Risk Management Framework Final Draft v0.2
Risk Management Policy 2018
Version: Final Draft 0.2
Date: March 2018
Document Control
Organisation: Copeland Borough Council
Title: Risk Management Framework
Version:
Author: Gillian Butterworth, Performance and Risk Management Officer
Filename:
Owner: Director of Commercialisation and Corporate Resources
Subject: Risk Management
Protective Marking: None
Review Date: March 2020
Revision History
Version Reviewed: Final Draft V0.2
Date Reviewed: March 2018
Reviewed By: GB and CLT
Description of Revision: Review of draft V0.2. Progressed to Final version V1
Document Approval
Version   Approved By                       Date
          Corporate Leadership Team         22.03.2018
          Audit and Governance Committee    19.04.2018
          Executive                         24.04.2018
          Full Council                      08.05.2018
Document Distribution
This policy is to be available to all staff and elected members of Copeland Borough Council by being placed on the Council’s Intranet Site.
Contributors
Institute of Risk Management (IRM) – Fundamentals of Risk Management
IRM - A Risk Practitioners Guide to ISO 31000: 2018
ISO31000 – Risk Management guidelines (2018)
CIPFA – Delivering Good Governance in Local Government Framework - 2016
Essex County Council Risk Management Strategy 2014-17
Northumberland City Council – Risk Ready Reckoner
Contents
Purpose and Benefits
Introduction
Risk Appetite Statement
Definitions
Roles and Responsibilities
Policy Details including procedures
  Approach to Risk Management
  Stage 1. Risk Identification
  Stage 2. Risk Assessment
  Stage 3. Risk Control
  Stage 4. Risk Monitoring
Monitoring of Policy Adherence
Appendices
  Appendix A: Risk Identification Examples
  Appendix B: Risk identification Techniques
  Appendix C: Risk Impact scale including examples
  Appendix D: Risk Management Form template
  Appendix C: Risk Register Action Plan template
1. Purpose and Benefits
2.1 Copeland Borough Council (the council) has a statutory responsibility to have in place arrangements for managing risks, as stated in the Accounts & Audit Regulations 2015:-
“A relevant body must ensure that it has a sound system of internal control which:
(a) facilitates the effective exercise of its functions and the achievement of its aims and objectives;
(b) ensures that the financial and operational management of the authority is effective;
(c) includes effective arrangements for the management of risk.”
1.4 The purpose of this policy is to set out the processes used by the council to ensure an effective and consistent approach to risk management.
2.3 The benefits to be gained from effective risk management include:
Improved strategic management - Greater ability to deliver against corporate objectives and priorities. Improved decision making. Enhanced corporate governance. Increased capacity to anticipate and respond to change proactively (technological, social, environmental, legislative changes)
Improved operational management - More effective management of resources. Improved service delivery and VFM. Prevention of loss or injury to staff and public.
Improved financial management - Better informed financial decision-making leading to greater financial control and a reduction in insurance and claims costs to the Council. Greater protection of assets and guard against impropriety or poor VFM.
Improved customer service - Minimal service disruption to customers and a positive external image as a result of all of the above. Reduction in complaints. Enhance the profile of the Council and increased customer/community confidence.
2. Introduction
2.1 Risk is defined as:-
‘The possibility that an event will occur that will have an impact on the achievement of objectives’ [1]. In its simplest sense, risk can be defined as ‘The effect of uncertainty on objectives’ [2].
2.2 This effect of uncertainty on objectives, or ‘the risk’, is measured by a combination of the probability of an event happening and the consequences of an event happening.
[1] COSO – Definition of risk.
[2] The International Risk Management Standard ISO: 31000
2.3 Risk is always present in all that we do and a certain amount of risk taking is inevitable to achieve strategic ambition and business objectives. Risks can be either negative or positive; this means that they can pose either a threat or an opportunity to the achievement of objectives.
2.4 Risk Management is not about taking no risks at all. It is about being able to take calculated and controlled risks to achieve objectives. To manage risk, the council uses a coordinated process to identify, assess, control and monitor risks with a view to increasing the probability of success and reducing the likelihood of failure.
