RISK MANAGEMENT POLICY, STRATEGY AND RISK CONTROL PROGRAMME FOR 2010/11

Transcription

1 1 Cabinet 4 May 2010 Item: RISK MANAGEMENT POLICY, STRATEGY AND RISK CONTROL PROGRAMME FOR 2010/11 Report by Ian Jackson, Director, Corporate Services 1. INTRODUCTION This report invites Cabinet to approve:- (1) the Council s risk management performance in 2009/10; (2) its Policy, Strategy and Risk Control Programme for 2010/11; (3) the Council s Risk Management Framework (Appendix A); and (4) changes to the local Performance Indicators for risk management. 2. BACKGROUND Under current legislation Midlothian Council has to have in place a systematic and demonstrable means to identify, evaluate and treat risk. 1. Risk Management Performance in The council s approved performance indicators on risk management are presented at Appendix B. Over the year, the risks facing Midlothian Council have been significant yet they have been understood by elected members and management and have been managed well, or reasonably well, depending on the circumstances e.g. recession. Members will see from the appendix that there are some shortfalls in risk management practice and these have been carried forward into 2010/11. Cabinet is also invited to approve the alterations to PIs 4, 5 and Cabinet Policy (which sets the tone for risk management) Policy Element No.1 The Council has for some time adopted the Enterprise Risk Management Model (ERM). ERM concentrates on threats and impediments to corporate aims and objectives which have been developed from the Single Outcome Agreement, the Community Planning process, citizen consultation and other means. The following is an expanded explanation of ERM:- Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and

2 2 across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Within this process the Council views four threats as of utmost importance reputation damage, financial loss, disruption to services and missing opportunities to advance the well-being of the area. In addition the Council is conscious of the likelihood of the biggest threats existing in the matters of Finance (eg Financial Strategy, Financial Leakage), Information Technology (eg Resilience, Data Security), Property (eg Buildings fully supporting services), Employees (e.g. Performance, Duty of Care) and Customer-based services (e.g. providing quality services and duty of care over vulnerable clients). Policy Element No.2 As an aspiring Best Value Council, Midlothian is prepared to take controlled risk to advance the well-being of the area and this can be evidenced in certain joint venture and sharing of services partnerships. Policy Element No.3 The Council aims to be risk aware, not risk averse, and this means it:- aims to understand its threats and risks and applies a systematic and holistic approach; develops through management a clear risk appetite for strategic and corporate risks, operational risks and project risks and constantly drives risk exposures down to acceptable levels; is provided with analysis of risk when making key decisions and approving policy; strives to impress external inspections on its management of risk; has strong leadership in the management of risk from Elected Members and Senior Management, with the Director, Corporate Services the lead Director on the facilitation and coordination of risk management; Identifies emerging risks and analyses the threats fully; and Foresees risk issues in Major Change. Policy Element 4 The Council recognises that risk is not constrained to internal matters, as the Council has many instances of working in partnership, and it analyses risk when working with partners and in joint ventures. The Community Planning Partnership strives to be risk aware.

3 3 Policy Element 5 The Council recognises that it cannot achieve Best Value carrying high risk exposures. Therefore the Council strives to control risk as far as possible and therefore risk management is integrated with the Planning and Performance Management Framework. Risk Management is embedded into the Council s Performance Management system and registered risks are reviewed every quarter, with the most serious risks reported to senior management and elected members. The Council has an elevation process, allowing the most pressing risks to be raised to senior agendas. Policy Element 6 All risk specialists within the Council Risk Manager, Internal Audit, Insurance Officer, Information Security Officer, Health and Safety Adviser, Contingency Planning Officer and Front-Line Service Managers meet regularly and as such are integrated into a common purpose, to control risk. Risk Management and Internal Audit services are now a merged service. Policy Element 7 To ensure consistency, and high standards, the Council has adopted the ALARM/AIRMIC/IRM standards, which are nationally recognised as a blueprint for successful risk management. So as not to be insular, the Council benchmarks its management of risk on a regular basis and has risk management performance indicators. Policy Element 8 To ensure that the Policy is fully effective, the Council ensures sufficient resources are available for the facilitation and coordination of risk management, sufficient monetary resources are in place to reduce and control risk and managers and elected Members are trained in risk management. Policy Element 9 In addition, the Council ensures that the Risk Management structures and processes are enveloped within a Risk Management Framework (attached). 3. Risk Management Strategy and Control Programme 2010/11 Risk management is a continuing process, is linked to management action and Cabinet policy above dictates that it should be prominently placed at the front of decision-making. Of course risk is managed in everyday actions but the supporting guidance of the Local Government Act expects every Scottish Council to have a systematic means of understanding and assessing risk.

