corporate risk framework


Upload: michael-powney

Post on 28-Mar-2016


DESCRIPTION

This describes the main principles of risk management within the Council

TRANSCRIPT

Page 1: Corporate Risk Framework

City & County of Swansea

Corporate Risk Management Framework

Purpose

This framework describes the specific risk management activities that will be undertaken within the City & County of Swansea aiming to help managers at all levels apply the principles consistently across their area of responsibility.

Clear identification and assessment of risks will lead to more effective use of resources and direct improvements to the service, our customers, as well as improve corporate governance and performance.

The Council recognises that it has a responsibility to manage risks effectively in order to reduce uncertainty in achieving its goals and objectives and to benefit from opportunities. This framework applies to all Council staff and its principles should be applied when working internally or externally with partners and other stakeholders.

Definition of Risk

“Risk is an event, action, or lack of action that could adversely affect the Council’s ability to achieve objectives and to successfully execute its strategies. Risk arises as much from failing to capture opportunities whilst pursuing business objectives as it does from a threat that something bad will happen”

Approval

Title    Date

Reference No.: Version 0.4

Date: 22/10/2010

Author: Strategic Risk Group

Website http://staffnet/riskmanagement


Risk Management Framework

Contents

1 Foreword
2 Corporate Commitment to Risk
3 Aims of Risk Management
4 Benefits of Risk Management
5 Roles and Responsibilities
- Cabinet/Elected Members
- Chief Executive and CMT
- Performance & Finance Scrutiny and Overview Board
- Individual Directors
- Strategic Risk Group
- Directorate Risk Co-ordinator
- Internal Audit
- Business Performance Team
- Council Officers
- Partners
6 Risk Management Cycle
- Step 1 Risk Identification
- Step 2 Risk Evaluation
- Step 3 Risk Response
- Step 4 Risk Monitoring and Control
7 Glossary of Terms

Document Control

Version No.    Revision Date    Summary of Changes
N/A


1. Foreword

This framework aims to help managers at all levels apply risk management principles consistently across their area of responsibility. Clear identification and assessment of risks will lead to more effective use of resources and direct improvements to the service to our customers, as well as improve corporate governance and performance.

As a council we are increasingly involved in dealing with uncertainty and managing major change. At the same time we are under increasing pressure to deliver better services in new and innovative ways, sometimes through partnership working. All of this attracts risk which needs to be managed and controlled effectively if we are to achieve the desired outcomes.

Risk management is the process of identifying significant risks, evaluating the potential consequences and implementing the most effective way of responding to, controlling and monitoring them.

Risk management is about making informed decisions, achieving objectives and delivering results once those decisions are made. By being more risk aware, the Council will be better placed to avoid threats and take advantage of opportunities when they arise.

Signed …………………….…………………..

Jack Straw Executive Director, Resources


2. Corporate Commitment to Risk Management

The Council views the management of risk as an essential part in improving services and enhancing accountability as well as securing compliance with formal policies and procedures. Risk will therefore be managed positively rather than in a purely reactive manner.

It will be a key element in corporate and service business planning requiring both a ‘top down’ and ‘bottom up’ approach. Management responsibility for delivery will lie with the Chief Executive with Elected Members reviewing its effectiveness on an annual basis. This will be a continuous, evolving process which the Council will integrate into its other management and planning processes supporting the achievement of its aims and objectives.

3. Aims of Risk Management

Through this framework, the Council aims to:

- further develop a consistent approach to risk management and raise its profile through meetings, training and e-learning;
- integrate risk management into its culture;
- place greater emphasis on prevention rather than detection and correction;
- improve management and member awareness of strategic and operational risks;
- embed risk management through ownership and management as part of all decision making processes;
- protect and enhance the assets and image of the Council;
- enhance the ability to justify the Council’s decisions.

4. Benefits of Risk Management

Risk Management protects and adds value to the Council and its stakeholders through supporting the Council’s objectives by:

- Providing a framework to undertake business in a consistent and controlled manner when assessing risk;
- Improving decision making, planning and prioritisation with a structured understanding of business activity, uncertainty and opportunity;
- Contributing to more effective use and allocation of capital and resources;
- Protecting and enhancing the assets and reputation of the Council.

5. Roles and Responsibilities

To implement this framework, specific roles and responsibilities for key stakeholders have been identified as outlined below:

Cabinet/Elected Members

- Champion risk management and provide leadership to achieve a cultural change;
- Formally approve the Council’s risk management framework;
- Consider the strategic risks associated with decisions they are required to make;
- Monitor the Council’s risk management arrangements via strategic/audit reports;
- Participate in reviews of risk at the annual business conference;
- Assess/challenge risk management implications on Cabinet reports.

