Appendix 2: A guide on the risk management process and how Members might want to ask questions of Risk Owners in relation to Strategic Risks
1.0 Across the council there are a number of risk registers which prioritise risks consistently by assigning scores of 1-5 to the likelihood (denoted by ‘L’) of the risk occurring and to the potential impact (denoted by ‘I’) if it should occur. These L and I scores are multiplied; the higher the result of L x I, the greater the risk. For example, L4xI4 denotes a Likelihood score of 4 (Likely) x an Impact score of 4 (Major).
2.0 A colour coded system, similar to a traffic light system, is used to distinguish risks that require intervention. Red risks are the highest, followed by Amber, then Yellow, and then Green.
3.0 The Strategic Risk Register (SRR) mostly includes Red and Amber risks. Each strategic risk has a unique identifying number prefixed by ‘SR’, indicating that it is a strategic risk.
4.0 Each risk is scored twice with an Initial (‘Now’) level of risk and a Revised (Future) risk score:
a) The Initial Risk Score reflects the Existing Controls under the ‘Three Lines of Defence’ methodology. This is good practice and helps to establish the First Line – Management Controls; the Second Line – Corporate Oversight; and the Third Line – Independent Assurance, together with the currency and value of each control in managing the risk. The Initial Risk Score therefore represents the ‘as is’/‘now’ position for the risk, taking account of existing controls.
b) The Revised Risk Score focuses on the application of time and expenditure to reduce the likelihood or impact of each risk in future. It is based on the assumption that any future Risk Actions, as detailed in risk registers, will have been delivered to timescale and will have the desired impact.
c) Where the initial and revised scores are the same, Risk Owners are asked to consider the 4Ts of Risk Treatments (Treat/Tolerate/Terminate/Transfer) and either change the scoring or remove all future risk actions/move them to existing controls. This is on the understanding that a risk action should reduce the likelihood and/or the impact; if neither is true, there is no reason to undertake the action.
Suggested questions for Members to ask Risk Owners and officers on Strategic Risks
The Audit & Standards Committee has a role to monitor and form an opinion on the effectiveness of risk management and internal control. As part of discharging this role the Committee focuses on at least two Strategic Risks at each of their meetings.
The Committee invites the Risk Owners of Strategic Risks to attend Committee and answer its questions based on a CAMMS Risk report appended to each report. In the CAMMS Risk report, the Risk Owner:
1. Describes the risks, the cause and potential consequences, the officers involved and provides an Initial Risk Score which takes account of the existing controls in place to mitigate the risk.
2. Existing Controls are set out using the Three Lines of Defence model:
· 1st line: management controls
· 2nd line: corporate oversight
· 3rd line: independent assurance
in order that Members can identify where the assurance comes from and how frequently it is reviewed, and, in the case of the 3rd line, whether audits or inspections have taken place, when they happened and what the results were. Risk Owners ensure that existing controls continue to operate effectively.
3. (Future) Risk Actions are then detailed and allocated to individuals, with the percentage achieved against target dates and commentary on the current position. This provides the Revised Risk Score, which is based on the assumption that all the risk actions have been successfully delivered.
The Risk Owners of Strategic Risks will always be an Executive Leadership Team (ELT) officer, and they may bring other officers who are more closely connected to the mitigating work.
Three questions are suggested to be explored by the A&S Committee:
1. Is the Risk Description appropriately defined? Does the Committee understand the cause and potential consequences?
2. Is the Committee reassured that each (future) Risk Action either reduces the impact or likelihood of the risk? Are members reassured that risk actions are actually being delivered?
3. In respect of the Revised Risk Score, does the Committee feel comfortable with the Risk Owner’s assessment? This represents the risk level that the organisation is prepared to accept.
How Members and officers can input on Strategic Risks (SRs)
The risk management process benefits from input by Council Members and by staff at all levels. The opportunities to do this are:
· Members to ELT leads
· Officers to Line Manager or Risk Manager
· Officers to their lead Directorate Management Team (DMT)
· DMT to ELT
Each SR is discussed between the regular meetings with Committee Chairs.
The Behaviour Framework expects all officers to escalate risks and/or suggest mitigations to their line managers. If officers feel they do not have appropriate access to their line managers, they may escalate the risk to the Risk Management Lead, who can offer internal consultancy support.
Risks may be discussed as part of staff meetings, PDPs/121s and team and service meetings. Any significant risks are to be escalated to the relevant Head of Service/Assistant Director to raise through the management chain and discuss at the quarterly DMT risk reviews facilitated by the Risk Management Lead. DMTs may request that the Risk Management Lead offers risk management support, e.g. to assist officers in developing a robust risk register.
The quarterly SR review includes a summary of Directorate Risks reviewed at DMTs.
Members are responsible for raising risks that they identify with their contact officers, often the Head of Service, Assistant Director or Executive Director.
Any Member risk suggestion should be responded to by the officer once the ELT discussion has taken place.
The ELT lead within a directorate will discuss escalated risks with the DMT at least fortnightly and will seek assistance as required. They have access to ELT and determine the way forward in consultation with the Risk Management Lead.
The ELT lead (i.e. an Executive Director/Lead Officer) within a directorate will discuss escalated risks with the ELT and determine the way forward, i.e. whether to add the risk to the Strategic Risk Register, in consultation with the Risk Management Lead.