The purpose of this report is to give an insight into the work carried out by the Corporate Risk Manager and the Corporate Risk Management Group during the period October - December 2007, and to recommend that Cabinet agree the roles and responsibilities for risk management detailed in Appendix 3 of this report.
As well as good management practice, this report also positively responds to the Key Lines of Enquiry in the Use of Resources element of the Comprehensive Performance Assessment. Risks are assessed and managed at both a service and corporate level. Throughout this report all risks are reported as Net Risk, which is based on an assessment of the impact and likelihood of the risk occurring with existing controls in place.
This report will also be presented to the newly constituted Audit Committee, in addition to CMT and Cabinet.
· Failure to effectively implement an equality proofed pay structure under Single Status and Job Evaluation. Management continue on an ongoing basis to actively address these risks.
· Failure to deliver the Building Schools for the Future programme within time and budget, with minimal disruption to service delivery. Risks are managed by the project team, and key risks are highlighted monthly to the project board.
· Failure to effectively implement the proposed Waste Management Contract. Risks are managed by the project team, and key risks are highlighted to the joint Member/Officer Waste Management Contract project board.
3. Changes to major risks in this quarter
There have been no significant changes to the major risks during the quarter.
4. Emerging risks
In the quarter October to December 2007, the major item which emerged as a potential risk is the security of data transmitted to external parties or geographical locations. This follows the recently publicised problems experienced by central government on this issue. The Corporate Risk Management Group will continue to monitor developments in this area.
5. In the next Quarter
Effective risk management will play a key part in the successful reorganisation of local government in the County, and the Corporate Risk Manager will liaise with the LGR programme manager as appropriate.
Work on further developing the Magique risk management software, which is already well underway, will be progressed. The aim is to devolve access to the data and software to the Services, and the Environment Service risk manager will pilot this redeveloped software, on behalf of the Corporate Risk Management Group.
6. Risk Management Roles and Responsibilities
As part of our annual review of risk management arrangements, the Corporate Risk Management Group have considered the roles and responsibilities for risk management. The proposed roles and responsibilities are documented in Appendix 3 of this report.
7. Recommendation
It is recommended that Cabinet agree the roles and responsibilities for risk management detailed in Appendix 3.
To date within the Council, a large amount of work has already been carried out in shaping and developing our approach to risk management. In summary, Cabinet and the Corporate Management Team have designated the Deputy Leader of the Council and the County Treasurer as Member and Executive Risk Champions respectively. Together they jointly take responsibility for embedding risk management throughout the Council, and are supported by Keith Thompson (Assistant County Treasurer), the lead officer responsible for risk management, as well as the Corporate Risk Manager. Each Service also has a designated member of staff (the Service Risk Manager) to lead on risk management at a Service level, and act as a first point of contact for staff who require any advice or guidance on risk management.
Collectively, the Service Risk Managers and the Corporate Risk Manager meet together as a Corporate Risk Management Group. This group monitors the progress of risk management across the Council, advises on corporate and strategic risk issues, identifies and monitors corporate cross-cutting risks, and agrees arrangements for reporting and awareness training.
An Audit Committee is in place, and one of its key roles is to monitor the effective development and operation of risk management and overall corporate governance in the Authority.
It is the responsibility of the Chief Officers to develop and maintain the internal control framework and to ensure that their Service resources are properly applied in the manner and to the activities intended. Therefore, in this context, Heads of Service are responsible for identifying and managing the key risks which may impact their respective Service, and providing assurance that adequate controls are in place, and working effectively, to manage these risks where appropriate. In addition, independent assurance of the risk management process, and of the risks and controls of specific areas, is provided by Internal Audit. Reviews by external bodies, such as the Audit Commission, Ofsted and CSCI, may also provide some independent assurance of the controls in place.
Risks are assessed in a logical and straightforward process, which involves the Risk Owner (within the Service) assessing both the impact on finance, service delivery or stakeholders if the risk materialises, and also the likelihood that the risk will occur over a given period. The assessment is confirmed by the Service Management Team, and Chief Officers agree their Service Risk Register with the Cabinet Member responsible for their Portfolio Service.
All employees and Members in the Council have an implied role to play in managing risk, and ensuring that risk management is successfully embedded into all aspects of the Council’s aims and activities. This includes being aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them, and their accountability for managing specific risks. It also involves reporting systematically and promptly to line management any perceived new risks or failures of existing control measures. However, there are specific roles and responsibilities assigned for managing risk across the Council, and these are outlined below.