2.5 The Risk Management Policy supports the Council’s vision and priorities which are set out in the Corporate Strategy for 2016-2020. The Council has a clear mission that is “To make Copeland a better place to live, work and visit”.
Risk appetite statement – Copeland Borough Council’s vision for 2020 is for the Council to be ‘a commercially focused organisation with a national reputation for high quality services’.
All key decisions will be informed by a robust assessment of the risks, and must be able to demonstrate that the level of risk accepted against an activity will only be undertaken where the benefits are proportionate to, or greater than, the level of risk involved. Risk assessments will use the Zurich Risk Assessment Matrix set out in the policy.
Through increasing the commercial activity of the Council, it is expected that there will be increased exposure to new risks. The Council recognises that there is risk in all that we do, and that while some risks pose a threat, others provide an opportunity. Acceptance of risks will be founded on an evidence-based, comprehensive assessment of the controls and resources available.
The Council’s priority is to ensure that it protects the public purse in accordance with audit and governance provisions, and to this end the Council’s risk appetite in relation to statutory services and functions is one of prudence.
Realisation of the Council’s mission and vision is founded on the achievement of four key ambitions. Here the Council’s appetite for risk is assessed based on the balance between cost and benefit; this is set out for each of the four ambitions below:
Town Centre Regeneration - The Council is open to opportunities relating to its influence on generating sustainable growth throughout the borough.
Commercialisation – The Council is open to developments and innovations that will (sustainably) increase the income, efficiency and quality of its commercial services.
Employment, Skills and Social wellbeing - The Council is open to opportunities to increase the employment, skills and social wellbeing of Copeland residents.
Strengthen the way we operate - The Council is open to opportunities to improve the way it operates to provide high quality statutory and discretionary services.
3. Definitions
3.1 The following definitions are used throughout this policy to define and identify key terms.
Risk: The effect of uncertainty on objectives.
Risk Management: The continuous process of identification, assessment and control of risks.
Zurich Risk Matrix: Matrix used by the Council to assess and score risks. Risks are assessed by putting a numerical value on the likelihood that the event will happen and the impact on the Council’s objectives, should that event happen. Risk Score = likelihood x impact
Risk Score:
  Current Risk - Score given to a risk taking into account any controls that are already in place.
  Target Risk – Target score for a risk, given that further controls identified in the risk action plan are put in place.
Risk Owner: Named persons responsible for overseeing the identification, management, monitoring, escalation and reporting of a risk.
Controls: Controls are actions put in place to reduce the risk.
Risk Action Plans: Action plans used to identify and monitor controls that need to be implemented in order to reduce risk.
Risk Registers: Risks grouped together on a register for monitoring and reporting purposes.
Risk Appetite: The amount and type of risk that the Council is willing to accept or pursue to achieve its strategic objectives.
Risk Tolerance: The amount of risk that the council can manage effectively or tolerate to achieve its objectives.
Risk Escalation: Process which allows a risk to be escalated to the next level of management.
Pentana: Performance management software used by the Council to record, monitor and report on its risk registers (formerly called Covalent).
4. Roles and Responsibilities
4.1 The Council is committed to embedding risk management into the culture of the organisation. In order to realise this commitment, all Council employees and elected members should: -
• Become familiar with the Risk Management Policy.
• Be aware of personal roles and responsibilities in managing risk.
• Be proactive in the identification, assessment and control of threats and opportunities.
• Use the agreed procedures and templates contained within this policy to identify, assess, control, monitor and escalate risks.
• Immediately report any incident, accident, ‘near misses’ or any other concerns that they may have with regards to risks to their manager.
4.2 Specific responsibilities and governance with regard to Risk Management are shown below.
Executive
• Oversee risk management of the Council in delivering its strategic objectives and core services.
• Approve the Risk Management Strategy and Policy
• Provide challenge around the risks involved in ‘key decisions’
Audit & Governance Committee
• Provide independent assurance to the Council on the overall adequacy of the risk management framework including review of proposed amendments to the Risk Management Framework prior to its presentation to Executive
• Review the Strategic Risk Register on a quarterly basis and make recommendations for change.
