Report of the Head of Finance to the Standards Committee on 5 February 2004

RISK MANAGEMENT POLICY STATEMENT AND STRATEGY DOCUMENT.

  1. Introduction

Risk Management is a key factor in Corporate Governance and in the Comprehensive Performance Assessment (CPA) process. It is also required by the Council's Financial Regulations. For CPA assessment the authority needs to demonstrate not only that it has developed a risk strategy and identified key risks, but also that it has integrated risk management into the business framework. With this in mind, the Council established a Risk Management Working Group in September 2003 to promote and implement risk management across the Council.

Since then, the Risk Management Working Group has made the following progress:

  • Implementation of risk management software.
  • Production of a risk management briefing paper for Service Managers to explain what the Council is doing about risk management and why.
  • Proposals for a risk management policy statement and strategy document have been put to the Corporate Management Team (CMT).
  • Risk Management Guidelines have been produced to ensure that operational risk reviews are undertaken in a logical and consistent manner across the Authority.
  • Zurich Municipal Management Services (ZMMS) have made two risk management presentations to Service Managers in September 2003.
  • Issue One of a Risk Management Monitor was published in October 2003 to inform all staff of the Risk Management Working Group's progress.
  • A meeting was arranged with the Audit Manager and the Risk Manager from Dudley Metropolitan Borough Council in November 2003 to discuss their experiences so far in the implementation of operational risk management and the use of Magique software.
  • Two crosscutting strategic risk reviews were facilitated by ZMMS in December 2003, attended by member representatives, senior management and managers.
  • ZMMS have produced a strategic risk report, identifying and prioritising the key risks facing the Council. This report has been sent to the Leader of the Council and to CMT to progress action planning.
  • RMWG have embarked on operational risk reviews in the Finance Service, ICT Services, Public Amenities and Property Services.
  • A timetable for operational risk reviews for the whole authority has been drafted.

The attached report consolidates the work of the Risk Management Working Group in communicating what the Council is doing about risk management, and why. It includes the proposals made for a risk management policy statement and strategy document. Detailed risk management guidelines will also be issued to Service Managers during February 2004 to assist in the identification and management of operational risks.

  2. Recommendation

    That the Council's Risk Management Policy Statement and Strategy Document be approved.

    Reason

    It is important that members are involved in, and supportive of, risk management and formally approve the Risk Management Policy and Strategy.

  3. Background Papers

Audit Commission Management Paper: Worth the Risk - improving risk management in local government.

A Risk Management Standard - The Institute of Risk Management (IRM), Association of Insurance and Risk Managers (airmic), and Association of Local Authority Risk Managers (ALARM)

Chance or Choice - Risk Management and Internal Control guidance for Local Government - SOLACE

 

PM Pennell, Head of Finance

D.S.J. Jones, Chief Internal Auditor

Any enquiries on this subject should be made to John Jones on 01743 281061 or e-mail john.jones@shrewsbury.gov.uk

RISK MANAGEMENT

Introduction

Risk management is a hot topic for local authorities as it is a key factor in Corporate Governance and in the CPA process. It is also required by the Council's Financial Regulations.

Link to Corporate Governance

"Corporate Governance is the system by which local authorities direct and control their functions and relate to their communities"

The underlying principles of good governance are:

  • Openness
  • Integrity
  • Accountability

Corporate governance and risk management are inextricably linked. Risk management is one of the five dimensions of corporate governance in a local authority, as outlined by CIPFA / SOLACE. Councils are required to comply with the principles of good governance in these five areas of their work:

  • Community Focus
  • Service Delivery Arrangements
  • Structures and Processes
  • Risk Management and Internal Control
  • Standards of Conduct

Link to Comprehensive Performance Assessment

Risk management is set to play an important role in the CPA process, and an "excellent" rating is more likely to be achieved where sound risk management and corporate governance arrangements are already in place.

For CPA assessment the authority needs to demonstrate not only that it has developed a risk strategy and identified key risks, but also that it has integrated risk management into the business framework.

Link to Financial Procedures and Regulations

The Council's existing financial regulations stress the importance of Risk Management:

"It is essential that robust systems are developed and maintained for identifying and evaluating all significant operational risks to the authority on an integrated basis. This should include the proactive participation of all those associated with planning and delivering services"

(Fin. Reg. C1.)

