Risk Management Policy 2018

Transcription

1 1 Risk Management Policy 2018 Version: Final Draft 0.2 Date: March 2018 Page 1 of 24

2 2 Document Control Organisation Copeland Borough Council Title Risk Management Framework Version Author Gillian Butterworth, Performance and Risk Management Officer Filename Owner Director of Commercialisation and Corporate Resources Subject Risk Management Protective Marking None Review Date March 2020 Revision History Version Reviewed Final Draft V0.2 Date Reviewed Reviewed By Description of Revision March 2018 GB and CLT Review of draft V0.2. Progressed to Final version V1 Document Approval Version Approved By Date Corporate Leadership Team Audit and Governance Committee Executive Full Council Document Distribution This policy is to be available to all staff and elected members of Copeland Borough Council by being placed on the Council s Intranet Site. Contributors Institute of Risk Management (IRM) Fundamentals of Risk Management IRM - A Risk Practitioners Guide to ISO 31000: 2018 ISO31000 Risk Management guidelines (2018) CIPFA Delivering Good Governance in Local Government Framework Essex County Council Risk Management Strategy Northumberland City Council Risk Ready Reckoner Page 2 of 24

3 3 Contents Purpose and Benefits...4 Introduction...5 Risk Appetite Statement...5 Definitions...6 Roles and Responsibilities...7 Policy Details including procedures Approach to Risk Management...9 Stage 1. Risk Identification...10 Stage 2. Risk Assessment...12 Stage 3. Risk Control...14 Stage 4. Risk Monitoring...15 Monitoring of Policy Adherence...18 Appendices Appendix A: Risk Identification Examples...19 Appendix B: Risk identification Techniques...20 Appendix C: Risk Impact scale including examples...21 Appendix D: Risk Management Form template...23 Appendix C: Risk Register Action Plan template...24 Page 3 of 24

4 4 1. Purpose and Benefits 2.1 Copeland Borough Council (the council) has a statutory responsibility to have in place arrangements for managing risks, as stated in the Accounts & Audit Regulations 2015:- A relevant body must ensure that it has a sound system of internal control which: (a) facilitates the effective exercise of its functions and the achievement of its aims and objectives; (b) ensures that the financial and operational management of the authority is effective; (c) Includes effective arrangements for the management of risk. 1.4 This purpose of this policy is to set out the processes used by the council to ensure an effective and consistent approach to risk management. 2.3 The benefits to be gained from effective risk management include: Improved strategic management - Greater ability to deliver against corporate objectives and priorities. Improved decision making. Enhanced corporate governance. Increased capacity to anticipate and respond to change proactively (technological, social, environmental, legislative changes) Improved operational management - More effective management of resources. Improved service delivery and VFM. Prevention of loss or injury to staff and public. Improved financial management - Better informed financial decision-making leading to greater financial control and a reduction in insurance and claims costs to the Council. Greater protection of assets and guard against impropriety or poor VFM. Improved customer service - Minimal service disruption to customers and a positive external image as a result of all of the above. Reduction in complaints. Enhance the profile of the Council and increased customer/community confidence. 2. Introduction 2.1 Risk is defined as:- The possibility that an event will occur that will have an impact on the achievement of objectives 1 In its simplest sense, risk can be defined as, The effect of uncertainty on objectives This effect of uncertainty on objectives or the risk is measures by a combination of the probability of an event happening and the consequences of an event happening. 1 COSO Definition of risk. 2 The International Risk Management Standard ISO: Page 4 of 24