Corporate Leadership Team
• Champion an effective Council-wide risk management culture
• Ownership of the Strategic Risk Register
• Overview of red risks on other Risk Registers
• Oversee and manage escalated risks as next level of management.
• Ensure members receive relevant risk information
• Design and facilitate the implementation of a risk management framework within the Council
• Ensure relevant expertise is available to provide support and guidance as required
• Provide assurance that risks are being effectively assessed and managed
Leadership & Management Group
Responsible for the effective management of risk in their Service and projects within their service, in line with the processes set out in this policy. This includes:
• Identify, assess, mitigate and monitor service based risks.
• Identify risk owner, controls, action and timeframes for implementation.
• Attend training and awareness sessions as appropriate
• Maintain the relevant Service and project risk registers using Pentana by reviewing all risks monthly.
• Escalate risks appropriately
• Encourage staff to identify risks and opportunities
Performance and Risk Management Officer
• Collate risk information and prepare reports as necessary.
• Support Corporate Leadership Team to embed risk management through the arrangement or provision of training.
• Support Risk Owners to manage risks by providing support and training on Pentana.
Officers
• Manage day to day risks and opportunities effectively and report risk management concerns to the line managers.
• Attend training and awareness sessions as appropriate
Members
• Champion a Council-wide risk management culture.
• Provide scrutiny to the risks involved in the Council delivering its strategic objectives and core services.
5. Policy Details including procedures
5.1 Our approach to Risk Management
The Council’s approach to risk management is an ongoing coordinated process which identifies, assesses, controls and monitors risks, with the aim of increasing the probability of success and reducing the likelihood of failure. The process is cyclical and it is often necessary to revisit a previous stage to ensure that you have a complete picture of the risks that you are assessing.
There are four logical stages to the risk management process, these are outlined in the diagram and sub-sections below.
Risk Identification: The identification of risks that matter. What events could occur that would have an impact on the
Risk Assessment: Assess and score the risk. What is the likelihood of the event occurring and what impact could it have on the achievement of our objectives. Rank risks.
Risk Control: Determine how to treat the risk: Treat, Tolerate, Transfer, Terminate. Determine what controls need to be put in place to manage the risk. Define a target risk score.
Risk Monitoring: Log all risks on a Risk Register and monitor at regular intervals. Monitor the implementation and effectiveness of controls. Monitor changes to the risk. Horizon scanning to identify new risks emerging.
5.2 Stage 1 - Risk Identification
The first stage of the risk management process is to identify the risks. At first glance, this can seem like a daunting task; after all, risks are ever present and an inevitable part of business and innovation. However, risk management is about the proportionate use of resources to manage only the risks that matter, i.e. risks that may have an impact on the achievement of objectives.
The risk identification stage uses tools, techniques and standard templates to help the risk owner identify the risks that matter.
5.3 Understanding the risk context
An integral part of identifying risks is understanding the context. Depending on the area under review, the relevant objectives and outcomes will usually be detailed in existing documents, including the following:
• Corporate Strategy 2016-2020
• Service Plans
• Project Brief/Project Initiation Document
• Partnership Agreements
• Contractual Agreements
• Policies and procedures
5.4 Techniques used to identify risks
There are a number of techniques and tools that can be used to aid the identification of risks. To act as a prompt and to ensure completeness, a list of risk categories has been developed around the acronym PERFORMANCE:
Political - risks arising from the political environment e.g. government policy
Economic - risks arising from unique demographic / economic features
Regulatory - risks arising from legislation, legal challenges, and judicial reviews
Financial - risks associated with financial implications e.g. budgeting or affordability
Opportunities – arising from and risks to outcomes or objectives not being met
Reputation - risks that may damage the reputation of the council
Management - risks to the effective management of the organisation
Assets - risks relating to property, information, intellectual and ICT assets
New - risks arising from and risks to objectives not being met for new ventures
Customers - risks associated with customers OR risks to customer service
Environment - risks arising from environmental issues
Other examples of risks from each category are detailed in Appendix A.
Further examples of risk identification techniques are listed in Appendix B.
