Contents
What is risk and risk management?
Risk management is part of the Performance Management Framework
Risk management is integral to corporate governance
Risk management is necessary for achieving our strategic objectives
Risk Management is part of our Behaviour Framework
Step 1 – Risk Identification & Assessment
Author: Luke Hamblin
Last reviewed: December 2024
Risk management comprises the co-ordinated activities designed and operated to manage risk and exercise internal control within the council.
A risk is the potential of an uncertain situation or event to impact on the achievement of the council’s intended outcomes. Risk is usually expressed in terms of causes, potential events, and their consequences:
· A cause is an element which alone or in combination with other causes has the potential to give rise to risk
· An event is an occurrence or change of a set of circumstances and can be something that is expected which does not happen or something that is not expected which does happen. Events can have multiple causes and consequences and can affect multiple objectives
· The consequences, should the risk materialise, are the outcome(s) of an event affecting objectives. They can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives. Consequences can be expressed qualitatively or quantitatively
The Risk Management Framework supports the consistent and robust identification and management of risks within desired levels across the council, supporting openness, challenge, innovation and excellence in the achievement of council objectives.
Risk management is an essential part of our governance arrangements, as set out in the Code of Corporate Governance, and one of the eight elements that make up the council’s Performance Management Framework.
Best Value Authorities are under a general Duty of Best Value to “make arrangements to secure continuous improvement in the way in which its functions are exercised, having regard to a combination of economy, efficiency and effectiveness.”
The eight elements of the Performance Management Framework allow us to understand the performance of the council, which gives us a better understanding of the context in which we are operating. The elements are inter-related; most services contribute to every element in the framework.
The Performance Management Framework sets out to ensure:
· strong leadership at all levels which is consistent and fair and challenges blame culture
· commitment to the accountability that has been assigned to individuals
· the right information reaching the right people at the right time so that decisions are made and actions are taken
· ongoing evaluation, review and learning to help improve future performance
· the ability to identify and commitment to rectify poor performance at an early stage
There is a statutory requirement for the council to conduct a review of its system of internal control and prepare and publish an Annual Governance Statement (AGS) at least once every financial year. The purpose of the AGS is to demonstrate that there is a sound system of governance and show compliance with the Local Code of Governance. The AGS sets actions to strengthen governance and reviews progress of actions in the previous year.
This diagram shows how risks should be considered to inform our planning and audits to ensure we meet our strategic objectives with good governance.
Our behaviour framework provides us with a common language for how we go about our daily work alongside our PDP objectives that describe what we do; helping us to manage and improve our performance to build a better, more effective organisation with better outcomes for our customers and stakeholders. The following sections are particularly relevant to risk management:
Efficiency
· I scrutinise evidence, data and risks before I make a decision or a recommendation.
· I speak to the right person if there are any problems I can’t solve myself.
· I am willing to take considered risks to deliver better results.
Leadership & management
· I take advantage of social, cultural, environmental and technological change to establish the most effective and efficient delivery of our service.
· I look ahead to anticipate change and take time to plan for the future.
· I take accountability to ensure sound governance of our organisation.
· I consider potential risks and opportunities before I make any decisions.
Our risk management process is structured to include:
Risk identification and assessment helps us to determine and prioritise how risks should be managed.
You should consider emerging risks and incidents, accurately describe the risk, including the causes and potential consequences and use the Three Lines of Defence to describe Existing Controls.
Use the Risk Matrix to score the Likelihood and Impact of a risk on the achievement of your objective, taking into account existing controls.
Selecting and implementing the appropriate treatment (Treat, Tolerate, Terminate or Transfer) supports the achievement of intended outcomes and ensures risks are managed to an acceptable level.
Where appropriate, risk treatments will further prevent the risk from occurring and/or mitigate the impact of the risk if it does occur.
Assess the risk again, on the assumption that all planned treatments are completed, to provide a Target Risk Score. This should reflect the organisation’s risk appetite for that risk area.
The effective monitoring of risks ensures that timely and insightful action can be taken.
Implement effective monitoring of the causes, progress of actions and effectiveness of controls to understand current risk exposure level and potential impact on the achievement of objectives.
Risk reporting enhances the quality of decision-making and supports management, and oversight bodies, in meeting their responsibilities.
