Risk Management Strategy - Meetings, agendas, and minutes

Part I
F20/15
Eden District Council
Scrutiny Co-ordinating Board
23 April 2015
Risk Management Strategy
Report of the Director of Finance
1
Purpose of Report
1.1
The report presents the Council’s Risk Management Strategy for approval.
2
Recommendation
That the appended draft Strategy is approved.
3
The Strategy
3.1
The draft Risk Management Strategy is appended.
3.2
The Risk Management Strategy plays an important role in setting out the key steps in
the Council’s approach to risk management. Therefore, each annual update is
brought to Members for approval. Such approval is a key element within the Council’s
Annual Governance Statement (AGS). (The AGS is a statutory requirement that must
be presented alongside the Council’s annual financial statements).
3.3
The draft Strategy was circulated to members of the Risk Management Group for any
comments they might have. There were no proposals to amend the Strategy.
3.4
An internal audit of risk management arrangements was undertaken as part of the
2013-2014 Audit Plan. This was reported to the Accounts and Governance committee
(as part of its normal overview of internal audit) at its meeting on 26 June 2014.
Whilst the report concluded that there was a sound system of risk management it did
make a number of recommendations. Two of the recommendations (both level 3)
referred to the risk management strategy. A level 3 recommendation is defined as,’ A
recommendation which is concerned with improving operational procedures or
efficiency, but does not necessarily relate to an identified control weakness and is
unlikely to result in additional risk if not actioned’.
The two recommendations were:

The Risk Management Strategy should be review and updated to include:
 how it links to the Council’s Governance Framework and Internal Control; and
 the wider principles and good practice of risk management as detailed in the
risk management standards and codes of practice
1

