporate Risk Management Group                    Q4 2008/09
c) Conduct a Corporate Risk Assessment Review                Q4 2008/09
d) Present the 2009/10 Internal Audit Plan                   Q4 2008/09
e) Approve 2009/10 Service Plans                             Q4 2008/09
f) Review Fraud & Corruption & Whistleblowing Policies       Q1 2009/10
g) Present Annual report of the A&RM Committee               Q1 2009/10
h) Present Risk Management Updated Status Report             Q2 2009/10
i) Present Risk Management Process Update                    Q2 2009/10
Accepting further qualifications to financial statements.
Performing below minimum standards in the areas of Financial Management, Financial Standing & Financial Reporting as identified through the UoR process.
Not achieving a positive Direction of Travel.
Unacceptable standard of data quality, especially in relation to grant claims & BVPI’s.
Unproven Business Continuity Plan.
Inadequate progress against the Improvement Plan.
Inadequate control of Partnership working (e.g. LAA, CAA, LSP, 1st East, Other local Authorities).
Loss of key staff.
Lack of deputy cover within the Management Structure for Section 151 Officer and Monitoring Officer cover.
Loss of reputational esteem by the wider community.
Unknown LGR structure.
Sustaining participatory budgeting within Community Boards.
Unacceptable progress against national indicator set, including climate change targets & health inequalities.
There were other risks identified through the 2007/8 Corporate Risk Assessment process that need to be assessed to see whether they fall within the corporate risk appetite or not. If not, they will be added to the above list.
Prior to workshops – Confirm attendees and timetable. Undertake background reading including last year’s report, service plan, PIs, etc. Send last year’s Management Action Plan (MAP) to group.

WORKSHOP ONE

Objectives
    Confirm objectives are up to date

Risk Identification
    Assessment of risks identified previously
        Have agreed actions/controls been completed?
        Do all risks still exist?
        Which risks are being managed within the risk appetite?
        Confirm risks still in existence.
    New risks?
        Mini brainstorming session.
        Agree new risks

Risk Analysis (carried out in between workshops 1 and 2)
    Analysis of current and new risks = Final set of risks

WORKSHOP TWO

Risk Prioritisation
    1) Assess likelihood and impact of previous risks in light of the actions/controls taken – are target risk scores as predicted?
    2) Prioritise new risks by assessing the likelihood and impact of each risk.
    3) Has risk appetite changed?

Risk Mitigation
    Will any actions/controls be carried over from last year?
    Can these still be realistically implemented?
    For each risk are controls/actions in place adequate?
    Confirm controls/actions already in place
    Need to take more action against some risks?
    Where will risk move to on risk appetite after mitigation?

Management Action Plan (MAP)
    Agree final set of controls/actions already in place and those agreed.

Issue of Report and Monitoring of MAP
    Draft report issued to group for approval.
    Report to PTM and follow up of actions to Scrutiny (Monitoring of MAP)
    After 12 months go back to beginning of cycle