risk management assurance policy · 2019-01-11 · figure 2. risk management assurance framework...

Risk Management Assurance Policy


Post on 09-Jun-2020


Contents

Introduction
Policy Statement of Commitment
Principles and Culture
Risk Management Framework
Roles and Responsibilities
Risk Appetite and Tolerance
Risk Registers
Risk Management Process
Risk Matrix
Governance Reporting and Escalation
Support Guidance and Tools
Risk Governance, Assurance and Maturity
Complementary functions


Introduction

Risk management helps us to understand the risks associated with delivering Bristol City Council’s services. It makes us think about the decisions we take, and how we manage everyday service delivery, projects and our work with partners.

Risk management is often primarily concerned with the adverse potential of risk. However, not all risk is bad. Some opportunities can only be unlocked by taking risks. The key to success in these situations is to take risks knowingly and manage them appropriately.

The purpose of this policy is to set out the council’s approach for the systematic management of risk, the culture, expectations/responsibilities on all managers and decision makers with regard to considering and managing risk in pursuit of achieving the council’s priorities and objectives.

The benefits from an effective risk management framework are:

● Improve the assessment and response for both opportunities and threats
● Establish a reliable basis for better decision making and planning
● Improved customer service, and better outcomes
● Increase the likelihood of achieving its goals and delivering outcomes
● Improved strategic, operational and financial management and value for money
● Enhanced reputation, and securing confidence, trust from our stakeholders
● Effectively allocate and use resources for risk treatment
● Improve organisational resilience
● Continuity of knowledge
● Improved governance and compliance

Through this policy we aim to:

● Identify the scope of risk management
● Embed and integrate risk management in the culture of the council
● Assign roles, responsibilities and accountability for risk management activities within the council
● Raise awareness of the need for risk management by all those connected with the council’s delivery of services
● Contribute to the prevention of injury, damage and losses to reduce the cost of risk
● Ensure we identify and realise opportunities and their resulting benefits
● Ensure consistency throughout the council in the management of risk

These aims will be achieved with a clear and evidenced approach consistently applied across the organisation that embeds consideration of risk in policy formulation, planning and decision making at all levels by:

● Incorporating risk management considerations into all levels of business planning
● Incorporating risk management considerations into all levels of programme, project and partnership arrangements
● Skills training and development for all relevant managers, staff and Members in the effective management of risk
● Regular monitoring and reporting of risk to identify trends and likely direction of risks for Members and Senior Managers to be aware of when making decisions

APPENDIX A


Policy Statement of Commitment

The Mayor, Cabinet and Corporate Leadership Board view risk management as an integral part of good internal control and corporate governance.

The way in which we manage our risks directly impacts our success in achieving our objectives, and in delivering services to the communities to which we are accountable. Bristol City Council is committed to adopting best practice in its management of risk to ensure retained risk is of an acceptable and tolerable level in order to maximise opportunities and demonstrate it has made full consideration of the implications of risk to the delivery and achievement of outcomes, strategic aims and priorities.

The council is, within the above context, committed to the management of risk in order to:

● Ensure that statutory obligations and policy objectives are met
● Prioritise areas for improvement in service provision and encourage meeting or exceeding customer and stakeholder expectations
● Safeguard its employees, clients or service users, Members, pupils, tenants and all other stakeholders to whom the council has a duty of care
● Protect its property including buildings, equipment, vehicles, knowledge and all other assets and resources
● Identify and manage potential liabilities
● Maintain effective control of public funds and efficient deployment and use of resources achieving value for money
● Preserve and promote the reputation of the council
● Support the quality of the environment
● Learn from previous threats, opportunities, successes and failures to inform future management of risks

These aims will be addressed by systematically identifying, analysing and evaluating, cost effectively controlling and monitoring risks at strategic, programme, project, and operational levels. The council acknowledges that risk cannot be eliminated and may sometimes need to be embraced as part of an innovative approach to problem solving. It is the responsibility of Senior Leadership to ensure that risk management strategies and processes are implemented and brought to the attention of relevant staff in their Directorate. Every employee has a responsibility to support the council’s policy in managing risk. The council strives to have an open approach to risk and not be perceived as risk averse whilst ensuring that the most vulnerable are protected and there is increased collaboration with our partners, communities and residents.

Risk management strategies and processes are to be reviewed for efficiency and effectiveness as part of the annual management review cycle.

The council’s risk management objectives are a long-term commitment, inherent to good governance practices and fully supported by the Mayor and the Corporate Leadership Board.

This Risk Management Assurance Policy complements and supports the strategic aims and priorities that are set out in the Bristol City Council Corporate Strategy 2018-2023.

Executive Director of Resources and Head of Paid Services: Mike Jackson

Deputy Mayor: Cllr. Cheney


Figure 1. BCC’s Risk Management Assurance Culture Model


Principles and Culture

As a modern local authority, the council is committed to delivering quality services to the citizens and communities of Bristol. In doing so, our over-riding attitude to risk is that it should be identified and managed rather than avoided with an organisational culture that embraces and embeds consideration of risk in its day to day operations at every level. A risk culture that emanates throughout the organisation to ensure all levels of buy in to the corporate risk process.

Risk Management is about understanding and evaluating opportunities and threats and making informed decisions about how these are to be managed in order to achieve our aims and deliver beneficial outcomes.

The council recognises it needs to take risks but must do so in a controlled manner to reduce its exposure to the level acceptable by the Mayor, Cabinet and relevant regulators and inspectors.

Innovative solutions are encouraged, and while they often involve risk, they can be implemented with awareness, authority and management of the risks that each respective case carries.