The Risk Management Strategy should be reviewed and updated to detail:
 full Council and Audit Committee members’ role and responsibility for risk
management;
 the risk management policy statement;
 risk management processes that includes the identification, assessment,
prioritisation and treatment of risks;
 risk management activities and improvement actions that includes individual
risks assessment action plans, the allocating the ownership of actions and a
schedule of activities for implementation or mitigation risks; and
 the roles and responsibilities all those involved in the risk management
arrangement.
These two recommendations have been addressed in the appended draft Strategy.
This means that all the recommendations have now been addressed.
4
Policy Framework
4.1
The Council has four corporate priorities which are:
Housing
Quality Environment
Economic Vitality
Quality Council
Council, on 29 September 2011, agreed strategic actions to achieve these priorities.
4.2
Whilst this Strategy is not one of the identified elements of the budgetary and policy
framework, it is an element within the Council's AGS, which is an element of that
framework.
5
Implications
5.1
Legal
5.1.1 There are no implications.
5.2
Financial
5.2.1 Any decision to reduce or increase resources must be made within the context of the
Council’s stated priorities, as set out in its refreshed Corporate Plan.
5.2.2 There are no direct implications. However, one of the key reasons for controlling risk
is to reduce the cost of insurance and any uninsured losses.
2
5.3
Equality and Diversity
5.3.1 The Council has to have regard to the elimination of unlawful discrimination and
harassment and the promotion of equality under the Equality Act 2010 and related
statutes.
5.3.2 An Equality Impact Assessment is included at Annex 2 in the Strategy.
5.4
Environmental
5.4.1 The Council has to have due regard to conserving biodiversity under the Natural
Environment and Rural Communities Act 2006.
5.4.2 There are no implications.
5.5
Crime and Disorder
5.5.1 Under the Crime and Disorder Act 2004, the Council has to have regard to the need to
reduce Crime and Disorder in exercising any of its functions.
5.5.2 There are no implications.
5.6
Children
5.6.1 Under the Children Act 2004, the Council has to have regard to the need to safeguard
and promote the welfare of children in the exercise of any of its functions.
5.6.2 There are no implications.
5.7
Risk Management
5.7.1 Risk management is a process whereby attempts are made to identify, actively control
and reduce risk to protect the Council. This covers not only the traditional areas of
insurable risk, but also the organisational risk that the Council faces in undertaking all
its activities.
5.7.2 Risk management covered elsewhere in the report.
6
Reasons for Recommendation
6.1
Effective risk management is vital for a sound system of corporate governance. A
Risk Management Strategy is important in setting out clearly the main steps that the
Council takes.
D J Rawsthorn
Director of Finance
Governance Checks:
Checked by, or on behalf of, the Chief Finance Officer
✓
Checked by, or on behalf of, the Monitoring Officer
✓
3
Background Papers:
Eden Corporate Risk Register
Internal Audit Report - Audit of Risk Management
Contact Officer:
Telephone Number:
David Rawsthorn
01768 212211
4
Appendix
Risk Management Strategy 2015
Updated:
Update Frequency
By:
April 2015
Annual
Director of Finance
www.eden.gov.uk
Customer Services
Telephone: 01768 817817
Fax:
01768 890470
Write To:
Director of Finance, Eden District Council, Town Hall, Penrith, Cumbria
CA11 7QF
E-Mail:
E-mail the Director of Finance at: dof@eden.gov.uk
Internet:
Information on all of our services is available on our website: www.eden.gov.uk
Accessible Information
ENGLISH:
A summary of the information contained in this document is available in
different languages or formats upon request. Contact Eden District Council’s
Communication Officer, telephone: 01768 817817 or email:
communication@eden.gov.uk
POLISH:
Streszczenie informacji zawartych w niniejszym dokumencie można uzyskać na
życzenie w innym języku lub formacie. Prosimy o kontakt telefoniczny z
Referentem Rady ds. Komunikacji Okręgu Eden pod numerem telefonu 01768
817817 lub pocztą e-mail na adres communication@eden.gov.uk.
TRADITIONAL CHINESE:
若閣下要求,本文件的摘要資訊可以其他版式和語言版本向您提供
請聯絡伊甸區地方政府傳訊主任 (Eden District Council's Communication
Officer) ,其電話為:01768
817817,或發電郵至:communication@eden.gov.uk
URDU
(‫ﺍﺱ ﺩﺳﺘﺎﻭﯾﺰ ﻣﯿﮟ ﺷﺎﻣﻞ ﻣﻌﻠﻮﻣﺎﺕ ﮐﺎ ﺧﻼﺻﮧ ﺩﺭﺧﻮﺍﺳﺖ ﮐﯿﮯ ﺟﺎﻧﮯ ﭘﺮ ﻣﺨﺘﻠﻒ ﺯﺑﺎﻧﻮﮞ ﺍﻭﺭ ﻓﺎﺭﻣﯿﭩﻮﮞ )ﺷﮑﻠﻮﮞ‬
‫ ﭘﺮ‬01768817817 ‫ﻣﯿﮟ ﺩﺳﺘﯿﺎﺏ ﮨﮯ۔ ﺍﯾﮉﻥ ﮈﺳﭩﺮﮐﭧ ﮐﺎﻭﻧﺴﻞ ﮐﮯ ﺍﻓﺴﺮ ﺑﺮﺍﺋﮯ ﻣﻮﺍﺻﻼﺕ ﺳﮯﻓﻮﻥ ﻧﻤﺒﺮ‬
‫ﺭﺍﺑﻄﮧ ﮐﺮﯾﮟ ﯾﺎ‬communication@eden.gov.uk‫ﭘﺮ ﺍﯼ ﻣﯿﻞ ﮐﺮﯾﮟ۔‬
1
1.
What is Risk Management?
Risk Management is a process whereby attempts are made to identify, actively control
and reduce risk to protect the Council. This covers not only the traditional areas of
insurable risk, but also the organisational risk that the Council faces in undertaking all
its activities.
The Health and Safety Executive has published its principles of sensible risk
management. These are:
1.
Sensible risk management is about:
✓ Ensuring that workers and the public are properly protected
✓ Providing overall benefit to society by balancing benefits and risks, with a
focus on reducing real risks - both those which arise more often and those
with serious consequences
✓ Enabling innovation and learning not stifling them
✓ Ensuring that those who create risks manage them responsibly and
understand that failure to manage real risks responsibly is likely to lead to
robust action
✓ Enabling individuals to understand that as well as the right to protection,
they also have to exercise responsibility
2. Sensible risk management is not about:
✗ Creating a totally risk free society
✗ Generating useless paperwork mountains
✗ Scaring people by exaggerating or publicising trivial risks
✗ Stopping important recreational and learning activities for individuals where
the risks are managed
✗ Reducing protection of people from risks that cause real harm and suffering
This Strategy aims to follow these principles.
2.
Key Aims
The key Risk Management aims are as follows:

to provide members of the public and employees with a safe and secure
environment

to protect Council assets, including its image
2
3.
Key Steps
The key Risk Management steps are as follows:
4.

