risk management assurance policy · 2019-01-11 · figure 2. risk management assurance framework...
Risk Management Assurance Policy
Contents
Introduction
Policy Statement of Commitment
Principles and Culture
Risk Management Framework
Roles and Responsibilities
Risk Appetite and Tolerance
Risk Registers
Risk Management Process
Risk Matrix
Governance Reporting and Escalation
Support Guidance and Tools
Risk Governance, Assurance and Maturity
Complementary functions
Introduction
Risk management helps us to understand the risks associated with delivering Bristol City Council’s services. It makes us think about the decisions we take, and how we manage everyday service delivery, projects and our work with partners.
Risk management is often primarily concerned with the adverse potential of risk. However, not all risk is bad. Some opportunities can only be unlocked by taking risks. The key to success in these situations is to take risks knowingly and manage them appropriately.
The purpose of this policy is to set out the council’s approach for the systematic management of risk, the culture, expectations/responsibilities on all managers and decision makers with regard to considering and managing risk in pursuit of achieving the council’s priorities and objectives.
The benefits from an effective risk management framework are:
● Improve the assessment and response for both opportunities and threats
● Establish a reliable basis for better decision making and planning
● Improved customer service, and better outcomes
● Increase the likelihood of achieving its goals and delivering outcomes
● Improved strategic, operational and financial management and value for money
● Enhanced reputation, and securing confidence, trust from our stakeholders
● Effectively allocate and use resources for risk treatment
● Improve organisational resilience
● Continuity of knowledge
● Improved governance and compliance
Through this policy we aim to:
● Identify the scope of risk management
● Embed and integrate risk management in the culture of the council
● Assign roles, responsibilities and accountability for risk management activities within the council
● Raise awareness of the need for risk management by all those connected with the council’s delivery of services
● Contribute to the prevention of injury, damage and losses to reduce the cost of risk
● Ensure we identify and realise opportunities and their resulting benefits
● Ensure consistency throughout the council in the management of risk
These aims will be achieved with a clear and evidenced approach consistently applied across the organisation that embeds consideration of risk in policy formulation, planning and decision making at all levels by:
● Incorporating risk management considerations into all levels of business planning
● Incorporating risk management considerations into all levels of programme, project and partnership arrangements
● Skills training and development for all relevant managers, staff and Members in the effective management of risk
● Regular monitoring and reporting of risk to identify trends and likely direction of risks for Members and Senior Managers to be aware of when making decisions
APPENDIX A
Policy Statement of Commitment
The Mayor, Cabinet and Corporate Leadership Board view risk management as an integral part of good internal control and corporate governance.
The way in which we manage our risks directly impacts our success in achieving our objectives, and in delivering services to the communities to which we are accountable. Bristol City Council is committed to adopting best practice in its management of risk to ensure retained risk is of an acceptable and tolerable level in order to maximise opportunities and demonstrate it has made full consideration of the implications of risk to the delivery and achievement of outcomes, strategic aims and priorities.
The council is, within the above context, committed to the management of risk in order to:
● Ensure that statutory obligations and policy objectives are met
● Prioritise areas for improvement in service provision and encourage meeting or exceeding customer and stakeholder expectations
● Safeguard its employees, clients or service users, Members, pupils, tenants and all other stakeholders to whom the council has a duty of care
● Protect its property including buildings, equipment, vehicles, knowledge and all other assets and resources
● Identify and manage potential liabilities
● Maintain effective control of public funds and efficient deployment and use of resources achieving value for money
● Preserve and promote the reputation of the council
● Support the quality of the environment
● Learn from previous threats, opportunities, successes and failures to inform future management of risks
These aims will be addressed by systematically identifying, analysing and evaluating, cost effectively controlling and monitoring risks at strategic, programme, project, and operational levels. The council acknowledges that risk cannot be eliminated and may sometimes need to be embraced as part of an innovative approach to problem solving. It is the responsibility of Senior Leadership to ensure that risk management strategies and processes are implemented and brought to the attention of relevant staff in their Directorate. Every employee has a responsibility to support the council’s policy in managing risk. The council strives to have an open approach to risk and not be perceived as risk averse whilst ensuring that the most vulnerable are protected and there is increased collaboration with our partners, communities and residents.
Risk management strategies and processes are to be reviewed for efficiency and effectiveness as part of the annual management review cycle.
The council’s risk management objectives are a long-term commitment, inherent to good governance practices and fully supported by the Mayor and the Corporate Leadership Board.
This Risk Management Assurance Policy complements and supports the strategic aims and priorities that are set out in the Bristol City Council Corporate Strategy 2018-2023.
Executive Director of Resources and Head of Paid Services: Mike Jackson
Deputy Mayor: Cllr. Cheney
Figure 1. BCC’s Risk Management Assurance Culture Model
Principles and Culture
As a modern local authority, the council is committed to delivering quality services to the citizens and communities of Bristol. In doing so, our over-riding attitude to risk is that it should be identified and managed rather than avoided, with an organisational culture that embraces and embeds consideration of risk in its day to day operations at every level. This is a risk culture that emanates throughout the organisation to ensure all levels buy into the corporate risk process.
Risk Management is about understanding and evaluating opportunities and threats and making informed decisions about how these are to be managed in order to achieve our aims and deliver beneficial outcomes.
The council recognises it needs to take risks but must do so in a controlled manner to reduce its exposure to the level acceptable to the Mayor, Cabinet and relevant regulators and inspectors.
Innovative solutions are encouraged, and while they often involve risk, they can be implemented with awareness, authority and management of the risks that each respective case carries.