5.5 Describing the Risk
The way a risk is described is important to ensure that risks are clear, unambiguous and fully understood. Risk owners are required to write a risk statement which fully describes the risk.
5.6 The risk statement should tell a story and must consist of a cause, the risk and a consequence.
The Cause: Sources and facts to describe the existing condition. ‘As a result of...’, ‘Due to...’, ‘Because of...’. [Language] is, do, has, has not... [present condition]
The Risk: A description of the uncertain event or uncertain future. ‘...may occur’, ‘Risk of...’. [Language] may, might, possibly
The Consequence: Impacts - negative and positive. ‘Resulting in...’, ‘Which would lead to...’. Effect on the objectives. [Language] would, will...
E.g. ‘Due to the policy being 4 years old, it may not be compliant with the latest legislation, which would lead to the incurring of penalties due to non-compliance’.
5.7 Classifying the type of risk
When a risk has been identified, the Council uses two classifications to determine the type of risk:
• Strategic Risks - Risks that could have a long term impact on the achievement of strategic ambitions. If the risk event happens, will the consequence affect the council’s strategic ambitions?
• Operational Risks – Risks that could have an effect on the successful achievement of the objectives of an individual Service, including service-led projects and operational partnerships. If the risk event happens, will it affect the council’s operational delivery and functions?
5.8 Stage 2 - Risk Assessment
Having identified the risks that matter in stage one, the second stage of the risk management process is concerned with the assessment of the risk. This is done by giving the risk a score and a priority.
5.9 Risk Score. The council uses the Zurich Risk Assessment Matrix to score risks. Risks are scored by putting a numerical value on both, the likelihood that an event will happen and the impact on the Council’s objectives, should that event happen.
5.10 The likelihood of the risk occurring is measured using a scale of 1 – 6, where a value of 1 means that the likelihood of the risk occurring is almost impossible and a value of 6 means the likelihood is very high. As defined in the table below;
Likelihood scale:
Value 1 - Almost Impossible
  Description: Will probably never happen
  Probability: Less than 1% (1 in 100)
  Frequency: Not expected to occur for years
Value 2 - Very Low
  Description: Do not expect it to happen but it may
  Probability: Between 2% & 5% (1 in 20)
  Frequency: Expected to occur less than annually
Value 3 - Low
  Description: Might happen rarely
  Probability: Between 6% & 10% (1 in 10)
  Frequency: Expected to occur more than annually
Value 4 - Significant
  Description: Might happen occasionally
  Probability: Between 11% & 30% (1 in 3)
  Frequency: Expected to occur at least monthly
Value 5 - High
  Description: Might happen frequently
  Probability: Between 31% & 50% (1 in 2)
  Frequency: Expected to occur at least weekly
Value 6 - Very High
  Description: Will almost certainly happen
  Probability: More than 50% (>1 in 2)
  Frequency: Expected to occur at least daily
Depending on the risk, description, probability or frequency can be used to guide scoring.
5.11 The impact of a risk, should it occur, is measured using a risk impact scale of 1– 4, where a value of 1 means the impact would be negligible and where a value of 4 means the impact would be catastrophic to the achievement of objectives.
Impact scale:
Value 1 - Negligible: Minimal impact on ability to deliver objectives / services
Value 2 - Marginal: Moderate impact on ability to deliver objectives / services
Value 3 - Critical: Significant impact on ability to deliver objectives / services
Value 4 - Catastrophic: Will not be able to deliver objectives / services
A table containing detailed examples of risk impact scores is listed in Appendix C
5.12 To calculate the risk score, the numerical value given to likelihood is multiplied by the numerical value given to impact of the risk.
Risk Score = likelihood x impact
E.g. If a risk has a low likelihood of occurring (Value = 3) but a Critical impact (Value = 3), the Risk Score would be 3 x 3 = 9
5.13 This is known as the Current Risk Score as it is an assessment of the risk as it is presently, taking into account any controls that are already in place to manage it.
5.14 Risk Prioritisation
Once the current risk score has been calculated, the priority of the risk can be determined. The higher the score, the higher the risk priority and the more it will need to be managed to mitigate adverse events.