Regularly review the risk descriptions, scores, controls, and actions in light of any new information or changes in circumstance.
When identifying and assessing the risk, it needs to be prioritised and managed at the right level within the organisation. This could be at a strategic (corporate), directorate, service/team or programme/project level.
The level of a risk will depend on the scope, scale of potential impact and the type of response required. Risks can be escalated or de-escalated between levels through reviews.
| Level & Risk Owner | What makes this type of risk? | Oversight |
| --- | --- | --- |
| Strategic Risk (SR): a member of the Corporate Leadership Team (CLT) | Impacts on the achievement of Council Plan outcomes; affects multiple directorates/organisations; requires cross-directorate response | Cabinet; Audit, Standards & General Purpose Committee; External & Internal Audit; Corporate Leadership Team |
| Directorate Risk (DR): a member of a Directorate Management Team (DMT) | Impacts on the achievement of the Directorate Plan; affects multiple services/departments; requires directorate-level response | Directorate Management Team |
| Service/Team Risks: Head of Service or Team Leader | Limited to individual team/service; impacts on achievement of the service’s plan and objectives; response can be managed within service | Heads of Service |
| Programme/Project Risks: a member of the Programme/Project Board | Impacts on achievement of the Programme/Project’s objectives; response can be managed within Programme/Project | Programme/Project Board |
Our framework uses the ‘three lines of defence model’ to assess the effectiveness of how we manage organisational risks. Audit, Standards & General Purpose Committee have oversight of the risk management framework.
Strategic risks are owned by a Corporate Leadership Team (CLT) lead. CLT leads are responsible for discussing strategic risks with the Cabinet portfolio lead with a view to mitigating these as appropriate. Strategic risks are reviewed regularly by CLT.
Directorate and strategic risks are reviewed regularly by Directorate Management Teams (DMTs); risk registers are live documents. Newly identified risks, suggested amendments to strategic risks and the Directorate Risk Registers (DRR) are reported to CLT as part of their risk review.
All officers are expected to escalate risks to the relevant DMT lead.
Risk management training is available to all officers.
Risk Appetite is the amount of risk the council is willing to be exposed to, in order to achieve its objectives.
Each strategic risk has a risk appetite statement that defines the level of risk the council is prepared to accept for that particular scenario at any given point in time and in the context of our strategic objectives, current priorities, and our power to directly influence any given situation.
The risk appetite statements inform how we approach decisions within each risk area and ensure the council remains within its preferred level of risk exposure.
Risk appetite enables the council to be more considered when making decisions with potential impacts on objectives, by creating improved awareness of the tolerance for risk exposure.
Risk Owners, in consultation with Risk Action Leads, must consider all contextual information when determining the council’s level of risk appetite for each scenario and reflect this when setting the target score for each risk.
Strategic risks are presented to Cabinet at least annually. Cabinet, and the relevant Cabinet Lead, take account of the risk appetite when considering whether the target score is appropriate and provide support and challenge to the risk owner. For example, where Cabinet believes that the risk appetite should be lower than what the risk owner has proposed, they will recommend further mitigating actions to reduce the risk exposure by reducing the likelihood or impact.
Similarly, where Cabinet, or the relevant Cabinet Lead, believe that the risk appetite should be higher than what the risk owner has proposed they can recommend removing some of the mitigating actions.
The below table provides a general description of each appetite level.