Risk

What is it?

Risk is the chance of something happening that will have an impact upon objectives. This could be at corporate / strategic level, service / operational level or in relation to a specific project.

Risk Management

What is it?

Risk management is the term applied to a logical and systematic method of identifying, analysing, evaluating, treating and reporting on the risks associated with any activity, function or process in a way that will enable the organisation to minimise losses and maximise opportunities. It should be an iterative and integrated activity, which fits in with existing planning and control mechanisms rather than adds to them.

Why do we do it?

In its publication "Chance or Choice - Risk Management and Internal Control guidance for Local Government", SOLACE says:

"If a Council doesn't have effective risk management then it doesn't have effective management"

Effective risk management should help to improve the planning, organising, directing, staffing, co-ordinating and controlling of the Council's activities at strategic, operational and project level.

Effective risk management could result in:

  • Better service delivery
  • More efficient use of resources
  • Minimisation of waste, fraud and poor value for money
  • Projects completed on time / within budget
  • Protection / enhancement of the council's reputation
  • Compliance with regulations
  • Avoidance of bad publicity
  • Minimised service disruption
  • Fewer claims for compensation
  • Improved customer satisfaction
  • Improved staff morale

 

How do we do it?

Risk Management Working Group

The starting point has been to establish a Risk Management Working Group in September 2003, which is now playing a key role in developing and implementing the risk management framework and programme of operational risk reviews across the authority.

The composition and remit of this group is set out in Terms of Reference, agreed by the Corporate Management Team.

To demonstrate the commitment of the Council to risk management, and to facilitate reporting to the Corporate Management Team (CMT) and Cabinet, the Head of Finance chairs the Group. Internal Audit provides technical input and secretarial support and each of the Council's directorates has nominated a representative to participate in the activities of the working group. Member involvement in risk management has also been encouraged, with a member representative attending the RMWG meetings.

The remit for the RMWG includes proposals for, inter alia:

  • Risk Management Policy
  • Risk Management Framework
  • Implementation Plan
  • Risk Management Process
  • Roles and Responsibilities
  • Risk Management Tools

The RMWG Terms of Reference are included at Annex A.

Policy and Strategy

The Head of Finance is responsible for preparing the Council's risk management policy and for promoting it throughout the authority. Accordingly, the RMWG has made proposals for a risk management policy statement and strategy, including a risk management framework, implementation plan and timetable for operational risk reviews.

Pitfalls

In formulating the policy and strategy, the following common pitfalls have been considered.

Pitfalls to avoid

  • Lack of member involvement
  • No clearly defined risk management policy
  • Lack of planning and buy-in - no clear implementation strategy
  • Failure to identify clear objectives
  • Viewing risk management as a compliance exercise
  • Failure to consider risk in the broadest context
  • Establishing risk management as a separate initiative
  • Failure to link risks with corporate objectives
  • Risk management systems that are too complex
  • Failure to prioritise and focus only on significant risks
  • Lack of clear identified roles and responsibilities
  • Inadequate focus on control strategies and risk exposure
  • Inappropriate or no risk champions identified
  • Lack of consultation throughout the process
  • "Bottom-up" rather than "top-down" approach
  • Lack of regular monitoring and reporting
  • Poor communication
  • Not addressing the change management issues from a human resource and cultural perspective
  • Inadequate resourcing and training

Source: Audit Commission

Reference has been made to risk management standards and the experiences of other authorities in implementing risk management.

The RMWG has also considered the risk management implementation checklist contained in the Audit Commission publication "Worth the Risk - Improving risk management in local government" (Annex B).

Risk Management Policy Statement

Risk management is the process by which risks are identified, evaluated and controlled. It is recognised as an integral part of good management practice and as such it is a key element of the framework of corporate governance.

Shrewsbury and Atcham Borough Council will adopt the principles of risk management in order to protect the health, safety and welfare of its employees and the people it serves, to protect its property, assets and other resources, to enhance the delivery of services and to maintain its reputation and good standing in the wider community. The Council will apply best practice in identifying, evaluating and cost effectively controlling risks at all levels and across all activities.

