risk management procedure - oxfordshire county …...provide appropriate standard operating...

ProcedureIf you are reading a paper version of this document it may not be the latest version.

Please check on Insite.

Title Reference number

Risk ManagementAuthor (Role) Review Date

Strategic Risk and Assurance Manager August 2018Department Date of issue

Strategic Risk and Assurance Team February 2014

Contents

ContentsLinks to other documents for consideration/review ..............................................2Links to Policy Statements.......................................................................................2Procedure...................................................................................................................2Introduction................................................................................................................2

SCOPE...................................................................................................................................................................2OBJECTIVES AND PURPOSE........................................................................................................................................3SUMMARY OF RISK MANAGEMENT PROCESS ................................................................................................................3

.......................................................................................................................................................................5RECORDS...............................................................................................................................................................7REPORTING............................................................................................................................................................7OPERATIONAL RISKS ................................................................................................................................................7ORGANISATIONAL RISKS ...........................................................................................................................................8COMMUNITY RISK MANAGEMENT..............................................................................................................................9

Community and Fire-fighter Incident Risk .....................................................................................................9Business and Resident Profile Risk.................................................................................................................9

RISK TREATMENT & MITIGATION .............................................................................................................................10ROLES AND RESPONSIBILITIES ..................................................................................................................................11SCALES FOR ESTIMATING PROBABILITY AND IMPACT......................................................................................................12RISK CATEGORIES ..................................................................................................................................................12BUDGET ..............................................................................................................................................................12TEMPLATES..........................................................................................................................................................13PERFORMANCE AND EARLY WARNING INDICATORS......................................................................................................13TIMING OF RISK MANAGEMENT ACTIVITIES .................................................................................................................13COMMUNITY RISK MANAGEMENT – TIMING OF MANAGEMENT ACTIVITIES.......................................................................14RISK & PERFORMANCE MONITORING, AUDITING & REVIEWING:....................................................................................15

Appendix 1 Risk Management Form (RM1)...........................................................17THE FOUR STEPS TO RISK MANAGEMENT ...................................................................................................................17TRANSFERRING THE 4 STEPS OF RISK MANAGEMENT INTO ACTION ................................................................................18GETTING STARTED ................................................................................................................................................19IDENTIFY .............................................................................................................................................................19RISK IDENTIFICATION.............................................................................................................................................21

of 32

ASSESS ...............................................................................................................................................................23Assessing Likelihood ...................................................................................................................................23Rating the level of risk ................................................................................................................................25

PLAN ..................................................................................................................................................................26General Description of Risk Treatments ....................................................................................................26Treatment Decision.....................................................................................................................................27Implement Treatment ................................................................................................................................27Implement and Review – Re-evaluate risk ................................................................................................28

Appendix 2 – Community Risk Management Planning Cycle .............................29

Links to other documents for consideration/review

Risk Management OCC

Links to Policy Statements

NA

Procedure

Introduction

The Oxfordshire Fire and Rescue Service (OFRS) risk management strategy follows the principles of the Office of Government Commerce Management of Risk Framework (MoR).

The Risk Management Strategy describes the risk management that will be undertaken for all the service’s activities and details the relationship between our risk management activities and the government requirements to produce an Integrated Risk Management Plan (IRMP), which is called a Community Risk Management Plan (CRMP) in OFRS.

Scope

This risk management strategy refers to all the activities of OFRS, including the operational response strategy, and is applicable to all staff within OFRS. However there is specific guidance for the risk management of programmes and projects provided centrally by Oxfordshire County Council. (See OCC Programme and Project Management Guidance).

http://intranet.oxfordshire.gov.uk/cms/content/risk-management

http://projectmanagement.oxfordshire.gov.uk/wps/wcm/connect/occ/Project+Management+Framework/

of 32

Objectives and Purpose

The purpose of this document is to ensure that OFRS makes a cost-effective use of its risk management to inform decision making across the organisation whilst meeting its statutory duties.

The objective of this strategy is to ensure that all staff have a clear understanding of how risk management is applied within OFRS and that the process of risk management is consistent, appropriate and embedded within the organisation’s activities.

Actively managing risk is important to the continuous development of the organisation. Effective risk management will improve performance against the organisations strategic objectives.

Outcomes will include:

More efficient use of resources Better Service Delivery Improved innovation Increased likelihood of change initiatives being achieved More internal focus on doing the right things well

Risk Management improves internal control and supports better decision making through a good understanding of individual risks and the overall risk exposure to the service at any given time.

Summary of Risk Management process

The process of risk management is based on four steps: identify, assess, plan and implement. This is a cyclical process as shown in Figure 1: Management of risk process.

of 32

Communicate

Identify

Assess

Plan

Implement

Figure 1: Management of risk process

OFRS as a public service must apply risk management to itself and to the community it serves which is demonstrated in Figure 2.

