Download Recommendation - Mid Suffolk District Council

X/134/02
EXECUTIVE COMMITTEE – 30 SEPTEMBER 2002
RISK MANAGEMENT STRATEGY
Authorship: Andy Radford, Head of Financial Management
(01449) 727277
1.
Summary/Main Issues
1.1
Local authorities are facing increasing risks in undertaking their services. The increased focus
on Councils’ arrangements for identifying, evaluating and controlling risks places a requirement
on each Council to put procedures in place.
1.2
Such demands have traditionally come from insurers, who adjust their premiums as a result of
Councils' demonstration of effective risk management. However, demands are now coming
from issues surrounding good corporate governance, the Audit Commission and External
Audit.
1.3
The Executive Committee agreed a Strategy last year, which attempted to provide a corporate
approach to risk management. This report updates members on progress made, and areas for
further development.
2.
Recommendation
2.1
That Members note the progress made to date.
Implications
Tick the appropriate box, to indicate whether there are implications in any of the following areas.
Yes (There needs to be an appropriate comment in the report)
No (The officer needs to be prepared to answer why not, at the member meeting)
Legal
Finance
Personnel
Staff Resources
Unison consulted
Community Strategy Goals (List the numbers of any of the 13 goals that apply)
Additional documents
Appendices
Background papers
3.
Background
3.1
Risk management developed as a concept in the public sector around ten years ago, at the
time when Municipal Mutual suffered heavy losses in providing insurance cover for local
authorities. It became clear that local authorities had to take a more proactive approach to
managing their risks, the alternative being increases in the insurance premiums they faced.
3.2
Many local authorities have put in place a range of initiatives in order to demonstrate their
proactive approach to risk management. For example, in this Council initiatives include:
development of health and safety - there has been a significant amount of work undertaken
by the Health and Safety Officer. The level of risk assessments has increased, regular
reporting on accidents etc is now taking place

improvements in IT security arrangements - Members agreed the use of external
consultants to assess the council’s IT security issues. A report has now been issued which
is being implemented by the IT section

a comprehensive analysis of risks raised by managers across the Council identified a
number of issues where further work is required. These are described in para 4.
3.3
The PricewaterhouseCoopers report on Corporate Governance 2001/02 recommends that:
“Although it has been noted that MSDC have begun to implement a risk management policy
through the production of a strategy document in September 2001, there are currently no
formal risk management procedures in place.
This is one of the key elements of Corporate Governance which will need to be considered as
part of the CIPFA/ SOLACE framework.
The lack of a formal risk management policy and framework may lead to insufficient risk
assessment being undertaken thus exposing the Council to both operational and financial
risks.
The work already undertaken by the Council in this area should be developed to produce
formal risk management procedures.”
Officers agree with this recommendation, and the Executive Committee has already received a
report evaluating the Council’s position against the CIPFA/SOLACE framework. Officers are of
the view that the philosophy of Risk Management is a cultural issue, something which must be
considered in all of the council’s decisions. Officers do not view it as a mechanistic process, as
suggested by PricewaterhouseCoopers.
3.4
Members should be reminded that the claims record is good. It is therefore suggested that the
Council continues to adopt a pragmatic approach to risk management. There does however
continue to be the need to demonstrate that the Council has identified, evaluated and manages
the risks it is or may become exposed to.
4.
Risk Management Strategy
4.1
The Council’s Risk Management Strategy was approved by the Executive Committee in
September 2001, and is attached at Appendix A to this report. Following the formation of the
Senior Management Group in April 2002, it has assumed the role of the Risk Management
Group. In taking forward the Strategy, all Service Managers were asked to identify their key
risks which could impact on the future delivery of the services. These risks were then analysed
by the Risk Management Group and work is now in hand to reduce or remove these risks.
These can be summarized as follows:

Virus/Hacker attack to IT systems- a security audit has been undertaken, recommendations
are being implemented. Attempts to increase the council’s insurance cover in this area have
been unsuccessful.

Business Continuity- the Emergency Planning Officer has met with Heads of Service to clarify
arrangements in the event of a major incident.

Loss of manually held records- a bid for a corporate Record Management (DIP)/Workflow IT
system will be reported to the next meeting of the Executive Committee, in order to transfer all
future records held manually into electronic form. The cost of transferring all historic records
into electronic form would be prohibitive.

Loss of IT systems and Internet Security- the security audit examined the latter issue, and the
recommendations are being implemented.

Staff Sickness/ Stress- the Personnel Manager is drafting policies and procedures to assist
with the effective management of these issues.

New IT Systems- there is a need for effective project management to ensure new IT delivers
the anticipated service improvements. The recently appointed Project Manager will fulfill this
role.

Data Protection- the correct registration and application of the law is key. Documented
procedures have been drawn up.