Successful risk management is about ensuring that we have the right level of control in place to provide sufficient protection from risk, without holding back our development. We must ensure that the decisions we take as a Council include a consideration of the potential implications for all of our stakeholders. We must decide whether the benefits of taking our actions outweigh the risks.

To be most effective, risk management should become part of the Council's culture. Therefore, the aim of the Council's strategy is to integrate risk management into the existing management processes for planning, decision making and control at all levels and across all activities.

We need to have the framework and processes in place to manage risk in a consistent and proactive way. The following strategy document identifies where we are now with risk management, where we need to be, and how to get there.

The Chief Executive, Corporate Management Team and Council Members are fully committed to promoting and implementing the risk management strategy throughout the authority.

Signed Date

Chief Executive, Shrewsbury and Atcham Borough Council

 

Risk Management Strategy

Introduction

Risk management is recognised as an integral part of good management practice. As such, implementing sound risk management practices is a journey, an evolutionary and learning process rather than a one-off exercise. We need to start on the journey, building our risk management capabilities and learning from our experiences. The key is to recognise where we are on the journey and to identify where we want to be.

This strategy identifies where we are now with risk management, where we need to be, and how to get there. It identifies the steps we need to take to implement a risk management framework capable of accomplishing our stated aims and objectives.

The strategy has been developed from current risk management standards, the work of other local authorities and risk management best practice set out in the Audit Commission publication "Worth the Risk".

Where are we now?

Assessment of risk is a fundamental process within the Council's activities. For example:

  • Risks are insured wherever possible.
  • Capital projects are assessed for risk under the project management regime.
  • Risk assessments are undertaken on specific activities.
  • Service managers assess the risks in the delivery of their services.

However, these are not considered in a corporate and integrated way and no central record is kept in a risk register.

Where do we want to be?

Our risk management activities need to be integrated, proactive, continuous and forward-looking. To be most effective, risk management should become part of the Council's culture. It should be integrated, or embedded, into the organisation's philosophy, practices and business plans, rather than be viewed or practised as a separate program. When this is achieved, risk management becomes the business of everyone in the organisation.

Aims and Objectives

The aim is to ensure that risk management becomes part of the Council's culture and is the business of everyone in the organisation.

The objectives of the Council's risk management strategy are to:

  • Embed risk management into the culture of the Council at all levels and across all activities.
  • Manage risk in accordance with best practice.
  • Adopt a systematic approach to risk management as an integral element of strategic and service planning.
  • Promote awareness of the principles of risk management throughout the Council.
  • Minimise injury, damage and loss.

How do we get there?

The Council will achieve these objectives by:

  • Setting up a Risk Management Working Group (RMWG) to develop and implement the risk management framework.
  • Establishing a clearly defined risk management policy.
  • Pursuing a clear implementation plan and timetable as contained in this strategy document.
  • Clearly defining individual and collective roles and responsibilities in relation to risk management.
  • Providing adequate resources and training.
  • Establishing an iterative process for identifying, evaluating and controlling risks on a consistent basis at all levels and across all activities.
  • Integrating risk management in existing management processes for planning and control at all levels.
  • Provision of risk management guidelines for Service Managers.
  • Providing suitable insurance or other arrangements to manage the impact of unavoidable risks.
  • Reporting and monitoring of risk management arrangements on a regular basis.

This strategy document identifies the key elements of the Council's risk management framework and includes a detailed implementation plan and timetable for operational risk reviews.

 

Risk Management Framework

The RMWG, the risk management policy statement and this strategy document are all key elements of the Council's risk management framework depicted above. Other elements of the framework to be developed or addressed by the RMWG are:

  • The Risk Management Process
  • Risk Management Methodology
  • People's Roles and Responsibilities
  • Training
  • Risk Management Tools
  • Risk Management Guidelines

 

Risk Management Process

A risk management process will be defined and documented by the RMWG so that risk is managed on a consistent basis across the authority. The process will be based on that contained in the UK Risk Management Standard and that applied by ZMMS.

Risk management is an iterative and cyclical process of steps, which are undertaken in sequence. The process includes:

  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
  • Risk Treatment
  • Risk Reporting
  • Monitoring and Review of Risk Management Arrangements

The agreed process will be fully documented in the Risk Management Guidelines produced by the RMWG.