At Bristol City Council, we are committed to ensuring risk management is embedded across the whole organisation. To do this, we have mapped the council’s core values, risk management principles and the core attitudes and behaviours required to deliver a strong culture and appetite for managing risk. The risk management principles are based on the OGC’s Management of Risk Framework and in accordance with the International Risk Management Standard (ISO:31000).
The risk management assurance policy is designed with these principles at its core. Figure 1 below shows BCC’s Risk Management Assurance Culture Model for managing and assuring risk.
[Figure 1 diagram. Section titles: Risk Management Principles; Attitudes and Behaviours; Bristol City Council Values. Labels shown: Top down leadership; Dedicated resource; Framework; Enables achievement of our objectives; Fits the context; Engages Stakeholders; Provides framework and guidance; Enhancing & protecting values; Integration; Informs decision making; Facilitates Continual Improvement; Ownership; Respect; Curious; Dedicated; Collaborative; Accountability; Openness & transparency; Inclusivity; Proactivity; Integration; Informed and validated Risk based decision making; Clear focus and communications; Shared values, behaviours and principles.]
Risk Management Framework
At Bristol City Council, we are committed to ensuring risk management is embedded across the whole organisation. Risk Management needs to be an integral part of how services are developed and delivered every day. It is imperative that there is a single flexible approach for the management of business risk, adopted through all levels of the organisation.
Bristol City’s Risk Management Assurance Policy gives an outline on how risks are managed across the council by everyone. To effectively manage risk, the framework is integrated across the organisation involving all key stakeholders including - but not limited to - officers, leaders, Members, partners and suppliers.
For risk management to be successful, it is essential that there is a single yet flexible approach for the management of risk, adopted through all levels of the council. This Policy is one part of the overall risk framework; the key elements are set out in Figure 2 below.
Figure 2. Risk Management Assurance Framework
Risk Management is the planned and systematic approach to the identification, analysis, evaluation, prioritisation and control of risks and opportunities facing the council.
Risk is the chance of something happening that will have an impact on achievement of objectives.
Risk can be both Positive Opportunities and Negative Threats.
[Figure 2 diagram. Section titles: People, Process, Technology; Assurance Framework; Governance. Items shown: Risk Maturity; Risk Audits, Risk Reviews and Surveys; Internal Audit Review; Annual Risk Governance Statement; Risk Management Assurance Policy; Commitment; Policy Statement; Principles and Culture; Risk Appetite; Risk Governance Reporting; Reporting Framework; Roles and responsibilities; Risk Management Process; Guidance and Tools; Learning and Development.]
When risks are identified, it is important that we ascertain both the opportunities as well as what might go wrong, what the potential impacts may be, what could trigger the occurrence, and decide how best to minimise or maximise the risk materialising.
There are times when things will go wrong despite our attempts to prevent them, which could result in ‘issues’ that need resolution. Proactive risk management of these will ensure that threat impacts are kept to a minimum and opportunities are maximised. The council’s approach provides for threats, opportunities and issues management.
Management and maintenance of risks and issues are on the risk/issue registers and supporting reports which undergo regular review, monitoring and reporting in line with this policy.
As well as instinctively managing risk on a day to day basis, consideration and recording of risk is required in the following management processes (see Annex B for Complementary processes):
● Strategic, service planning and resourcing
● Policy and decision making
● Project or Programme delivery
● Partnership working
● Business continuity planning
● Performance management
● Budget planning and monitoring cycle
● Planning when implementing change
● Commissioning and procurement activity
● Health and safety arrangements
● Civil Protection
Roles and Responsibilities
Effective Risk Management requires that there is clarity of the responsibilities for risk, and ownership of the risks identified. This policy requires that the elected Mayor, Members and managers at all levels assist in, and take responsibility for, identifying, considering and controlling risk and opportunities (and the better use of resources) in all their activities and areas of responsibility.
All Members, senior leaders, employees and partner organisations have a role to play in ensuring that risk is effectively managed. We acknowledge that this is not always under the council’s direct control but we will take all reasonable steps to encourage and embed risk management wherever we have a stake. To be effective, the risk management framework must be fully endorsed and supported by the officer and political leadership of the council, who set the organisational tone for risk management and champion the benefits through all levels of the business.
Risk management is only considered to be truly embedded when it functions as part of the council’s day to day operations. Effective Risk Management requires that there is clarity of the responsibilities for risk, and ownership of the risks identified. This policy requires that the elected Mayor, Members and managers at all levels assist in, and take responsibility for, identifying, considering and controlling risk and opportunities (and the better use of resources) in all their activities and areas of responsibility.
Recognition from Senior Management of the importance of risk management to the effective operation of the council is resonated through the appropriate allocation of resources to deliver the risk management framework across Bristol City Council. The key roles and responsibilities for each group/stakeholder are set out in Annex A.
Risk Appetite and Tolerance
Bristol City Council aims to be risk aware, but not overly risk averse and to actively manage business risks to protect and grow the organisation. To deliver its strategic aims, the organisation recognises that it will have to take and manage certain business risks. Intolerable risks are those that could negatively affect the safety of employees or our customers/clients, have a damaging impact on our reputation, lead to breaches of laws and regulations and/or endanger the future operations of the council.
Risk Appetite
Risk appetite is best summarised as “the amount of risk an organisation is willing to accept to secure its objectives”. The risk appetite of Bristol City Council is reflected in the scoring schemes used for risk and opportunity assessment, and the recommended handling strategies for identified risks and opportunities. The scoring schemes describe what constitutes a significant risk or opportunity, and these in turn inform the approach to their management.