Embed and review

of 32

Figure 2 Integrated Risk Management process

of 32

OCC Risk Management PolicyOCC Risk Management Process

GuideOFRS Annual Report

Lessons learnt

CONTEXTSWOT & Pestle AnalysisHorizon ScanningCommunity Risk Profile analysisLife, the economy, heritage andthe environmentBusiness Profile anaylsis

Analysis DocumentsRisk Management Strategy

Lessons learnt

IDENTIFY THE RISKS121 templatesGroup TechniquesCommunity Risk AnalysisCommunity Incident andFirefighter Safety Analysis

Directorate Risk RegisterOperational Risk Register (RM1)

Comunity Incident and FirefighterSafety Risk RegisterCommunity Profiles

Performance Measures (Early

ESTIMATEClarify risk descriptionsAssessment of probability, impactand proximityAdd information to registersStategic Performance Warnings

Directorate Risk RegisterOperational Risk Register (RM1)

Community Incident andFirefighter Safety Risk Regsiter

EVALUATESumarise risks

Monthly Tactical Leadership Teamagenda items

Quarterly Summary Risk ReportsCommuity Risk Report

PLANRisk response planningCost-benefit analysis includingmedium and long term budgetaryrequirementsConsultation on Annual CRMP

Risk OwnerRisk ActioneeRisk Register

CRMP Action PlansRM1s

IMPLEMENTOperational Risk MonitoringStrategic Risk MonitroingCRMP Project Monitoring

Quarterly SLT ReportsFRS Annual Report

OFRS Integrated Risk Management Process

of 32

The following text gives a description of the activities and deliverables of each stage of the integrated risk management process. Further detail is available from the owners of the activity.

Records

Table 1: Risk Management Records lists the risk management records kept by the organisation and identifies the responsible person and the distribution of the record. The nature of certain risks means that not all records will be accessible to all.

Table 1: Risk Management Records

Record Owner DistributionDirectorate (Fire & Rescue) Risk Register Strategic Risk

and Assurance Manager

Restricted

Risk Management (RM1) Risk Register Strategic Risk and Assurance Manager

OFRS

Community Incident and Firefighter Safety Risk Register

Organisational Planning and Performance Manager

Public

Business and Resident Profile Risk Report Premises Risk and Business protection Manager/Home and Community Safety Manager

OFRS

Reporting

It is the objective of OFRS that risk management is an embedded part of everyone’s role. Risk Management is incorporated in the templates created for the regular One to One meetings conducted between managers and their staff: The standing item ‘threats and opportunities’ is designed to ensure risk management is discussed in both its positive and negative form.

Operational Risks

This entails the arrangements OFRS has in order to deal effectively, efficiently and economically with foreseeable fire and rescue related risks facing the communities within Oxfordshire along with cross border and national risks agreed to as part of the wider UK fire and rescue service and multi-agency response. The legislation that this entails includes:

The Fire & Rescue Services Act 2004

of 32

The Health and Safety at Work Act 1974o Other health and safety regulations

The Civil Contingencies Act 2004 The Fire & Rescue Services (Emergencies) (England) order 2007 Environmental Protections legislation and regulations Coroners Regulation 28 notices Learning outcomes from significant incidents within the UK (Fire

fighter deaths or major incidents)

Also considered are the local priorities determined by OFRS that are not part of their statutory responsibility including: water rescue, trauma care, rescues from heights and co-responding.

Significant risks identified will be captured using the RM1 form and the assessment, agreement and review of these risks will take part at the relevant leadership team meetings. The RM1 form is designed to assist in identification and capture of risk and then allow it to be tracked to its conclusion. See Appendix 1 Risk Management Form (RM1) for further guidance.

Risks Management discussions are standing items on the agenda for leadership team meetings and the outcomes of these discussions will be captured on the RM1 form and the meeting minutes.

Organisational Risks

OFRS Strategic risks are discussed quarterly by the Deputy Chief Fire Officer (DCFO), Assistant Chief Fire Officer (ACFO), Strategic Risk and Assurance Manager. At this meeting the Directorate (Fire & Rescue) risk register will be reviewed. Any additional risks identified by the group will be added to the register before final ratification at Strategic Leadership Team. New risks will be drawn from:

The Community Risk Management Planning process The Risk Management (RM1) Risk Register The National Risk Register Risks identified using OFRS’s intelligence gathering systems such as

fire risk audits Thames Valley Local Resilience Forum risk management and

planning process (including their risk register) National guidance (from circulars, operational guidance, bulletins,

CFRA, CFOA, CLG etc) Strategic knowledge

The Strategic Risk and Assurance Manager will prepare a report and a final version of the Strategic Risk Register for discussion at SLT before it is submitted to the OCC central team.

of 32

Community Risk Management

Integrated risk management planning is a statutory duty of the Oxfordshire Fire Authority under the Fire and Rescue Act 2004. Guidance was produced by central government following the implementation of this act and OFRS have always been cognisant of this, however recently in the Fire & Rescue Service bulletin 46 the guidance changed to state that the only criteria that must be followed was that within the ‘National Framework’. Oxfordshire Fire and Rescue Service fulfil this duty through this risk management strategy and its community risk management planning activities. The service produces a Community Risk Management Plan (CRMP) every five years and an annual risk response plan called the ‘Community Risk Management Annual Plan’.