Risk Management Methodology

The Risk Management Methodology will be defined and documented in the Risk Management Guidelines, so that risk is assessed on a consistent basis across the organisation. The methodology will be consistent with that applied by ZMMS so that strategic and operational risk reviews are approached in the same way. The methodology will include:

  • Defined Business Units for risk identification and recording.
  • Categories of Strategic and Operational Risks.
  • Risk Assessment - Qualitative Measures of Consequence and Likelihood.
  • The Risk Matrix / Profile.

The risk management methodology to be applied will be fully explained in the Risk Management Guidelines.

Risk Management Roles and Responsibilities.

Risk management will be applied at strategic, operational and project level so that all parts of the organisation have a role to play in delivering effective risk management. Accordingly, individual and collective risk management roles and responsibilities will be defined and documented, consistent with those responsibilities already included in Financial Regulation C - Risk Management and Control of Resources.

Roles and responsibilities will include:

  • Members
  • Cabinet
  • Corporate Management Team
  • Risk Management Working Group
  • Head of Finance
  • Service Heads / Managers
  • Internal Audit
  • All Employees

  • Members

The role of members is to oversee the effective management of risk by Council officers.

  • Cabinet

As detailed in Financial Regulations:

The Cabinet is responsible for approving the authority's risk management policy statement and strategy and for reviewing the effectiveness of risk management. The Cabinet is responsible for ensuring that proper insurance exists where appropriate.

It is the overall responsibility of Cabinet to promote a culture of risk management awareness throughout the authority.

  • Corporate Management Team

CMT will receive and consider reports from the Head of Finance on the work of the Risk Management Working Group.

  • Risk Management Working Group

The Risk Management Working Group will assume the responsibilities of a risk management function, which include:

Setting the policy and strategy for risk management.

Designing and introducing processes for risk management.

Championing risk management at operational level through departmental representatives.

Conducting operational risk assessments in conjunction with Service Managers.

Reporting to the Corporate Management Team on risk management.

The full responsibilities of the Risk Management Working Group are set out in agreed Terms of Reference. (Annex A)

  • Head of Finance

The responsibilities of the Head of Finance as set out in Financial Regulations are:

To prepare and promote the authority's risk management policy statement.

To develop risk management controls in conjunction with other Chief Officers.

  • Service Heads / Managers

Service Heads / Managers will be responsible for:

Managing operational risks on a day to day basis.

Identifying, analysing and profiling operational risks and producing risk action plans in conjunction with the Risk Management Working Group.

Promoting risk awareness within their areas of operation / activity.

Incorporating risk management into their existing service planning and reporting activities.

  • Internal Audit

Internal audit will:

Maintain the authority's Risk Register.

Implement risk management software to facilitate the recording, analysis and reporting of risks.

Participate in the activities of the Risk Management Working Group.

Provide active support and involvement in the risk management process, including the identification and assessment of operational risks.

Align risk management and internal audit to focus audit work on significant operational risks, using risk-based auditing.

Undertake risk assessment in producing audit plans as part of the Audit Needs Assessment process.

Audit the authority's risk management arrangements and provide annual assurance on the management of risk.

  • All Employees

Risk Management is the business of everyone in the authority.

All employees are responsible for maintaining their awareness of risks and feeding these into the formal risk management process. They must also control the risks inherent in their jobs and report any risk concerns to their manager.

Risk Management Training

Training and presentations will be provided to ensure that all managers have an understanding of the risk management process before the RMWG undertakes its review of operational risks across the Council's services. All employees will have access to the Council's risk management policy, strategy and risk management guidelines.

Risk Management Tools

We will use technology to assist in managing information, analysing, reporting and monitoring of risk. Magique risk management software will be employed by internal audit to automate the cyclical and iterative risk management process.

Risk Management Guidelines

Comprehensive risk management guidelines have been developed by the RMWG to communicate the Council's risk management process and the methodology which we will apply in the conduct of operational risk reviews across the Council in conjunction with Service Managers.

Implementing and Embedding Risk Management.

Our implementation plan takes account of the Audit Commission's Risk Management Checklist contained in the publication "Worth the Risk".

We need to address risk management at strategic, operational and project levels.