Risk Tolerance
Culture, Policy and competitive position all influence our tolerance to risk and defining it can be challenging as every case will be different. The diversity of the services delivered by the council and nature of the risks it faces, means it is not possible to set a ‘one size fits all’ risk tolerance that managers and Members alike can apply and embed in strategic and operational decision making. The council’s approach is to record risk tolerance on a case by case basis within the council’s Risk Registers and the Risk Reports.
Risk Registers
As part of good governance, the council manages and maintains a working register of its key strategic and operational business risks at various levels - assigning named individuals as responsible officers for ensuring the risks and their control measures are monitored and effectively managed.
Service Risk Registers are the working live tool for the detailed capturing of risk information to enable reporting on risk activity and the organisation’s risk profile. The working risk register is a live data record where new risks are captured, others are managed to elimination and some require close and regular monitoring. The Corporate and Directorate Risk Reports are generated from the working risk registers for publication. All key council decisions will be supported by a supporting Risk Report.
Standard templates are to be used for recording risk. The council’s risk register and report template includes provision for recording threats and opportunities as well as those risks that have occurred which are now ‘issues’ to be addressed. Where more detailed plans are in place, the risk register need not duplicate these but simply cross refer to them.
The Corporate Risk Report (CRR) contains risks that, should they occur, could have a fundamental impact on the council’s ability to operate, achieve its strategic objectives or successful delivery of outcomes.
The Corporate Risk Report is the means by which Members and leaders of the organisation will be focussed on the strategic and business critical risks and review the effectiveness of risk management arrangements in place to monitor and manage these risks. The CRR is ‘owned’ by the Corporate Leadership Board (CLB) and used by them and Cabinet to ensure the most critical/significant risks are being managed effectively within an agreed risk tolerance.
The Directorate Risk Reports (DRR) detail the key risks faced by each Directorate in delivering their Directorate Plan. They also include significant issues that have impacted the Directorate objectives. These reports are owned by the relevant Executive Directors and are reviewed at least quarterly by Directorate Leadership Teams (DLT) and Cabinet Members in line with their portfolio. Scrutiny and the Audit Committee will receive the Corporate and Directorate Risk Reports at period end following the quarterly Cabinet Risk Report.
The process in use is administered by the Risk and Insurance Team. The Risk and Insurance Team promote a self-service approach by providing guidance, support and delivering training across all services.
Risk Management Process
Carrying out an assessment of the risks against business objectives is primary to business & service planning, core decision-making processes influencing policy, financial planning & spending, agenda management, change management, project management and performance management.
The risk assessment methodology is designed to assist managers in focusing on the key risks and ensuring that actions are in place to effectively manage these risks.
The Risk Management Process (see Figure 3 opposite) is a series of logical steps which are carried out in sequence to progress through each stage of managing a risk. The process is cyclical and it is often necessary to revisit earlier steps and carry them out again to ensure you have a complete picture of the risks to the activity/outcome being assessed.
The risk management process begins by establishing the context around which you want to identify and assess risks. This could relate to an activity, objective or outcome. Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.
Once identified, the risks need to be assessed and assigned a score for both their impact and probability – the combined outcome of this produces the risk rating.
Risk identification should be forward looking and focus on both potential threats to, and opportunities that may present in achievement of objectives. The assessment will identify whether the matter is a risk (an event in the future) or an issue (an event that is already happening).
To ensure consistency and the ability to compare and report on the various levels of risk, Bristol City Council has adopted a risk matrix to be used when determining the risk rating. This is detailed in Figure 4 on the next page.
Following identification and assessment, a decision must be taken on how best to respond to the risk and if accepted then strategies to manage the risk need to be determined. There should be communication and consultation throughout the process and the need for continual monitoring and review of the risk(s) throughout the lifecycle of the activity/objective/outcome.
Each risk should have a clear link to one or more of the strategic aims of the council. The relevant strategic aim is included as part of the captured risk information providing increased assurance that there is effective identification and management of risk.
[Figure 3 diagram. Labels shown: Establish the Context; Risk Identification; Risk Assessment; Analysis; Evaluation; Management Response; Monitor and Review; Communication and Reporting; Continuous Improvement.]
Figure 3. Risk Management Process
Figure 4. Risk Matrix
The risk matrix is used to evaluate the risks so that there is an understanding of the risk exposure faced. The level of risk will influence the type of management response and management action we choose to manage the risk (see Figure 4 below).
For each risk, consideration should be given to the impact under each category and the highest impact category used in assessing the impact level measures that should be used in making this assessment. The scoring categories for the likelihood and impact are set out in the risk management process guidance.
The current level of risk needs then to be considered against the risk tolerance for each risk (the level of risk the council is prepared to accept). This will vary according to the nature of the risk and must be agreed by Executive Director Management if not in the green/light blue area of the matrix. Where the current level of risk is higher than the risk tolerance, an action plan is required that will result in the risk level reducing. Where current risk levels are lower than the risk tolerance, removal of some controls is permitted to release costs to other risk management priorities.
Where issues are identified, these can be assessed against the impact guidelines within the Risk Management Process, to judge whether the issue needs to be addressed, whether a contingency plan had already been developed or if a plan of further action is needed. There will also be a need to assess whether this means that a risk has ceased to exist, or whether there is a possibility that it may recur.
Ensuring that all business risks are assessed and managed through the adopted risk management process drives consistency through the risk management framework and enables risks to be compared and reported on a like for like basis. It also provides the council with the ability to map its collective risk exposure of an activity, objective, outcome, function(s) or indeed whole council operation to support its Strategic Aims. The risk tolerance for each risk is also recorded together with further actions required to ensure the current level of risk is in line with the agreed risk tolerance as identified in the risk register.