4 4 This Council s Risk Management Framework at appendix A demonstrates compliance with the guidance. However, Cabinet members will see from the 2009/10 PIs the Framework does not guarantee success and there is room for improvement. In 2010/11 Cabinet is invited to adopt a strategy and control programme that:- Continues the best practice; and Addresses known weaknesses. To this end, and underneath the overriding policy, the strategy should be to seek reliable risk assessment, robust reporting and risk mitigation in:- Specific Actions (the control programme) During 2010/11, the intention is to pursue the following actions:- 1. Ensure robust risk assessment and reporting is in place for all aspects of the Corporate Change Programme, computer projects, key partnerships, major construction projects, divisional and operational risks and generic and corporate risks. (These will be listed, discussions will be undertaken with managers and risk assessment and reporting policed); 2. The Business Continuity Group continues to improve resilience (This will be in accordance with actions arising from the group s gap analysis and performance reporting); 3. Concentration on potential for reputation damage, financial loss, disruption to services and missing opportunities (a particular focus will be made on these potential show-stoppers and the council s important services like housing, economic development, schools, care in the community etc.); 4. Robust risk assessment and reporting on the council s corporate priorities (the Corporate Management is now receiving a six-weekly risk analysis on threats to corporate priorities and managing actions to mitigate any serious risk); 5. Closure of any gaps in health and safety practice (this will be through the health and safety annual plan and risk register, focusing on where there have been trends in accidents and insurance claims); 6. Improving employee driving standards (this will be through improving analysis of accidents, insurance claims and compliance with the driver handbook); 7. Reducing the amount of spurious insurance claims, at the same time ensuring that bon-fide claimants receive compensation (analysis of insurance is ongoing through the risk management group); 8. Addressing any weaknesses which will be highlighted during the forthcoming Statement of Corporate Governance (by ensuring that any weaknesses are brought into improvement plans);

5 5 9. Reviewing specific duties of care e.g Adult and Child Protection (this will be through the interpretation of risk assessment and through a specific internal audit of case governance); 10. Risk assessment and reporting on future legislation compliance (this will be through the risk management group identifying future legislation and regulation and encouraging robust risk assessment) an; 11. Identifying serious gaps between the residual risk exposure and the risk appetite/tolerance levels 3. RESOURCE IMPLICATIONS Financial Implications There are no direct financial or resource implications in this report. The actions in 2010/11 may actually save money or avoid financial penalties. Risk Implications In law, the council is required to manage risk through a systematic and holistic approach. This requirement is met through the council s risk management policy, strategy, framework and annual control programme. The council is facing unprecedented change, which is risky, and the policy and strategy for 2010/11 reduces the risk of objectives and priorities not being met. The strategy includes an elevation process if a new risk appears that is likely to be problematic or a known risk exposure deteriorates. Risks of this nature are automatically presented to cabinet and senior management through quarterly performance reporting. Policy Implications The Risk Management Policy of the Council is one of the key policies in demonstrating best value. In Risk Identification, Evaluation and Treatment all known risks are taken into account, including those relating to Equalities and Sustainability. 4. RECOMMENDATIONS Cabinet is invited to:- (1) Note the performance of risk management in 2009/10; (2) Approve the Risk Management Policy, Strategy and Risk Control Programme for 2010/11 (3) Endorse the planned actions and focus for 2010/11; (4) Approve the changes to the Risk Management Performance Indicators for 2010/11;

6 6 (5) Approve the attendant Risk Management Framework; and (6) Note that this report will be scrutinised by the PSA Committee on a quarterly basis. Contact: Gerald Tait or Gerald.tait@midlothian.gov.uk