The Zurich Risk Assessment Matrix used by the council uses a ‘traffic light’ system to determine whether a risk is Low, Medium or High priority.
Risk matrix (likelihood in rows, impact in columns):
Likelihood              Negligible (1)   Marginal (2)   Critical (3)   Catastrophic (4)
6 Very High                   6               12             18              24
5 High                        5               10             15              20
4 Significant                 4                8             12              16
3 Low                         3                6              9              12
2 Very Low                    2                4              6               8
1 Almost Impossible           1                2              3               4
RED (12 to 24): Risk Score is Very High - Take Immediate Action to Mitigate Risk and monitor/review monthly.
AMBER (5 to 12): Risk Score is Significant – Act to mitigate risk and monitor/review quarterly.
GREEN (1 to 6): Risk Score is Low – No Action Necessary but continue to monitor risk quarterly.
5.15 Risk Control
Stage three of the risk management process is concerned firstly with deciding whether the risk is worth taking, based on information gathered in stages one and two, and secondly with taking appropriate targeted actions to control the risk through the use of risk action plans.
5.16 Risk Treatment
Based on the risk context, relevance to objectives, risk score and risk priority, the Council uses the ‘4Ts’ to determine how the risk should be treated.
Tolerate (Accept the risk): This risk is deemed acceptable in order to achieve an objective. This measure is only appropriate for low level risks (Green).
Treated (Do something to reduce the risk): We do something to reduce the risk. By far the greater number of risks will be addressed in this way. The risk is deemed too high at present; however, we will continue with the risk and ensure that it is managed to an acceptable level by putting controls in place to reduce the likelihood or the impact.
Transferred (Share the risk): The risk is deemed too high; however, the risk to the Council can be reduced by sharing the burden of the risk. For example, insuring against the risk, outsourcing the activity, or working in partnership with other organisations to share/transfer the risk.
Terminated (Remove the risk): Risk would be of such a severity that the only option is to terminate the activity that is generating the risk.
5.17 It may be necessary to use a combination of treatments to manage a particular risk. The reason behind the risk treatment must be recorded on the Risk Management form. (5.21)
5.19 Risk Action Plans
Controls are actions that are put in place in order to manage a risk by either maintaining the risk at a current tolerable level or reducing the risk to a tolerable level. For each risk, it is necessary to list all current controls that are in place and any further controls that are required to manage the risk (required actions).
Required actions are recorded and monitored using a risk action plan. Each required action must be assigned a named responsible officer and the date by which the action will be implemented. It is the responsibility of the risk owner to oversee the risk action plan. Progress of risk action plans will be monitored and reviewed regularly alongside risk registers.
5.20 Target Risk Score
At this stage in the risk management process it may be necessary to assess and score the risk for a second time, this is to establish a Target Risk Score.
The Target Risk Score shows the direction of where we want and expect the risk to be if all required controls are successfully put in place.
5.21 Documenting the risk
The Council uses a standard ‘Risk Management Form’ as a template to record all risks. The form is designed to work in tandem with this policy and to allow employees to develop the correct approach to managing risks. Details taken from the risk monitoring form will be used by the Risk Management Officer to record all risks on the council’s risk registers held on Pentana. (5.26 – 5.29)
Risk Management Form – Appendix D
5.22 Risk Monitoring
The fourth stage of the Risk Management process is the review and monitoring of the risks.
5.23 Reviewing Risks
Risks are reviewed regularly by looking at:
• How the risk has changed over time
• Change in either the likelihood or impact values
• The implementation of the agreed risk control action plan
• The effectiveness of the action in controlling the risk
Risk management is an ongoing process, and it may often be necessary to revisit earlier stages and carry them out again to ensure that you have an up-to-date and relevant picture of the risk.
5.24 Escalation of risks
Upon reviewing a risk, it may be necessary to escalate the risk to a higher level in the organisation. Risk may need to be escalated if:
• The risk becomes too unwieldy to manage at the current level
• The risk remains very high even after controls are implemented
• The risk will impact on more than one service/project/function if the risk event materialises
• Instinct tells the owner it is out of their control
5.25 Risks that require escalation onto the Strategic Risk Register are identified through monthly and quarterly risk monitoring and reporting. It is the responsibility of the risk owner to alert the Corporate Leadership Team of any risks that may need to be escalated. The Corporate Leadership Team will decide whether the risk is escalated and managed through the Strategic Risk Register.