As part of the planning activities, two reports will be prepared on an annual basis; the Community and Fire-fighter Incident Risk Report and the Business and Resident Profile Risk

These reports (along with précis of the risk registers and other information) will be circulated to SLT before the community risk management objectives are decided for the following year’s annual plan. See Appendix 2 – Community Risk Management Planning Cycle.

Community and Fire-fighter Incident RiskCommunity and Fire-fighter Incident Risk will be assessed annually. The process will identify the risk to the community and fire-fighters attached to each of the national incident types. The risk assessment takes into account frequency of the incident type, expected impact of the incident type, health and safety risk assessment, health and safety event data as well as the quality of organisational documentation and training. This report considers the risks from travelling and extreme events as well as incidents, which occur in the home, at work and while travelling.The report will identify those incidents that create the most risk for the community and responding fire fighters.

Business and Resident Profile RiskThe Business and Resident Profile Risk is updated annually. The profiles are created from the results of Fire Safety and Fire Risk Audits of businesses and profiling of residential properties. This data is cross-referenced against historical fire data to identify the businesses and resident types most likely to have significant fires and therefore most at risk.

The items that feed the process for Business and resident profile risk includes:

Business and Household lifestyles information (Computer modelling)

https://intranet.oxfordshire.gov.uk/cms/content/national-guidelines

https://www.gov.uk/government/publications/fire-and-rescue-national-framework-for-england

https://www.gov.uk/government/publications/fire-and-rescue-national-framework-for-england

of 32

Historical incident data (usually the previous five years) Assessment of the resources currently and previously used for

prevention and protection Site specific risk information (as gathered by crews and inspecting

officers) Fire safety enforcement information Academic and practitioner research (e.g. survivability rates and long

term recovery from major physical trauma events).

Risk Treatment & Mitigation

Risk treatment & mitigation is seen as the process after risk prioritisation, where OFRS uses the risk profiling analysis to make a professional judgment as to what nature, level and combination of activities (i.e. prevention, protection and / or emergency response activities) is required and/or appropriate to eliminate, reduce and/or, mitigate those risks.

Therefore, as part of our risk management policy and procedures we will:

Establish response time standards to emergency incidents (which are endorsed and regularly scrutinised by the Fire Authority), based on:

a. the current effectiveness, efficiency and resourcing costs associated with the desired community safety outcomes

b. on-going analysis of our performance against those standardsc. research work on the survivability rates and long-term recovery from

major physical trauma.

Provide appropriate Standard Operating Procedures (SOP’s), equipment, training, command and control systems, mobilising systems & GIS information (on vehicle routing and access, as well as available water supplies) to develop and maintain effective and efficient emergency response interventions, whilst at the same time, maintaining safe systems of work.

Develop Pre-Determined Attendances (PDA’s) for specific incident types and Site Specific Risk Information (SSRI) based on risk, safe systems of work and attribute requirements (e.g. skills, equipment & assets – including water – needed for initial intervention activities).

Identify and establish overall Service response resource requirements (including mutual aid), distribution and crewing arrangements - based on the Service’s response time standards, priority risks and current risk profiles. This includes establishing a countywide geographical profile of overlapping risks, in order to determine the on-going disposition of both standard and specialist resources & equipment.

Prioritise and target high risk incidents, areas, SSRI’s and households - depending on their identified risk level and their travel time from established

of 32

response resources (e.g. fire stations) - with tailored prevention and protection activities, delivered in conjunction with our community safety partners.

To assist with this approach, OFRS currently utilises:

- National Generic Risk Assessments and National Operational Guidance- Operational Policies and Procedures (Specific Incident Procedures (SIP),

Standard Operating Procedures (SOP), Tactical Operational Guidance(TOG) and Additional Hazard Information Sheet (AHIS) documents)

- Thames Valley FRS / OFRS Incident-type Risk Assessments- Learning outcomes from other UK Fire & Rescue Service / Emergency

Responder investigations into significant safety events (e.g. operational firefighter fatalities / major injuries)

- Computer modelling such as ‘MOSAIC’ and ‘FSEC’ lifestyle data- OCC vulnerable person data- OFRS Fire Risk Audit and Enforcement information- Optima Fire Risk Modelling- Equipment research and trialling- Operational command and control software- Operational rota management & availability software

Roles and ResponsibilitiesTable 2 identifies the risk management roles of specific posts and the associated responsibilities.

