Risk Management Strategy

(A pdf version of the Risk Management Strategy is available for download here)

Introduction

This document forms St Erth Parish Council’s Risk Management Strategy. It sets out:

• What risk management is;
• Why the Council needs a risk management strategy;
• The Council’s philosophy on risk management;
• The risk management process;
• Roles and responsibilities;
• Future monitoring.

The objectives of this strategy are to:

• Further develop risk management and raise its profile across the Council;
• Integrate risk management into the culture of the organisation;
• Embed risk management through the ownership and management of risk as part of all decision-making processes; and
• Manage risk in accordance with best practice.

What Risk Management is

Risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and to successfully execute its strategies.  Risk management is the process by which risks are identified, evaluated, and controlled.  It is a key element of the framework of governance together with community focus, structures and processes, standards of conduct and service delivery arrangements.’ Audit Commission, Worth the Risk: Improving Risk Management in Local Government, (2001: 5) 

Risk management is an essential feature of good governance.  An organisation that manages risk well is more likely to achieve its objectives.  It is vital to recognise that risk management is not simply about health and safety but applies to all aspects of the Council’s work.

Risks can be classified into various types, but it is important to recognise that for all categories the direct financial losses may have less impact than the indirect costs such as disruption of normal working.  The examples below are not exhaustive:

• Strategic Risk – Long-term adverse impacts from poor decision-making or poor implementation. Risks damage to the reputation of the Council, loss of public confidence, in a worst-case scenario Government intervention.
• Compliance Risk – Failure to comply with legislation, laid down procedures or the lack of documentation to prove compliance. Risks exposure to prosecution, judicial review, employment tribunals and the inability to enforce contracts.
• Financial Risk – Fraud and corruption, waste, excess demand for services, bad debts. Risk of additional audit investigation, objection to accounts, reduced service delivery, dramatically increased Council Tax levels / impact on the Council reserves.
• Operating Risk – Failure to deliver services effectively, malfunctioning equipment, hazards to service users, the public or staff, damage to property. Risk of insurance claims, higher insurance premiums, lengthy recovery processes.

These risks can be broken down further into specific areas which could impact on the achievement of the Council’s strategic objectives and day-to-day delivery of services:

• Political – Those associated with the failure to deliver local, regional, or national policy.
• Financial – Those affecting the ability of the Council to meet its financial commitments; failure of major projects; internal and external audit requirements; failure to prioritise and allocate resources effectively; poor contract management; initiative overload.
• Social – Those relating to the effects of changes in demographic, residential, or socio-economic trends on the Council’s ability to deliver its strategic priorities.
• Technological – Those associated with the capacity of the Council to deal with the pace/scale of technological change, or its ability to use technology to address changing demands. This includes the consequences of internal failures on the Council’s ability to deliver its objectives.
• Legal – The ability of the Council to meet legislative demands affecting breaches of legislation.
• Environmental – Those relating to the environmental consequences of progressing the Council’s objectives in terms of energy-efficiency, pollution, recycling, emissions etc.
• Partnership/Contractual – Those associated with the failure of partners/contractors to deliver services to an agreed cost and specification and similarly failure of the Council to deliver services to an agreed cost and specification; compliance with procurement policies (internal/external); ensuring open and fair competition.
• Human Resources – Those associated with the professional competence of staff; training and development; over-reliance on key personnel; ineffective project management; recruitment and selection issues.
• Organisational – Those associated with the review of services and delivering continuous improvement.
• Health & Safety/Physical – Those related to fire, safety, accident prevention and health & safety which pose a risk to both staff and the public, safeguarding and accounting of physical assets.
• Reputational – Those associated with the changing needs of customers and the electorate; ensuring appropriate consultation; avoiding poor public and media relations.

Not all these risks are insurable and for some the premiums may not be cost effective.  Even where insurance is available, a monetary consideration might not be an adequate recompense.  The emphasis should always be on eliminating or reducing risk before costly steps to transfer risk to another party are considered.  

Risk is not restricted to potential threats but can relate to missed opportunities.  Good risk management can facilitate proactive, rather than merely defensive responses.  Measures to manage adverse risks are likely to help with managing positive ones.

Why the Council needs a Risk Management Strategy

Risk management will strengthen the ability of the Council to achieve its objectives and enhance the value of services provided.

The Risk Management Strategy will help to ensure that the Council understands risk and adopts a uniform approach to identifying and prioritising risks.  This should in turn lead to conscious choices as to the most appropriate method of dealing with each risk, be it elimination, reduction, transfer or acceptance.

Strategic risk management is an important element in demonstrating continuous service improvement.

There is a requirement under the Accounts and Audit Regulations 2015 to establish and maintain a systematic strategy, framework, and process for managing risk.

Risk Management Policy Statement

The Council recognises that it has a responsibility to manage risks effectively to protect its employees, assets, liabilities, and community against potential losses, to minimise uncertainty in achieving its aims and objectives and to maximise the opportunities to achieve its vision.

The Council is aware that some risks can never be eliminated fully, and it has in place a strategy that provides a structured, systematic, and focussed approach to managing risk.

Risk management is an integral part of the Council’s management processes.