At Bristol City Council, we are committed to ensuring risk management is embedded across the whole organisation. To do this, we have mapped the council’s core values, risk management principles and the core attitudes and behaviours required to deliver a strong culture and appetite for managing risk. The risk management principles are based on the OGC’s Management of Risk Framework and in accordance with the International Risk Management Standard (ISO:31000).

The risk management assurance policy is designed with these principles at their core. Figure 1 below shows BCC’s Risk Management Assurance Culture Model for managing and assuring risk.

[Figure 1 diagram, with sections labelled Risk Management Principles, Attitudes and Behaviours, and Bristol City Council Values. Labels in the diagram: Top down leadership; Dedicated resource; Framework; Enables achievement of our objectives; Fits the context; Engages Stakeholders; Provides framework and guidance; Enhancing & protecting values; Integration; Informs decision making; Facilitates Continual Improvement; Ownership; Respect; Curious; Dedicated; Collaborative; Accountability; Openness & transparency; Inclusivity; Proactivity; Integration; Informed and validated Risk based decision making; Clear focus and communications; Shared values, behaviours and principles.]


Risk Management Framework

At Bristol City Council, we are committed to ensuring risk management is embedded across the whole organisation. Risk Management needs to be an integral part of how services are developed and delivered every day. It is imperative that there is a single flexible approach for the management of business risk, adopted through all levels of the organisation.

Bristol City’s Risk Management Assurance Policy gives an outline on how risks are managed across the council by everyone. To effectively manage risk, the framework is integrated across the organisation involving all key stakeholders including - but not limited to - officers, leaders, Members, partners and suppliers.

For risk management to be successful, it is essential that there is a single yet flexible approach for the management of risk, adopted through all levels of the council. This Policy is one part of the overall risk framework; the key elements are set out in Figure 2 below.

Figure 2. Risk Management Assurance Framework

Risk Management is the planned and systematic approach to the identification, analysis, evaluation, prioritisation and control of risks and opportunities facing the council.

Risk is the chance of something happening that will have an impact on achievement of objectives.

Risk can be both Positive Opportunities and Negative Threats.


People, Process, Technology

Assurance Framework

Governance

• Risk Maturity

• Risk Audits, Risk Reviews and Surveys

• Internal Audit Review

• Annual Risk Governance Statement

• Risk Management Assurance Policy

• Commitment

• Policy Statement

• Principles and Culture

• Risk Appetite

• Risk Governance Reporting

• Reporting Framework

• Roles and responsibilities

• Risk Management Process

• Guidance and Tools

• Learning and Development


When risks are identified, it is important that we ascertain both the opportunities as well as what might go wrong, what the potential impacts may be, what could trigger the occurrence and deciding how best to minimise or maximise the risk materialising.

There are times when things will go wrong despite our attempts to prevent them, which could result in ‘issues’ that need resolution. Proactive risk management of these will ensure that threat impacts are kept to a minimum and opportunities are maximised. The council’s approach provides for threats, opportunities and issues management.

Management and maintenance of risks and issues are on the risk/issue registers and supporting reports which undergo regular review, monitoring and reporting in line with this policy.

As well as instinctively managing risk on a day to day basis, consideration and recording of risk is required in the following management processes (see Annex B for Complementary processes):

● Strategic, service planning and resourcing
● Policy and decision making
● Project or Programme delivery
● Partnership working
● Business continuity planning
● Performance management
● Budget planning and monitoring cycle
● Planning when implementing change
● Commissioning and procurement activity
● Health and safety arrangements
● Civil Protection

Roles and Responsibilities

Effective Risk Management requires that there is clarity of the responsibilities for risk, and ownership of the risks identified. This policy requires that the elected Mayor, Members and managers at all levels assist in, and take responsibility for, identifying, considering and controlling risk and opportunities (and the better use of resources) in all their activities and areas of responsibility.

All Members, senior leaders, employees and partner organisations have a role to play in ensuring that risk is effectively managed. We acknowledge that this is not always under the council’s direct control but we will take all reasonable steps to encourage and embed risk management wherever we have a stake. To be effective, the risk management framework must be fully endorsed and supported by the officer and political leadership of the council, who set the organisational tone for risk management and champion the benefits through all levels of the business.

Risk management is only considered to be truly embedded when it functions as part of the council’s day to day operations.

Recognition from Senior Management of the importance of risk management to the effective operation of the council is resonated through the appropriate allocation of resources to deliver the risk management framework across Bristol City Council. The key responsibilities for each group/stakeholder roles and responsibilities are set out in Annex A.


Risk Appetite and Tolerance

Bristol City Council aims to be risk aware, but not overly risk averse and to actively manage business risks to protect and grow the organisation. To deliver its strategic aims, the organisation recognises that it will have to take and manage certain business risks. Intolerable risks are those that could negatively affect the safety of employees or our customers/clients, have a damaging impact on our reputation, lead to breaches of laws and regulations and/or endanger the future operations of the council.

Risk Appetite

Risk appetite is best summarised as “the amount of risk an organisation is willing to accept to secure its objectives”. The risk appetite of Bristol City Council is reflected in the scoring schemes used for risk and opportunity assessment, and the recommended handling strategies for identified risks and opportunities. The scoring schemes describe what constitutes a significant risk or opportunity, and these in turn inform the approach to their management.

Risk Tolerance

Culture, Policy and competitive position all influence our tolerance to risk and defining it can be challenging as every case will be different. The diversity of the services delivered by the council and nature of the risks it faces means it is not possible to set a ‘one size fits all’ risk tolerance that managers and Members alike can apply and embed in strategic and operational decision making. The council’s approach is to record risk tolerance on a case by case basis within the council’s Risk Registers and the Risk Reports.