OFRS Management of Risk Role

Chief Fire Officer Senior Manager

- Ensures the risk management policy is implemented- Ensures that adequate resources are available to

implement the risk management strategy- Owns and manages escalated risks as appropriate- Agrees on information to be reported to more senior

stakeholdersStrategic Leadership Team

Senior Team - Reviews the risk management strategy- Monitors the risk profile- Assists with assessing the risk context- Ratification of Directorate (Fire & Rescue) Risk

RegisterStrategic Risk & Assurance Team

Strategic Risk & Assurance Manager

- Owns Risk Management (RM1) Risk Register - Owns Directorate (Fire & Rescue) Risk Register- Escalates or delegates risk to appropriate level as

appropriate- Agrees the content or risk progress reports- Establishes how risk management will be integrated

with performance management- Reviews progress and plans in developing and

applying risk management policy- Reviews the results of the assessments of

management of risk- Makes formal assessments and reports- Ensures risk information is available to inform

decision making

of 32

- Facilitates risk meetings

Elected Members (Cabinet and Performance Scrutiny Committee)

Stakeholders - Review, scrutinise and approve Community Risk Management Plan

- Review, scrutinise and approve Community Risk Response Action Plans (Risk Response Plan)

Scales for estimating probability and impact

OFRS will follow the probability and impact scales and escalation rules created by the County Council for its strategic risks to ensure cross-organisational risks are compared fairly. Details of the probability and impacts scales used for other registers and reports will be included within the documents themselves.

Risk categories

Risks will be grouped using two categories. Figure 2 shows how risk will be categorised as part of our integrated approach.

Community risks will be categorised under the five headings as shown in Figure 3: home, work, travelling, heritage and extreme events.

Budget

Risk management activities are embedded in the organisations work and do not have an allocated budget however where possible suitable training should be provided for the Strategic Risk Assurance Team (M_o_R Risk Management Foundation course is recommended).

A budget is provided for Community Risk Management planning and this will be used to provide effective consultation of plans and for the production of key documents.

Projects within the CRMP will be based within the structure of normal financial planning constraints and as part of the project management software system they will be measured against costs within their projected budget.

of 32

Templates

Templates for strategic risk registers will be provided by the County Council. Operational risks should be captured using the RM1 Risk Management form – see Appendix 1 Risk Management Form (RM1).

Performance and Early Warning Indicators

Our risk management is performance based. As part of the risk identification, it should be clear where the realisation of the risk would impact performance. Poor performance or strategic performance indicators serve as early warning that the risk management processes are failing and this will trigger a review of all risk by the organisation.

Timing of risk management activities

Strategic RisksThe County Council Risk Management Policy requires that Strategic Risk Registers are submitted for each quarter. These submissions are forecasts and will be completed at the beginning of each quarter once the performance information for the previous quarter has been published.

Performancefor previous

quarterpublished

Risk reviewmeeting

Risk registercompleted

Risk Reportto SLT

Risk Registersubmitted to

ChiefExecutives

Office

Figure 2: Strategic Risk Management forecast process

Operational RisksOperational risk should be identified by all staff and discussed with Managers (see Appendix 1 Risk Management Form (RM1)). The process should be continuous but discussed with managers at 121 meetings. Matters that need discussion immediately with Managers are more likely to be issues (i.e. they are happening now and are therefore not a risk).

of 32

Monthly/ six weekly one to onemeetingsRisk as Standing Item

Risk Management Agenda Item forMonthly Tactical Leadership Teammeeting

Quarterly strategic risk meeting

Figure 3: Operational risk and escalation

Community Risk Management – Timing of management activities

Community Risk Management activities ensures that the service continuously improves in reducing the risk to the community and fire fighters. Community risk management involves assessing the overall impact of all risks to the community and the service and responding accordingly.

The service produces a risk response plan called the Community Risk Management Action Plan every year. This plan is designed to achieve the overall objectives set in the Community Risk Management Plan (which is a five year overarching document).This plan details the highest risks and the planned risk reduction activity to be undertaken. The success and outcomes of these activities will be reported in the Fire and Rescue Service Annual Report.

The integrated risk management planning cycle is detailed in Appendix 2 – Community Risk Management Planning Cycle. For further details, see the current community risk management plan and community risk management action plans available on both the intranet and the Oxfordshire County Council website.

of 32

Risk & Performance Monitoring, Auditing & Reviewing:

The monitoring, auditing and reviewing of both the foreseeable fire and rescue related risks facing OFRS and our performance in relation to our management of those risks are seen as the key processes that ensure we continue to provide effective, efficient and economically sustainable activities (i.e. prevention, protection and emergency response) that help us to maintain both public and firefighter safety across Oxfordshire - as well as protecting people’s property, the environment and providing humanitarian assistance.