Implementing the Strategy

Risk Control

Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur.  Typically, risk control requires the identification and implementation of revised operating procedures, but in exceptional cases more drastic action may be required to reduce the risk to an acceptable level.  Options for control include:

• Elimination – The circumstances from which the risk arises are removed so that the risk no longer exists;
• Reduction – Loss control measures are implemented to reduce the impact/ likelihood of the risk occurring;
• Transfer – The financial impact is passed to others e.g. by revising contractual terms;
• Sharing – The risk is shared with another party;
• Insuring – Insure against some or all the risk to mitigate financial impact; and
• Acceptance – Documenting a conscious decision after assessment of areas where the Council accepts or tolerates risk.

Risk Register

‘The Risk Register’ (Appendix A) will be regularly refined and updated as part of this Risk Management Strategy.

Risk Monitoring

The risk management process does not finish with putting risk control procedures in place. Their effectiveness in controlling risk must be monitored and reviewed.  It is also important to assess whether the nature of any risk has changed over time.  The Risk Management Strategy will be reviewed at least annually by the Chair and the Council as the body corporate.  The information generated from applying the risk management process will help to ensure that risks can be avoided or minimised in the future.  It will also inform judgements on the nature and extent of insurance cover and the balance to be reached between self-insurance and external protection.

Risk Management System

Risk Identification – Identifying and understanding the hazards and risks facing the Council is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions can then be effectively managed.

Risk Analysis – Once risks have been identified they need to be systematically and accurately assessed using proven techniques. Analysis should make full use of any available data on the potential frequency of events and their consequences.  If a risk is seen to be unacceptable, then steps need to be taken to control or respond to the risk.

Risk Prioritisation – Using the matrix set out in the Risk Register at Appendix A, an assessment should be undertaken of the impact and probability of risks occurring, with impact and probability being scored.  Risks scoring High (6 and above) will be subject to detailed consideration and preparation of a contingency  action plan to appropriately control the risk.

Roles and Responsibilities

It is important that risk management becomes embedded into the everyday culture and performance management process of the Council.  The roles and responsibilities set out below, are designed to ensure that risk is managed effectively right across the Council as the body corporate and its operations, and responsibility for risk is located in the right place. The process must be driven from the top but must also involve staff and contractors throughout the organisation.

Councillors – Risk management is seen as a key part of Councillors’ stewardship role and there is an expectation that Councillors will lead and monitor the approach adopted, including:

• Approval of the Risk Management Strategy;
• Analysis of key risks in reports on major projects, ensuring that all future projects and services undertaken are adequately risk managed;
• Consideration, and if appropriate, endorsement of the Annual Governance Statement; and
• Assessment of risks whilst setting the budget, including any bids for resources to tackle specific issues.

Employees – will undertake their job within risk management guidelines ensuring that their skills, experience, and knowledge are used effectively.  All employees and councillors will maintain an awareness of the impact and costs of risks and how to feed information into the formal process.  They will work to control risks or threats within their roles, monitor progress and report on task related risks to the Chair or the Chair of the Staffing Committee.

Chair of the Council – The Chair of the Council assisted by the Clerk will be responsible for overseeing the implementation of the Risk Management Strategy.  The Clerk, in consultation with the Chair of the Council, will:

• Provide advice as to the legality of policy and service delivery options;
• Provide advice on the implications for service areas of the Council’s strategic aims and objectives;
• Update the Council on the implications of new or revised legislation;
• Assist in handling any litigation claims;
• In consultation with the Council’s external advisors (CALC) as necessary, provide advice on any human resource issues relating to strategic policy options or the risks associated with operational decisions and assist in handling cases of work-related illness or injury;
• In consultation with external Health and Safety advisors as necessary, advise on any health and safety implications of the chosen or proposed arrangements for service delivery;
• Assess and implement the Council’s insurance requirements;
• Assess the financial implications of strategic policy options;
• Provide advice on budgetary planning and control;
• Ensure that the financial information systems and processes allow effective budgetary control;
• Ensure the Council’s Risk and Asset Registers are maintained;
• Effectively manage the Council’s investments.

Role of Internal Audit – Internal Audit provides an important scrutiny role by carrying out audits to provide independent assurance to the Council that the necessary risk management systems are in place and all significant business risks are being managed effectively.  Internal Audit assists the Council in identifying both its financial and operational risks and seeks to assist the Council in developing and implementing proper arrangements to manage them, including adequate and effective systems of internal control to reduce or eliminate the likelihood of errors or fraud.  Internal Audit reports, and any recommendations contained within, will help to shape the Annual Governance Statement.

The Council (as the body corporate) – Review and future development of the Risk Management Strategy.

Training – The aim will be to ensure that both Staff and Councillors have the skills necessary to identify, evaluate and control the risks associated with the services they provide.  Risk Management training and development will be provided through a range of methods such as workshops, literature and inhouse service familiarisation.

In addition to the roles and responsibilities set out above, the Council is keen to promote an environment within which individuals and groups are encouraged to report adverse incidents promptly and openly.

Future Monitoring

Review of Risk Management Strategy – This Strategy will be reviewed annually by the Council as the body corporate.

Conclusion

The adoption of a sound risk management approach should achieve many benefits for the Council.  It will assist in demonstrating that the Council is committed to continuous service improvement and effective corporate governance.