Threat Impact (Negative risks)
Threat Likelihood | Minor (1) | Moderate (3) | Major (5) | Critical (7)
Almost certain (4) | 4 (Low) | 12 (Medium) | 20 (High) | 28 (Critical)
Likely (3) | 3 (Low) | 9 (Medium) | 15 (High) | 21 (High)
Unlikely (2) | 2 (Low) | 3 (Low) | 10 (Medium) | 14 (High)
Rare (1) | 1 (Low) | 3 (Low) | 12 (Medium) | 12 (Medium)

Opportunity Impact (Positive Risk)
Opportunity Likelihood | Exceptional (7) | Significant (5) | Modest (3) | Slight (1)
Almost certain (4) | 28 (Significant) | 20 (High) | 12 (Medium) | 4 (Low)
Likely (3) | 21 (High) | 15 (High) | 9 (Medium) | 3 (Low)
Unlikely (2) | 14 (High) | 10 (Medium) | 6 (Medium) | 2 (Low)
Rare (1) | 7 (Medium) | 5 (Medium) | 3 (Low) | 1 (Low)
Governance Reporting and Escalation
The Corporate Risk Report (CRR) is subject to quarterly review by the Corporate Leadership Board and Cabinet and is subject to the call-in procedure following Cabinet. The Directorate Risk Reports are subject to quarterly review by Executive Director Management meetings and Member Portfolio holders. The Risk Management Action Table (Figure 5) below shows the action levels to be taken in the management and reporting of risk.
Audit Committee are provided with the Corporate Risk Report quarterly each year to provide independent challenge and assure themselves that risk management arrangements are effective. They can request additional information as necessary.
An overview of the effectiveness of the risk management process is also provided annually by the Internal Audit Team to give them the relevant assurance that the whole process is working effectively.
The Corporate Risk Report and Directorate Risk Reports will be made available to Scrutiny Task and Finish Groups following period end and Cabinet reporting. Individual Risk Reports based on the information contained within the DRRs for areas in line with their roles may be requested as set out in the reporting process guide. Other registers are maintained and reviewed monthly as part of core management processes such as service planning and performance and project management processes.
The council’s Risk Management Assurance Policy relies on escalation of risks from service/operation level through to strategic Corporate Risk Report to ensure CLB and Members are aware of the most significant risks. The escalation process is shown in Figure 6 on the following page. As part of this process consideration can be given to the actions proposed to manage the risk, whether the tolerance level recorded is appropriate and whether it is aligned to the correct service area. Additionally, in reviewing the Corporate Risk Report both the Corporate Leadership and Cabinet may identify risks for which the assessment may need to be revised or the risk transferred.
Risks with a current risk score of 14 to 28 (high and critical/significant risk) need to be escalated at Executive Directorate Management meetings for consideration for inclusion in the Corporate Risk Report.
Threat Level | Opportunity Level | Level of risk | Action Required
1-4 | 1-4 | Low | May not need any further action / monitor at service level.
5-12 | 5-12 | Medium | Action required, manage and monitor at the Directorate Level.
14-20 | 14-20 | High | Must be addressed - if Directorate level risk consider escalating to the Corporate Risk Report, if Corporate consider escalating to the Cabinet Lead.
28 | 28 | Significant | Action required - escalate (if Directorate level risk, escalate to the Corporate Level, if Corporate bring to attention of the Cabinet Lead to confirm actions to be taken).
Figure 5. Risk Management Action Table
All risks scoring 20 to 28 (high, critical / significant risk) will automatically be escalated to the Corporate Risk Report. Issues that have arisen that are significantly impacting on the council are recorded within CRR report.
The Executive Director Management will determine where risks are monitored via the Directorate Risk Report and Service Risk Registers. Escalations must be flagged in a timely manner to enable discussion prior to the next quarterly Executive Team Risk meeting.
Directorate Management Teams will consider what core risks need to be escalated to the Corporate Risk Report and if so, the Strategic Director must ensure this escalation occurs through the reporting process.
Where a significant and urgent risk emerges outside of the reporting period which you believe needs to be discussed as soon as possible, complete a Risk Escalation Report to the appropriate manager for discussion and action.
A risk may need to be escalated to a higher level if:
● the risk becomes too unwieldy to manage at the current level
● the risk rating cannot be controlled/contained within its current level
● the risk remains very high even after mitigations are implemented
● the risk will impact on more than one service/project or function if the risk event materialises
● the risk moves outside the appetite boundaries/comfort zone
A risk may need to be moved to a lower level if:
● the risk can be controlled/managed at a lower level
● the risk rating decreases significantly
● the risk event will only affect one team/service area/team and the impact will be limited then this should be controlled more locally at a lower level
There should be communication and consultation throughout the process and the need for continual monitoring and review of the risk(s) throughout the lifecycle of the activity/objective/outcome.
The process is cyclical, and it is often necessary to revisit steps and carry them out regularly to ensure you have a complete picture of the risks to the activity/outcome being assessed as part of continuous improvement in the management of risk.
Figure 6. Risk Governance Reporting Framework
[Figure 6 diagram. Column headings: Monitoring and Review; Risk Reporting; Escalation Responsibility.]
