APPENDIX 2: A guide to the risk management process

including the questions Members might want to ask Risk Owners about Strategic Risks

 

1.         Across the council there are a number of risk registers which prioritise risks consistently by assigning scores of 1-5 to the likelihood (denoted by ‘L’) of the risk occurring and to the potential impact (denoted by ‘I’) if it should occur. The L and I scores are multiplied; the higher the result of L x I, the greater the risk.

e.g. L4xI4 denotes a Likelihood score of 4 (Likely) x an Impact score of 4 (Major), which gives a total risk score of 16.

 

2.         A colour-coded system, similar to a traffic light system, is used to distinguish the risks that require intervention. Red risks are the highest, followed by Amber, then Yellow, then Green.

 

3.         The Strategic Risk Register (SRR) mostly includes Red and Amber risks. Each strategic risk has a unique identifying number, prefixed with ‘SR’ to mark it as a strategic risk.

 

4.         Each risk is scored twice, with an Initial ‘Current’ risk score and a Revised ‘Target’ risk score:

 

a)    The Current Risk Score reflects the Existing Controls already in place, set out under the ‘Three Lines of Defence’ methodology. This is good practice because it identifies the First Line – Management Controls; Second Line – Corporate Oversight; and Third Line – Independent Assurance, together with the currency and value of each control in managing the risk. The Initial (Current) Risk Score therefore represents the ‘as is’ / ‘now’ position for the risk, taking account of existing controls.

 

b)    The Target Risk Score reflects the further time and expenditure to be applied to reduce the likelihood or impact of each risk. It assumes that all future Risk Actions, as detailed in the risk registers, will have been delivered to timescale and will have had the desired effect.

 

c)    Risk Owners are asked to consider the 4Ts of Risk Treatment – Treat, Tolerate, Terminate, Transfer. Each risk action should reduce the likelihood and/or the impact of the risk; if it does neither, there is no reason to undertake it.
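As an added worked example (not part of the council's guide, and not its CAMMS system), the following Python models paragraphs 1 to 4 above: the L x I scoring on a 1-5 scale, the Current score (existing controls only) beside the Target score (all actions delivered), and the 4Ts rule that an action reducing neither L nor I has no purpose. The guide names the colour bands but not their thresholds, so the cut-offs in `band()` are an assumption, and the `SR1` risk and its actions are constructed sample data.

```python
# Added example (not from the council's guide or its CAMMS system): a small
# risk-register checker implementing the L x I scoring, the Current/Target
# scores and the 4Ts rule described above.
from dataclasses import dataclass, field
from datetime import date

TREATMENTS = {"Treat", "Tolerate", "Terminate", "Transfer"}  # the 4Ts


@dataclass
class RiskAction:
    """A future risk action from the register."""
    description: str
    owner: str
    target_date: date
    progress_pct: int          # 0-100, progress achieved so far
    reduces_likelihood: bool   # does delivering it lower L?
    reduces_impact: bool       # does delivering it lower I?


@dataclass
class StrategicRisk:
    ref: str                   # 'SR' prefix marks a strategic risk
    description: str
    current_l: int             # Current score: existing controls only
    current_i: int
    target_l: int              # Target score: assumes all actions delivered
    target_i: int
    treatment: str             # one of the 4Ts
    actions: list = field(default_factory=list)


def score(l: int, i: int) -> int:
    """L x I risk score; both inputs must be on the 1-5 scale."""
    if not (1 <= l <= 5 and 1 <= i <= 5):
        raise ValueError("likelihood and impact must each be 1-5")
    return l * i


def band(s: int) -> str:
    """Colour band. ASSUMPTION: the guide names the colours but not the
    thresholds, so these cut-offs are illustrative only."""
    if s >= 15:
        return "Red"
    if s >= 10:
        return "Amber"
    if s >= 5:
        return "Yellow"
    return "Green"


def review(risk: StrategicRisk, today: date) -> dict:
    """Score a risk and list the points a reviewer would raise."""
    findings = []
    current = score(risk.current_l, risk.current_i)
    target = score(risk.target_l, risk.target_i)

    if risk.treatment not in TREATMENTS:
        findings.append(f"treatment '{risk.treatment}' is not one of the 4Ts")
    if target > current:
        findings.append("target score is higher than current score")
    if risk.treatment == "Treat" and not risk.actions:
        findings.append("'Treat' chosen but no risk actions recorded")

    for a in risk.actions:
        # 4Ts rule: an action that lowers neither L nor I has no purpose
        if not (a.reduces_likelihood or a.reduces_impact):
            findings.append(f"action '{a.description}' reduces neither L nor I")
        # The Target score assumes delivery to timescale, so an overdue,
        # incomplete action undermines it
        if a.progress_pct < 100 and a.target_date < today:
            findings.append(f"action '{a.description}' is overdue "
                            f"({a.progress_pct}% by {a.target_date})")

    return {
        "ref": risk.ref,
        "current": current, "current_band": band(current),
        "target": target, "target_band": band(target),
        "findings": findings,
    }


# Constructed sample risk: L4 x I4 = 16 now, L2 x I4 = 8 once actions land.
SAMPLE = StrategicRisk(
    ref="SR1", description="Constructed example strategic risk",
    current_l=4, current_i=4, target_l=2, target_i=4, treatment="Treat",
    actions=[
        RiskAction("Introduce corporate oversight review", "Head of Service",
                   date(2024, 3, 31), 100, True, False),
        RiskAction("Re-badge an existing report", "Officer A",
                   date(2024, 6, 30), 50, False, False),
        RiskAction("Commission independent audit", "Officer B",
                   date(2023, 12, 31), 20, False, True),
    ],
)


def demo(today: date = date(2024, 4, 1)) -> dict:
    return review(SAMPLE, today)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run against the sample, `review()` reports the Current score 16 and Target score 8 and raises two findings: the second action reduces neither L nor I (so under paragraph 4c it should not be undertaken), and the third action is past its target date at 20% progress, which calls the Target score's "delivered to timescale" assumption into question.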


Suggested questions for Members to ask Risk Owners and officers on Strategic Risks

 

The Audit & Standards Committee has a role to monitor, and form an opinion on, the effectiveness of risk management and internal control. As part of discharging this role, the Committee focuses on at least two Strategic Risks at each of its meetings.

 

The Committee invites the Risk Owners of Strategic Risks to attend Committee and answer its questions, based on a CAMMS Risk report appended to each Report. In the CAMMS Risk report, the Risk Owner:

1.    Describes the risk, its causes and potential consequences, and provides a Current Risk Score which takes account of the existing controls in place to mitigate the risk.

 

2.    Existing Controls are set out using the Three Lines of Defence model:

·         1st line: management controls

·         2nd line: corporate oversight

·         3rd line: independent assurance

 

This is provided so that Members can identify where the assurance comes from and how frequently it is reviewed and, in the case of the 3rd line, whether audits or inspections have taken place and, if so, when they happened and what the results were. Risk Owners ensure that existing controls continue to operate effectively.

 

The effectiveness of each existing control should be rated by how certain it is that the control will mitigate the risk: adequate, uncertain or inadequate.

 

3.    Future Risk Actions are then detailed and allocated to named individuals, with the percentage progress achieved against target dates and commentary on the current position. These underpin the Target Risk Score, which assumes that all the risk actions have been successfully delivered.

 

The Risk Owner of a Strategic Risk will always be an Executive Leadership Team (ELT) officer. They may bring with them to Committee other officers who are more closely connected to the mitigating work.

 

Three areas of enquiry are suggested for the A&S Committee to explore:

 

1.    Is the Risk Description appropriately defined? Does the Committee understand the cause and potential consequences?

 

2.    Is the Committee reassured that each future Risk Action reduces either the likelihood or the impact of the risk? Are Members reassured that risk actions are actually being delivered?

 

3.    In respect of the Initial ‘Current’ and Revised ‘Target’ Risk Scores, is the Committee comfortable with the Risk Owner’s assessment? The Target Risk Score represents the level of risk that the organisation is prepared to accept.

How Members and officers can input on Strategic Risks (SRs)

 

The risk management process benefits from input by Council Members and by staff at all levels. The opportunities to do this are:

 

Members to ELT leads:

·         Any Member can approach an ELT lead with risks that they foresee.

·         Any risk suggestion from a Member will be reviewed by ELT, and any actions taken will be reported back to the relevant Member(s).

·         Each SR is discussed between Members and ELT leads at the regular meetings with Committee Chairs and annually at the relevant policy committee.

 

Officers to Line Manager, Directorate Management Team (DMT) or corporate risk management lead:

·         The Behaviour Framework expects all officers to escalate risks and/or suggest mitigations to their line managers. If officers feel they do not have appropriate access to their line managers, they may escalate the risk to the corporate risk management lead.

·         Risks may be discussed at staff meetings, PDPs/121s, team and service meetings, or as part of projects or programmes. Any significant risk should be escalated to the relevant Head of Service/Assistant Director, who raises it through the management chain for discussion at the quarterly DMT risk reviews.

·         The ELT lead within a directorate will discuss escalated risks with the DMT at least fortnightly and will seek assistance as required. They have access to ELT and determine the way forward in consultation with the Risk Management Lead.

 

DMT to ELT:

·         The quarterly SR review at ELT includes a summary of the Directorate Risks reviewed at DMTs.

·         The ELT lead within a directorate will discuss escalated risks with ELT and determine the way forward, i.e. whether to amend the Strategic Risk Register.