5 5 2.3 Risk is always present in all that we do and a certain amount of risk taking is inevitable to achieve strategic ambition and business objectives. Risks can be either negative or positive, this means that can pose a threat and an opportunity to the achievement of objectives. 2.4 Risk Management is not about taking no risks at all. It is about being able to take calculated and controlled risks to achieve objectives. To manage risk, the council uses a coordinated process to identify, assess, control and monitor risks with a view to increasing the probability of success and reducing the likelihood of failure. 2.5 The Risk Management Policy supports the Council s vision and priorities which are set out in the Corporate Strategy for The Council has a clear mission that is To make Copeland a better place to live, work and visit. Risk appetite statement Copeland Borough Councils vision for 2020 is for the Council to be a commercially focused organisation with a national reputation for high quality services. All key decisions will be informed by a robust assessment of the risks, and must be able to demonstrate that the level of risk accepted against an activity, will only be undertaken where the benefits are proportionate to, or greater than, the level of risk involved. Risk assessments will use the Zurich Risk Assessment Matric set out in the policy. Through increasing the commercial activity of the Council, it is expected that there will be increased exposure to new risks. The Council recognises that there is risk in all that we do, and that while some risks pose a threat, others provide an opportunity. Acceptance of risks will be founded on an evidence based comprehensive assessment the controls and resources available. The Council s priority is to ensure that it protects the public purse in accordance with audit and governance provisions, and to this end the Council s risk appetite in relation to statutory services and functions, is one of prudence. Realisation of the Council s mission and vision is founded on the achievement of four key ambitions. Here the Councils appetite for is assessed based on the balance between cost and benefit, this is set out for each of the four ambitions below; Town Centre Regeneration - Commercialisation Employment, Skills and Social wellbeing - The Council is open to opportunities relating to its influence on generating sustainable growth throughout the borough. The Council is open to developments and innovations that will (sustainably) increase the income, efficiency and quality of its commercial services. The Council is open to opportunities to increase the employment, skills and social wellbeing of Page 5 of 24

6 6 Copeland residents. Strengthen the way we operate - The Council is open to opportunities to improve the way it operates to provide high quality statutory and discretionary services. 3. Definitions 3.1 The following definitions are used throughout this policy to define and identify key terms Risk Risk Management Zurich Risk Matrix Risk Score The effect of uncertainty on objectives. The continuous process of identification, assessment and control of risks. Matrix used by the Council to asses and score risks. Risks are assessed by putting a numerical value on the likelihood that the event will happen and impact on the Council s objectives, should that event happen. Risk Score = likelihood x impact Current Risk - Score given to a risk taking into account any controls that are already in place. Target Risk Target score for a risk, given that further controls identified in the risk action plan are put in place. Risk Owner Controls Risk Action Plans Risk Registers Risk Appetite Risk Tolerance Risk Escalation Pentana Named persons responsible for overseeing the identification, management, monitoring, and escalation and reporting of a risk. Controls are actions put in place to reduce the risk. Action plans used to identify and monitor controls that need to be implemented in order to reduce risk. Risks grouped together on a register for monitoring and reporting purposes. The amount and type of risk that The Council is willing to accept or pursue to achieve its strategic objectives. The amount a risk that the council can manage effectively or tolerate to achieve its objectives. Process which allows a risk to be escalated to next level of management. Performance management software used by the Council to record, monitor and report on its risk registers (formally called Covalent) Page 6 of 24

7 7 4. Roles and Responsibilities 4.1 The Council is committed to embedding risk management into the culture of the organisation. In order to realise this commitment, all Council employees and elected members should: - Become familiar with the Risk Management Policy. Be aware of personal roles and responsibilities in managing risk. Be proactive in the identification, assessment and control of threats and opportunities. Use the agreed procedures and templates contained within this policy to identify, assess, control, monitor and escalate risks. Immediately report any incident, accident, near misses or any other concerns that they may have with regards to risks to their manager. 4.2 Specific responsibilities and governance with regard to Risk Management are shown below, Executive Oversee risk management of the Council in delivering its strategic objectives and core services. Approve the Risk Management Strategy and Policy Provide challenge around the risks involved in key decisions Audit & Governance Committee Corporate Leadership Team Leadership & Management Group Provide independent assurance to the Council on the overall adequacy of the risk management framework including review of proposed amendments to the Risk Management Framework prior to its presentation to Executive Review the Strategic Risk Register on a quarterly basis and make recommendation for change. Champion an effective Council-wide risk management culture Ownership of the Strategic Risk Register Overview of red risks on other Risk Registers Oversee and manage escalated risks as next level of management. Ensure members receive relevant risk information Design and facilitate the implementation of a risk management framework within the Council Ensure relevant expertise is available to provide support and guidance as required Provide assurance that risks are being effectively assessed and managed Responsible for the effective management of risk in their Service and projects within their service, in line with the processes set out in this policy. This includes; Identify, assess, mitigate and monitor service based risks. Identify risk owner, controls, action and timeframes for implementation. Page 7 of 24