Risk Registers

As part of good governance, the council manages and maintains a working register of its key strategic and operational business risks at various levels - assigning named individuals as responsible officers for ensuring the risks and their control measures are monitored and effectively managed.

Service Risk Registers are the working live tool for the detailed capturing of risk information to enable reporting on risk activity and the organisation’s risk profile. The working risk register is a live data record where new risks are captured, others are managed to elimination and some require close and regular monitoring. The Corporate and Directorate Risk Reports are generated from the working risk registers for publication. All key council decisions will be supported by a supporting Risk Report.

Standard templates are to be used for recording risk. The council’s risk register and report template includes provision for recording threats and opportunities as well as those risks that have occurred which are now ‘issues’ to be addressed. Where more detailed plans are in place, the risk register need not duplicate these but simply cross refer to them.

The Corporate Risk Report (CRR) contains risks that, should they occur, could have a fundamental impact on the council’s ability to operate, achieve its strategic objectives or successful delivery of outcomes.

The Corporate Risk Report is the means by which Members and leaders of the organisation will be focussed on the strategic and business critical risks and review the effectiveness of risk management arrangements in place to monitor and manage these risks. The CRR is ‘owned’ by the Corporate Leadership Board (CLB) and used by them and Cabinet to ensure the most critical/significant risks are being managed effectively within an agreed risk tolerance.

The Directorate Risk Reports (DRR) detail the key risks faced by each Directorate in delivering their Directorate Plan. They also include significant issues that have impacted the Directorate objectives. These reports are owned by the relevant Executive Directors and are reviewed at least quarterly by Directorate Leadership Teams (DLT) and Cabinet Members in line with their portfolio. Scrutiny and the Audit Committee will receive the Corporate and Directorate Risk Reports at period end following the quarterly Cabinet Risk Report.

The process in use is administered by the Risk and Insurance Team. The Risk and Insurance Team promote a self-service approach by providing guidance, support and delivering training across all services.


Risk Management Process

Carrying out an assessment of the risks against business objectives is primary to business & service planning, core decision-making processes influencing policy, financial planning & spending, agenda management, change management, project management and performance management.

The risk assessment methodology is designed to assist managers in focusing on the key risks and ensuring that actions are in place to effectively manage these risks.

The Risk Management Process (see Figure 3 opposite) is a series of logical steps which are carried out in sequence to progress through each stage of managing a risk. The process is cyclical and it is often necessary to revisit earlier steps and carry them out again to ensure you have a complete picture of the risks to the activity/outcome being assessed.

The risk management process begins by establishing the context around which you want to identify and assess risks. This could relate to an activity, objective or outcome. Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Once identified, the risks need to be assessed and assigned a score for both their impact and probability – the combined outcome of this produces the risk rating.

Risk identification should be forward looking and focus on both potential threats to, and opportunities that may present in, achievement of objectives. The assessment will identify whether the matter is a risk (an event in the future) or an issue (an event that is already happening).

To ensure consistency and the ability to compare and report on the various levels of risk, Bristol City Council has adopted a risk matrix to be used when determining the risk rating. This is detailed in Figure 4 on the next page.

Following identification and assessment, a decision must be taken on how best to respond to the risk and if accepted then strategies to manage the risk need to be determined. There should be communication and consultation throughout the process and the need for continual monitoring and review of the risk(s) throughout the lifecycle of the activity/objective/outcome.

Each risk should have a clear link to one or more of the strategic aims of the council. The relevant strategic aim is included as part of the captured risk information providing increased assurance that there is effective identification and management of risk.

Figure 3. Risk Management Process

[Diagram labels: Establish the Context; Risk Identification; Risk Assessment; Analysis; Evaluation; Management Response; Monitor and Review; Communication and Reporting; Continuous Improvement.]


Figure 4. Risk Matrix


The risk matrix is used to evaluate the risks and there is an understanding of the risk exposure faced. The level of risk will influence the type of management response and management action we choose to manage the risk (see diagram Figure 4 below).

For each risk, consideration should be given to the impact under each category and the highest impact category used in assessing the impact level measures that should be used in making this assessment. The scoring categories for the likelihood and impact are set out in the risk management process guidance.

The current level of risk needs then to be considered against the risk tolerance for each risk (the level of risk the council is prepared to accept). This will vary according to the nature of the risk and must be agreed by Executive Director Management if not in the green/light blue area of the matrix. Where the current level of risk is higher than the risk tolerance, an action plan is required that will result in the risk level reducing. Where current risk levels are lower than the risk tolerance, removal of some controls is permitted to release costs to other risk management priorities.

Where issues are identified, these can be assessed against the impact guidelines within the Risk Management Process, to judge whether the issue needs to be addressed, whether a contingency plan had already been developed or if a plan of further action is needed. There will also be a need to assess whether this means that a risk has ceased to exist, or whether there is a possibility that it may recur.

Ensuring that all business risks are assessed and managed through the adopted risk management process drives consistency through the risk management framework and enables risks to be compared and reported on against a like for like basis. It also provides the council with the ability to map its collective risk exposure of an activity, objective, outcome, function(s) or indeed whole council operation to support its Strategic Aims. The risk tolerance for each risk is also recorded together with further actions required to ensure the current level of risks is in line with the agreed risk tolerance as identified in the risk register.