| Appetite Level | General description (for guidance only) |
| --- | --- |
| Averse | We are unwilling to take risks in this area; will always select the lowest risk option; avoidance of risk is key to organisation objective; close to zero tolerance for uncertainty |
| Minimal | We will take the lowest possible risks in this area; preference for ultra-safe, low risk actions; only when essential, with strong governance in place and limited possibility or impact of failure |
| Cautious | We will consider taking risks within this area; limited risk taking; willing to consider acting where benefits outweigh the risks; prefer to avoid |
| Open | Willing to take risks in the right conditions; expect a level of uncertainty; will take risks but manage impact |
| Eager | Will take reasonable risks; accept uncertainty; will choose action with highest return, and innovation, accepting some possibility of failure |
| Role | Responsibilities |
| --- | --- |
| Audit, Standards & General Purpose Committee | Oversight of the risk management framework and recommend improvements to strengthen risk management |
| Cabinet Portfolio Leads | Oversight of relevant risks |
| Corporate Leadership Team (CLT) | Accountable for the Strategic Risk Register; review the strategic risk register, ensuring it contains appropriate risks and they are managed effectively; agree recommendations in changes to strategic risks; promote culture of risk management; each CLT member is responsible for their Directorate Risk Register |
| Directorate Management Team (DMT) | Management of the directorate risk register, ensuring it contains appropriate risks and they are managed effectively; escalation/de-escalation of risks between service, directorate and strategic levels |
| Risk Owner | Accountable for the management of assigned risks, ensuring descriptions, assessments and risk scores are accurate, and suitable controls and actions are in place to mitigate the risk; provide updates on the risk, including any emerging information which may impact the risk |
| Risk Action Lead | Responsible for delivering the action assigned; provide progress updates; support the risk owner to describe and mitigate the risk |
| Programme Manager responsible for risk | Maintain the Strategic Risk Register through regular reviews with DMTs and CLT; support DMTs to review their Directorate Risk Registers; implement and review the risk management framework |
Identifying risks is the first stage of the risk management process. Risks can be identified by anyone, but they need to be carefully described so that the organisation is fully aware of the causes and potential consequences to ensure the right controls and actions can be put in place and the risk mitigated.
The risk description (or risk title) is a short summary that clearly explains the risk event. The risk title often begins with terms such as:
· Loss of …
· Uncertainty of …
· Ineffective Partnership with …
· Slow Development of …
· Unable to take up Opportunity to …
· Threat of …
· Failure to …
· Lack of…
Causes are the reasons why the risk event could occur, and potential consequences are the potential outcomes if the risk event does occur. It is important to consider equality and sustainability implications, as well as legal and reputational ones.
Describing risks is best done in groups of stakeholders who are responsible for delivering or impacted by the objectives that the risk may impact. It is important to identify risks when:
· Setting strategic aims
· Setting business objectives
· Writing directorate or service plans
· Project planning
· Appraising options
· Making changes to business set up or service provision
· Reviewing audits
· Learning from incidents
The risk categories below can be useful to help prompt areas where risks could be identified.
| Risk category | Category description |
| --- | --- |
| Strategy risks | Risks from poorly defined strategy, flawed data, or failure to support commitments due to changing macro-environment. |
| Governance risks | Risks from unclear plans, priorities, authorities, and ineffective oversight of decision-making and performance. |
| Operations risks | Risks from inadequate internal processes causing fraud, error, impaired service, non-compliance, and poor value for money. |
| Legal risks | Risks from defective transactions, claims, or legal events causing liability or failure to meet legal requirements. |
| Property risks | Risks from property deficiencies or ineffective safety management causing non-compliance and harm to individuals. |
| Financial risks | Risks from poor financial management causing poor returns, asset/liability mismanagement, and non-compliant reporting. |
| Commercial risks | Risks from weak management of partnerships, supply chains, and contracts causing poor performance and fraud. |
| People risks | Risks from ineffective leadership, suboptimal culture, and non-compliance with employment legislation impacting performance. |
| Technology risks | Risks from technology not delivering expected services due to deficient system development and performance. |
| Information risks | Risks from failure to produce and exploit suitable data/information effectively. |
| Information Security risks | Risks from failure to prevent unauthorised access to key systems and assets, including cyber security. |
| Project/Programme risks | Risks from misaligned projects that do not deliver requirements and benefits to time, cost, and quality. |
| Reputational risks | Risks from adverse events causing damage to reputation and trust. |
Controls are measures that are embedded to either prevent the risk event from occurring or reduce the impact of the risk if it does occur.
The Three Lines of Defence model has been practised for a number of years, particularly within financial services, central government and the NHS, and our Corporate Risk Assurance Framework (CRAF) uses the ‘three lines of defence model’ to assess the effectiveness of how we manage organisational risks.
The Three Lines of Defence model outlines three levels of assurance. Using the Three Lines of Defence for Existing Controls for each risk provides an ‘assurance map’ so that we can clearly see the sources of assurance and existing processes specific to that risk.
The use of the Three Lines of Defence model demonstrates:
· your plan to ensure that proper controls are in place
· that checks are in place for all areas of control
· that you are making best use of the assurance process, i.e. all areas are checked by someone and duplication is avoided.