Chief Executive and CMT

- Key champions and overall responsibility for risk management within the Council;
- Ensure that the Council manages risk effectively and identifies opportunities;
- Consider risks associated with decisions they are required to take;
- Review the Corporate risk register on a six monthly basis and sign it off annually as part of the annual business conference.

Performance & Finance Scrutiny & Overview Board

- Involvement in the development and review of the Council’s risk management framework, monitoring progress on risk management.

Individual Directors

- Make arrangements for embedding risk management throughout their Directorate;
- Nominate a risk co-ordinator for the directorate to oversee the development and maintenance of a Directorate risk register ensuring key Directorate risks are identified, managed and responded to;
- Participate in reviews of Directorate risk registers every 3 months at PFM as required;
- Ensure countermeasure actions for dealing with key risks are included in service business plans.

Strategic Risk Group

- Manage the Corporate Risk Register on behalf of CMT;
- Monitor performance and provide assurance to CMT on effectiveness;
- Ensure the Corporate Risk Register is reviewed by CMT on a six monthly basis;
- Engage with Members in the management of risk process;
- Ensure Directorates have a nominated officer who will act as a Risk Co-ordinator;
- Ensure all Directorate Risk Registers are reviewed on a three month basis;
- Ensure appropriate training is undertaken on the process of risk management;
- Maintain the Council’s Risk Management e-learning tool.

Directorate Risk Co-ordinators

- Manage the Directorate Risk Register at PFM ensuring all key Directorate risks are identified, managed and responded to every three months in a timely and effective manner;
- Receive risk related training as required;
- Co-ordinate and advise on risks within their Directorates;
- Actively consult with the Strategic Risk Group on a frequent basis.

Internal Audit

- Review and report on the risk management process;
- Use risk registers to inform internal audit planning;
- Share risk information with the risk co-ordinators;
- Monitor effectiveness through management assurance;
- Consult Heads of Service annually to identify auditable business risks;
- Undertake a risk assessment for each service/system.

Business Performance Team

- Review the Corporate risks to help inform the development of the Council’s improvement objectives as part of the Local Government (Wales) Measure;
- Embed risk management discipline into business planning arrangements.

Council Officers

- Identify opportunities and manage risk effectively in their jobs and report risk management concerns to their line managers;
- Report any incidents or ‘near misses’ to line managers;
- Be responsible to identify risks ensuring they are documented on relevant risk registers/trackers/reporting templates.

Partners

- Participate in the joint compilation of a partnership risk tracker;
- Actively manage risks within the partnership;
- Report on risk management issues to respective partnership boards;
- Show a clear link between objectives and outcomes that are customer focused.

6. Risk Management Cycle

The Council will adopt the ‘Four Step’ Risk Management Cycle and this process will promote the authority wide consistent approach to managing risk.

6.1 Step 1 - Risk identification

This is about describing the risk in order to fully understand the potential likelihood of an event happening and the possible impact. Once identified, all risks are entered into the relevant Risk Tracker or respective Corporate/Directorate Risk Registers.

When wording risks, the Council suggests using the “If and then” statement. The “If” being the risk and the “then” being the impact if it’s not dealt with.

It is important to ensure that when a risk has been identified, the risk description is clear and precise.

Here is an example of wording a risk:

“If the Council does not meet WAG targets to achieve diversions from landfill then the Council will be subject to penalties and payments”

Figure 1 – Risk Cycle

6.2 Step 2 - Risk Evaluation

There are two factors that determine how important a risk is. These are:

- The chances of it happening (likelihood);
- The cost or consequences if it does (impact).

Within the Council, a RAG (Red, Amber, and Green) status will be used to evaluate these factors and it’s important to recognise that each RAG colour represents a particular meaning as follows:

Red - There are significant problems which will have a significant impact on the Council if it is not managed;

Amber - will affect the Council if it is not properly monitored and controlled;

Green - Going to plan but needs to be monitored on a regular basis.

- Assessing Likelihood and Impact

Once the risks have been identified, the likelihood of each risk occurring and the impact it will have if it occurs must be assessed. It is important to note that the likelihood and impact of the risks identified need to be considered and ranked on the worst case credible scenario with existing controls in place.