5.26 Risk Registers
Risks are monitored through risk registers. Risk registers group together risks for the purpose of monitoring and reporting.
The table below gives details about the risk registers used by the council and how these are monitored and reported.
Strategic Risk Register
What is on the register?
• The Strategic Risk Register (SRR) is a central register of all the risks that may prevent the Council meeting its long term strategic objectives.
• It is owned and managed by the Corporate Leadership Team (CLT).
• Strategic Risks are identified by the Corporate Leadership Team or through the escalation of risks from the Operational Risk Register, or via Horizon Scanning as part of the monthly review of the SRR.
How will it be monitored and reported?
• The Strategic Risk Register is uploaded to Pentana (Performance and risk management software).
• The Risk Management Officer is responsible for ensuring all details are entered onto Pentana.
• The SRR and action plan are monitored and reviewed monthly by Corporate Leadership Team.
• All SRR risks are reported quarterly to Audit and Governance Committee and the Executive.
Operational Risk Register
What is on the register?
• The Operational Risk Register (ORR) is a central register of Service level risks produced as part of the annual service plan.
• Operational risks are owned, managed and updated by the Service Manager.
• Operational risks can be identified as part of the annual Service plan or team meetings, process improvements or staff appraisals.
How will it be monitored and reported?
• The Operational Risk Register is uploaded to Pentana.
• The Risk Management Officer is responsible for ensuring all details are entered onto Pentana and for setting monthly reminders to prompt Service Managers to review and update their Operational Risks.
• Operational risks are monitored by the Service Managers and the Corporate Leadership Team through monthly reports, departmental team meetings and 1-2-1 meetings.
• All high priority (red) risks are reported and reviewed at departmental team meetings monthly.
• All high priority (red) risks are monitored and reported to Audit and Governance Committee and the Executive quarterly.
5.27 Project Risk Register
Project risks are identified, assessed and controlled following the risk management process outlined in this policy. Monitoring and reporting of project risks will follow the Project Management Framework; whereby, each project will have its own risk register and the Project Manager will be responsible for managing or escalating the project risks, and all high priority (red) risks will be reported to and monitored monthly by the Corporate Project Group.
5.28 Partnership Risks
Partnership risk registers are usually devised as part of the partnership agreement and are managed by the partnership board/group and not solely by the Council. Copies of the risk registers are held by the Director of Customer and Community, who is responsible for identifying and managing any risks to the Council. Any high priority (red) risks must be reported to Corporate Leadership Team for consideration and addition to the appropriate risk register.
5.29 Risk Register vs Issues log
The main difference between a risk and an issue is that a risk is concerned with the ‘effect of uncertainty’: it is something that may or may not affect the achievement of objectives, whereas an issue is something that has already happened that must be addressed or corrected. When progressing through the Risk Management Process, it may be helpful to keep a separate issues log, so that issues which require a management response are not confused with risks.
5.30 Pentana – Performance and Risk Management system
The Council uses Pentana Performance Management Software to monitor and record risk registers and risk action plans.
Strategic and Operational Risk Registers will be entered onto Pentana by the Risk Management Officer.
The Risk Management Officer is responsible for ensuring the Strategic Risk Register is updated on Pentana.
Service Managers are responsible for ensuring the Operational Risk Register is updated monthly on Pentana. Pentana will generate an email reminder to each risk owner to prompt the monthly review.
6. Monitoring of Policy Adherence
6.1 Compliance with this policy will be monitored via an annual audit undertaken by the Business Support Manager. The results will be reported to the Leadership and Management Group and the Corporate Leadership Team.
6.2 The Internal Audit Service also has a planned programme of performance management audits that will measure compliance with this policy and will report results to the Corporate Leadership Team and the Audit & Governance Committee.
