RISK MANAGEMENT POLICY. Head of Corporate Development and Change. Policy owners

Transcription

1 POLICY RISK MANAGEMENT Policy owners Policy holder Author Head of Corporate Development and Change Risk and Policy Manager Head of Corporate Development and Change/ Programme Manager/ Risk and Policy Manager Policy No. 35 Approved by Legal Services Policy owner N/A JJNCC 04/01/16 Note: By signing the above you are authorising the policy for publication and are accepting accountability for the policy on behalf of the Chief Constables. Publication date Review date APP Checked Note: Please send the original Policy with both signatures on it to the Norfolk CPU for the audit trail. Page 1 of 17

2 Contents 1. Introduction The Purpose of Risk Management Norfolk OPCC Risk Management Arrangements Suffolk OPCC Risk Management Arrangements Responsibility for Managing Risk Non Adherence to the Risk Management Process Risk Management Process Flowchart showing the Risk Escalation Process Definitions APPENDIX A - RISK REGISTER TEMPLATE (RAIDE) Legal Basis Other legislation which you must check this document against (required by law) Act (title and year) Human Rights Act 1998 (in particular A14 Prohibition of discrimination) Equality Act 2010 Crime and Disorder Act 1998 Health and Safety Legislation Data Protection Act 1998 Freedom Of Information Act 2000 Other Related Documents Authorised Professional Practice - including the Ten Risk Principles Page 2 of 17

3 1. Introduction 1.1 The Risk Management Policy provides a clear and concise outline of Norfolk and Suffolk Constabularies minimum requirements for risk management. The purpose of this Policy is to: establish the risk management framework within the governance structure of Norfolk and Suffolk Constabularies; set out the minimum risk management requirements and practices that should be undertaken; by whom and when; and outline the consequences for non-adherence; define key risk management requirements; responsibilities; practices; and terminology; and communicate how risk management will be implemented throughout Norfolk and Suffolk Constabularies to support the realisation of their objectives. 2. The Purpose of Risk Management 2.1 The purpose of Risk Management is to ensure that risks are effectively and appropriately identified, mitigated and escalated. Good risk management can help to reduce potential threat and harm, increase potential benefits and be used to maximise opportunities. 2.2 The identification and assessment of risk is the responsibility of all officers and staff. The management of risk is formalised and monitored through Risk Registers which are managed by Senior Management Teams (SMTs), Directors, Commanders, Department Heads and Chief Officers. 2.3 Section 7 details the proposed joint risk management process for Norfolk and Suffolk Constabularies, showing how risk is dealt with by mitigation and/or escalation to the appropriate level. 2.4 The flow chart in Section 8 describes the functions and/or meetings impacted by the risk process. It details the role of the Risk and Policy Manager and the Programme Management Office (PMO) in terms of collating and monitoring the risks identified by Commands/Departments and taking these through the governance arrangements to Joint Chief Officer Team (JCOT), Joint Organisational Improvement Group (JOIG), Programme Co-ordination Board (PCB) and, where appropriate, to the Offices of the Norfolk and Suffolk Police and Crime Commissioners (OPCCs). 2.5 The Joint Risk Management Process aligns the methodology for assessing and managing organisational, operational, strategic, project and programme risks into a single approach using the same assessment and scoring methodology. Page 3 of 17

4 2.6 Operational, organisational and strategic risks are monitored and managed by the Risk and Policy Manager in CD&C. This post works closely with the PMO who has responsibility for monitoring programme and project risks. 2.7 A single risk register template entitled Risk, Assumption, Issue, Dependency and Environmental Scanning (RAIDE) which can be found at Appendix A has been developed which will incorporate operational, organisational and strategic risks, the programme RAIDE log (incorporating programme and project risks) and a section highlighting potential emerging risks (through environmental scanning). The Risk and Policy Manager and PMO will use this single register to report on risk to the appropriate meeting forum (in accordance with Risk Escalation Flowchart at Section 8). 2.8 There are risk registers at four levels as outlined below: Command/Department Risk Register (covering operational, organisational risks): Owned by the Command/Department Head; Monitored monthly by Command/Department SMTs; Referred on a monthly basis to the Risk and Policy Manager; Via Risk and Policy Manager, joint risks on Command/Department Risk Registers which meet required scoring level are escalated on a bi-monthly basis (every two months) as the Joint Strategic Risk Register (see below) to the JOIG and to the Organisational JCOT meetings as appropriate using the single RAIDE risk register template; Via the Risk and Policy Manager, single force risks on Command/Department Risk Registers which meet the required scoring level are escalated on a regular basis to the Norfolk Chief Officer Team (COT) and the Suffolk Chief Officer Briefing (COB) as a single force Strategic Risk Register (see below) using the RAIDE risk register template. Project RAIDE Log (covering project risks, assumptions, issues, dependencies and emerging issues): Owned by the Department Head delivering the change and the Project Manager supporting them; Includes risks identified through delivery of the project; Monitored monthly by the PMO, Programme Manager and Head of CD&C; Via the PMO. Joint risks on project risk registers which meet the required scoring level are escalated on a monthly basis; Referenced against the broader programme implications which then feeds into the monthly PCB and JCOT meetings. Page 4 of 17