As part of our risk management policy and procedures, OFRS will:

Regularly monitor, audit and review all foreseeable local, cross-border and national fire & rescue-related risks using:

a. our own Community Risk Management Planning (CRMP) processesb. Thames Valley Local Resilience Forum (TVLRF) risk management

planning processesc. National guidance & information (i.e. Government’s National Risk

Register, National FRS risk assessments, National FRS Operational guidance).

Regularly monitor and report service performance against key performance indicators, response time standards and community safety outcomes at station, team, tactical leadership team, strategic leadership team, and OCC performance scrutiny levels – with a view to making decisions at the appropriate level that either re-evaluate, maintain or improve performance, dependent on Service priorities.

Proactively monitor and review operational performance at incidents – with a view to making changes at the appropriate level that either re-evaluate, maintain or improve performance dependent on Service priorities (e.g. this could result in changes to policies, procedures, processes, resources, training &/or equipment)

In line with the Service’s Community Risk Management Annual Action Planning cycle, regularly monitoring and reporting on the implementation of key CRMP projects – with a view to making decisions at the appropriate level that either re-evaluate, maintain or improve performance, dependent on Service priorities.

Thematically audit functional aspects of the Service – with a view to making recommendations to the Service’s Strategic Leadership Team in respect to changes at the appropriate level that either re-evaluate, maintain or improve performance dependent on Service priorities.

In line with the Service’s Strategic Community Risk Management Planning cycle, review the county’s future medium and longer-term risk profiles – with a view to undertaking an analysis and treatment of those risks, making

of 32

recommendations to meet them and informing the decision-making process in respect to future funding needs (capital and revenue funding), collaboration opportunities and changes in the way services need to be delivered.

Any changes that arise from the monitoring, auditing and review processes are fed back into the risk profiling process, along with any changes to the financial circumstances of the organisation and any internal or external influences - in order to re-evaluate, maintain and/or improve the way we deliver our operational response.

of 32

Appendix 1 Risk Management Form (RM1)

In order to complete the Risk Management Form RM1, the identified risk must be described in full and evaluated. The author of the RM1 is also expected to provide potential risk treatment options and evaluate the effects of their implementation.

This is not a quantitative process; it relies on the judgements and informed decisions of the team/individual conducting the assessment.

The four steps to risk management

Step 1 Identify

Step 2 Assess

Step 3 Plan

Step 4 Implement

"Risk is the chance of something

happening that will have an impact on

objectives."

Remember: Before your start assessing the risk, the amount of work conducted in assessing the risks to an objective should be proportionate with the intended outcome gains of that objective.

of 32

Assess

PlanImplement

Identify

Transferring the 4 steps of Risk Management into action

Evaluate theRisk

Rate the risk

TreatmentOptions

TreatmentDecision

ImplementTreatment

ReviewRe-evalute Risk

Identify theRisk

of 32

Getting Started

Before Step 1 the initial box must be completed containing the date that it is being created, the current version and who is completing the form, the date of the next review and the risk owner.

Date original completed:

Date review completed:

Current Version Date of next Review:Maximum date for next review should be six months

Current version completed by:Risk Owner (responsible manager):

Current Version The current version will be 1.0. As the RM1 form is reviewed the version number should be

changed. If only minor changes are made (for example; a change in author or

risk owner) then the second number should be changed 1.1. If a major change is made (for example; a change in priority level

or risk treatment option then the first number should be changed 2.0.

Date of next Review The date of next review should be set depending on the nature of

the risk and how dynamic it is. The maximum amount of time before a review should be six

months. Reviews should be carried out by the leadership team who hold the

risk.

Risk Owner This is the manager within the organisation who is accountable for

the management of the risk that has been identified and they will sit on the leadership team that are holding the risk.

Identify

Firstly a risk must be identified. There are essentially 3 elements to a 'risk' – an Event that has a Consequence that leads to an Impact on our objectives.

Event > Consequence > ImpactRisk or issue? – ‘if it is already happening, the risk has been

realised and it is an issue that need dealing with now!’

of 32

If what you are considering is an event that has occurred, is occurring or is imminent, then it is an issue that needs managerial action and falls outside the risk management process.

Once the event occurs the risk has been realised, the organisation will face the consequences and impact on the organisation. Managerial decisions will have to be made to deal with the impact. We can no longer try and influence whether the event occurs, alter the consequences or affect the impact!

Risks will normally be seen on the ‘horizon’ when our actions can either increase or decrease the likelihood of the event occurring, alter the consequences and reduce or magnify the impact.