Risks are prioritised by assigning scores of 1-5 to the likelihood (L) of the risk occurring and to the potential impact (I) if it should occur. These L and I scores are multiplied; the higher the result of L x I, the greater the risk. For example, L4 x I4 denotes a Likelihood score of 4 (Likely) multiplied by an Impact score of 4 (Major), which gives a total risk score of 16.
A colour coded system, similar to the traffic light system, is used to distinguish risks that require intervention. Red risks are the highest (15-25), amber risks are significant (8-14), yellow risks are moderate (4-7), and then green risks are lowest (1-3).
The purpose of scoring is to prioritise risks to ensure resources are allocated to the most significant risks. Heat maps are a helpful way to see how risk scoring compares.
The Strategic Risk Register mostly includes high (red) and significant (amber) risks. Directorate Risk Registers are likely to include high, significant, moderate (yellow) and low (green) risks.
The current risk score considers existing controls that are already embedded.
Scoring should be a realistic assessment without optimism bias. The risk scoring guidance below can support you to assess the risk score by providing examples of what the impact may be in relation to specific impact areas. If the risk has the potential to impact multiple areas, this should be taken into consideration when determining the overall impact score for the risk, as the overall impact to the organisation may be higher as a result. For example, if the risk has a moderate impact in 3 separate areas, you may wish to score the overall impact as major.
It should be noted that the below tables, and definitions, are to provide guidance and support when considering how to score risks. They are not intended to provide specific instruction when scoring the level of impact, and as such should be amended appropriately based on the risk being scored.
| Risk Score | Likelihood Descriptor | Guidance |
| --- | --- | --- |
| 1 | Almost Impossible | Difficult to see how this could occur. Has happened very rarely before or never. Is a highly unlikely climate scenario, even at the extremes of climate projections |
| 2 | Unlikely | Do not expect occurrence but it is possible. Less than 10% chance of occurrence. May have happened in the past; unlikely to happen in the next three years |
| 3 | Possible | May occur occasionally. Only likely to happen once in 3 or more years. Has happened in the past; reasonable possibility it will happen as part of climate change scenarios |
| 4 | Likely | Will occur persistently but is not an everyday occurrence. Likely to happen at some point within the next 1-2 years. Circumstances occasionally encountered within likely climate change scenarios |
| 5 | Almost Certain | High probability of situation occurring. Regular occurrence; circumstances frequently encountered, daily/weekly/monthly |
The below tables provide guidance on how to score the impact of the risk within specific areas.
| Impact Area | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
| --- | --- | --- | --- | --- | --- |
| Health & Safety | Minor injury, basic first aid required, 1 person affected, no days absence, no delay | Non-permanent harm, short-term injury, resulting in absence of up to 3 days; 1-2 persons affected | Causing semi-permanent disability, injury, disease, or harm which could interrupt attendance at work for 3-28 days and/or affects 3-50 people | Causing death, permanent disability, serious injury or harm, e.g. loss of function or body part(s), serious disability, single death of any person; 51-200 people affected; long-term absence from work (28-84 days), extended medical attention required, e.g. up to a month in hospital | Multiple deaths involving any persons, greater than 200 people affected, more than 84 days absence, more than 30 days extended hospital stay |
| City & community | Insignificant disruption to community services, including transport services and infrastructure | Minor localised disruption to community services or infrastructure lasting less than 24 hours | Damage that is confined to a specific location, or to a number of locations, but requires additional resources; localised disruption to infrastructure and community services | Significant damage that impacts on, and possible breakdown of, some local community services; requires support for local responders with external resources | Extensive damage to properties and built environment in affected areas; general and widespread displacement of more than 500 people for a prolonged duration; community unable to function without significant support |
| Service Delivery | No or marginal service disruption; no noticeable drop in service performance | Service disruption or partial closure for 1 or 2 days; drop in service performance | Service disruption or total closure for 1-3 days; poor service performance; slight impact on Council Plan outcomes | Service disruption or total closure for 3-7 days; repeated poor service performance; impact to delivery of Council Plan outcomes | Service disruption or total closure for 7+ days; ongoing failure to provide an adequate service; failure to deliver on Council Plan outcomes |
| Economic | None/minimal financial burden (less than £100, can be resolved at local service/department level), minor interruption to income generation, no permanent loss | Minimal financial burden or disruption to income generation (less than £1,000 but greater than £100); can be resolved at line manager/service manager level through usual budgetary measures | Moderate financial burden (less than £10,000 but greater than £1,000); interruption to income generation lasting less than 14 days, majority of income recoverable but at additional cost | Major financial burden (less than £100,000 but greater than £10,000); can include significant extra clean-up and recovery costs | Catastrophic financial burden (greater than £100,000); extensive clean-up and recovery costs |