Strategic Risk Management.

For CPA it is important that:

  • There is member involvement in, and support for, risk management.
  • Members agree a list of the most significant risks.
  • The process is "top down" rather than "bottom up".

Therefore, the authority will adopt a top-down approach to the implementation of risk management by starting with strategic risks.

To start the process, an external facilitator (ZMMS) will be engaged to run a workshop session with members and senior management to identify, prioritise and then formally report on the key strategic risks facing the authority. CMT will then determine risk ownership and produce action plans for each of the key risks / risk clusters identified in the Strategic Risk Report. The results of the review will then be input to the authority's risk register. The participation of Service Managers in this workshop should then enable them to apply the same process and methodology at operational level in conjunction with members of the RMWG.

Thereafter, strategic risk management will be embedded in the authority's corporate planning arrangements. Managing strategic risks will be a core responsibility for senior managers in close liaison with elected members.

Strategic risk assessments will be undertaken as part of the corporate planning process, using such techniques as SWOT or PESTEL analyses, and the results fed into the authority's risk register.

Operational Risk Management.

In addition to the Zurich strategic risk review, RMWG will undertake an initial survey of operational risks in conjunction with each of the Service Managers. It is envisaged that the members of the RMWG will start the operational risk reviews in their own services in order to further refine the process before extending the reviews to cover all other services.

The objective will be to identify, prioritise and report on the operational risks faced by the sections within each of the Council's services. The results will be input to the risk management software to complete a comprehensive register of strategic and operational risks, produce risk profiles for each service and action plans to effectively manage the key risks.

Thereafter, risk management at operational level will be embedded in the authority's planning and control arrangements at Service level.

Project Risk Management.

SABC has developed and implemented a Project Management System, based on the PRINCE 2 project management methodology. The system will be applied to major projects as determined by Members and CMT. Guidance on good practice and how to use the system will be produced, with introductory training sessions in January 2004.

The Project Management system includes the following Risk Management elements:

  • A Risk Assessment Questionnaire.

This is used on every major project and allows for the assessment of generic risk factors. The questionnaire obliges the Project Team to review risk and capacity to address it, and allows for numerical assessment of risks to determine the position of each risk on a low to high risk continuum.

  • Project Specific Risk Assessment.

The assessment and documentation of mitigation measures for risks that are specific and unique to the particular project. The Proforma obliges the project team to consider such risks and to design and document the mitigation measures. Where risks are not manageable the project can be aborted or the scope altered.

  • Project Issue and Risk Logs.

This is used on every major project to record all risks identified and to monitor progress on risk mitigation, with additional preventative and corrective action recommended as required. The logs also ensure that risk owners are identified and active. The log is also used to record any new risks coming to light during the project, to ensure the implementation of mitigation measures. Exception reporting allows for swift intervention where a risk or issue is predicted to go out of control.

Review.

There will be continuing involvement of the RMWG and Internal Audit in review of the risk management policy statement, strategy document and guidelines and compliance with risk management policies and procedures.

Monitoring.

An annual report will be submitted to the Standards Committee by the RMWG in order to plan and monitor the operation of risk management within the Council.