8 8 Attend training and awareness sessions as appropriate Maintain the relevant Service and project risk registers using Pentana by reviewing all risks monthly. Escalate risks appropriately Encourage staff to identifying risks and opportunities Performance Collate risk information and prepare reports as necessary. and Risk Management Support Corporate Leadership Team to embed risk management through the arrangement or provision of training. Officer Support Risk Owners to manage risks by providing support and training on Pentana. Officers Manage day to day risks and opportunities effectively and report risk management concerns to the line managers. Attend training and awareness sessions as appropriate Members Champion a Council-wide risk management culture. Provide scrutiny to the risks involved in Council in delivering its strategic objectives and core services. Page 8 of 24

9 9 5. Policy Details including procedures 5.1 Our approach to Risk Management The Councils approach to risk management is an ongoing coordinated process which identifies, assesses, controls and monitors risks, with the aim of increasing the probability of success and reducing the likelihood of failure. The process is cyclical and it is often necessary to revisit a previous stage to ensure that you have a complete picture of the risks that you are assessing. There are four logical stages to the risk management process, these are outlined in the diagram and sub-sections below. Risk Identification the identification of risks that matter. What events could occur that would have an impact on the Risk Monitoring Log all risks on a Risk Register and monitor at regular intervals Monitor the implementation and effectiveness of controls. Monitor changes to the risk Horizon scanning to identify new risks emerging. Risk Control Determine how to treat the risk; Treat Tolerate Transfer Terminate Determine what controls need to be put inplace to manage the risk. Define a target risk score Risk Assessment Asses and score the risk. What is the liklihood of the event occurring and what impact could it have on the achivement of our objectives. Rank risks Page 9 of 24

10 Stage 1 - Risk Identification The first stage of the risk management process is to identify the risks. At first glance, this can seem like a daunting task, after all risks ever present and an inevitable part of business and innovation. However, risk management is about the proportionate use of resources to manage only with risks the matter i.e. risks that may have an impact in the achievement of objectives. The risk identification stage uses tools, techniques and standard templates to help the risk owner identify the risks that matter. 5.3 Understanding the risk context An integral part of identifying risks, is understanding the context. Depending on the area under review, the relevant objectives and outcomes will usually be detailed in existing documents, including the following: Corporate Strategy Service Plans Project Brief/Project Initiation Document Partnership Agreements Contractual Agreements Policies and procedures 5.4 Techniques used to Identifying where Risks. There are a number of techniques and tools that can be used to aid the identification of risks. To act as a prompt and to ensure completeness, a list of risk categories has been developed around the acronym PERFORMANCE: Political - risks arising from the political environment e.g. government policy Economic - risks arising from a unique demographic / economic features Regulatory - risk arising from legislation, legal challenges, and judicial reviews Financial - risk associated to financial implications e.g. budgeting or affordability Opportunities arising from and risks to outcomes or objectives not being met Reputation - risks that may damage the reputation of the council Management - risk to the effective management of the organisation Assets - risks relating to property, information, intellectual and ICT assets. New - risk arising from and risks to objectives not being met for new ventures Customers - risks associated with customers OR risks to customer service Environment - risk arising from environmental issues. Other examples of risks from each category are detailed in Appendix A. Further examples of risk identification techniques are listed in Appendix B. Page 10 of 24

11 Describing the Risk The way a risk is described is important to ensure that risks are clear, unambiguous and fully understood. Risk owners are required to write a risk statement which fully describes the risk. 5.6 The risk statement should tell a story and must consist of a cause, the risk and a consequence. The Cause Sources and facts to describe the existing condition As a result of... Due to... Because of... [Language] is, do, has, has not.. [present condition] The Risk a description of the uncertain event or uncertaion future...may occur Risk of... [Language] may, might, possibly The Consequence impacts - negative and positive Resulting in... Which would lead to...effect on the objectives [Language] would, will... E.g. Due to the policy being 4 years old, it may not be compliant with the latest legislation, which would lead to the incurrent of penalties due to non-compliance. 5.7 Classifying the type of risk When a risks has been identified, the Council uses two classifications to determine the type of risk; Strategic Risks - Risks that could have a long term impact on the achievement of strategic ambitions. If the risk event happens, will the consequence affect the council s strategic ambitions? Operational Risks Risks that could have an effect on the successful achievement of the objectives of an individual Service, including service lead projects and operational partnerships. If the risk event happens, will it affect the council s operational delivery and functions? Page 11 of 24