Risk Reporting:
Operational / Project Risks
• Owned by Service Directors and Service Project Managers
• Risks/issues that significantly impact on service team / project delivery
• Business Planning / Finance / Health, Safety and Wellbeing / Partnership / Performance / Business Continuity
Directorate Risk Report (DRR)
• Owned by Directorate Management Teams
• Risks/issues that significantly impact on the ability to operate and achieve objectives
Corporate Risk Report (CRR)
• Owned by Corporate Leadership Team
• Risk scoring 20 or above
• Risks/issues that significantly impact on the ability to operate and achieve objectives
Monitoring and Review:
• Scrutiny
• Quarterly Review: Directorate Management Teams
• Quarterly Review: Cabinet Portfolio Holders
• Quarterly Review: Cabinet and Corporate Leadership Team
• Monthly Review: Service Director, Service Project Manager
Escalation Responsibility:
• Strategic Director
• Service Director
• Service / Project Manager
Support Guidance and Tools
All staff have a role to play in risk management and the Corporate Risk Management Group (CRMG) have responsibility for helping to deliver the Risk Management Assurance Policy and for developing the necessary training or advice to enable the council to implement the measures contained in this Policy throughout the council.
The Risk and Insurance Team is responsible for developing workforce risk management capability across the organisation, through the provision of guidance, education, training and support. Risk management forms part of the corporate learning and programme at various levels to provide the right level of training and support for Members and managers and effective tools and methodology for identifying, assessing and prioritising risks. Areas of support include:
● Corporate induction
● Induction for new managers
● Risk management is also included in the generic skills set in the workforce plan for all employees and will be supported by a suite of corporate training
● More advanced training needs will be identified through the ‘Leadership and Management Development Framework’
Guidance materials are under regular review to ensure they reflect the needs of the organisation and are compatible with the organisation’s structure, having the flexibility to adapt to new and changing structures. New ways to engage with officers and leaders to help with the understanding and embedding of effective risk management are under regular review, with the options for digital learning and development high on the agenda.
The risk management Policy, guidance and training materials are reviewed on a regular basis to ensure they continue to meet the needs of the organisation and incorporate the very latest industry best practice.
Training on risk management is also offered to all staff and members periodically either on specific subjects or as identified through Personalised Development Plans.
The risk management intranet pages are continually being improved, outlining what risk management is, and how all employees can play their part in reporting and managing risks. They will also contain CRMG guidance notes and other useful information. New training and guidance will continually be developed and rolled out. Risk management records will be managed via SharePoint. The Risk Management Policy and supporting arrangements will be available and communicated.
Risk Governance, Assurance and Maturity
The Audit & Accounts Regulations 2015 require the council to have effective arrangements for the management of risk and each year, in the council’s Annual Governance Statement, the council is required to comment on the effectiveness of its arrangements in this regard. The statement must also identify any significant governance issues that may have resulted from failures in governance and risk management. Legal requirements aside, effective risk management is required to ensure the continued financial and organisational well-being of the council, and council-wide ownership and accountability for managing risk is critical to the success of delivering the organisation’s priorities and objectives. Management of risk is inseparable from effective management of the council’s performance.
The Risk Management Assurance Policy complements Bristol City Council’s internal control environment, alongside other financial, operational and compliance controls. Assurance provides confidence, based on enough evidence, that internal controls are in place and operating effectively and that objectives are being achieved.
Members and senior management are responsible for determining the nature and extent of the principal risks the council is willing to take in achieving its strategic objectives. They maintain sound risk management and internal control systems.
Annex A of this Policy outlines the roles and responsibilities, and the governance reporting framework for Risk Management within Bristol City Council (page 13), demonstrating our arrangements for dispersing accountability and responsibility for risk management throughout the organisation. With focus on internal control, the Audit Committee are the organisation’s oversight body for risk management, providing check and challenge to the risk management assurance policy, process and delivery. The Roles and responsibility of the Audit Committee are set out in Annex A.
The Risk and Insurance Team work closely with internal audit and governance colleagues to ensure the principles of good governance are adopted. Auditing of the Risk Management Assurance Policy is undertaken by the council’s internal audit team in accordance with their audit plan and recommendations arising are fed back through the risk management annual plan to ensure continual improvement.
Bristol City Council adopts the three-line defence model for effective risk management and control as shown in the Figure 7 Risk Management Assurance Model on the following page. The Risk Assurance Model clarifies response at both an operational and strategic level of the organisation. Within this model, management control is seen as the first line of assurance; this shows how each service area complies with risk management sources of assurance. The second line of assurance shows the oversight functions of Assurance Services. The third line of assurance provides Internal Audit’s assessment of the risk management sources of assurance. Assurance is also offered from external sources such as external audit and regulators. This model provides active scrutiny and challenge to ensure assurance is achieved.
At the end of each year, the Executive Team assures the Audit Committee that significant risks have been adequately managed. Internal Audit performs an independent audit of Risk Management at the council each year, which they report to the Audit Committee. The Audit Committee then provide a statement of assurance to the Cabinet that our major risks are adequately managed.