Threat Impact (Negative risks)

| Threat Likelihood | Minor (1) | Moderate (3) | Major (5) | Critical (7) |
|---|---|---|---|---|
| 4 Almost certain | 4 (Low) | 12 (Medium) | 20 (High) | 28 (Critical) |
| 3 Likely | 3 (Low) | 9 (Medium) | 15 (High) | 21 (High) |
| 2 Unlikely | 2 (Low) | 3 (Low) | 10 (Medium) | 14 (High) |
| 1 Rare | 1 (Low) | 3 (Low) | 12 (Medium) | 12 (Medium) |

Opportunity Impact (Positive Risk)

| Opportunity Likelihood | Exceptional (7) | Significant (5) | Modest (3) | Slight (1) |
|---|---|---|---|---|
| 4 Almost certain | 28 (Significant) | 20 (High) | 12 (Medium) | 4 (Low) |
| 3 Likely | 21 (High) | 15 (High) | 9 (Medium) | 3 (Low) |
| 2 Unlikely | 14 (High) | 10 (Medium) | 6 (Medium) | 2 (Low) |
| 1 Rare | 7 (Medium) | 5 (Medium) | 3 (Low) | 1 (Low) |


Governance Reporting and Escalation

The Corporate Risk Report (CRR) is subject to quarterly review by the Corporate Leadership Board and Cabinet and is subject to the call-in procedure following Cabinet. The Directorate Risk Reports are subject to quarterly review by Executive Director Management meetings and Member Portfolio holders. The Risk Management Action Table (Figure 5) below shows the action levels to be taken in the management and reporting of risk.

Audit Committee are provided with the Corporate Risk Report quarterly each year to provide independent challenge and assure themselves that risk management arrangements are effective. They can request additional information as necessary.

An overview of the effectiveness of the risk management process is also provided annually by the Internal Audit Team to give them the relevant assurance that the whole process is working effectively.

The Corporate Risk Report and Directorate Risk Reports will be made available to Scrutiny Task and Finish Groups following period end and Cabinet reporting. Individual Risk Reports based on the information contained within the DRRs for areas in line with their roles may be requested as set out in the reporting process guide. Other registers are maintained and reviewed monthly as part of core management processes such as service planning and performance and project management processes.

The council’s Risk Management Assurance Policy relies on escalation of risks from service/operation level through to strategic Corporate Risk Report to ensure CLB and Members are aware of the most significant risks. The escalation process is shown in Figure 6 on the following page. As part of this process consideration can be given to the actions proposed to manage the risk, whether the tolerance level recorded is appropriate and whether it is aligned to the correct service area. Additionally, in reviewing the Corporate Risk Report both the Corporate Leadership and Cabinet may identify risks to which the assessment may need to be revised or risk transferred.

Risks with a current risk score of 14 to 28 (high and critical/significant risk) need to be escalated at Executive Directorate Management meetings for consideration for inclusion in the Corporate Risk Report.

| Threat Level | Opportunity Level | Level of risk | Action Required |
|---|---|---|---|
| 1-4 | 1-4 | Low | May not need any further action / monitor at service level. |
| 5-12 | 5-12 | Medium | Action required, manage and monitor at the Directorate Level. |
| 14-20 | 14-20 | High | Must be addressed - If Directorate level risk consider escalating to the Corporate Risk Report, if Corporate consider escalating to the Cabinet Lead. |
| 28 | 28 | Significant | Action required - escalate (if Directorate level risk, escalate to the Corporate Level, if Corporate bring to attention of the Cabinet Lead to confirm actions to be taken). |

Figure 5. Risk Management Action Table


All risks scoring 20 to 28 (high, critical / significant risk) will automatically be escalated to the Corporate Risk Report. Issues that have arisen that are significantly impacting on the council are recorded within the CRR.

The Executive Director Management will determine where risks are monitored via the Directorate Risk Report and Service Risk Registers. Escalations must be flagged in a timely manner to enable discussion prior to the next quarterly Executive Team Risk meeting.

Directorate Management Teams will consider what core risks need to be escalated to the Corporate Risk Report and if so, the Strategic Director must ensure this escalation occurs through the reporting process.

Where a significant and urgent risk emerges outside of the reporting period which you believe needs to be discussed as soon as possible, complete a Risk Escalation Report to the appropriate manager for discussion and action.

A risk may need to be escalated to a higher level if:

● the risk becomes too unwieldy to manage at the current level
● the risk rating cannot be controlled/contained within its current level
● the risk remains very high even after mitigations are implemented
● the risk will impact on more than one service/project or function if the risk event materialises
● the risk moves outside the appetite boundaries/comfort zone

A risk may need to be moved to a lower level if:

● the risk can be controlled/managed at a lower level
● the risk rating decreases significantly
● the risk event will only affect one team/service area and the impact will be limited; this should then be controlled more locally at a lower level

There should be communication and consultation throughout the process and the need for continual monitoring and review of the risk(s) throughout the lifecycle of the activity/objective/outcome.

The process is cyclical, and it is often necessary to revisit steps and carry them out regularly to ensure you have a complete picture of the risks to the activity/outcome being assessed as part of continuous improvement in the management of risk.