12 Stage 2 - Risk Assessment Having identified the risks that matter in stage one, the second stage of the risk management process is concerned with the assessment of the risk, this is done by giving the risk a score and a priority 5.9 Risk Score. The council uses the Zurich Risk Assessment Matrix to score risks. Risks are scored by putting a numerical value on both, the likelihood that an event will happen and the impact on the Council s objectives, should that event happen The likelihood of the risk occurring is measured using a scale of 1 6, where a value of 1 means that the likelihood of the risk occurring is almost impossible and a value of 6 means the likelihood is very high. As defined in the table below; Likelihood Almost Very Low Low Significant High Very High Impossible Value Description Will probably never happen Do not expect it to happen but it may Might happen rarely Might happen occasionally Might happen frequently Will almost certainly happen Probability Frequency Less than 1% (1 in 100) No expected to occur for years Between 2% & 5% (1 in 20) Expected to occur less than annually Between 6% & 10% (1 in 10) Expected to occur more than annually Between 11% & 30% (1 in 3) Expected to occur at least monthly Between 31% & 50% (1 in 2) Expected to occur at least weekly Depending on the risk, description, probability or frequency can be used to guide scoring. More than 50% (>1 in 2) Expected to occur at least daily The impact of a risk, should it occur, is measured using a risk impact scale of 1 4, where a value of 1 means the impact would be negligible and where a value of 4 means the impact would be catastrophic to the achievement of objectives. Impact Negligible Marginal Critical Catastrophic Value Description Minimal Impact on ability to deliver objectives / services Moderate Impact on ability to deliver objectives / services Significant impact on ability to deliver objectives / services Will not be able to deliver objectives / services A table containing detailed examples of risk impact scores is listed in Appendix C Page 12 of 24

13 To calculate the risk score, the numerical value given to likelihood is multiplied by the numerical value given to impact of the risk. Risk Score = likelihood x impact E.g. If a risk has a low likelihood of occurring (Value =3) but a Critical impact (Value =3) The Risk Score would be 3 x 3 = This is known as the Current Risk Score as it is an assessment of the risk as it is presently, taking into account any controls that are already in place to manage it Risk Prioritisation Once the current risk scores has been calculated, the priority of the risk can be determined. The higher the score, the higher the risk priority and the more it will need to be managed to mitigate adverse events. The Zurich Risk Assessment Matrix used by the council, uses a traffic light system to determine whether a risk is Low, Medium and High priority. Likelihood 6 Very High High Significant Low Very Low Almost Impossible Negligible Marginal Critical Catastrophic Impact RED (12 to 24) Risk Score is Very High - Take Immediate Action to Mitigate Risk and monitor/review monthly. AMBER (5 to 12) Risk Score is Significant Act to mitigate risk and monitor/review quarterly. GREEN (1 to 6) Risk Score is Low No Action Necessary but continue to monitor risk quarterly. Page 13 of 24

14 Risk Control Stage three of the risk management process is concerned firstly with, deciding on whether the risk is worth taking, based on information gathered in stages one and two, and secondly with taking appropriate targeted actions to control the risk through, the use of risk action plans Risk Treatment Based on the risk context, relevance to objectives, risk score and risk priority, Council uses the 4Ts to determine how the risk should be treated. Tolerate (Accept the risk) Treated (Do something to reduce the risk) Transferred (Share the risk) Terminated (Remove the risk) Accept the risk This risk is deemed acceptable in order to achieve an objective. This measure is only appropriate for low level risks (Green) We do something to reduce the risk By far the greater number of risks will be addressed in this way. The risk is deemed too high at present, however, we will continue with the risk and ensure that it is managed to an acceptable level, by putting controls in place to reduce the likelihood or the impact. Share the risk The risk is deemed too high, however, the risk to the Council can be reduced by sharing the burden of the risk. For example, insuring against the risk, outsourcing the activity, working in partnership with other organisations to share/transfer the risk Remove the risk Risk would be of such a severity that the only option is to terminate the activity that is generating the risk It may be necessary to use a combination of treatments to manage a particular risk. The reason behind the risk treatment must be recorded onto the Risk Management form. (5.21) 5.19 Risk Action Plans Controls are actions that are put in place in order to manage a risk by either, maintaining the risk at a current tolerable level or reducing the risk to a tolerable level. For each risk, it is necessary to list all current controls that are in place and any further controls that are required to manage the risk (required actions). Required actions are recorded and monitored using a risk action plan. Each required action must be assigned a named responsible officer and the date by which the action will be implemented. It is the responsibility of the risk owner to oversee the risk actions plan. Progress of risk action plans will be monitored and reviewed regularly alongside risk registers. Page 14 of 24