Executive Management reporting and oversight
Cabinet
External Audit
Audit Committee
Regulators
• Foster a risk intelligent culture, receive the Risk Management Assurance Policy and periodical reports
• Foster a risk intelligent culture, approve the risk appetite, consult and ratify key components of the Risk Management framework, discuss and challenge corporate risks, receive and challenge periodical reports
• Foster a risk intelligent culture, approve the risk appetite, consult and ratify key components of the Risk Management framework, discuss and challenge corporate risks, receive and challenge periodical reports
Management Controls
Internal Control Measures
Services and functions that own and manage risk
Service Areas
Management operations in an established risk and control environment:
• Day to day risk management activity
• Take intelligent risks
• Identify and assess risks
• Respond to risks
• Monitor risks and report
• Follow the risk management framework and process
• Apply internal controls and risk responses
Key risk complementary functions
• Provide guidance / support to the service areas and the Strategic Risk Management Group
1st Line Defence Governance Assurance
Risk Ownership
Internal Audit
Function that provides independent assurance
• Provide assurance on the effectiveness of the risk management framework, and the controls and response actions for significant risks
• Independent challenge to the levels of assurance provided by the 1st line assurance service operations
• Independent challenge of policy and process to the levels of assurance provided by the 2nd line assurance oversight functions
• Monitor compliance and provide independent challenge
• Annual Governance Statement
3rd Line Defence Governance Assurance
Internal Control and Assurance
Infrastructure
Management oversight and Review
Services and functions that oversee or specialise in risk management and compliance
Leadership
• Define the risk appetite
• Evaluate strategies against risk appetite
• Provide timely risk information
Risk Management and Insurance Function
• Create a common framework
• Provide direction in applying the framework
• Implement and manage technology systems
• Provide guidance and training
• Periodical reporting and Annual Risk Management Report
• Assurance statement contribution
Corporate Risk Management Group
• Aggregate risk information
• Identify and assess thematic risk
• Monitor corporate risks and responses
Key risk complementary functions
• Functions that provide strategic management, policy and procedure setting
• Provides a maturity assessment and maintains oversight of improvement actions
• Provide oversight, monitoring and upward reporting providing assurance of the effectiveness of controls
2nd Line Defence Governance Assurance
Risk Infrastructure and Management
Figure 7. Risk Management Assurance Model
Risk Management Maturity
All organisations, including Bristol City Council, are on a risk management journey. Risk maturity refers to where the business is on that journey and how well-established risk management is as a discipline across the organisation. There is increasing complexity of risks facing public service organisations and our senior leaders recognise and actively support the driving forward of the risk management agenda. Through self-assessment and benchmarking we will continue to review our current risk management capability to help us direct our resources to areas that need improvement and further development, ensuring that risk management arrangements remain fit for purpose in this changing environment.
We network and share information with other councils, which enables us to benchmark ourselves against similar organisations. The council regularly engages with external risk management bodies such as Alarm (the Public Risk Management Association), and the Institute of Risk Management. These provide additional opportunities for Bristol City Council to compare itself with industry best practice and ensure that it continues to move forward on the risk management journey.
Annually a maturity assessment will be undertaken including self-assessment, performance metrics and stakeholder opinions which will inform the risk management compliance and performance. The council will additionally carry out an annual benchmarking exercise. The diagram below shows the maturity levels adopted by CIPFA.
Risk Management Review and Audit
To ensure the Risk Management Assurance Policy, guidance and associated tools remain fit for purpose, we continually seek to review and improve our risk management methodology and embrace new initiatives, ensuring that new legislation, government guidance or internal changes in practice are captured and reflected. We adapt to our changing operating environment and economic conditions and have a framework with enough flexibility to cope with these changes. We aim to improvise, innovate and experiment in addressing challenges and exploiting opportunities, learning from both success and failure, which strengthens the organisation and its dependent networks.
Risk management is subject to the council’s internal audit practices and as such is audited in line with the timetabling set by the Internal Audit Plan. Any recommendations arising from audit activity are channelled back through our annual work plans to ensure they are addressed. The council is also subject to Peer Reviews and External Audit.
Maturity levels: Awareness, Happening, Working, Embedded & Integrated, Driving
Group / Individual
Responsibilities
MEMBERS
Elected Mayor and Cabinet
●● Oversee delivery of the Risk Management Assurance Policy
●● Determine overall risk appetite and tolerance for the council
●● Ensure consideration of risk in decision making
●● Review progress of the management of strategic risks
●● Quarterly review of Corporate Risk and Issues Registers
●● Mayor to sign the Annual Governance Statement
●● Approve the Risk Management Assurance Policy
Cabinet Member Leads
●● Oversee risks relating to their portfolio
●● Oversee risk management policy (Cabinet Member Resources)
Directorate Scrutiny Commissions
●● Challenge decisions made by Cabinet where risks have not been properly considered.
●● Task and finish groups can request risk report information for areas in line with their portfolios
Audit Committee
●● Provide independent assurance to the council on the effectiveness of risk management and internal control by:
  • Reviewing the Corporate Risk Report to ensure it is reflective of the strategic risks to the delivery of the council’s objectives and management of risks is effective
  • Scrutinising the Annual Governance Statement to ensure it is a correct reflection of internal control, risk management and governance
  • Receiving reports from Internal Audit, External Audit and other inspection bodies indicating strengths and weaknesses in internal control, risk management or governance
●● Review the effectiveness of risk management arrangements
●● Provide comment and challenge on risk management activity and progress
Leadership
Head of Paid Service/Corporate Leadership Board
Overall responsibility to:
●● Ensure the Annual Governance Statement is an accurate reflection of internal control, risk management and governance (Head of Paid Service to sign)
●● Oversee corporate and cross cutting risks and resolve conflicts and competing demands for resources
Director Finance
Overall leadership for the effective delivery of the organisation’s risk management service in accordance with industry best practice.