Figure 6. Risk Governance Reporting Framework

[Diagram with the headings Risk Reporting, Monitoring and Review, Escalation Responsibility (Strategic Director; Service Director; Service / Project Manager) and Scrutiny. The reporting levels shown are:]

● Corporate Risk Report (CRR): owned by Corporate Leadership Team; risk scoring 20 or above; risks/issues that significantly impact on the ability to operate and achieve objectives; Quarterly Review by Cabinet and Corporate Leadership Team.
● Directorate Risk Report (DRR): owned by Directorate Management Teams; risks/issues that significantly impact on the ability to operate and achieve objectives; Quarterly Review by Directorate Management Teams; Quarterly Review by Cabinet Portfolio Holders.
● Operational / Project Risks: owned by Service Directors and Service Project Managers; risks/issues that significantly impact on service team / project delivery; Business Planning / Finance / Health, Safety and Wellbeing / Partnership / Performance / Business Continuity; Monthly Review by Service Director and Service Project Manager.


Support Guidance and Tools

All staff have a role to play in risk management and the Corporate Risk Management Group (CRMG) have responsibility for helping to deliver the Risk Management Assurance Policy and for developing the necessary training or advice to enable the council to implement the measures contained in this Policy throughout the council.

The Risk and Insurance Team is responsible for developing workforce risk management capability across the organisation, through the provision of guidance, education, training and support. Risk management forms part of the corporate learning and programme at various levels to provide the right level of training and support for Members and managers and effective tools and methodology for identifying, assessing and prioritising risks. Areas of support include:

● Corporate induction
● Induction for new managers
● Risk management is also included in the generic skills set in the workforce plan for all employees and will be supported by a suite of corporate training
● More advanced training needs will be identified through the ‘Leadership and Management Development Framework’

Guidance materials are under regular review to ensure they reflect the needs of the organisation and are compatible with the organisation’s structure, having the flexibility to adapt to new and changing structures. New ways to engage with officers and leaders to help with the understanding and embedding of effective risk management are under regular review, with the options for digital learning and development high on the agenda.

The risk management Policy, guidance and training materials are reviewed on a regular basis to ensure they continue to meet the needs of the organisation and incorporate the very latest industry best practice.

Training on risk management is also offered to all staff and members periodically either on specific subjects or as identified through Personalised Development Plans.

The risk management intranet pages are continually being improved, outlining what risk management is, and how all employees can play their part in reporting and managing risks. It will also contain CRMG guidance notes and other useful information. New training and guidance will continually be developed and rolled out. Risk management records will be managed via SharePoint. The Risk Management Policy and supporting arrangements will be available and communicated.


Risk Governance, Assurance and Maturity

The Audit & Accounts Regulations 2015 require the council to have effective arrangements for the management of risk and each year, in the council’s Annual Governance Statement, the council is required to comment on the effectiveness of its arrangements in this regard. The statement must also identify any significant governance issues that may have resulted from failures in governance and risk management. Legal requirements aside, effective risk management is required to ensure the continued financial and organisational well-being of the council, and council-wide ownership and accountability for managing risk is critical to the success of delivering the organisation’s priorities and objectives. Management of risk is inseparable from effective management of the council’s performance.

The Risk Management Assurance Policy complements Bristol City Council’s internal control environment, alongside other financial, operational and compliance controls. Assurance provides confidence, based on enough evidence, that internal controls are in place and operating effectively and that objectives are being achieved.

Members and senior management are responsible for determining the nature and extent of the principal risks the council is willing to take in achieving its strategic objectives. They maintain sound risk management and internal control systems.

Annex A of this Policy outlines the roles and responsibilities, and the governance reporting framework for Risk Management within Bristol City Council (page 13), demonstrating our arrangements for dispersing accountability and responsibility for risk management throughout the organisation. With focus on internal control, the Audit Committee are the organisation’s oversight body for risk management, providing check and challenge to the risk management assurance policy, process and delivery. The roles and responsibilities of the Audit Committee are set out in Annex A.

The Risk and Insurance Team work closely with internal audit and governance colleagues to ensure the principles of good governance are adopted. Auditing of the Risk Management Assurance Policy is undertaken by the council’s internal audit team in accordance with their audit plan, and recommendations arising are fed back through the risk management annual plan to ensure continual improvement.

Bristol City Council adopts the three-line defence model for effective risk management and control, as shown in Figure 7, Risk Management Assurance Model, on the following page. The Risk Assurance Model clarifies response at both an operational and strategic level of the organisation. Within this model, management control is seen as the first line of assurance; this shows how each service area complies with risk management sources of assurance. The second line of assurance shows the oversight functions of Assurance Services. The third line of assurance provides Internal Audit’s assessment of the risk management sources of assurance. Assurance is also offered from external sources such as external audit and regulators. This model provides active scrutiny and challenge to ensure assurance is achieved.

At the end of each year, the Executive Team assures the Audit Committee that significant risks have been adequately managed. Internal Audit performs an independent audit of Risk Management at the council each year, which they report to the Audit Committee. The Audit Committee then provides a statement of assurance to the Cabinet that our major risks are adequately managed.


Figure 7. Risk Management Assurance Model

Executive Management reporting and oversight (Cabinet, Audit Committee; also shown: External Audit, Regulators)
• Foster a risk intelligent culture, receive the Risk Management Assurance Policy and periodical reports
• Foster a risk intelligent culture, approve the risk appetite, consult and ratify key components of the Risk Management framework, discuss and challenge corporate risks, receive and challenge periodical reports

1st Line Defence: Governance Assurance, Risk Ownership
Management Controls; Internal Control Measures
Services and functions that own and manage risk

Service Areas: Management operations in an established risk and control environment:
• Day to day risk management activity
• Take intelligent risks
• Identify and assess risks
• Respond to risks
• Monitor risks and report
• Follow the risk management framework and process
• Apply internal controls and risk responses

Key risk complementary functions
• Provide guidance / support to the service areas and the Strategic Risk Management Group