to operate a Risk Management Group to ensure that the management of insurable
risk is properly planned and focused across the whole Authority

to produce a Risk Register to include key organisational risks and regularly review
this by senior management and Members

to gain the support of all staff, but in particular of senior management, for the
Strategy

to include a Risk Management Implications section in the committee report pro
forma.
Roles and Responsibilities
a)
Risk Management Group
The Council’s Risk Management Group is an important driver of the Council’s
approach to Risk Management.
Its terms of reference are to look at all aspects of risk to which the Authority is
exposed, so as to minimise both the cost of insurance and the cost of direct
exposure and to further the well-being of employees and residents of Eden
District Council.
The tasks of the Risk Management Group are to:
•
recommend a Risk Management Strategy setting out the Council’s
approach to Risk Management to the Scrutiny Board
•
consider reports undertaken by the Council’s insurers on Risk Management
issues within the Authority
•
review recent trends in claims and accidents
•
ensure commitment from senior management
•
publicise the workings of the Group and the concept of Risk Management
•
consider any training requirements
The Group is comprised of the Director of Finance as Chairman, the Insurance
Officer as Secretary, the Human Resources Manager and the Contracts and
Property Manager. There is also an open invitation to the Risk Management
representative from the Council’s insurers.
The Group meets on a quarterly basis and its minutes are reported through to
Management Team.
3
b)
Management Team
Management Team will, on a quarterly basis:
c)
•
consider the minutes of the Risk Management Group
•
review the Risk Register
Senior Managers’ Group
The Senior Managers’ Group will, on an annual basis, review the Risk Register.
d)
e)
Members
•
the Risk Register is reviewed quarterly by the Executive and annually by the
Scrutiny Co-ordinating Board.
•
the Scrutiny Co-ordinating Board approves the annual Strategy.
Staff
After the annual review, the Risk Register is put on the Corporate Bulletin
Board.
5
The Role of Risk Management in Corporate Governance
Effective Risk Management arrangements are a key element within the Council’s
governance framework. The governance framework is set out in the Annual
Governance Statement (AGS). This is agreed annually by Management Team, the
Executive and the Accounts and Governance Committee. The AGS seeks to meet
the six principles of good governance (best practice as set down by the Chartered
Institute of Public Finance and Accountancy). Principle 4 is, ‘taking informed and
transparent decisions which are subject to effective scrutiny and managing risk’. The
AGS refers to the key Risk Management controls in place, that is, those referred to in
this Strategy.
6
Following Best Practice
The Checklist at Annex 1 shows how the Council’s arrangements compare to good
practice.
7
Risk Management Processes
There are two key processes that ensure the Council’s Risk Management is soundly
based. These are:

the Corporate Risk Register - the quarterly review by Management Team is where
the completeness and accuracy of the Register is reviewed. Each risk sets out:
 the risk owner - this is a named officer
 the likelihood of the risk occurring plus the impact of the risk. This gives the
risk rating
4
 an action plan if the risk rating is above an acceptable level
 any action plan states the responsible officer, the action required and date
required by
 action plan implementation is the key focus of the review of the Register