7 7 APPENDIX A MIDLOTHIAN COUNCIL RISK MANAGEMENT FRAMEWORK (NB Where required, under each section, further detail is provided on the usefulness of each part of the Framework) Statutory background to Local Authority Risk Management This is contained within the Local Government in Scotland Act 2003, commonly referred to as the Best Value and Community Planning Act. This Act brought new risk management responsibilities to Councils to assess risk at all levels and mitigate it in so far as it doesn t impact heavily on corporate aims and objectives. Best Value Guidance supplied by the Government builds on this and indicates that a Council that does not control, or take, risk is unlikely to be a Best Value Council. In reality the Council is looking towards avoiding serious:- Financial loss (in fact it may wish to take controlled risk to achieve financial gain); Disruption to services (in fact it may wish to take controlled risk to enhance services further); Damage to the area/environment (in fact it may wish to take controlled risk to enhance the area/environment); Reputation Damage; and Missing of opportunities (in fact it may wish to take controlled risk to improve the area and meet need). Risk Management Framework (the envelope of all risk matters in Midlothian) The Risk Management Framework outlines the structures, systems, events, processes, reporting lines that make up Midlothian Council s approach to the management of risk in threats and opportunities. RISK MANAGEMENT POLICY (is a brief statement of intent by the Cabinet and is ratified annually)

8 8 1. Midlothian Code of Corporate Governance Is the overarching Code that indicates that the council has a risk management policy and other structures listed elsewhere in this framework. The Code is approved by council and is reviewed and updated every two years. It is regularly audited by external and internal audits. (The code is Midlothian s document that regulates the business affairs of the Council, maintains accountability, standards, governance and openness). 2. Annual Risk Management Strategy This normally accompanies the Policy being reported to Cabinet in March each year. It sets out what the Council is trying to do in relation to risk management during the ensuing year. It therefore sets the scene, context and the tactics to be employed. 3. Annual Risk Control Programme This is the means by which the strategy will be achieved in the ensuing year of account and is normally a series of actions to be progressed by officials. The Policy, Strategy and Risk Control Programme are subject to a mid-year monitoring reported presented in October/November to Cabinet and the Performance, Scrutiny and Audit Committee a month later. The Programme picks up any outstanding actions from the previous year. 4. Adoption of Risk Management Standards Within the Policy and Strategy are included references to Enterprise Risk Management (ERM) and the adoption of this risk management model which monitors and controls risk in relation to risks and opportunities that could impede or achieve Council aims and objectives. This is downside as well as upside risk management and examples of both are:- downside Payroll the risk appetite (attitude to risk) has to be very, very low because the Council cannot take risks and make mistakes with payroll processing upside Shawfair Project the council is in partnership with the City of Edinburgh Council in relation to developing a new settlement as part of the South East Wedge. We are using Council owned land essentially to develop infrastructure, to build houses (including social housing), develop a community and link this new town into the Waverley Rail Project. Therefore we are taking controlled risk because the financial rewards are likely to be significant as well as meeting housing need.

9 9 The Council has adopted the IRM/AIRMIC/ALARM joint standards for risk management which are nationally recognised as best practice. These can be referred to in the IRM/AIRMIC/ALARM booklet. (It is important to show external inspection agencies that we are following best practice standards) 5. Corporate Management Team (CMT) reviews Corporate and Divisional Management Teams (DMT) review Strategic Risks In Covalent, Management has coded around 35 risks which are axiomatic to the welfare of the Council. These are generally Strategic Risks, possibly of national or regional importance or they are in relation to a major project. They may be Corporate Risks which affect every service across the Council like sickness absence, health and safety, data protection, IT and Modernising Midlothian. CMT receives a report every six weeks on Corporate risks and monitors the success of previously agreed actions and risk exposure trends. DMTs review strategic risks on an ongoing basis but as a minimum quarterly. There is a system for elevating problematic risks (red risks) from operational and project risk registers if they require CMT attention. The Council s corporate priorities (actions and indicators) supporting the Single Outcome Agreement, Community Plan and Corporate Strategy are assessed on a regular basis to highlight any possible impediments. (It is essential that the Council is aware of the significant threats and is regularly reviewing them). 6. Risk Management Group of divisional representatives The Risk Management Group is chaired by the Risk and Audit Manager and is attended by divisional representatives, generally at Principal Officer or Head of Service levels. All risk disciplines attend ie Risk Management, Internal Audit, Health and Safety, Insurance, Contingency Planning and Information Security, as well as Service Management. The Group monitors risk performance targets, discusses risk exposures, promotes risk management and internal control across Divisions and suggests mitigating measures for risk hotspots. The Group minutes are issued to Divisional Management Teams and the Chair of the PSA Committee. Any important recommendations are presented to CMT and become part of the Strategic and Corporate Risk Register. Every six months the Group assesses its own effectiveness.