Risks will have an impact on one or more organisational objectives; this may be directly or via a chain of consequences. A significant risk may have an effect on a number of objectives or a very serious consequence on one objective.

When you are satisfied that what you have identified is a risk, start the risk identification process.

Issues should be dealt with at the right level.

General Description of the Risk: Threat Opportunity Uncertainty

General Description of the Risk This should be a brief overview of the risk to make referring to the

risk less onerous It may be easier to complete this section once you have completed

the Risk Identification Process.

Threat, Opportunity, Uncertainty This identifies the most likely outcome of the impact of the risk to

the organisation and its objectives. Check the box which is the most likely effect on outcomes. When there is real uncertainty over whether the impact will be

positive or negative, check the uncertainty box.

The Fire and Rescue Service has objectives governed by a number of factors. However, the performance against all our objectives is recorded in the Fire and Rescue Balanced Scorecard. A risk, if realised, will have an effect on one of the measures within the Balanced Scorecard, otherwise it is not a significant risk to the organisations objectives.

of 32

Risk Identification

General Description of the Risk: Threat Opportunity Uncertainty

Event

Trigger/ Drivers for Event to occur

If the event has/ is already occurring or is imminent then the event should be treated as an ‘issue’ and will require immediate managerial action and falls outside the Risk Assessment Process.

Consequence

Who (Stakeholders affected)How (Nature of Risks, at what level will it impact)ImpactObjective (organisational objective affected and performance indicators)

Event – What is the actual event that may occur in the future? Remember, if the event has already occurred then you are dealing with an issue. If however an event has occurred that may cause another event to occur in the future, you may have identified a risk but it is the secondary event that you need to consider.

Triggers/ Drivers of risk – What is going to cause the event to happen? The risks that the Fire and Rescue Service face can result from both internal and external factors. Identifying the factors driving the risk event helps us to assess how we can influence the risk event.

Consequence – What is the consequences of the event occurring that will lead to the impact on the organisations objectives.

Impact – Who or what will be impacted upon? Consider the groups most affected by the consequences of the event. This could be the Fire and Rescue Service, the County Council, elected members, the community, or any other significant groups.

Impact - How will they be affected? In what way will the consequences affect them? What is the nature of the risk? The impact of the risk will affect strategy and/or service delivery – the table below outlines the key areas that may be affected. Only record the most significant.

of 32

Strategic Impacts Delivery ImpactsPolitical: associated with local, regional or central government policy

Professional: associated with the particular nature of each profession.

Economic: affecting the ability of the organisation to meet its financial commitments including internal budgetary pressures

Legal: relating to possible breaches of budgetary pressures.

Social: relating to the effects of changes in demographic, residential or socio-economic trends on the organisation's ability to deliver its objectives

Financial: associated with financial planning and control

Technological: associated with the capacity of the organisation to deal with the pace and scale of technological change, or its ability to use technology to address changing demands. Also includes the consequences of internal technological failures

Physical: relating to health and safety, fire and security and accident prevention

Legislative: associated with current or potential changes in national or European law

Contractual: associated with the failure of contractors to deliver services or products to the agreed cost and/or specification

Reputational: relating to the organisation's reputation (Fire Authority and Service) and the public perception of the organisation's efficiency and effectiveness

Reputational: relating to the organisation's reputation and the public perception of the organisation's efficiency and effectiveness

Environmental: relating to the environmental consequences (built and natural) of progressing the organisation's strategic objectives

Technological: relating to reliance on operational equipment including IT systems

Competitive: affecting the competitiveness of the service, in terms of cost, capacity and quality, including its ability to deliver value for money

Environmental: relating to the effect of delivering services on the built and natural environment

Customer: associated with failure to meet the current and changing needs and expectations of the community

Customer service: associated with the failure to deliver a specific service to the community

Descriptions of risk may use the phraseology below:Event Consequence ImpactLoss to… leads to… resulting in…Failure of… leads to… resulting in…Lack of… leads to… resulting in…Partnership with… leads to… resulting in…Development of… leads to… resulting in…

ObjectiveA significant risk will impact upon the delivery of our strategic objectives. Our performance against our strategic objectives is measured by the elements of the Fire and Rescue balanced scorecard. Identify the

of 32

elements from the Fire and Rescue Service scorecard in this section. The elements of the Fire and Rescue Scorecard can be found using the Scorecard login.

Assess

Now the risk has been identified, the threat and opportunity that it poses must be evaluated. The likelihood of the risk being realised and its impact on stakeholders and the organisation must be evaluated.