2nd Line Defence: Governance Assurance, Risk Infrastructure and Management
Infrastructure: Management oversight and Review
Services and functions that oversee or specialise in risk management and compliance

Leadership
• Define the risk appetite
• Evaluate strategies against risk appetite
• Provide timely risk information

Risk Management and Insurance Function
• Create a common framework
• Provide direction in applying the framework
• Implement and manage technology systems
• Provide guidance and training
• Periodical reporting and Annual Risk Management Report
• Assurance statement contribution

Corporate Risk Management Group
• Aggregate risk information
• Identify and assess thematic risk
• Monitor corporate risks and responses

Key risk complementary functions
• Functions that provide strategic management, policy and procedure setting
• Provides a maturity assessment and maintains oversight of improvement actions
• Provide oversight, monitoring and upward reporting providing assurance of the effectiveness of controls

3rd Line Defence: Governance Assurance, Internal Control and Assurance
Internal Audit: Function that provides independent assurance
• Provide assurance on the effectiveness of the risk management framework, and the controls and response actions for significant risks
• Independent challenge to the levels of assurance provided by the 1st line assurance service operations
• Independent challenge of policy and process to the levels of assurance provided by the 2nd line assurance oversight functions
• Monitor compliance and provide independent challenge
• Annual Governance Statement


Risk Management Maturity

All organisations, including Bristol City Council, are on a risk management journey. Risk maturity refers to where the business is on that journey and how well-established risk management is as a discipline across the organisation. There is increasing complexity of risks facing public service organisations and our senior leaders recognise and actively support the driving forward of the risk management agenda. Through self-assessment and benchmarking we will continue to review our current risk management capability to help us direct our resources to areas that need improvement and further development, ensuring that risk management arrangements remain fit for purpose in this changing environment.

We network and share information with other councils, which enables us to benchmark ourselves against similar organisations. The council regularly engages with external risk management bodies such as Alarm (the Public Risk Management Association), and the Institute of Risk Management. These provide additional opportunities for Bristol City Council to compare itself with industry best practice and ensure that it continues to move forward on the risk management journey.

Annually a maturity assessment will be undertaken including self-assessment, performance metrics and stakeholder opinions which will inform the risk management compliance and performance. The council will additionally carry out an annual benchmarking exercise. The diagram below shows the maturity levels adopted by CIPFA.

Risk Management Review and Audit

To ensure the Risk Management Assurance Policy, guidance and associated tools remain fit for purpose, we continually seek to review and improve our risk management methodology and embrace new initiatives; new legislation, government guidance or internal changes in practice are captured and reflected. We adapt to our changing operating environment and economic conditions and have a framework with enough flexibility to cope with these changes. We aim to improvise, innovate and experiment in addressing challenges and exploiting opportunities, learning from both success and failure, which strengthens the organisation and its dependent networks.

Risk management is subject to the council’s internal audit practices and as such is audited in line with the timetabling set by the Internal Audit Plan. Any recommendations arising from audit activity are channelled back through our annual work plans to ensure they are addressed. The council is also subject to Peer Reviews and External Audit.

Maturity levels: Awareness, Happening, Working, Embedded & Integrated, Driving


Group / Individual

Responsibilities

MEMBERS

Elected Mayor and Cabinet

● Oversee delivery of the Risk Management Assurance Policy
● Determine overall risk appetite and tolerance for the council
● Ensure consideration of risk in decision making
● Review progress of the management of strategic risks
● Quarterly review of Corporate Risk and Issues Registers
● Mayor to sign the Annual Governance Statement
● Approve the Risk Management Assurance Policy

Cabinet Member Leads

● Oversee risks relating to their portfolio
● Oversee risk management policy (Cabinet Member Resources)

Directorate Scrutiny Commissions

● Challenge decisions made by Cabinet where risks have not been properly considered
● Task and finish groups can request risk report information for areas in line with their portfolios

Audit Committee

● Provide independent assurance to the council on the effectiveness of risk management and internal control by:
    • Reviewing the Corporate Risk Report to ensure it is reflective of the strategic risks to the delivery of the council’s objectives and management of risks is effective
    • Scrutinising the Annual Governance Statement to ensure it is a correct reflection of internal control, risk management and governance
    • Receiving reports from Internal Audit, External Audit and other inspection bodies indicating strengths and weaknesses in internal control, risk management or governance
● Review the effectiveness of risk management arrangements
● Provide comment and challenge on risk management activity and progress

Leadership

Head of Paid Service/Corporate Leadership Board

Overall responsibility to:

● Ensure the Annual Governance Statement is an accurate reflection of internal control, risk management and governance (Head of Paid Service to sign)
● Oversee corporate and cross cutting risks and resolve conflicts and competing demands for resources

Director Finance

Overall leadership for the effective delivery of the organisation’s risk management service in accordance with industry best practice.