Risk Management Implementation Plan

| Action | Yes / No | Who | Target Date / Completed | Notes |
|---|---|---|---|---|
| Risk Management Working Group | | | | |
| Establish RMWG | Yes | | | |
| Set Terms of Reference for RMWG | Yes | RMWG | Sept. 2003 | |
| Convene fortnightly meetings | Yes | | Start date 25/9/03 | |
| | | | | |
| Risk Management Policy Statement | | | | |
| RMWG to draft a risk management policy statement for the Council | Yes | RMWG | Oct. 2003 | |
| Policy statement to be approved by CMT | Yes | | Nov. 2003 | |
| Policy Statement to Standards Committee | Yes | H.o.F. | Feb. 2004 | |
| | | | | |
| Risk Management Strategy | | | | |
| RMWG to draft a Risk Management Strategy document to include: | Yes | RMWG | Oct. 2003 | |
| • Aims and Objectives | | | | |
| • Risk Management Framework | | | | |
| • Implementation Plan / timetable | | | | |
| Strategy document to be approved by CMT | | | Nov. 2003 | |
| Strategy document to Standards Committee | Yes | H.o.F | Feb. 2004 | |
| Risk Management Training / Presentations | | | | |
| Operational Risk Management Training to be provided by Zurich Municipal | | | | |
| Training session 1 for managers | Yes | Zurich | 10 Sep 2003 | |
| Training session 2 for managers | Yes | Zurich | 23 Sep 2003 | |
| | | | | |
| Risk Management Software | | | | |
| Procure software | Yes | | | |
| Implementation | Yes | Horwath | Oct 2003 | |
| | | | | |
| Strategic Risk Review | | | | |
| External facilitator to undertake strategic risk review workshop with senior management and members. | | Zurich | December 2003 | |
| Report on Strategic Risk Review | | Zurich | January 2004 | |
| Input of Strategic Risk data | | IA | Feb. 2004 | |
| | | | | |
| Risk Management Guidelines | | | | |
| Develop and document risk management guidelines to assist managers in applying the risk management process and methodology across the council's services | | RMWG | Nov. 2003 - Dec. 2004 | |
| | | | | |
| Operational Risk Reviews | | | | |
| Undertake operational risk reviews in conjunction with service managers | | RMWG | On-going 2004 | In accordance with detailed timetable for operational risk review (Draft timetable is attached) |
| Input of Operational Risk Data | | IA | On-going 2004 | As above |
| | | | | |
| Risk Reporting | | | | |
| First Risk Management Report to Standards Committee | | RMWG | February 2004 | |

 

Timetable for the Conduct of Operational Risk Reviews

Columns: Ref.; Service / Section; then one column per month: Feb 2004, March 2004, April 2004, May 2004, June 2004, July 2004, August 2004, Sept 2004, Oct 2004, Nov. 2004, Dec. 2004, Jan. 2005, Feb 2005.

| Ref. | Service / Section |
|---|---|
| 100 | Corporate Services |
| 101 | Corporate Management |
| 200 | Policy Services |
| 201 | Policy Unit |
| 300 | Personnel Services |
| 301 | Human Resources |
| 302 | Health and Safety |
| 303 | Office Services |
| 400 | Democratic and Legal Services |
| 401 | Democratic Representation & Man. |
| 402 | Land Charges |
| 403 | Legal Services |
| 404 | Elections & Registration of Electors |
| 500 | ICT Services |
| 501 | Computer Services |
| 502 | Telephony Services |
| 503 | Reprography Services |
| 600 | Finance Service |
| 601 | Accountancy |
| 602 | Payroll |
| 603 | Creditors |
| 604 | Insurance |
| 605 | Benefits Administration |
| 606 | Revenues - Council Tax |
| 607 | Revenues - NNDR |
| 608 | Sundry Debtors |
| 609 | Concessionary Travel |
| 700 | Property Services |
| 701 | Property Management |
| 702 | Procurement |
| 800 | Engineering Services |
| 801 | Engineering and Works |
| 802 | Car Parks and Bus Station |
| 900 | Economic Development Services |
| 901 | Economic Development |
| 902 | Publicity and Tourism |
| 903 | Markets |
| 1000 | Planning Policy Services |
| 1001 | Planning Policy |
| 1002 | Conservation |
| 1100 | Development Control Services |
| 1101 | Devt. Control and Enforcement |
| 1200 | Building Control Services |
| 1201 | Building Control |
| 1300 | Housing & Community Regeneration |
| 1301 | Housing Strategy and Enabling |
| 1302 | Community and Sustainable Devt. |
| 1400 | Leisure Services |
| 1401 | Swimming and Fitness Centre |
| 1402 | Sports Centres |
| 1403 | Outdoor Recreation |
| 1404 | Golf Course |
| 1405 | Sports Development and Promotion |
| 1500 | Museums Service |
| 1501 | Shrewsbury Museums |
| 1600 | Theatre Service |
| 1601 | Music Hall |
| 1602 | Arts and Events |
| 1700 | Public Amenities |
| 1701 | Horticultural Services |
| 1702 | Refuse Collection |
| 1703 | Street Cleansing |
| 1704 | Children's Playgrounds |
| 1705 | Public Conveniences |
| 1800 | Environmental Health Services |
| 1801 | Public Health |
| 1802 | Pest Control |
| 1803 | Licensing |
| 1900 | Bereavement Services |
| 1901 | Cemeteries |
| 1902 | Crematorium |