Threats to Staff/ Lone Workers- the Health and Safety Officer is evaluating the IT solutions
available, to enable all staff at risk to be contactable at all times they are away from the office.

Capital Project Cost and Time Overruns- the Capital Strategy Officer Working Group is
developing a process where all projects are actively monitored on a corporate basis, to ensure
that effective project management is being undertaken and that the anticipated service
improvements are obtained

Major Pool Chemical Emergency- at either Stowmarket or Stradbroke. A policy for storage,
staff, checkings and readings is in place. Further work required by Leisure Centre Manager to
draft procedures for inclusion in the Environmental Action Plan

Fatalities/ Injuries- work being developed by Health and Safety Officer on First Aid access
across Council buildings. There may be a bid forthcoming for equipment at Leisure Centre and
Stradbroke Pool

Gas Escape- procedures already in place

Bribery and Corruption- the policy is being redrafted and will be submitted to the Executive
Committee for its approval shortly

Claim Against MSDC on Discrimination- the Personnel Manager is providing policy and
training. Guidance is required for all managers

External References for Candidates- policy and guidance required
4.2
The Risk Management Group will monitor progress against the above risks. The risk register
will be updated throughout the year. Members should be aware that the Comprehensive
Performance Assessment places Risk Management as one of its cornerstones, and the
Council’s philosophy towards risk management will be examined as part of this process.
4.3
Whilst it is hoped that any funding requirements come from savings which may arise there may
be a need to fund the initial costs. If this proves necessary this will come through the budget
setting process.
Andy Radford
Head of Financial Management
9 September 2002
APPENDIX A
RISK MANAGEMENT STRATEGY
1.
INTRODUCTION
1.1
Risk management is an essential requirement of corporate governance.
1.2
Risk Management is the process of identifying risks, evaluating their potential consequences
and determining the most effective methods of controlling them and/or responding to them. It is
not an end in itself. Rather, risk management is a means of minimizing the costs and
disruption to the organisation caused by undesired events.
1.3
The aim is to reduce the frequency of risk events occurring (where possible) and minimize the
severity of their consequences if they do occur.
1.4
To manage risk effectively, the risks associated with policy options or service delivery methods
need to be systematically identified, controlled and monitored. These are central to delivering
Best Value.
1.5
A shared corporate approach is important if risks are to be identified and managed
systematically and consistently across the Council. A corporate risk management strategy
provides a framework to structure this approach.
1.6
Corporate governance requires that risk management be integral to policy, planning and
operational management. It cannot be a ‘bolt-on’, it must be embedded into the culture.
2.
RISK IDENTIFICATION
2.1
Identifying and understanding the potential risks facing the Council is crucial if informed
decisions are to be made about policies or service delivery methods.
2.2
It is recognized that there is risk in every action and every decision that is taken. The formal
risk management process needs to be activated and targeted at major processes/projects if
the organisation is to gain from this strategy.
2.3
Risks identified will be incorporated into a Risk Management Plan, which will specify
responsibilities and timescales for improvements.
3.
RISK ANALYSIS
3.1
Once the risks have been identified, all available data should then be used to provide
information to help assess the likelihood of any risk arising and the consequence or impact it
may have if it does arise.
3.2
Risks can then be profiled according to their likelihood and severity using an evaluation model.
4.
RISK CONTROL
4.1
Risk control is the process of taking action to minimize the likelihood of the risk event occurring
and/or reducing the severity of the consequence should it occur.
4.2
The Council’s Risk Management Group will have responsibility for co-ordinating corporate risks
and for approving action plans that will be produced by each Division managing these risks.
5.
RISK MONITORING
5.1
The risk management process does not finish when risk control actions have been identified.
There must be monitoring and review of:-
the implementation of the agreed control action;
the effectiveness of the action in controlling the risk;
how the risk has changed over time.
6.
CATEGORIES OF RISK
6.1
Understanding the breadth of hazard facing the organization will help managers to identify all
of the potential risks associated with providing their services. Hazards and associated risks
can be strategic or operational. Sub-dividing these into the following categories provides
managers with a useful checklist:

