HOW WE DO RISK MANAGEMENT IN SUFFOLK COUNTY COUNCIL – POLICY AND GUIDANCE
Our risk management approach conforms to the CIPFA ‘three lines of defence’
governance framework. We call it “Active Risk Management”.
Active Risk Management (ARM) is a pragmatic and flexible approach based on the
following principles:
• Proportionate – uses common sense! Some threats or opportunities will require significant effort to manage because of their potential impact and likelihood. Minor risks should not be ‘over managed’.
• Aligned – to planning and other business activities being carried out. Risk must be routinely discussed at management team meetings. Risks must be actively reviewed and managed and records kept up to date. Managers should be well briefed and open as to the progress being made or the problems being experienced.
• Thorough – managers will take a broad but sensible view as to sources of both operational and strategic risk. Some will affect long-term strategies, whilst others will impact upon day-to-day operations or projects. Risks that could affect the organisation as a whole should be recorded once, not replicated by all directorates.
• Shared responsibility – roles, responsibilities and relevant risk management activities are clearly defined at all levels of the organisation.
• Dynamic – doing, not just talking! Risks and our responses to them will change, sometimes quickly. Senior managers must be receptive to risks that are escalated to them, viewing risk data as a valuable source of information.
ARM involves staff actively managing the council’s risks by considering the following
simple questions in their everyday work:
1. What could go wrong?
2. If it happens, what will be the impact?
3. What am I doing about it?
4. Is it working?
5. How am I monitoring it?
If you are new to Risk Management, please read the Introduction to Risk Management
guidance document.
Roles and responsibilities
Everyone in the Council is involved in risk management and should be aware of their responsibilities in identifying and managing risk. Please see the ‘Risk Management Roles and Responsibilities’ document for specific roles and responsibilities.
Corporate risk register and escalation
What counts as a corporate risk is defined in the document ‘Criteria for judging a risk corporate and examples’. Briefly, a corporate risk is one that:
• Could adversely affect the corporate governance of SCC
• Applies across the organisation
• Has the potential to affect the achievement of corporate objectives
• Concerns significant changes to the environment in which SCC operates
• Could inflict major reputational and/or financial damage on SCC
Page 1 of 3
January 2012
All corporate risks must be recorded on JCAD Risk with a member of CMB (Corporate Management Board) as designated owner. As a general rule, corporate risks will require mitigation (control actions) in more than one part of the organisation, and therefore the ‘responses’ in JCAD Risk would be assigned to a number of individuals.
Each quarter, CMB will review risks. This will include corporate risks and opportunities, together with any others escalated through the DMT, in order to satisfy itself that all necessary mitigation and response is in place.
It is crucial that directorates review their current strategic and high-level risks regularly to
ensure that any with corporate implications are escalated accordingly.
Directorates may choose how to record their non-strategic and low-medium operational
and project risks, for example by including Excel risk spreadsheets within project
management documentation.
Guidance documentation on JCAD risk is available on COLIN.
Risk maturity
The table below describes levels of risk maturity. This can be used to self-assess the
extent to which risk management is embedded in our organisation.
Risk maturity            Approach to risk management
Risk Enabled – Level 5   Risk management and controls assurance policy embedded into organisational culture and operations.
Risk Managed – Level 4   Organisation-wide approach to risk management communicated and implemented.
Risk Defined – Level 3   Strategy, policies and risk appetite defined.
Risk Aware – Level 2     Some areas risk aware, probably due to culture, history or staff in post.
Risk Naïve – Level 1     No formal approach developed.
Reporting
Quarterly reports are made to Corporate Management Board.
Directorate-specific risk reports are produced at least quarterly to inform DMT meetings.
An annual performance and risk report is prepared for Audit Committee.
Weekly reports of ‘overdue’ risks (those past their review dates) are produced from JCAD
Risk by Business Development to monitor and drive action where needed. This will
continue until Active Risk Management is fully embedded.