●● Ensure risk management features as part of the organisation’s proper administration to protect the authority from financial and reputational risk
●● Lead a quarterly review of Corporate Risks with the Strategic Leadership Team, and Cabinet
●● Arrange for the annual review of the Risk Management Assurance Policy
●● Support the roll-out of a Risk Management Assurance Policy across the council, including advice and training, including to Members
●● Report progress with risk management to Members, particularly the Audit Committee, and to Executive Directors
●● Identify and monitor key revenue budget and capital programme risks
●● Ensure appropriate external insurance cover, and as S151 Officer provides assurances regarding overall financial risk management of the council for the Annual Governance Statement
Corporate Leadership Board (CLB)
●● Overall accountability for risk management across the business including ensuring the corporate risk information is a live and up to date record of the current risk exposure
●● Set the tone for risk management, promote the benefits of effective risk management and lead by example in embedding the Risk Management Assurance Policy
●● Establish a control environment and culture where risk can be effectively assessed and managed
●● Regularly discuss and review the Corporate Risk Report and associated risk reports
Executive Director Management Team
●● Ensure risk is appropriately considered in items that require political and management direction
●● Regularly review Corporate and Directorate Risk information
●● Sign off risk information
●● Attend Audit Committee when requested to further explain their strategies to manage risk, both threats and opportunities, and issues
●● Ensure that working risk register entries are maintained and up to date
●● Submit periodical updated risk registers and reports to the Risk and Insurance Team in line with reporting timelines
OFFICERS
Risk and Insurance Manager supported by the Risk and Insurance Team
●● The Risk and Insurance Manager, supported by the Risk and Insurance Team and complementary services, has a key role to play in supporting the operating principles of the council and helping to achieve the strategic aims and priorities by providing oversight, challenge and assurance that risk is being effectively managed across the organisation; whilst delivering a high performing, customer focused service
●● The team develops and delivers the Risk Management Assurance Policy for the council and is responsible for developing workforce risk management capability across the organisation, through the provision of guidance, education, training, and support to enable the organisation to take control of the risks that threaten or optimise delivery and to embed the risk management principles and practices across the business, ensuring that this adds value and is in line with the industry standards and requirements
Corporate Risk Management Group (CRMG)
The CRMG has a role to further embed risk management as part of the council’s culture of governance, with members, managers and partners at all levels recognising that risk management is part of their job and held accountable for managing risks by:
●● Embedding the processes across the council as part of the risk management arrangements
●● Establishing a robust and systematic approach for identifying, managing and responding to risk including evaluation, review, development, consultation and communication to support well thought through risk taking and decision making
●● Developing appropriate training and awareness arrangements for Members, Senior Officers, Staff, Partners and the Community
●● Promoting good corporate governance and contributing to the annual governance statement
Executive Directors (All)
●● Ensure there are effective risk management arrangements in their directorate in line with this policy and ensure adherence with the Risk Management Assurance Policy
●● Champion the benefits of effective risk management
●● Appoint a risk coordinator to drive forward the risk management arrangements within their Service
●● Hold workshops for the assessment of risk
●● Maintain the working Directorate Risk Reports, ensure they are reviewed at least quarterly by the Directorate Management Team and that risks are escalated to the Corporate Risk Report where appropriate
●● Approve actions/plans with residually high risk, i.e. those outside the City Council’s risk tolerance, and where necessary are escalated to CLB
●● Take ownership for risks within their service and ensure risk registers, risk assessments including project registers are regularly discussed, reviewed, updated and escalated as appropriate
●● Ensure key decision reports contain balanced and considered risk assessments
Monitoring Officer
●● Provide assurances regarding overall legal risk management of the council for the Annual Governance Statement and input to risk reports and registers as required
●● Ensure the Annual Governance Statement is an accurate reflection of internal control, risk management and governance to sign off
Directors, third and fourth tier managers
●● Ensure that risks to services are properly recorded on risk reports and registers and manage risks effectively in their service area, in accordance with the risk management arrangements, ensuring that:
  • Service working risk registers are maintained as needed and reviewed regularly
  • Any significant new risks identified through the business planning process are fed through to the line manager and escalated for consideration by the Directorate Management Team
  • The risk management arrangements are embedded in their service areas, and that staff are aware of the underlying risk management principles.
  • Where necessary escalate risks to Management Teams
  • Ensure their staff have appropriate understanding and training on risk management
  • Champion the benefits of risk management across their service and communicate the corporate approach to managing risk
Councillor(s) Support Officers
●● Monitor inclusion of risk assessment in all reports to Cabinet requiring a decision
Corporate Safety Team
●● Provide technical and advisory assistance to Strategic Directors, Managers and staff to promote and maintain effective safety, health, and welfare services
●● Conduct audits of health and safety arrangements, including the completion of Health and Safety risk assessments
Civil Contingency Manager/ Civil Protection Unit
●● Ensure:
  • Services have the templates and support to ensure service continuity risks affecting a critical service can be addressed in a Business Continuity Plan and reflected in the Directorate Business Continuity Plan
  • The Directorate Management Teams are aware of emerging new high risks to business continuity planning
  • Ensure Corporate Continuity Planning takes account of risks in the Corporate, Directorate and Service Planning working Risk Registers, as well as external risks in the Local Resilience Forum (LRF) - Community Risk Register
  • Promote and assist contingency planning and business continuity at Corporate, Directorate and Service Delivery level to mitigate risks outside the council’s risk tolerance
Strategic Intelligence & Performance Team
●● Support the development of strategic and service planning which ensures robust consideration of risk in achievement of objectives
Internal Audit
●● Plan audit work to take into account key risks, and how effectively they are managed, providing assurances for the Annual Governance Statement, the Corporate Risk Register and Audit Committee
●● Undertake periodic reviews of the effectiveness of risk management
●● Undertake proactive fraud prevention and detection work based on an assessment of fraud risk to the council
●● Prepare, on behalf of the Mayor and Head of Paid Service, the Annual Governance Statement
All Staff
●● Manage risk as part of their role and report risks to their managers by:
  • Developing an understanding of, and becoming familiar with, the Risk Management and Assurance Policy
  • Maintaining awareness of risks, their impact, including costs, and feeding these through the adopted risk management process, including alerting management to:
    • Risks which are not effectively managed, or the level of current risk is unacceptably high (amber or above)
    • Issues that arise or near misses
APPENDIX B
Complementary functions
There are several complementary functions linked to the management of risk, including: Business Planning, Health & Safety, Business Continuity and Performance Management. All have significant risks associated with them which may have a major impact across the council. It is vitally important that risks in these areas are identified, assessed and prioritised. Representatives of the below teams attend the Corporate Risk Management Group as and when needed.