Likelihood event will occur

Impact on stakeholders Priority Level

Unlikely Insignificant Service Leadership

Possible Minor Strategic Leadership Team

Likely Moderate SLT - CCMTVery Likely Major

Most Severe

Assessing Likelihood

LIKELIHOODRATING

DESCRIPTION (THREATS & OPPORTUNITIES)

UNLIKELY This is not likely to happen but it could (less than 10% probability)

POSSIBLE There a possibility that this could happen (10% - 40%)

LIKELY There is a distinct likelihood that this will happen (40%-75%)

VERY LIKELY This risk is very likely to occur (over 75% probability)

of 32

Assessing Impact or Opportunity

DESCRIPTION (THREATS and OPPORTUNITIES)

INSIG

NI-

FICAN

T

Minimal risk impact to organisation

Complaint from individual/small group of arguable merit

Potential for positive or negative local publicity Local performance indicators &

service priorities unaffected

MIN

OR

Little positive or negative impact on area plans &priorities

Some disruption to normal operations

Possible delay in achieving objectives Low impact on performance

Minor injury risk to personnel Adverse local publicity/local public opinion awareness

Minor risk of damage to resources Financial impact (gain or

expenditure) <£10k

MO

DER

ATE

Minimum financial implications (gain or expenditure) e.g. £25k OR more than 15% of a specific budget

ORup to 15% of a specific budget

Political mandate Serious environmental consequences

Positive or negative Impact on safe systems of work Positive or negative medium impact

on performance

Attract scrutiny from regulatory bodies

Significant financial/budgetary implications (gain or expenditure) e.g. £100k OR more than 30% of a specific budgetM

AJO

R

Major injury risk to personnel Adverse or positive local publicity of major and persistent nature

Statutory/legislative mandate

Major financial/budgetary implications (gain or expenditure) e.g. £250k OR more than 50% of a specific budget

Contractual infringement Irreversible environmental consequences

Prosecution by enforcing bodies Persistent adverse or positive national media coverage

Major injury/death risk to personnel

Opportunity to negotiate a new contract leading to considerable efficiencies

Loss or significant interruption to service

Significant increase in service output & impactM

OS

T S

EVER

E

Significant impact on performance Opportunity for a significant

improvement in delivery

of 32

Rating the level of riskWhen you have decided on the likelihood and impact of the risk, use the table below to rate the level of risk in to one of the three categories.

Risk CategoriesTLT Risks evaluated at this level will need attention and should be

taken to the next Tactical Leadership Team meeting.SLT Risks evaluated at this level will need urgent attention and

should be taken to the next SLT meeting.

SLT - CCMT Risks evaluated at this level will need immediate attention and will need to be taken to the County Council Management Team

Risk Rating Categories

Most Severe SLT SLT SLT-CCMT SLT-CCMT

Major SLT SLT SLT-CCMT SLT-CCMT

Moderate TLT TLT SLT SLT

Minor TLT TLT TLT TLT

Insignificant TLT TLT TLT

IMP

AC

T

Unlikely Possible Likely Very Likely

Likelihood

of 32

Plan

When completing the RM1 form you are expected to formulate the different possible risk treatment options. This need not be exhaustive as other options may be explored during the leadership team meeting. The person whose business the risk will affect will normally be in the best position to suggest possible risk treatments.

General Description of Risk Treatments

Avoid Not undertaking the activity that is likely to trigger the risk

Reduce (modify)

Controlling the likelihood of the risk occurring, or controlling the impact of the consequences if the risk occurs

Transfer Moving the responsibility to another party or sharing the risk through a contract, insurance, or partnership/joint venture

Accept Retaining the risk and managing its potential impact

This section should contain the option for control recommended by the risk identifier.

The Option for Control section of the form should be completed prior to the meeting and should include a range of available options. Further Options for Control may be identified at the meeting which should be added to this section.

For each control option the Priority level of the risk should be re-evaluated to estimate the forecasted priority level if the control option is successful.

The Recommended Option for Control should be suggested by the form author but maybe altered if following a Tactical Leadership Team meeting the recommended option is changed before being escalated to the Strategic Leadership Team.

of 32

Option for Control 1Treatment Avoid Reduce Transfer AcceptDescription of treatment

Likelihood Impact Priority Level estimated after treatmentRisk Assessment





Recommended Option for Control (highlight above)Reason

Treatment Decision

Review at:Meeting Date:

Hold at Service Level/ Refer to SLTAgreed Option for Control number and treatment

Reason Actions

Following the leadership team meeting, risks and the decisions around the risk will be recorded on the RM1 by the Risk Owner. The completed RM1 should then be sent to the Strategic Risk and Assurance Manager to record the decision on the RM1 risk register. The Strategic Risk and Assurance Manager will be responsible for ensuring risks are reviewed.

Risks will be reviewed by leadership teams prior to their recorded review dates and the effect of risk treatments will be evaluated. The risk treatment will often take the form of a project and will be monitored within the Council Project Management Framework.