Annex A - Risk Management Working Group Terms of Reference

| Officer / Member | Position | Role |
|---|---|---|
| Paul Pennell | Head of Finance | Chair |
| Janet Hankey | Senior Auditor | Secretary |
| John Jones | Chief Internal Auditor | Risk Management Project |
| Chris Taylor | ICT Officer (Systems) | Directorate Rep. - Chief Executives |
| Geoff Trantham | Property Services Manager | Directorate Rep. - Development Services |
| Derek Caddy | Public Amenities Service Manager | Directorate Rep. - Community Services |
| Mike Owen | Councillor | Member Representative |

Purpose

The purpose of the RMWG is to develop a risk management framework, assist in the implementation of an integrated / embedded risk management process and promote sound risk management practices across the council's services.

Delegations

The Risk Management Working Group (RMWG) has delegations from the Corporate Management Team for:

1. Risk Management Policy

To develop and promote a corporate Risk Management Policy Statement, subject to Cabinet approval.

2. Risk Management Strategy

To develop and promote the corporate Risk Management Strategy, including the proposed risk management framework and implementation plan, subject to Cabinet approval.

3. Risk Management and CPA

To ensure that strategy proposals are consistent with the requirements for risk management to be embedded / integrated with existing planning / control arrangements at operational and strategic levels.

4. Risk Management Process

To establish a process and methodology for risk identification, estimation, evaluation, treatment and reporting, so that risk is managed in a structured and consistent way across the Council.

5. Roles and Responsibilities

To define the individual and collective responsibilities for risk management within the organisation.

6. Risk Management Guidelines

To develop Risk Management Guidelines to communicate the risk management process across the council.

7. Operational Risk Management

To undertake a one-off risk profiling exercise in conjunction with Service Managers to identify and report on the key operational risks facing the Council.

8. Liaison with Zurich Risk Management

To ensure that risk management consultancy days available to the Council are used effectively to assist in the implementation of risk management best practice.

9. Training

To arrange risk management training / presentations for managers.

10. Financial Regulations

To review and update references to risk management contained in the Council's financial regulations.

Reporting:

Outputs from the RMWG will be reported to CMT via the Head of Finance and to Service Managers via departmental representatives.

Frequency of Meetings:

Fortnightly from September 2003.

ANNEX B - Risk Management Implementation Checklist (Audit Commission)

 