Risk management in Business Planning, budget planning and decision making
The risk management process, practices and the hierarchy of risk registers help us to manage the risks that the council and City face. The council is committed to using risk information to inform decision making and planning:
●● Strategic and operational service planning guidelines require that all service plans include relevant risk information (e.g. from risk registers) within their action plans
●● Departments are required to use information on significant risks, contained in risk registers, to inform decisions on budget re-alignments and investments
●● All proposed budget reductions must include a detailed analysis of the risk surrounding the delivery of such reductions as well as the additional risks presented by their successful implementation
●● All efficiency improvements must be accompanied by a detailed analysis, including proposed strategies to manage risk, of the risks that threaten the delivery of the savings, whether they are cashable or non-cashable
●● All projects and partnerships must be planned in recognition of the risks that threaten their effective operation and the delivery of their outcomes
●● All Decision Pathway reports should be supported by a risk assessment
Risk management in project management
The Council’s approach to project risk management identifies and prioritises the priorities of the project so that the most significant risks are managed proportionately. Project risk management is an important aspect of project management. Project risk is defined as, “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” All managers are expected to manage risks in accordance with the Council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the project. Risk Management is a critical and continuous process and, where appropriate, Risk Assessments will be undertaken, reviewed and managed throughout the life of a project.
Risk management in partnerships and stakeholder engagement
The council’s approach to partnership risk management identifies and prioritises the priorities of the partnership so that the most critical risks are managed proportionately. Partnership governance bodies should ensure that partnerships (including their constituent projects and/or partnerships) are risk managed according to the council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the partnership. Risk management for the partnerships must be designed to work across the appropriate organisational boundaries and accommodate and engage the different stakeholders involved. Large and/or complex stakeholder communities can introduce their own risk and need to be explicitly managed. Where the council is not the ‘leading partner’ that ‘sets’ the management culture, it is the responsibility of council colleagues in the partnership to ensure that the potentially different risk management approaches work together harmoniously to the benefit of all partners.
Risk management in procurement
The council’s approach to procurement management of risk includes the identification, management and prioritisation for contracts award so that the risks can be managed proportionately. All managers are expected to manage risks in accordance with the council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the contract. Risk Management is a critical and continuous process and, where appropriate, Risk Assessments will be undertaken, reviewed and managed throughout the Procurement Journey. It is important to engage with the marketplace in terms of identifying the desired outcomes, risks and issues.
Health, Safety and Wellbeing
The council has responsibilities under health and safety legislation to ensure the health, safety and welfare at work of employees and other people affected by the council’s business. Managing health and safety risks is an integral part of business risk management and the management of such risks should not be taken in isolation. Poor health and safety management can have a negative impact on other business risks such as reputation, insurance, business continuity and financial resources.
Health and safety risks vary across the council due to the diversity of work activities. The effective management of the risks, as with all significant corporate risks, is an essential part of the role of the relevant managers. The organisation and arrangements for managing health and safety within the council are detailed in the council and Directorate/Directorate’s Health and Safety Policy documents.
The health and safety management system in Bristol City Council is based on the model detailed in the Health and Safety Executive publication “Successful Health and Safety Management” (HSG65) and takes into account the Institute of Directors/Health and Safety Commission guidance “Leading Health and Safety at Work – Leadership Actions for Directors and Board Members”.
Business Continuity
Business Continuity Management (BCM) is complementary to a risk management framework that sets out to understand the risks to the council, and the consequences of those risks, seeking to manage risk around the key services that the council delivers. Service delivery can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse by cause. By focusing on the impact of disruption, BCM identifies the services which the council must deliver, and can identify what is required for the council to continue to meet its obligations.
Through BCM, the council can recognise what needs to be done before an incident occurs to protect its people, premises, technology, information, supply chain, stakeholders, reputation and importantly the services that the council delivers to the people of Bristol.
With that recognition, the council can then take a realistic view on the responses that are likely to be needed as and when a disruption occurs, so that it can be confident that it will manage any consequences without unacceptable delay in delivering its services.
Risk management and performance management
The council acknowledges the crucial links between risk and performance management. Risk management is an integral part of the business performance management framework. Performance cannot be reviewed or reported on without an accompanying review and report on the risks in play, whether they are a direct threat to progress or arise from an initiative to achieve new and critical benefits.
Insurance
Insurance acts as a risk transfer mechanism which reduces the financial risk to the council. The council transfers the insurable risks to an insurance company by contributing a premium.
In the event of a financial loss, the council is entitled to indemnity, subject to the terms and conditions that are in place. The administration of the council’s insurance arrangements is undertaken by the Risk Management and Insurance Section, within Resources. The section provides a comprehensive and professional Insurance service including insurance provisions and other related insurance activities as well as processing new and outstanding claims.
The council is required to provide Insurance Cover or alternative funding for a variety of possible or probable events and liabilities that could arise. The majority of risks identified through Corporate, Directorate, Programme or Project risk registers will not be insurable and some, on balance, may not be financially viable or of benefit to the council to insure.
The council currently has multiple insurance policies in place, the main policies being Public Liability, Employers’ Liability, Motor and Property. The ‘What Is Insured?’ document provides a complete overview of insurance.
Information and Guidance is provided via the source.