● Ensure risk management features as part of the organisation’s proper administration to protect the authority from financial and reputational risk
● Lead a quarterly review of Corporate Risks with the Strategic Leadership Team and Cabinet
● Arrange for the annual review of the Risk Management Assurance Policy
● Support the roll-out of a Risk Management Assurance Policy across the council, including advice and training, including to Members
● Report progress with risk management to Members, particularly the Audit Committee, and to Executive Directors
● Identify and monitor key revenue budget and capital programme risks
● Ensure appropriate external insurance cover, and as S151 Officer provide assurances regarding overall financial risk management of the council for the Annual Governance Statement


Corporate Leadership Board (CLB)

● Overall accountability for risk management across the business, including ensuring the corporate risk information is a live and up to date record of the current risk exposure
● Set the tone for risk management, promote the benefits of effective risk management and lead by example in embedding the Risk Management Assurance Policy
● Establish a control environment and culture where risk can be effectively assessed and managed
● Regularly discuss and review the Corporate Risk Report and associated risk reports

Executive Director Management Team

● Ensure risk is appropriately considered in items that require political and management direction
● Regularly review Corporate and Directorate Risk information
● Sign off risk information
● Attend Audit Committee when requested to further explain their strategies to manage risk, both threats and opportunities, and issues
● Ensure that working risk register entries are maintained and up to date
● Submit periodical updated risk registers and reports to the Risk and Insurance Team in line with reporting timelines

OFFICERS

Risk and Insurance Manager supported by the Risk and Insurance Team

● The Risk and Insurance Manager, supported by the Risk and Insurance Team, and complementary services have a key role to play in supporting the operating principles of the council and helping to achieve the strategic aims and priorities by providing oversight, challenge and assurance that risk is being effectively managed across the organisation, whilst delivering a high performing, customer focused service
● The team develops and delivers the Risk Management Assurance Policy for the council and is responsible for developing workforce risk management capability across the organisation, through the provision of guidance, education, training, and support to enable the organisation to take control of the risks that threaten or optimise delivery and to embed the risk management principles and practices across the business, ensuring that this adds value and is in line with the industry standards and requirements

Corporate Risk Management Group (CRMG)

The CRMG has a role to further embed risk management as part of the council’s culture of governance, with members, managers and partners at all levels recognising that risk management is part of their job and held accountable for managing risks by:

● Embedding the processes across the council as part of the risk management arrangements
● Establishing a robust and systematic approach for identifying, managing and responding to risk, including evaluation, review, development, consultation and communication to support well thought through risk taking and decision making
● Developing appropriate training and awareness arrangements for Members, Senior Officers, Staff, Partners and the Community
● Promoting good corporate governance and contributing to the Annual Governance Statement


Executive Directors (All)

● Ensure there are effective risk management arrangements in their directorate in line with this policy and ensure adherence with the Risk Management Assurance Policy
● Champion the benefits of effective risk management
● Appoint a risk coordinator to drive forward the risk management arrangements within their Service
● Hold workshops for the assessment of risk
● Maintain the working Directorate Risk Reports, ensure they are reviewed at least quarterly by the Directorate Management Team and that risks are escalated to the Corporate Risk Report where appropriate
● Approve actions/plans with residually high risk, i.e. those outside the City Council’s risk tolerance, and where necessary are escalated to CLB
● Take ownership for risks within their service and ensure risk registers and risk assessments, including project registers, are regularly discussed, reviewed, updated and escalated as appropriate
● Ensure key decision reports contain balanced and considered risk assessments

Monitoring Officer

● Provide assurances regarding overall legal risk management of the council for the Annual Governance Statement and input to risk reports and registers as required
● Ensure the Annual Governance Statement is an accurate reflection of internal control, risk management and governance, to sign off

Directors, third and fourth tier managers

● Ensure that risks to services are properly recorded on risk reports and registers and manage risks effectively in their service area, in accordance with the risk management arrangements, ensuring that:
    • Service working risk registers are maintained as needed and reviewed regularly
    • Any significant new risks identified through the business planning process are fed through to the line manager and escalated for consideration by the Directorate Management Team
    • The risk management arrangements are embedded in their service areas, and that staff are aware of the underlying risk management principles
    • Where necessary escalate risks to Management Teams
    • Ensure their staff have appropriate understanding and training on risk management
    • Champion the benefits of risk management across their service and communicate the corporate approach to managing risk

Councillor(s) Support Officers

● Monitor inclusion of risk assessment in all reports to Cabinet requiring a decision

Corporate Safety Team

● Provide technical and advisory assistance to Strategic Directors, Managers and staff to promote and maintain effective safety, health, and welfare services
● Conduct audits of health and safety arrangements, including the completion of Health and Safety risk assessments


Civil Contingency Manager/ Civil Protection Unit

● Ensure:
    • Services have the templates and support to ensure service continuity risks affecting a critical service area can be addressed in a Business Continuity Plan and reflected in the Directorate Business Continuity Plan
    • The Directorate Management Teams are aware of emerging new high risks to business continuity planning
    • Corporate Continuity Planning takes account of risks in the Corporate, Directorate and Service Planning working Risk Registers, as well as external risks in the Local Resilience Forum (LRF) Community Risk Register
    • Promote and assist contingency planning and business continuity at Corporate, Directorate and Service Delivery level to mitigate risks outside the council’s risk tolerance

Strategic Intelligence & Performance Team

● Support the development of strategic and service planning which ensures robust consideration of risk in achievement of objectives

Internal Audit

● Plan audit work to take into account key risks, and how effectively they are managed, providing assurances for the Annual Governance Statement, the Corporate Risk Register and Audit Committee
● Undertake periodic reviews of the effectiveness of risk management
● Undertake proactive fraud prevention and detection work based on an assessment of fraud risk to the council
● Prepare, on behalf of the Mayor and Head of Paid Service, the Annual Governance Statement

All Staff

● Manage risk as part of their role and report risks to their managers by:
    • Developing understanding and becoming familiar with the Risk Management and Assurance Policy
    • Maintaining awareness of risks, their impact, including costs, and feeding these through the adopted risk management process, including alerting management to:
        • Risks which are not effectively managed, or the level of current risk is unacceptably high (amber or above)
        • Issues that arise or near misses

APPENDIX B

Complementary functions

There are several complementary functions linked to the management of risk, including Business Planning, Health & Safety, Business Continuity and Performance Management. All have significant risks associated with them which may have a major impact across the council. It is vitally important that risks in these areas are identified, assessed and prioritised. Representatives of the below teams attend the Corporate Risk Management Group as and when needed.