|  | Question | Yes/No | Notes Assuming Acceptance of Report |
| --- | --- | --- | --- |
|  | MEMBERS |  |  |
| 1 | Is there sufficient member involvement in, and support for, risk management? | Yes | Councillor Mike Owen attends meetings of the Risk Management Working Group. Four members have attended one or both of the strategic risk workshops held in December 2003. |
| 2 | Has the structure by which members plan and monitor risk management been agreed? | Yes | Annual Report to Standards Committee. |
| 3 | Have members approved a risk management policy? | Yes | The Risk Management Policy Statement proposed by the RMWG and reviewed by the Chief Executive and Directors is now submitted to the Standards Committee. |
| 4 | Has a strategy been approved by members, summarising the key elements of implementation? | Yes | The Risk Management Strategy Document proposed by the RMWG and reviewed by the Chief Executive and Directors is now submitted to the Standards Committee. |
| 5 | Has the commitment of senior management been secured? | Yes | The Chief Executive and directors participated in the strategic risk review workshops in December 2003. |
| 6 | Have sufficient resources been deployed? | Yes | Sufficient financial and staff resources have been deployed to establish a risk management working group, procure RM software, and arrange RM training sessions and strategic workshops using ZMMS. |
| 7 | Have members agreed a list of the most significant risks? | Yes | Member representatives from each political group attended the strategic risk workshops at which 46 risk scenarios were identified and rated to determine the most significant risks facing the Council. These will be formally reported by ZMMS in December 2003. |
| 8 | Do members regularly receive reports on risk management? | Yes | Annual report will be submitted to Standards Committee. |
|  | Is risk embedded within regular reporting routines? | In Progress | Risk Implications to be included in committee papers. |
|  | Has responsibility been assigned for reporting risks? | Yes | Responsibilities are assigned at strategic and operational levels. |
| 9 | Are there ongoing monitoring procedures for risk and control? | In progress | The ways in which we will embed the monitoring of risk and control at strategic and operational level will be determined once we have completed the initial review process and established a risk register. |
| 10 | Have procedures been agreed for the annual assessment of effectiveness? | Yes | The RM strategy proposal is for IA to audit the authority's risk management arrangements and provide annual assurance on the management of risk. |
| 11 | Has an approval process been agreed for public disclosures on effectiveness? | Yes | This will be included in the annual report to the Standards Committee. |
| 12 | Have roles and responsibilities been clearly defined? | Yes | The R.M. roles and responsibilities of members and officers are contained in the proposed strategy document. |
|  | OFFICERS / IMPLEMENTATION |  |  |
| 13 | Have the officers who will serve as risk assessment champions been identified and briefed? | Yes | The members of the Risk Management Working Group are seen as the risk assessment champions who will lead the review of operational risks across the Authority. |
| 14 | Has the role of internal audit in the process been defined? | Yes | The role of internal audit is identified in the strategy document and IA is represented on the RMWG. |
| 15 | Is the proposed system reasonably simple? | Yes | The proposed system is documented in the risk management guidelines. |
| 16 | Does the process fit with your authority's circumstances and culture? | Yes | Risk management arrangements are as detailed in Financial Regulations. Risk management and Internal Audit are closely aligned. |
| 17 | Is the process "top down" rather than "bottom up"? | Yes | Insofar as we have started with the strategic risk reviews and will now proceed to undertake operational risk reviews across the Council's services. |
| 18 | Are officers focussing on performance improvement rather than on compliance? | Yes | Action plans will be completed to bring about performance / service improvements and enhanced controls. |
| 19 | Does the formalised risk management system build on existing processes rather than introducing new ones? | Yes |  |
|  | RISK IDENTIFICATION |  |  |
| 20 | Has proper emphasis been given to the identification of objectives? | Yes | The Council's objectives were considered during the strategic risk review. The identification of objectives will also be the starting point for the operational risk reviews. |
| 21 | Has a clear link been made between objectives and risks? | Yes | The recording of risks in the Magique risk management software requires a link between objectives and risks. |
| 22 | Has an attempt been made to consider risk in the broadest context giving consideration to factors such as: The services that the council provides? Partnerships? The business process risks? How people might behave in different situations? The quality of the management team? The changing external environment? The changing internal environment? Likely reactions of the public, the local community or relevant service users? | Yes | The strategic risk review considered risk in the broadest context and probably gave consideration to all of these factors in the identification and rating of 46 risk scenarios. |
|  | ASSESSING THE SIGNIFICANCE OF RISKS |  |  |
| 23 | Has an attempt been made to prioritise risks according to impact and likelihood? | Yes | At the second risk workshop in December the strategic risks were rated according to impact and likelihood in order to prioritise them and produce a 6X4 risk matrix. |
| 24 | During the risk identification process has an attempt been made to make the likelihood and impact scales comprehensible to users? | Yes | During the Zurich training and workshop sessions an attempt has been made to make the likelihood and impact scales comprehensible to users by giving examples / descriptions of L and I on a corporate risks scorecard. This will also be included in the RM guidelines for operational risk reviews. |
| 25 | Are lower-priority risks regularly reviewed? | Yes | All risks recorded in the register will be subject to review. |

 

RISK EXPOSURE / CONTROL STRATEGIES

   

26

Do officers know the risk profile and how to manage it?

Yes

The concepts of the risk profile and risk tolerance line have been covered in training and workshop sessions and in the Risk Management guidelines.

27

Has consideration been given to whether:

Control strategies are appropriate?

Early warning mechanisms are adequate?

Those responsible for managing the risk and maintaining and monitoring the controls have been identified?

The Council should accept / tolerate the level of exposure?

 

 

Yes

 

Yes

 

 

Risk responsibilities will be identified and recorded in Magique during the operational risk reviews.

A risk tolerance line for the Council was drawn on the risk matrix at the end of the strategic risk workshop.

28

Is there a written record of who is responsible for cor