Appendix A: Risk Identification Examples
Political
• Change in Government policy - Member support / approval
• Political personalities - New political arrangements
Economic
• Demographics
• Economic downturn - prosperity of local businesses / local communities
Regulatory
• Legislation and internal policies/regulations
• Grant funding conditions
• Legal challenges, legal powers, judicial reviews or public interest reports
Financial
• Budgetary pressures
• Loss of/reduction in income/funding, increase in energy costs
• Cost of living, interest rates, inflation etc.
• Financial management arrangements
• Investment decisions, Sustainable economic growth
• System / procedure weaknesses that could lead to fraud
Opportunities
• Add value or improve customer experience/satisfaction
• Reduce waste and inefficiency
• Raising educational attainment and improving the lives of children, young people and families
• Maximising independence for older people with disabilities
• Developing sustainable places and communities
• Protecting the community and making Copeland a safer place to live
Reputation
• Negative publicity (local and national), increase in complaints
Management
• Loss of key staff, recruitment and retention issues
• Training issues
• Lack of/or inadequate management support
• Poor communication/consultation
• Capacity issues - availability, sickness absence etc.
• Emergency preparedness / Business continuity
Assets (Including technology)
• Property - land, buildings and equipment
• Information – security, retention, timeliness, accuracy, intellectual property rights
• ICT – integrity, security, availability, e-government
• Environmental - landscape, countryside, historic environment, open space
New Partnerships/Projects/Contracts
• New initiatives, new ways of working, new policies and procedures
• New relationships – accountability issues / unclear roles and responsibilities
• Monitoring arrangements
• Managing change
Customers/Citizens
• Changing needs and expectations of customers - poor communication/consultation
• Poor quality / reduced service delivery - impact on vulnerable groups
• Crime and disorder, health inequalities, safeguarding issues
Environment
• Recycling, green issues, energy efficiency, land use and green belt issues, noise, contamination, pollution, increased waste or emissions
• Impact of planning or transportation policies
• Climate change – hotter drier summers, milder wetter winters and more extreme events – heat waves, flooding, storms etc.
Risk Management Framework Draft v0.3
Appendix B: Risk Identification techniques
(Source – IRM Risk Management Standard)
• Brainstorming
• Questionnaires
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)
• Test marketing / Market Surveys
• Business impact analysis
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• PESTLE (Political Economic Social Technical Legal Environmental)
Appendix C – Risk Impact scale – with examples

Likelihood / Impact      Negligible (1)   Marginal (2)   Critical (3)   Catastrophic (4)
6 Very High                    6               12             18               24
5 High                         5               10             15               20
4 Significant                  4                8             12               16
3 Low                          3                6              9               12
2 Very Low                     2                4              6                8
1 Almost Impossible            1                2              3                4

Examples of impact:

Service disruption
• Negligible (1): Minor errors in systems/operations or processes. Service unavailable for < 8 hours
• Marginal (2): Significant short-term minimal disruption of activities. Service Unavailable for up to 1 day
• Critical (3): Significant disruption of core activities. Service Unavailable for up to 3 days
• Catastrophic (4): Cessation of core activities, Strategies. Service Unavailable for 3 days or more

Statutory duties
• Negligible (1): Statutory duties are being complied with but there is scope for improvement and without an improvement plan in place, there is a risk that statutory duties may be affected.
• Marginal (2): There are isolated unrelated incidents of a failure to deliver a statutory duty with such failure being rectified immediately but the improvement plan already in place is failing to deliver improvements.
• Critical (3): There have been a number of incidents within a single service delivering a statutory duty with delays occurring in rectifying the failures but as yet the impact has not affected the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such.
• Catastrophic (4): There have been a number of incidents in one or more services delivering a statutory duty which is impacting on the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such.

Finance
• Negligible (1): Budget base exceeded by less than 10%
• Marginal (2): Budget base exceeded by 10-50%
• Critical (3): Budget Base exceeded by 50-100%
• Catastrophic (4): Budget base exceeded by over 100%

Projects
• Negligible (1): Negligible delays. < 5% of project spend exceeded. Minor deviations from project specification; does not affect final benefits
• Marginal (2): Minor delays with some uncertainties. < 10% of project spend exceeded. Notable change to project specification
• Critical (3): Significant Delays in project implementation. > 10% of project spend exceeded requiring a review and reframe of the costings. Potential for reduced quality or redesign of Product/Service.