10 10 (The Group coordinates all risk management matters to assist consistency across the Council. It also acts as a forum where alarm bells can be rung in relation to existing risks and emerging risks). 7. Business Continuity Group The BCG is chaired by the Chief Executive and focuses on compliance with the Civil Contingencies Act and potential loss of accommodation, computer systems, staffing and other resources. There are Divisional and Generic (e.g. IT) Business Continuity Plans The Group also monitors Emergency Planning and has input to the Regional/Community Risk Register. The Group reports to CMT and the PSA Committee. When required, the Risk and Audit Manager provides the risk assessment expertise. 8. Operational Risk Improvement Plans (RIPs) Every six months Heads of Service receive RIPs which focus on the high and medium risks within their services, inviting extra mitigating actions. There is continuing validation of risk registers by service managers to support this. The Risk and Audit Manager, through the Risk Management Group, has issued guidance to Divisions on how Divisional risk management governance should be applied. (It is important for operational services to produce reports that show risk problems and progress) 9. Risk Management Statements in reports to Council, Cabinet, Committees, CMT All levels of Management have guidance on how these statements should be compiled and presented with the aim of having proper and meaningful risk data supporting policy/practice decisions. (Elected Members and Chief Officials must be fully aware of the risk implications in taking certain courses of action) 10. Risk Management Guidance and Training Ad hoc and ongoing formal training is given to Elected Members and all levels of Management on Risk Management and Covalent/Risk. A quarterly risk newsletter supports the guidance. There is a risk management website (Finance > FAQ > Risk Management) which is updated every quarter. New Elected Members and Senior or Middle Managers are always visited to explain the Council s risk management framework.

11 11 (Risk awareness cannot be achieved without this Framework and regular training and guidance) 11. Risk Registers Risk Registers are used to formally register all threats and opportunities of consequence. Covalent hosts all the Council s risks in formal risk registers, for strategic and corporate risks, operational risks, change management risks, partnership risks, thematic risks, joint venture risks and computer and construction project risks. Risk assessments for some major projects, like the Waverley Rail, are held outside Covalent. Covalent risk data is presented in quarterly performance reports and there are a host of standard risk reports available to Managers. As the schools risk register affects up to 40 schools, a separate risk management website has been created on the schools intranet, where Head Teachers can view the risk register and other Risk Management matters. The risk register contains around 15 key school site risks. Management is urged to register emerging risks as soon as they appear on the horizon. (The Council can systematically demonstrate it has assessed the risk in everything it does) 12. Risk Management included in Major Strategies and Plans Risk assessment supports many of the Council s main strategies and plans ie the Strategy or Plan may highlight what the risks are and provides solutions to help achieve the strategy or plan. (Again this demonstrates that Management is risk aware) 13. Specialist Risk Management Adviser This is 50% of the time of the Risk and Audit Manager and 50% of the time of the Auditor 2 post. This risk management service facilitates and coordinates all the risk management work within the Council and ensures that this framework is operating. The Manager reports to the Head of Finance and then the Director, Corporate Services. The service uses the free risk management consultancy expertise of Gallagher Bassett (GB), the Risk Management arm of the Council s insurers. Around four times a year GB surveys discrete risk management aspects and provides a survey report which is presented to the Risk Management Group and to the Performance, Scrutiny and Audit Committee. Some previous surveys have included school trips, driving standards, violent incidents and the categorising and scoring of risks.