Risk management in Business Planning, budget planning and decision making

The risk management process, practices and the hierarchy of risk registers help us to manage the risks that the council and City face. The council is committed to using risk information to inform decision making and planning:

● Strategic and operational service planning guidelines require that all service plans include relevant risk information (e.g. from risk registers) within their action plans
● Departments are required to use information on significant risks, contained in risk registers, to inform decisions on budget re-alignments and investments
● All proposed budget reductions must include a detailed analysis of the risk surrounding the delivery of such reductions as well as the additional risks presented by their successful implementation
● All efficiency improvements must be accompanied by a detailed analysis, including proposed strategies to manage risk, of the risks that threaten the delivery of the savings, whether they are cashable or non-cashable
● All projects and partnerships must be planned in recognition of the risks that threaten their effective operation and the delivery of their outcomes
● All Decision Pathway reports should be supported by a risk assessment

Risk management in project management

The Council’s approach to project risk management identifies and prioritises the priorities of the project so that the most significant risks are managed proportionately. Project risk management is an important aspect of project management. Project risk is defined as, “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” All managers are expected to manage risks in accordance with the Council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the project. Risk Management is a critical and continuous process and Risk Assessments will, where appropriate, be undertaken, reviewed and managed throughout the life of a project.

Risk management in partnerships and stakeholder engagement

The council’s approach to partnership risk management identifies and prioritises the priorities of the partnership so that the most critical risks are managed proportionately. Partnership governance bodies should ensure that partnerships (including their constituent projects and/or partnerships) are risk managed according to the council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the partnership. Risk management for the partnerships must be designed to work across the appropriate organisational boundaries and accommodate and engage the different stakeholders involved. Large and/or complex stakeholder communities can introduce their own risk and need to be explicitly managed. Where the council is not the ‘leading partner’ that ‘sets’ the management culture, it is the responsibility of council colleagues in the partnership to ensure that the potentially different risk management approaches work together harmoniously to the benefit of all partners.

Risk management in procurement

The council’s approach to procurement management of risk includes the identification, management and prioritisation for contract award so that the risks can be managed proportionately. All managers are expected to manage risks in accordance with the council policy and guidance and ensure that the risk management is proportionate to the complexity and significance of the contract. Risk Management is a critical and continuous process, and Risk Assessments will, where appropriate, be undertaken, reviewed and managed throughout the Procurement Journey. It is important to engage with the marketplace in terms of identifying the desired outcomes, risks and issues.

Health, Safety and Wellbeing

The council has responsibilities under health and safety legislation to ensure the health, safety and welfare at work of employees and other people affected by the council’s business. Managing health and safety risks is an integral part of business risk management and the management of such risks should not be taken in isolation. Poor health and safety management can have a negative impact on other business risks such as reputation, insurance, business continuity and financial resources.

Health and safety risks vary across the council due to the diversity of work activities. The effective management of the risks, as with all significant corporate risks, is an essential part of the role of the relevant managers. The organisation and arrangements for managing health and safety within the council are detailed in the council and Directorate/Directorate’s Health and Safety Policy documents.

The health and safety management system in Bristol City Council is based on the model detailed in the Health and Safety Executive publication “Successful Health and Safety Management” (HSG65) and takes into account the Institute of Directors/Health and Safety Commission guidance “Leading Health and Safety at Work – Leadership Actions for Directors and Board Members”.

Business Continuity

Business Continuity Management (BCM) is complementary to a risk management framework that sets out to understand the risks to the council, and the consequences of those risks, seeking to manage risk around the key services that the council delivers. Service delivery can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse by cause. By focusing on the impact of disruption, BCM identifies the services which the council must deliver, and can identify what is required for the council to continue to meet its obligations.

Through BCM, the council can recognise what needs to be done before an incident occurs to protect its people, premises, technology, information, supply chain, stakeholders, reputation and, importantly, the services that the council delivers to the people of Bristol.

With that recognition, the council can then take a realistic view on the responses that are likely to be needed as and when a disruption occurs, so that it can be confident that it will manage any consequences without unacceptable delay in delivering its services.

Risk management and performance management

The council acknowledges the crucial links between risk and performance management. Risk management is an integral part of the business performance management framework. Performance cannot be reviewed or reported on without an accompanying review and report on the risks in play, whether they are a direct threat to progress or arise from an initiative to achieve new and critical benefits.

Insurance

Insurance acts as a risk transfer mechanism which reduces the financial risk to the council. The council transfers the insurable risks to an insurance company by contributing a premium.

In the event of a financial loss, the council is entitled to indemnity, subject to the terms and conditions that are in place. The administration of the council’s insurance arrangements is undertaken by the Risk Management and Insurance Section, within Resources. The section provides a comprehensive and professional Insurance service including insurance provisions and other related insurance activities as well as processing new and outstanding claims.

The council is required to provide Insurance Cover or alternative funding for a variety of possible or probable events and liabilities that could arise. The majority of risks identified through Corporate, Directorate, Programme or Project risk registers will not be insurable and some, on balance, may not be financially viable or of benefit to the council to insure.

The council currently has multiple insurance policies in place, the main policies being Public Liability, Employers’ Liability, Motor and Property. The ‘What Is Insured?’ document provides a complete overview of insurance.

Information and Guidance is provided via the source.