15 Target Risk Score At this stage in the risk management process it may be necessary to assess and score the risk for a second time, this is to establish a Target Risk Score. The Target Risk Score shows the direction of where we want and expect the risk to be if all required controls are successfully put in place Documenting the risk The Council uses a standard Risk Management Form as a template to record all risks. The form is designed to work in tandem with this policy and to allow employees to develop the correct approach to managing risks. Details taken from the risk monitoring form will be used by the Risk Management Officer to record all risks onto the councils risk registers held on Pentana. ( ) Risk Management Form Appendix D 5.22 Risk Monitoring The fourth stage of the Risk Management process is the review and monitoring of the risks Reviewing Risks Risks are reviewed regularly by looking at; How the risk has changed over time Change in either the likelihood or impact values The implementation of the agreed risk control action plan The effectiveness of the action in controlling the risk Risk management is on ongoing process, and it may often be necessary to revisit earlier stages and carry them out again to ensure that you have an up-to-date and relevant picture of the risk Escalation of risks Upon reviewing a risk, it may be necessary to escalate the risk to a higher level in the organisation. Risk may need to be escalated if; The risk becomes too unwieldy to manage at the current level The risk remains very high even after controls are implemented The risk will impact on more than one service/project/function if the risk event materialises Instinct tells the owner it is out of their control 5.25 Risks that require escalation onto the Strategic Risk Register are identified through monthly and quarterly risk monitoring and reporting. It is the responsibility of the risk owner to alert the Corporate Leadership Team of any risks that may need to be Page 15 of 24

16 16 escalated. The Corporate Leadership Team will decide whether the risk is escalated and managed through the Strategic Risk Register Risk Registers Risks are monitored through risk registers. Risk registers group together risks, for the purpose of monitoring and reporting. The table below gives details about the risk registers used by the council and how these are monitored and reported. Register What is on the register? How will it be monitored and reported? Strategic Risk Register Operational Risk Register The Strategic Risk Register (SRR) is a central register of all the risks that may prevent the Council meeting its long term strategic objectives. It is owned and managed by the Corporate Leadership Team (CLT). Strategic Risks are identified by the Corporate Leadership Team or through the escalation of risks from the Operational Risk Register, or via Horizon Scanning as part of the monthly review of the SRR. The Operational Risk Register (ORR) is a central register of Service level risks produced as part of the annual service plan. Operational risks are owned and managed and updated by the Service Manager. Operational risks can be identified as part of the annual Service plan or team meetings, process improvements or staff appraisals. The Strategic Risk Register is uploaded to Pentana (Performance and risk management software). The Risk Management Officer is responsible for ensuring all details are entered onto Pentana The SRR and action plan are monitored and reviewed monthly by Corporate Leadership Team. All SRR risks are reported quarterly to Audit and Governance Committee and the Executive. The Operational Risk Register is uploaded to Pentana The Risk Management Officer is responsible for ensuring all details are entered onto Pentana and for setting monthly reminders to prompt Service Managers to review and update their Operational Risks Operational risks are monitored by the Service Managers and the Corporate Leadership Team through monthly reports, departmental team meetings and meetings. All high priority (red) risks are reported and reviewed at departmental team meetings monthly. All high priority (red) risks are monitored and reported to Audit and Governance Committee, the Executive quarterly. Page 16 of 24

17 Project Risk Register Project risks are identified, assessed and controlled following the risk management process outlined in this policy. Monitoring and reporting of project risks will follow the Project Management Framework; whereby, each project will have its own risk register and the Project Manager will be responsible for managing or escalating the project risks, and all high priority (red) risks will be reported to and monitored monthly by the Corporate Project Group Partnership Risks Partnership risk registers are usually devised as part of the partnership agreement and are managed by the partnership board/group and not solely by the Council. Copies of the risk registers are held by the Director of Customer and Community, who is responsible for identifying and managing any risks to the Council. Any high priority (red) risks must be reported to Corporate Leadership Team for consideration and addition to the appropriate risk register Risk Register vs Issues log The main difference between a risk and an issue is that a risk is concerned with the effect of uncertainty, it is something that may or may not affect the achievement of objectives. Whereas, an issue is something that has already happened that must be addressed or corrected. When progressing through the Risk Management Process, it may be helpful to keep a separate issues log, so that issues which require a management response, are not confused with risks Pentana Performance and Risk Management system The Council s Pentana Performance Management Software to monitor and record risk registers and risk action plans. Strategic and Operational Risks Registers will be entered onto Pentana by the Risk Management Officer. The Risk Management Officer is responsible for ensuring the Strategic Risk Register is updated on Pentana. Service Managers are responsible for ensuring the Operational Risks Register is updated monthly on Pentana. Pentana will generate reminder to each risk owner to prompt the monthly review. 6. Monitoring of Policy Adherence Page 17 of 24