| Environment | Insignificant impact on environment | Minor impact on environment with no lasting effects | Limited impact on environment with short-term or long-term effects | Significant impact on environment with medium to long-term effects | Serious long-term impact on environment and/or permanent change |
| Reputation | Organisation(s) reputation remains intact | Minimal impact on organisation(s) reputation | Moderate impact on organisation(s) reputation | Major impact on organisation(s) reputation; national adverse publicity | Catastrophic impact on organisation(s) reputation; international adverse publicity |
| Personal Privacy Infringement | No personal details compromised/revealed | Isolated individual personal detail compromised/revealed | All personal details compromised/revealed | Many individual personal details compromised/revealed | Personal data revealed which leads to a serious incident, a lack of credibility in the organisation’s ability to manage data, and a fine |

| Project Delivery | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
| --- | --- | --- | --- | --- | --- |
| Project Status | Project on schedule to deliver the planned works on time and to budget | Project on schedule to deliver the planned works on time and to budget | The project has encountered some issues which could affect the delivery of the planned works within agreed time, costs, and resources | The project has encountered some issues which could affect the delivery of the planned works within agreed time, costs, and resources | Delivery of the planned works within agreed time, costs and resources is presently threatened |
| Timescales | No delays anticipated | The project is delayed by 1 week or under | The project is delayed by 1-2 weeks | The project is delayed by 2 weeks or over | The project is delayed for an indefinite period |
| Resources | The project is fully resourced | The project is fully resourced | A lack of human resources which could impact overall delivery and require Programme Board attention | Lack of human resource is impacting successful delivery and needs to be addressed immediately | Lack of human resource is impacting successful delivery and needs to be addressed immediately |
| Issues | All issues under control and no outstanding issues requiring Programme Board attention | All issues under control and no outstanding issues requiring Programme Board attention | Outstanding issues which could impact overall delivery and require Programme Board attention | Outstanding issues which could impact overall delivery and require Programme Board attention | Outstanding issues which will impact the overall delivery and require URGENT Programme Board attention |
| Risks | All risks under control and no outstanding issues requiring Programme Board attention | All risks under control and no outstanding issues requiring Programme Board attention | Risks that have a medium probability of occurring and will have a medium impact on the programme, and require Programme Board attention if there is no change or the risk is increasing | Risks that have high or medium probability and impact if they occur and require the Programme Board’s attention | Risks that have high or medium probability and impact if they occur and require the Programme Board’s attention |
| Budget | Predicted costs are on track and within the cash limit budget | Predicted costs are on track and within the cash limit budget | Predicted costs are under 10% of budget | Predicted costs are up to 10% over budget | Predicted costs are higher than 10% over budget |
Determine the risk appetite level for the risk, taking into consideration the current risk exposure based on the identification and analysis, and what effect the potential impacts may have on the council’s ability to achieve its objectives. The risk appetite statement will support you in determining the Risk Treatment.
Based on the Current Risk Score, the Risk Matrix provides a colour rating to help you choose one or more of the Risk Treatments (the four T’s); record the reason for your choice.
· Treat - take further action to reduce the likelihood or impact.
· Tolerate - decide the risk level is tolerable and that no extra resources will be applied due to a cost-benefit analysis or elements being outside of our control.
· Terminate - stop undertaking the activity which leads to the risk.
· Transfer - pass to another party or organisation to deal with mitigations to reduce the council's liability and exposure, for example, through insurance. We would still own the risk. Often this is not possible due to costs or legal duty.
| Risk Rating | Risk Score | Recommended action |
| --- | --- | --- |
| High | 15-25 | Immediate action and escalation required. Mitigating actions must be taken. |
| Significant | 8-14 | Review and ensure effective controls. Mitigating actions should be taken. |
| Moderate | 4-7 | Monitor in case the risk levels increase. |
| Low | 1-3 | Monitor periodically. |
If you have decided that the risk should be treated, then mitigating actions should be taken to reduce the likelihood and/or impact of the risk. When developing mitigating actions, Risk Owners are strongly encouraged to work with all key stakeholders, including external partners, to ensure the right actions are identified and that stakeholders buy in to the delivery of these actions. The actions should be SMART (Specific, Measurable, Achievable, Realistic and Timebound) and agreed by the Risk Action Lead, who is named as responsible for delivering the action. Mitigating actions should have a start and end date, and progress should be regularly tracked.