Strategic – hazards and risks which need to be taken into account in judgments about the
medium to long-term goals and objectives of the organization. These may be:
Political
those associated with failure to deliver either central government policy, or meet the
administration’s manifesto commitments
Economic
those affecting the ability of the organization to meet its financial commitments. These
include internal budgetary pressures, the failure to purchase adequate insurance cover,
external macro level economic changes, or the consequences of proposed investment
decisions.
Social
those relating to the effects of changes in demographic, residential or socio-economic
trends on the organisation’s ability to deliver its objectives.
Technological
those associated with the capacity of the organization to deal with the pace/scale of
technological change, or its ability to use technology to address changing demands.
They may also include the consequences of internal technological failures affecting the
organisation’s ability to deliver its objectives.
Legislative
those associated with current or potential changes in national or European Law (e.g.
the appliance or non-appliance of TUPE Regulations, Human Rights Act, Data
Protection Act, Disability Discrimination Act etc).
Environmental
those relating to the environmental consequences of progressing the organisation’s
strategic objectives (e.g. in terms of energy efficiency, pollution, recycling, landfill
requirements, emissions etc).
Competitive
those affecting the competitiveness of the service (in terms of cost or quality) and/or its
ability to deliver Best Value.
Customer/Citizen
those associated with failure to meet the current and changing needs and expectations
of customers and citizens.
Managing strategic risks is a core responsibility for senior managers in close liaison with
elected Members. Strategic risk assessments should be undertaken as part of the community,
corporate and service planning process and as a key element of service reviews.
6.2
Operational – hazards and risks which managers and staff will encounter in the daily course of
their work. These may be:
Professional
those associated with the particular nature of each profession (e.g. clinical risk
management in the health sector, particular aspects of the Human Rights Act in the
“blue light” services, social work service concerns over children at risk, housing service
concerns as to the welfare of tenants).
Legal
those related to possible breaches of legislation
Financial
those associated with financial planning and control and the adequacy of insurance
cover and internal funds.
Physical
those related to fire, security, accident prevention and health and safety (e.g.
hazards/risks associated with buildings, vehicles, plant and equipment etc).
Contractual
those associated with the failure of contractors to deliver services or
products to the agreed cost and specification.
Reputational
those relating to the organisation’s reputation and the public perception of
the organisation's efficiency and effectiveness.
Technological
those relating to reliance on operational equipment (e.g. IT systems or
equipment and machinery).
Environmental
those relating to pollution, noise or energy efficiency of ongoing service
operation.
7.
BENEFITS OF MANAGING RISKS EFFECTIVELY
7.1
Effective risk management will deliver a number of tangible and intangible benefits to individual
services and to the Council as a whole. These can vary from division to division. However,
they will be important to the Council’s reputation and its ability to deliver ‘Best Value’.
Improved Strategy Management
- better informed selection of strategic objectives and associated targets
- greater ability to deliver against more realistic and achievable targets
Improved Operational Management
- Reduction in interruptions to service delivery
- Reduction in management time dedicated to dealing with the consequences
of a risk event having occurred
- Enhanced management control as a result of the risk management process
- Improved health and safety and the enhanced condition of property and
equipment
- Improved control of the risks associated with contractual arrangements
- Improved project management
Improved Financial Management
- Better informed financial decision making on investment, insurance, option
appraisal etc;
- Enhanced financial control;
- Reduction in the financial costs associated with losses due to service
interruption, litigation etc;
- Reduction or avoidance of increases in insurance premium and/or direct costs met
through self-insurance
Improved Customer Service
- Minimal service disruption to the public and a positive external image as a
result of all of the above;
8.
IMPLEMENTING THE STRATEGY
8.1
The most effective way to achieve risk identification and risk analysis is through discussion and
input from those involved with all aspects of the business.
8.2
In each division there needs to be a small group which sits alongside but not part of the Local
Health and Safety Committee – comprising –
Head of Service
Safety Liaison Officer
UNISON representation
Risk Manager (if resource permits)
8.3
The role of this group is to manage identification of risk and implementation of risk control
measures at a local level. The frequency of meetings will need further consideration.
8.4
The Risk Management Group, meeting three times per year, recommends Risk Management
Policy at a corporate level, having issues fed into it from the local groups. The Risk Manager
will be required to report to the group on issues raised locally and more corporate issues which
affect the entire Council, e.g. business continuity, training, etc. The Risk Manager will also
report corporate issues to the Local Health and Safety Committees.
8.5
The aims of the Risk Management Group are:
- to raise the profile of Risk Management throughout the Council
- to seek to prevent loss of life, personal injury and incidents of avoidable loss
suffered by the Council
- to enable areas of risk within the Council to be identified, evaluated,
prioritized, controlled and monitored
- to periodically review the Council’s Risk Management Strategy
- to ensure common Risk Management Standards across the Council
8.6
The Strategy will be reviewed on an annual basis, which will incorporate feedback from local
groups on amendment or improvement to the Strategy, including rectifying any weaknesses
identified.
8.7
The Head of Financial Management will be responsible for the review and update of the
Strategy, including ensuring it complies with relevant best practice and legislation (e.g. Human
Rights Act, which will require an audit).
9.
SUMMARY
9.1
Risk Management is critical to the effective overall management of any organization. It should
be integral to both strategic and operational management. This will ensure that an effective
assessment of risk is undertaken when considering each policy and service delivery option
available to the Authority.
9.2
Effective risk management is merely good management and is the responsibility of all. This
framework will allow for consistency to be adopted across the Authority and with appropriate
facilitation and support will result in significant benefits in both financial and other terms.
9.3
Without effective risk management ‘Best Value’ will not be achieved.