12 12 (Under Best Value Guidance, it is important to demonstrate that the Risk Management culture is led by a Chief Official and a middle manager has the specialist knowledge) 14. Preparation for External Inspections Generally external inspectors seek details of the Council s Risk Management framework and we demonstrate effective and ongoing risk management through this framework. External inspections are reported to CMT as a Corporate risk. ( Risk is an oft-used work in inspection regimes and indicates agencies are expecting the Council to be fully risk aware) 15. Preparation for New Legislation All major pieces of legislation are risk assessed and reported to DMT and occasionally CMT. If there are considerable resource issues, Cabinet may receive a report. (When breaking new ground it is essential the Council is aware of the implications) 16. Risk Management in Partnership Working Risk management is included in the Community Planning Partnership (CPP) governance agreement. The CPP has six subordinate Strategic Groups which have 10 key risks to manage. There is a partnerships risk register which is reviewed quarterly by the Policy and Performance Team. (Being a relatively new requirement, the Community Planning framework must be risk aware and partnership risk management is important) 17. Joined up Internal Audit and Risk Management Services Since the summer of 2008 risk management and internal audit have been merged services, facilitating greater integration and enhanced recruitment and retention possibilities and allowing an integrated approach to risk. Independent Internal Auditors critically examine the management of risk registers as part of their audit and audits generally take a risk-based approach. The financial year saw an amended approach to internal auditing. Instead of devoting the whole internal audit plan to core financial systems, the service is using around 40% of the audit resource to review Strategic and Corporate Risks. The resource is particularly applied to risks that are showing signs of reduction in exposure; Internal Audit examines and tests whether internal control can actually be relied upon.

13 13 (This places Internal Audit right in the centre of the Council s main business affairs and is able to provide effective assurance) 18. Risk Performance and the Performance, Scrutiny and Audit Committee To support quarterly divisional and whole-council performance reporting, Managers are expected to review the risks under their management and flag any problem risks to their Head of Service and Director/Cabinet spokesperson. If a risk is very urgent it should be elevated immediately. 19. Risk Management and the Audit Committee Midlothian s Audit committee principles, in accordance with the CIPFA Toolkit, are managed through the Performance, Scrutiny and Audit Committee. The committee scrutinises the Risk Management Policy, Strategy and Risk Control Programme, the Strategic and Corporate Risk Register and this Framework and generally promotes the sound management of risk. (It is important that Elected Members making policy are risk aware but, equally, it is important that Elected Members scrutinising policy and performance are risk aware too). 20. Risk analysis in Option Appraisal As from June 2009 the Council has a corporate option appraisal, which supports the Capital Investment Strategy. Whenever options are identified, the risk management service assists in risk analysis; the threats and opportunities of each option. (Option Appraisal assists the Council in making major decision; risk management is at the centre of this) 21. Risk Management Benchmarking and Performance Indicators While the ultimate test of the Council s Risk Management arrangements is through the Best Value reports of Audit Scotland, the Council has a number of ways of testing the efficiency and effectiveness of its management of risk viz:- Comparing Midlothian s Best Value report with the other 31 Scottish Councils; Reviewing and applying best practice from the professional bodies; Occasionally completing survey questionnaires and interpreting the results; Twice yearly review of the success of the Council s Risk Management Group; and

14 14 Review of around 20 PIs which are then reported to CMT, Cabinet and the PSA Committee 22. Summary The Council is confident the 21 points listed above meets the requirement of ERM, Risk Management Standards and its own Risk Management Policy but accepts that all 21 require regular monitoring. Version Control 1 Framework drawn up February 2005 Drawn up to consolidate all previous risk management work 2 January 2009 Including piece under 5 about risk assessing corporate priorities 3 May 2009 Adding information on school s risk register; internal audit of corporate and strategic risk, risk in option appraisal; benchmarking and PIs and use of Gallagher Bassett on risk surveys 4 May 2010 Minor changes to wording 5 6