Risk Management implications in committee reports:
 every formal report to Members must include a Risk Management Implications
section, completed by the report author. For major decisions, this will often be
an extensive section
 the stated implications are reviewed at draft report stage as part of the
governance checks process: the Director of Finance and the Director of
Corporate and Legal Services have to sign off all reports
8.
Review
This Strategy will be reviewed on an annual basis by the Risk Management Group
and Management Team before final approval by the Scrutiny Co-ordinating Board.
The Director of Finance will be responsible for initiating the review.
9.
Publication
This Strategy will be published on the Corporate Section of SharePoint. It will also be
put on the Corporate Bulletin Board for a short time to publicise the annual review.
Updated April 2015
5
Annex 1
Best Practice – Risk Management Checklist
1. Risk Management Framework
1.1
Does the organisation have an
established risk management function,
for example, a risk champion, risk
manager, risk management department,
risk committee?
Yes, the Director of Finance and the
Risk Management Group.
1.2
How is risk management sponsored by
the Accounting Officer, and responsibility
shared with the Board and the Senior
Management Team?
The Director of Finance is the lead
officer. The Corporate Risk Register is
collectively owned by the Management
Team.
1.3
Is the organisation’s approach to risk
fully documented and widely distributed?
(risk appetite)
Yes, set out in the Risk Register and the
Risk Management Strategy.
1.4
Does the organisation have a Risk
Management Strategy?
Yes.
1.5
Has the Risk Management Strategy
been endorsed by the Accounting
Officer/Board/Audit and Risk
Committee?
Yes, it is drawn up by the Director of
Finance and is approved by
Management Team and the Accounts
and Audit Committee.
1.6
How has the Risk Management Strategy
been promulgated to staff?
1.7
How often is the risk management
strategy reviewed? When was the
strategy last reviewed/updated?
Reviewed and updated annually. This
checklist is appended to the latest
annual review.
2. Risk Management Process
2.1
Are the responsibilities of all staff clearly
defined and regularly reviewed?
2.2
Do risk registers record the following
information: – Identified risks – Inherent
risk assessment (impact and likelihood)
– Response to risk – Residual risk
assessment (impact and likelihood) –
Risk ownership – Timescale for actions
required?
2.3
Is there a Risk Register in place which
has identified the risks to the
organisation at a strategic
(organisational) level?
Yes.
Yes.
Yes.
6
2. Risk Management Process (continued)
2.4
Are risk registers maintained at an
operational (divisional) level?
No, given the size of the Council there is
one Risk Register covering corporate
and key operational risks.
2.5
Are risk registers maintained at a project
level or does evidence exist that risks
are assessed for projects individually?
Risk Registers are maintained as
appropriate, for example, the shared IT
service maintains a Risk Register which
is reviewed at each Shared IT Board.
2.6
How often are risk registers reviewed?
Quarterly.
2.7
What techniques are used by the
organisation in identifying risks?
By review of Management Team – given
the size of the Council, the Chief Officers
can reasonably be expected to be aware
of key risks.
2.8
How regularly are the responses to key
risks monitored?
Quarterly, unless an individual action
plan indicates more frequent monitoring
is required.
2.9
Who is responsible for monitoring the
risks?
Management Team.
2.10
Is there a policy in place for managing
the risks associated with working with
partners at project level?
A Protocol for Partnership Arrangements
is in place.
3. Accountability
Have responsibilities for identifying,
managing and reporting risk been
established?
Included in the Risk Register.
How regularly are these responsibilities
reviewed?
Quarterly.
3.2
Are responsibilities in relation to risk
reflected in personal objectives and the
performance appraisal system?
No, not considered appropriate.
3.3
Have any significant internal control
issues relating to identified risks been
highlighted in the Statement on Internal
Control in recent years?
No.
3.4
Does the Internal Audit Service use the
risk management framework when
planning their work?
Yes.
3.1
7
3. Accountability (continued)
3.5
How does the organisation gain
independent assurance on the
effectiveness of its risk management
process?
Internal Audit of risk management
undertaken in 2014.
External Audit review the Annual
Governance Statement annually.
Source: Summarised version of Good Practice in Risk Management – Northern Ireland Audit Office
8
Intentionally Blank
9
Annex 2
Impact Assessment – Risk Management Strategy 2015
1. About the policy/service/function
Name of Policy/Service/Function being assessed
Risk Management Strategy
Job Title of Officer completing EIA
Director of Finance
Department/service area
Finance
Telephone number and email contact
01768 212211; david.rawsthorn@eden.gov.uk
Date of Assessment
April 2015
Main aims and objectives of policy/service/function
The main aims are to provide members of the public and
employees with a safe and secure environment and to protect
Council assets, including its image
Is this a: (please copy ✓ and place into appropriate box)
New Policy/service/function or a proposal?
Review of an existing policy?
✓
A changing/updated policy/service/function?
Who are the stakeholders?
Officers and members of the public
2. Gathering relevant information, evidence, data and research
Consider the sources of information, evidence, data and research that will help you build up a picture of the likely impacts of your policy/service/function on the
protected characteristic groups.
List your sources of information and what they tell you. (Refer to Section 7.0, Step 2 on page 6 of the Guidance Notes).
Information Source
Location of data/information
(give a link here if applicable)
What does the data/information tell us?
Previous Risk Management
Strategy
Council records
The Risk Management Strategy plays an important role in setting out
the key steps in the Council’s approach to risk management.
1
3. Assessing the Impacts
From the information, evidence, data and research you have gathered, use this section to identify the risks and benefits for each of the different protected
characteristic groups.
Protected
Characteristic Group
Positive
Impact or
benefit (Y/N)
Negative
Impact or
risk (Y/N)
No impact
(✓)
Age
✓
Disability
✓
Gender
✓
Race
✓
Religion or Belief
(including non-belief)
Marriage and
Civil Partnership
Pregnancy and
Maternity
Gender Reassignment
✓
Sexual Orientation
✓
Rural Resident
✓
Details of likely
impact(s)
✓
✓
✓
2
How do
you
know?
Action required to
address impact(s)
Give justification if
action not
possible
Note any opportunities to
promote equality
4. Action Planning
What is the negative/
adverse impact or
area for further
action?
Not Applicable
Actions proposed to
reduce/eliminate the
negative impact
Who will lead on the
action(s)?
Resource
implications/
resources required
When? (target
completion date)
Monitoring
Arrangements
5. Outcome of Equality Impact Assessment (tick appropriate box)
No major change needed - the analysis shows the policy is robust and evidence shows no potential for discrimination
Adjust the policy/service/function - alternatives have been considered and steps taken to remove barriers or to better advance equality. Complete the
action plan.
Adverse impact(s) identified but continue - this will need a justification or reason. Complete the action plan.
6. Review
Date of the next review of the Equality Impact Assessment
April 2016
Who will carry out this review?
Director of Finance
3
✓