18 Compliance with this policy will be monitored via on an annual audit undertaken by the Business Support Manager. The results will be reported to the Leadership and Management Group and the Corporate Leadership Team. 6.2 The Internal Audit Service also has a planned programme of performance management audits that will measure compliance with this policy and will report results to the Corporate Leadership Team and the Audit & Governance Committee. Page 18 of 24

19 19 Appendix A: Risk Identification Examples Political Economic Regulatory Financial Opportunities Reputation Management Assets (Including technology) New Partnerships/ Projects/ Contracts Customers/ Citizens Environment Change in Government policy - Member support / approval Political personalities - New political arrangements Demographics Economic downturn - prosperity of local businesses / local communities Legislation and internal policies/regulations Grant funding conditions Legal challenges, legal powers, judicial reviews or public interest reports Budgetary pressures Loss of/reduction in income/funding, increase in energy costs Cost of living, interest rates, inflation etc. Financial management arrangements Investment decisions, Sustainable economic growth System / procedure weaknesses that could lead to fraud Add value or improve customer experience/satisfaction Reduce waste and inefficiency Raising educational attainment and improving the lives of children, young people and families Maximising independence for older people with disabilities Developing sustainable places and communities Protecting the community and making Copeland a safer place to live Negative publicity (local and national), increase in complaints Loss of key staff, recruitment and retention issues Training issues Lack of/or inadequate management support Poor communication/consultation Capacity issues - availability, sickness absence etc. Emergency preparedness / Business continuity Property - land, buildings and equipment, Information security, retention, timeliness, accuracy, intellectual property rights ICT integrity, security, availability, e-government Environmental - landscape, countryside, historic environment, open space New initiatives, new ways of working, new policies and procedures New relationships accountability issues / unclear roles and responsibilities Monitoring arrangements Managing change Changing needs and expectations of customers - poor communication/consultation Poor quality / reduced service delivery - impact on vulnerable groups Crime and disorder, health inequalities, safeguarding issues Recycling, green issues, energy efficiency, land use and green belt issues, noise, contamination, pollution, increased waste or emissions, Impact of planning or transportation policies Climate change hotter drier summers, milder wetter winters and more extreme events heat waves, flooding, storms etc. Page 19 of 24

20 Risk Management Framework Draft v Appendix B: Risk Identification techniques (Source IRM Risk Management Standard) Brainstorming Questionnaires Industry benchmarking Scenario analysis Risk assessment workshops Incident investigation Auditing and inspection HAZOP (Hazard & Operability Studies) Test marketing/ Market Surveys Business impact analysis SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) Event tree analysis Business continuity planning BPEST (Business, Political, Economic, Social, Technological) analysis Decision taking under conditions of risk and uncertainty Statistical inference PESTLE (Political Economic Social Technical Legal Environmental) Page 20 of 24

21 Risk Management Framework Draft v Appendix C Risk Impact scale with examples Likelihood 6 Very High High Significant Low Very Low Almost Impossible Examples Service disruption Statutory duties Finance Projects Negligible Marginal Critical Catastrophic Impact Minor errors in systems/operations or processes Service unavailable for < 8 hours Statutory duties are being complied with but there is scope for improvement and without an improvement plan in place, there is a risk that statutory duties may be affected. Budget base exceeded by less than 10% Negligible delays < 5% of project spend exceeded Minor deviations from project specification; does not affect final benefits Significant short-term minimal disruption of activities. Service Unavailable for up to 1 day There are isolated unrelated incidents of a failure to deliver a statutory duty with such failure being rectified immediately but the improvement plan already in place is failing to deliver improvements. Budget base exceeded by 10-50% Minor delays with some uncertainties < 10% of project spend exceeded Notable change to project specification Significant disruption of core activities. Service Unavailable for up to 3 days There have been a number of incidents within a single service delivering a statutory duty with delays occurring in rectifying the failures but as yet the impact has not affected the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such. Budget Base exceeded by % Significant Delays in project implementation > 10% of project spend exceeded requiring a review and reframe of the costings. Potential for reduced quality or redesign of Product/Service. Cessation of core activities, Strategies Service Unavailable for 3 days or more There have been a number of incidents in one or more services delivering a statutory duty which is impacting on the community. AND/OR The Council is at risk of receiving or has received a statutory notice or condemnation in connection with a failure or is at risk of being prosecuted for such". Budget base exceeded by over 100% Project Benefits will not be realised in current project plan. Additional or Punitive costs that require major financial replanning or project no longer sustainable Product/Service not fit for purpose Page 21 of 24