Implement Treatment

Risk owners will ensure that risk treatment is delivered as decided. This could be within normal operational activity, as a program or project. Monitoring of the completion of this work will be the responsibility of the risk owner or may become the project or programme sponsor.

of 32

Implement and Review – Re-evaluate risk

Likelihood event will occur

Impact on stakeholders Priority Level

Unlikely Insignificant Service Leadership

Possible Minor Strategic Leadership Team

Likely Moderate SLT - CCMTVery Likely Major

Most Severe

On completion of the risk treatment, the risk must be re-evaluated to assess the success of the treatment applied. This must be recorded on the RM1 form and taken to next Tactical Leadership Team meeting for ratification.

Where the risk treatment has affected the risk as required the risk should be closed.

Where the risk treatment has not delivered the expected effect on the risk, further action or risk treatment may be required and this should be recorded on the RM1 form.

Where the risk treatment has created a different risk then this may need to be captured in a new form.

Date of Review:Review completed by:

Effectiveness of risk

treatment Evidence for assessmentClose RiskFurther action actions required (describe actions below)New Risk identified as result of treatments (start new form)Further Actions and Action OwnersDate of next review if required

of 32

Jan

Feb

Mar

Apr

May

JunJul

Aug

Sep

Oct

Nov

Dec

Appendix 2 – Community Risk Management Planning Cycle

Agree Projects & produce Action Plan

Staff/ stakeholders consulted about projects

to meet objectives

Consultation with community, staff and other

stakeholders

Consider outcomes of consultation/ amend/ postpone/ remove projects

SLT prioritise Risks to be addressed and decide on

objectives

Evaluation of projects from previous year

Statistical Analysis of National IRMP returns

Review of Organisational Risk Register

Projects finishedAction Plan published -Projects Started

Annual Report Published

Previous year’s consultation

Oxfordshire Fire & Rescue ServiceOrganisational Document Management Procedure

SM Mick Clarke Projects and Water Officer

Month Activity Output Co-ordinated/led by

April Project evaluations completed

Project managers.

Process review Strategic Risk and Assurance Manager

May

Produce Annual Report Annual Report Strategic Risk and Assurance Manager

Jun Risk and Performance Information presented to relevant managers.

Presentation to SLT Strategic Risk and Assurance Manager

Jul Objectives to be consulted on decided

Consultation document

SLT

Aug Consultation with staff and specific stakeholders

Strategic Risk and Assurance Manager

Consolidate Responses Projects ideas proposed


Sep

Presentation of projects to SLT

Projects for consultation decided

Relevant Functional Managers/ SLT

Draft projects for Deputy Leader delegated decision

Draft Annual Action Plan

Deputy Chief Fire OfficerOct

Submission of Action Plan and supporting documents for Performance Scrutiny Committee

Papers ready for Scrutiny Committee in early November


Present CRMP Action Plan to Performance Scrutiny Committee

Approval by Scrutiny Deputy Chief Fire Officer

Consultation plan to SLT Strategic Risk and Assurance Manager

Nov

Consultation begins Strategic Risk and Assurance Manager

Jan Prepare papers for SLT Strategic Risk and Assurance Manager

Consultation endsFebReport to Full Cabinet Deputy Chief Fire OfficerResponses to consultation complete

Report to SLT Strategic Risk and Assurance Manager

Publish findings Strategic Risk and Assurance Manager

Mar

Project entered into Register

Reporting can start in April


of 32

Service and Community Impact Assessment

SCIADocument Completed by: SM Simon Belcher Date: 18/07/13

Outcomes: No issues

Freedom of Information Assessment

FOI OfficerDocument Accepted Yes / No Date:

Data Protection Assessment

DP OfficerDocument Accepted Yes / No Date:

Training Implication

SLT None Control None

Middle Managers Awareness of RM1 process

Non–Uniform Managers

Awareness of the RM1 process

Supervisory Managers

Awareness of the RM1 process

Non–Uniform Staff None

Fire-fighters None Others (specify) None

of 32

Abbreviations

CFOA Chief Fire Officers AssociationCRMP Community Risk Management PlanFSEC Fire Service Emergency Cover (Toolkit)GIS Geographical Information SystemIRMP Integrated Risk Management PlanMOR Management of RiskOCC Oxfordshire County CouncilOFRS Oxfordshire Fire & Rescue ServicePDA Pre-Determined AttendanceSOP Standard Operating ProcedureSSRI Site Specific Risk InformationTVLRF Thames Valley Local Resilience ForumUK United Kingdom

Final Document Approvals

Document Review Period

Risk(tick box)

High Normal Low Reason for low risk:

Functional Manager or SDM/SSMDocument Accepted Yes / No Date

Comments