- Risk Proximity

When considering a risk’s likelihood, another aspect is when the risk might occur. Some risks will be predicted to be further away than others and so attention should be focused on the more immediate ones first. This prediction is called the risk’s proximity.

- Control Measures/Countermeasures

When evaluating risk, there is a need to identify existing control measures that are currently in place to manage the risks and any new countermeasures that need to be put in place to manage the risk.

- Risk Matrix

When evaluating the likelihood and impact of risks through meetings, workshops or as an individual via the risk tracker, the risk matrix (as shown in figure 2) can be used to help plot the risks. This is a simple mechanism to increase visibility of risks and assist management decision making.

- Risk Tolerance

When identifying risk tolerance, a risk tolerance line could be plotted on the matrix to show that any risks above this line need to be referred upwards for decisions.

6.3 – Step 3 Risk Response

Once risks have been identified and adequate control measures assessed, decisions need to be taken on how to respond to specific risks by taking action to improve the outcome. Possible responses to risk should include the four T’s as follows:

Transfer - Transferring some aspects of risk is a recognised method either by paying a third party to take it on or if available, an insurance policy.

Tolerate - Perhaps nothing can be done at a reasonable cost to mitigate it, although, ideally, the risk should be monitored to ensure it remains acceptable.

Treat - Treating the risk – take action to control it in some way by applying containment or contingent actions. Within this categorisation:

- Containment actions are those which lessen the likelihood of the risk or the consequences, and are applied before the risk materialises.
- Contingent actions are those which are put into place after the outcome from the risk has happened. Here the focus is on reducing the impact of the risk. These actions can be pre-planned so that people know what to do in advance.

Terminate - By doing things differently and thus removing the risk, where it is either feasible or practical to do so.

Figure 2 – Risk Matrix

6.4 – Step 4 Risk Monitoring and Control

The initial aim for this step is to ensure that the planned responses to the identified risk have been implemented, understanding if they have been successful, identifying and assessing any residual risk where responses have not been entirely successful and planning and implementing additional risk countermeasures.

It is important to monitor the risk management process. Regular reporting and monitoring progress on the management of risk and the effectiveness of the actions taken will improve the efficiency and effectiveness of the Council.

The Strategic Risk Group will work closely with nominated Risk Co-ordinators, Programme/Project Assurance and Programme/Project Managers to audit Risk Registers and Trackers. Reports will be presented to CMT and various other boards on a frequent basis.

7. Glossary of Terms

Term - Definition

Control Measures - When evaluating risk, there is a need to identify any existing measures that are currently in place to manage the risk.

Corporate Risk Register - This is a live database used to identify and manage any corporate/strategic risks that could impact the Council managed by the Chief Executive, the Corporate Management Team and the Strategic Risk Group.

Countermeasures - These are any new measures to be put in place to manage the risks.

Directorate Risk Co-ordinator - Responsible on behalf of the corporate director to manage and respond to directorate risks via the Directorate risk register.

Directorate Risk Register - This is a live database used to identify, manage and respond to any Directorate risks that could impact the Council managed by Directorate risk co-ordinators and DMT/PFM.

E-learning tool - This is an online training website providing staff with information regarding risk management within the Council.

Impact - This determines the cost or consequences to the Council if the risk happens measured using a RAG (Red, Amber, Green) status based on High, Medium or Low.

Likelihood - This is the chance of the risk happening measured using a RAG status based on High, Medium or Low.

Proximity - This is the length of time when a risk will impact the Council if nothing is done to stop it.

Risk Cycle - This is the four step process to manage all risks within the Council.

Risk Evaluation - This is used to determine how important a risk is. Impact and likelihood are measured using a RAG status.

Risk identification - This is about describing the risk in order to fully understand the potential likelihood of an event happening and the possible impact using the "If" and "Then" scenario.

Risk Management - This incorporates all the activities required to identify and control the exposure to risk which may have an impact on the achievement of the Council.

Risk Matrix - When evaluating the likelihood and impact of risks through meetings, workshops or as an individual, the risk matrix can be used to help plot the relative importance of the risks.

Risk Response - Once risks have been identified and adequate control measures assessed, decisions need to be taken on how to respond to specific risks by taking action to improve the outcome (Transfer, Tolerate, Treat, Terminate).

Strategic Risk Group - Responsible on behalf of the Corporate Management team to manage and respond to Corporate risks via the Corporate risk register.

Tolerance - This is the permissible deviation above and below a plan's estimate without escalating the deviation to the next level of management.