22 Risk Management Framework Draft v ICT Failure Staffing/HR Health & Safety Reputational Environmental Contracts Minor disruption in services delivery or function due to ICT systems failure (own or other department - ICT system interdependence) Service unavailable for < 8 hours Short-term low staffing level that temporarily reduces service quality No impact on staff morale Risk of injuries or stress with no workdays lost or minimal medical treatment Short term adverse local public opinion. Customer and Public awareness of environmental safety required in delivering service. No public health concern Failure by a contractor to meet a single minor term of a contract Significant short-term minimal disruption of services delivery or function due to ICT systems failure (own or other department - ICT system interdependence) Service Unavailable for up to 1 day Increase in staff turnover potential impact on service quality and team performance & morale Risk of Injuries or stress level requiring some medical treatment, potentially some workdays lost. Adverse local publicity / local public opinion Limited but repairable environmental damage No Public Health Concern A failure by a contractor or the Council to meet a number of minor terms of a contract which do not impact on delivery Significant disruption to services delivery or function due to ICT systems failure in own or other interdependent system Service Unavailable for up to 3 days Significant staff turnover (proportional to team size) including key personnel. impact on service quality and team performance & morale Risk of Serious injuries or stressful experience requiring medical many workdays lost. Persistent adverse local media coverage / local public opinion Moderate / Medium Term Environmental Damage Public Health Concern requiring engagement A failure by a contractor (including liquidation/ bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to any service but which does not directly impact on the delivery of the Council's statutory duties Cessation of core activities, Strategies due to ICT systems failure in in own or other interdependent system Service Unavailable for 3 days or more Inability to fill key posts. strike action, key staff turnover Severe impact on service quality and team performance & morale Risk of Life threatening or multiple serious injuries or prolonged work place stress Persistent adverse national media coverage / serious lack of confidence in the Council to provide the required service Severe / Irreparable environmental damage Serious Public Health Concerns A failure by a contractor (including liquidation/ bankruptcy) or the Council to perform a major term resulting in a fundamental breach of contract putting the contract at risk of or causing termination and relates to a service which has a direct impact on the delivery of one or more of the Council's statutory duties; Page 22 of 24

23 Risk Management Framework Draft v Appendix D: Risk Management Form Risk Risk Statement Description of cause, risk and consequence Type of Risk e.g. strategic, operational, Risk Scope Description of risk, which areas it covers Risk Owner Risk Score XX LIKELIHOOD: XX (Value X) IMPACT: XX (Value X) Target Risk Score XX LIKELIHOOD XX (XX) IMPACT XX (XX) Risk Treatment Tolerate Treat Transfer Terminate Reason for treatment Causes (Causes or existing conditions) Risks (Uncertain Events) A full list of events which may cause the risk to occur Consequences Risk owner Date Last Reviewed Consequences that the Council will suffer if the risk is unmanaged All risks must have a risk owner Strategic risk must have an Executive, CLT, and LMG Owner assigned. Operational Risks must have a CLT and LMG Owner assigned. Date when the risk was last reviewed Action/ Controls already in place A list of activities that are already in place to reduce the impact or likelihood of the risk. Required risk management action/control A list of activities that needs to be undertaken in order to reduce the likelihood and/or the impact of the risk to tolerable levels. Page 23 of 24

24 Risk Management Framework Draft v Appendix E: Risk Register Action Plan Template Risk Number Action Number Date Added Action CLT Owner LMG Owner Original Deadline Date Updated Progress Update Status Date Closed Page 24 of 24