It is important to ensure that mitigating risk actions map to directorate or service plan actions, so that they are planned and resourced adequately to be completed within the timeframe indicated.
The target risk score is scored in the same way as the current risk score, but is based on the assumption that the mitigating risk actions are completed at the stated time and reflects the council’s risk appetite for that scenario. It shows the level of risk the council is willing to operate at. The score needs to be realistic and take into account the uncertainty of the situation and the resources available to deliver actions, so the target risk score can sometimes remain a high ‘red’ score regardless of mitigation.
Risks need to be regularly monitored to support understanding of whether the level of risk exposure is changing and to what extent the existing controls, or mitigating actions, are impacting the risk.
A monitoring structure should be agreed that identifies key indicators to show progress or effect of controls and actions at suitable intervals.
Consideration should be given to whether the costs, efforts or disadvantages of the controls and actions being taken are balanced against the potential benefit of achieving the objective.
Risk Registers are a tool to help manage risk. The Strategic Risk Register is recorded on the Camms Risk system and the Directorate, Service, Programme and Project Risk Registers use the Excel/Word Risk Register template.
The risk register should contain:
· Risk code, e.g. SR1 ‘Strategic Risk 1’ or EEC DR1 ‘Environment, Economy & Culture Directorate Risk 1’
· Risk title – clearly and succinctly describing the risk
· Risk Owner
· Causes
· Potential Consequences
· Existing Controls – ‘Three lines of defence’
· Current Risk Score – Likelihood, Impact and Total
· Mitigating Actions (if risk is treated, or rationale for risk to be terminated, tolerated or transferred)
· Target date to complete actions
· Risk Action Lead
· Target Risk Score – Likelihood, Impact and Total
· Last reviewed date
· Risk Status – Open or Closed
It is important to regularly review risks, especially if there is new information or changing circumstances that may relate to certain risks.
Strategic risks are reviewed regularly by the Corporate Leadership Team (CLT). Directorate and strategic risks are reviewed regularly by Directorate Management Teams (DMTs), but it is important to note that risk registers are live documents. Newly identified risks, suggested amendments to strategic risks and the Directorate Risk Registers are reported to CLT as part of their risk review. All officers are expected to escalate risks to the relevant DMT lead. Risk management training is available to all officers and resources can be found on the intranet.
Standing agenda for DMT Risk Review
· Strategic Risk Register – review and recommend amendments to CLT
· Upcoming dates in the Risk Reporting Timetable
· Reminders of the risk management approach
· Directorate Risk Register – review risks and mitigating actions
Standing agenda for CLT Risk Review
· Strategic Risk Register – review and agree recommendations from Risk Owners & DMTs
· Strategic Risk Register – emerging risks and requests from members
· Upcoming dates in the Risk Reporting Timetable
· Focus area of the risk management approach
· Directorate Risk Registers – to note
The diagram below shows the risk review cycle. Risk reviews occur quarterly at DMTs and CLT as a minimum, but it is also recommended for risk owners and services to take deep dives into risks where risk scores are not reducing or where circumstances impacting the risk significantly change.
The Risk Reporting Timetable sets out the quarterly reporting dates. Risk reviews are the best time to ensure risks are considered, although risks should be escalated at any time there is a change to the level of risk exposure. The timetable informs Risk Action Leads and Risk Owners of the dates by which they should update on the progress of their risk actions and review the description of the risk, as well as the dates of Risk Reviews.
Cabinet and the Audit, Standards & General Purpose Committee have oversight of the risk management process. The Risk Management Framework is reviewed annually.
The Annual Governance Statement (AGS) is published each year alongside the council’s accounts and is largely based on our risk management approach, strategic risks and internal audit.
With all reports, it is important to ensure they are written with the audience and purpose of the report in mind.