TITLE | ACTION | |
Cabinet | Take appropriate action to ensure that corporate business risks are being actively managed, including reporting to full Council as appropriate | |
| Endorse and approve risk management policy and risk management strategy. | |
| Determine the overall level of risk that the Council is prepared to live with corporately, i.e. the Risk Appetite | |
| Consider the relevant risks when making key decisions | |
| Ensure that assurance is obtained from Corporate Management Team that a framework for effective management of risks is in place, is adequate and is being adhered to | |
Corporate Management Team | Recommend the changes proposed by CRMG to the risk management policy and risk management strategy for approval by Cabinet | |
| At least annually, review the status of corporate strategic risks | |
| Ensure that a risk-based approach to service planning and delivery is in place. | |
| Allocate a risk owner to each of the Corporate Strategic Risks | |
| Recommend to Cabinet the overall level of risk that the Council is prepared to live with corporately, i.e. the Risk Appetite | |
Audit Committee | Receive quarterly risk management report and take appropriate action to ensure that corporate business risks are being actively managed | |
| Ensure that independent assurance is provided over the Authority’s governance arrangements, the adequacy of the risk management framework and the associated control environment. | |
| Provide independent scrutiny of the Authority’s financial and non-financial performance to the extent that it affects the Authority’s exposure to risk and weakens the control environment, and oversee the financial reporting process | |
| Monitor the effective development and operation of risk management and overall corporate governance in the Authority | |
Member Risk Champion | Act as risk management sponsor among elected representatives. | |
| Together with the Executive Risk Champion, jointly champion risk management throughout the Council. | |
Executive Risk Champion | Act as risk management sponsor among Council officers. | |
| Together with the Member Risk Champion, jointly champion risk management throughout the Council. | |
Member with Portfolio responsibility for a Service | Agree the risk register for their Service after it has been formally reviewed in line with business planning schedule | |
Chief Officers | For all services for which the Chief Officer is responsible, ensure satisfactory arrangements are in place for the identification, assessment and management of risks associated with service planning and delivery, major projects and partnerships. | |
| Prime responsibility for ensuring that adequate controls are in place, and working effectively, to manage these risks where appropriate. | |
| Ensure risks associated with Key Decisions are identified and highlighted in the Cabinet reports for which they are responsible. | |
| Ensure risks associated with significant non-executive decisions are identified and highlighted in the relevant reports to Members for which they are responsible. | |
| Where appropriate, make relevant Members aware of risk issues impacting any services for which the Chief Officer is responsible | |
Heads of Service | Lead the identification and assessment of risks in their area of responsibility at the Service Planning stage i.e. when the draft priorities for improvement are being developed | |
| Obtain appropriate assurance that adequate controls are in place, and working effectively, to manage these risks where appropriate. | |
| Implement and maintain risk management processes within their area of responsibility, linked to the service business planning processes and any projects, partnerships or joint ventures associated with delivery of services. | |
Service Management Teams | Determine the level of Gross and Net risk that is acceptable to the Service. | |
| Review revised risk assessments after each service risk register review and confirm which risks are to be included in the register. | |
| Monitor progress on implementing mitigating actions and controls within target dates. | |
| Ensure risks are identified at the Service Planning stage i.e. when the draft priorities for improvement are being developed. | |
Lead Officer | Ensure the implementation of the corporate policy and strategy for the management of risk. | |
| Support the Corporate Risk Manager in taking responsibility for embedding risk management throughout the Council. | |
Corporate Risk Manager | Recommend and lead the implementation of the policy and strategy for the management of risk | |
| Advise and support Service Risk Managers and business unit managers on risk assessment, control measures and improvements | |
| Overall co-ordination of the Strategic and Service Risk Registers to provide a consolidated view of the key risks to CMT and Cabinet | |
| Ensure arrangements/processes are in place to produce risk management information | |
| Present risk management reports to diverse audiences with varying responsibilities | |
| Co-ordinate the identification and analysis of emerging risks | |
| Work closely with Elected Members, senior management, Service Risk Managers and Audit Managers on highlighting and communicating risk management issues | |
| Participate and assist in the facilitation of risk management training at a Corporate and Service level | |
| Manage the implementation of the Risk Management Implementation Programme | |
| Promote a risk aware culture, and risk management skills development, within the Council, including appropriate education and training | |
| Provide core administration and maintenance of the Magique system | |
| Provide risk management consultancy on general matters e.g. projects, partnerships etc. | |
Corporate Risk Management Group | Oversee the implementation of business risk management across the Council. | |
| Act as forum for exchange of best practice between Service Risk Managers | |
| Ensure risk management reports are provided to CMT, Cabinet and Audit Committee during the year. | |
| Provide appropriate and timely guidance and direction to Services on Risk Management | |
| Identify and monitor common or cross-functional business risks from Service risk registers. | |
| Advise the Corporate Management Team and Cabinet on strategic risk issues | |
| Agree emerging business risks. | |
| Ensure that service specific and corporate risk management training needs for staff and Members are addressed | |
| Annually review the business risk management process, including a review of key documents. | |
| Annually review the Corporate Risk Management Policy and Strategy and where necessary propose changes to CMT and Cabinet for their approval and adoption | |
| Own the process for producing the annual Statement of Internal Control (SIC), and monitor the implementation of actions in the SIC. | |
| Agree content and monitor progress of implementing the actions contained in the Risk Management Implementation Plan | |
Service Risk Manager | Monitor the implementation of mitigating actions / control improvements against risks in their service risk register, and report appropriately to Service Management Team. | |
| Act as a first point of contact for staff who require any advice or guidance on risk management. | |
| Champion/lead risk management in an appropriate manner in their Service. | |
| Represent the Service at CRMG. | |
Risk owners | Ensure that risks for which they are allocated ownership are adequately assessed | |
| Ensure that risks for which they are allocated ownership are effectively managed | |
| Determine whether to treat, transfer or tolerate a risk, or terminate the activity causing the risk. | |
| Where treating the risk, identify cost effective actions to mitigate the risk to an acceptable level. | |
| Allocate the mitigating actions / control improvements to named individuals for implementation | |
| Agree target implementation dates with named individuals | |
| Monitor that existing controls and mitigating actions / control improvements are being implemented within target date | |
| Report progress on mitigating actions / control improvements to the Service Risk Manager. | |
Internal Audit | Provide assurance that appropriate risk management arrangements are in place, that systems and processes are adequate and are being adhered to. | |
| Provide assurance that adequate controls are in place to mitigate key risks in the Services, projects and partnerships and are being adhered to. | |
Regulatory Committees and Pension Fund Committee | Consider the relevant risk when making non-executive decisions | |