15 15 Appendix B RISK MANAGEMENT PIs PI Results at 31 March % of agreed corporate priorities Over the years, corporate priorities have had that have been risk assessed in the associated risk assessments. For the present year corporate priorities the CMT has conducted an early risk assessment in March 2010; the assessment is being developed further and is to be presented regularly to the CMT. The main direction is to highlight the various potential threats to each of the corporate priorities and split them in two threats that are managed to low risk and those that may prove problematic. Thereafter, the main focus will be 2. Risk Registers in place for the Community Planning Partnership (CPPs) and other key partnerships and reviewed by the partnerships at least twice a year 3. Local Code of Corporate Governance reviewed in the year and used to support the Statement of Corporate Governance 4. % of Strategic residual risks that are red and yellow when viewed against the total 5. % of operational residual risks that are red and yellow when viewed against the total 6. % of construction projects over 250k that have solid risk analysis and reporting in place 7. % of new computer projects that have solid risk analysis and reporting in place 8. Risk assessments supporting all pending new, major legislation 9. Risk Assessments supporting preparation for major external inspections on the latter. There remains some consolidation work regarding 10 key risks for each of the CPP s strategic groups. This was reviewed, updated and approved by Council and is now being used to prepare the 2009/10 Statement of Corporate Governance. This PI has changed to:- No. of all risks within a division that are coded red; and No. of red risks that have completed actions or actions in progress There was an 85% target with bullet point two and each division has achieved this. Each of these high risks is subject to quarterly scrutiny. Another element of assurance is if a risk is coded high it is immediately elevated to Director level attention. Ditto This is an area that requires improvement. Computer projects follow PRINCE2 principles, requiring risk registers and risk reporting. Project Managers have achieved certain levels of assurance with this but subject to review. This routine has lapsed. While management is managing risk in this area, it is not consistently carried out using a front-end risk assessment. This requirement is complied with through selfassessments e.g schools, SWIA inspections.

16 16 PI Results at 31 March % of risk registers reviewed and Compliance updated four times a year by Management to coincide with quarterly performance reporting to PSA 11. Risk Manager reports in March each year to Cabinet on ensuing year s Risk Management Strategy and provides a follow up in October. Furthermore, the report provides elected members to review the council s risk management framework 12. Risk Manager reports quarterly progress on risk management to the PSA committee. 13. When deciding policy, or policy changes, elected members are presented with adequate information on risk. 14. % of Divisional Risk Improvement Plans reviewed in the year 15. When viewed against the total, % of outstanding actions in risk registers, sitting against high, medium and low risks that are time expired. 16. Expenditure on risk management initiatives as a % of the overall Council budget 17. Total expenditure on the corporate Risk Management function as a % of the overall Council budget 18. Achievements of the Risk Management Group are monitored 19. % of public liability insurance claims with nil payouts when viewed against the total Considered more appropriate for this report to be approved by Cabinet in May of each year, allowing time to analyse the results of the previous year. Compliance. This is in accordance with the Audit Committee Reporting Calendar. Compliance through official reports to Full Council, Cabinet, PSA Committee and other committees. Each Divisional Management Team has been provided with RIPs and support to manage risks. During 2009/10, it was found that several actions have become out of date or time expired. Through the RIPs above, this problem is gradually being progressed. This PI is considered to be meaningless. Sound risk management can often be realised without funds. However, it is retained for the purposes of the CIPFA Directors of Finance PIs. Ditto A list is maintained, reviewed quarterly, of where the Group has:- Directly influenced enhanced risk management practice; Indirectly influenced enhanced risk management; and Still some influencing to carry out in certain risk exposures. From this list, there are positive results that the Group is making a difference The Council continues to have a robust record in rebutting claims but also ensuring legitimate claims are met with positive results for the claimants. 20. % of employers liability Occasionally health and safety practice has been

17 17 PI Results at 31 March 2010 insurance claims with a nil pay out found to be deficient and this has led to expensive when viewed against the total insurance claims. The Council s record in rebutting claims remains good but occasionally successful claims are expensive. The Risk Management Group continues to review the cause of accidents and the mitigating actions that are required to prevent further 21. Reduction in motor accidents and insurance claims on the previous year 22. % of current Best Value reviews that are supported by risk analysis 23. % of major Strategies, Plans and Policies that include risk management within them 24. Overall the council s residual risk exposure is in line with its risk appetite/tolerance accidents. According to recent claims, vehicle accidents have risen in the past but this is because of better accident reporting. Problems of reporting accidents, and attendant costs, to the Insurance Officer, had been a problem during 2009/10 but are now resolved. Best Value reviews always involve risk analysis. The important requirement for 2010/11 is that all the major changes and projects with the overall Corporate Change Programme must be risk assessed. There are a few high profile Strategies, Policies and Plans containing risk analysis but a review is required to uncover any shortfall. Each keeper of a risk register (there are 75 in the council covering strategic, corporate, project and operational risks), is obliged to aim for a residual risk exposure (after internal controls have been put in place) that is near the acceptable level of risk. Certain circumstances, mainly associated with the recession, have meant that during 2009/10 the matching of the residual risk exposure with the risk appetite/tolerance levels has not always been possible.