• Catastrophic (4): Project Benefits will not be realised in current project plan. Additional or Punitive costs that require major financial re-planning or project no longer sustainable. Product/Service not fit for purpose
ICT Failure
• Negligible (1): Minor disruption in services delivery or function due to ICT systems failure (own or other department - ICT system interdependence). Service unavailable for < 8 hours
• Marginal (2): Significant short-term minimal disruption of services delivery or function due to ICT systems failure (own or other department - ICT system interdependence). Service Unavailable for up to 1 day
• Critical (3): Significant disruption to services delivery or function due to ICT systems failure in own or other interdependent system. Service Unavailable for up to 3 days
• Catastrophic (4): Cessation of core activities, Strategies due to ICT systems failure in own or other interdependent system. Service Unavailable for 3 days or more

Staffing/HR
• Negligible (1): Short-term low staffing level that temporarily reduces service quality. No impact on staff morale
• Marginal (2): Increase in staff turnover. Potential impact on service quality and team performance & morale
• Critical (3): Significant staff turnover (proportional to team size) including key personnel. Impact on service quality and team performance & morale
• Catastrophic (4): Inability to fill key posts. Strike action, key staff turnover. Severe impact on service quality and team performance & morale

Health & Safety
• Negligible (1): Risk of injuries or stress with no workdays lost or minimal medical treatment
• Marginal (2): Risk of injuries or stress level requiring some medical treatment, potentially some workdays lost.
• Critical (3): Risk of serious injuries or stressful experience requiring medical treatment, many workdays lost.
• Catastrophic (4): Risk of life threatening or multiple serious injuries or prolonged workplace stress

Reputational
• Negligible (1): Short term adverse local public opinion.
• Marginal (2): Adverse local publicity / local public opinion
• Critical (3): Persistent adverse local media coverage / local public opinion
• Catastrophic (4): Persistent adverse national media coverage / serious lack of confidence in the Council to provide the required service

Environmental
• Negligible (1): Customer and Public awareness of environmental safety required in delivering service. No public health concern
• Marginal (2): Limited but repairable environmental damage. No Public Health Concern
• Critical (3): Moderate / Medium Term Environmental Damage. Public Health Concern requiring engagement
• Catastrophic (4): Severe / Irreparable environmental damage. Serious Public Health Concerns

Contracts
• Negligible (1): Failure by a contractor to meet a single minor term of a contract
• Marginal (2): A failure by a contractor or the Council to meet a number of minor terms of a contract which do not impact on delivery
• Critical (3): A failure by a contractor (including liquidation/bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to any service but which does not directly impact on the delivery of the Council's statutory duties
• Catastrophic (4): A failure by a contractor (including liquidation/bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to a service which has a direct impact on the delivery of one or more of the Council's statutory duties
Appendix D: Risk Management Form
Risk: Risk Statement – Description of cause, risk and consequence
Type of Risk: e.g. strategic, operational,
Risk Scope: Description of risk, which areas it covers
Risk Owner:
Risk Score: XX   LIKELIHOOD: XX (Value X)   IMPACT: XX (Value X)
Target Risk Score: XX   LIKELIHOOD XX (XX)   IMPACT XX (XX)
Risk Treatment: Tolerate / Treat / Transfer / Terminate
Reason for treatment:

• Causes (Causes or existing conditions): A full list of events which may cause the risk to occur
• Risks (Uncertain Events)
• Consequences: Consequences that the Council will suffer if the risk is unmanaged
• Risk owner: All risks must have a risk owner. Strategic risk must have an Executive, CLT, and LMG Owner assigned. Operational Risks must have a CLT and LMG Owner assigned.
• Date Last Reviewed: Date when the risk was last reviewed
• Action/Controls already in place: A list of activities that are already in place to reduce the impact or likelihood of the risk.
• Required risk management action/control: A list of activities that needs to be undertaken in order to reduce the likelihood and/or the impact of the risk to tolerable levels.