5 Programme RAIDE Log (covering both project and any wider programme risks, assumptions, issues, dependencies and environmental scanning): Owned by Deputy Chief Constables; Includes risks identified in Change Programme Portfolio Manager and Change Project Manager Project Risk Registers; Monitored monthly at PCB meetings; Via the PMO, joint risks on project risk registers which meet the required scoring level are escalated on a monthly basis; Referred monthly to Change Joint Chief Officer Team (CJCOT) meetings; Submitted to each Collaboration Panel for consideration of Joint Strategic Risks. Norfolk and Suffolk Strategic Risk Registers Owned by Chief Constables and PCCs; Norfolk PCC and Chief Constable will maintain a separate Strategic Risk Register for each Corporation Sole; Suffolk PCC and Chief Constable will maintain a separate Strategic Risk Register for each Corporation Sole; Constabulary Strategic Risk Register(s) will be monitored regularly at Norfolk COT meetings and Suffolk COB meetings; Escalation of joint Norfolk and Suffolk risks to Organisational JCOT for consideration via RAIDE template when appropriate; Constabulary Strategic Risk Register Managed by the Risk and Policy Manager; Constabulary Strategic Risk Register periodically reported to respective Norfolk and Suffolk Audit Committees for consideration of Constabulary Strategic Risks. 3. Norfolk OPCC Risk Management Arrangements 3.1 Norfolk OPCC has its own Risk Management Policy in place formalising the risk procedure they follow. They produce their own Strategic Risk Register which is considered and reviewed through the Norfolk OPCC meeting structure. 4. Suffolk OPCC Risk Management Arrangements 4.1 Suffolk OPCC has its own Risk Management Strategy in place formalising the risk procedure they follow. They produce their own Strategic Risk Register which is considered and reviewed through the Suffolk OPCC meeting structure. Page 5 of 17

6 5. Responsibility for Managing Risk 5.1 Responsibility for integrating risk management into normal working practices lies with the SMT of each Command and Department. 5.2 Commanders, Departmental Heads and Directors have the ultimate responsibility for ensuring that risk management is effectively managed within their areas of responsibility. 5.3 Risks that cannot be satisfactorily managed at the Command/ Department level will be "escalated" following the process in Section 7 and the flowchart in Section 8 to a level where either: resources can be found to manage the risk; or an informed decision can be made to accept the risk. 6. Non Adherence to the Risk Management Process 6.1 The consequences of not adhering to this Risk Management policy could include: Increase in the potential harm to Norfolk and Suffolk Constabularies aims and objectives; Decrease in the potential benefits to Norfolk and Suffolk Constabularies aims and objectives; Not maximising opportunities for Norfolk and Suffolk Constabularies. 7. Risk Management Process 7.1 The following process describes how risk should be assessed and managed. It shows how risk is dealt with by mitigation and/or escalation to the appropriate level in the organisations. Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Identify your key objectives Identify risks which could prevent you from achieving your objectives Evaluate those risks to distinguish high risks from low risks Consider any other controls/counter measures you could introduce from within your resources and develop an action plan if appropriate Re-evaluate the risk to show any new scores once the control measure(s) has been applied Identify the current risk response Record this process in a risk register Review risks on a regular basis 7.2 STEP 1 - IDENTIFY KEY OBJECTIVES Objectives/targets/tasks may relate to: Page 6 of 17

7 Business as usual Projects or contributions to projects managed by other units Contributions to the broader programmes of work 7.3 STEP 2 IDENTIFY RISKS TO THE ACHIEVEMENT OF OBJECTIVES This step is undertaken using intuitive knowledge of past events and understanding the risks faced in the achievement of objectives. As well as own experience, other sources of information to help identify risks may include: Results of Performance Management Inspection and Review visits Results of Her Majesty s Inspectorate of Constabulary (HMIC) Baseline and specific focus Assessments Comparison from benchmarking activity Work done for business continuity processes Health and Safety Risk Assessments Opinions and recommendations from External Audit Opinions and recommendations from Internal Audit It is important to consider those risks which could impact on the achievement of objectives, e.g., the Health and Safety Risk Assessment process will highlight a number of risks but at the operational level they are only appropriate if they represent a risk to the objective. To help structure thinking, the following risk types have been developed. Service Delivery Risks associated with the ability to plan and maintain appropriate levels of service to customers and stakeholders when monitored and tested within the constabularies or by various inspection agencies. Performance Risks associated with the ability to achieve priorities and realise objectives. Reputation Risks associated with the ability to maintain the image of both Norfolk and Suffolk Constabularies and prevent loss of public confidence. Environmental Risk of environmental damage caused by the service and other environmental considerations in service delivery. Page 7 of 17

8 Finance Risks associated with financial planning, control and management of financial transactions. Scope Risks relating to the product/objectives ultimate ability to be fit for purpose. Time Risks relating to the product/objective being delivered within a reasonable timeframe. Legal Risks relating to possible non-compliance or breaches of regulation and/or legislation. 7.4 Once risks to the Command/Department have been identified, it is helpful to be able to express risk in a manner which is consistent throughout both constabularies, e.g., EVENT CONSEQUENCE IMPACT Typical phrasing would be: Loss to.. ) Failure of.. ) Lack of.. ) leads to.. resulting in. Partnership with.. ) Development of.. ) e.g. Failure of Uninterrupted Power Supply leads to inability to power up computer systems during power outage resulting in personnel unable to use computer systems to undertake normal duties. or Insufficient probationer training leads to inappropriate actions by officers resulting in allegations of malfeasance and civil claims against both Constabularies Page 8 of 17

9 7.5 STEP 3 RISK EVALUATION This step involves thinking about how likely it is that the risk will actually occur and the damage it can do to the achievement of our objectives if it does occur. Likelihood - the evaluated (often intuitive) probability of a risk actually happening and how often it may arise, e.g., the risk not having enough experienced officers to deal with an operational incident may be expected to happen six times per year. The assessment should be based on the risk as it stands including any controls already in place. Impact - the evaluation of the damage the risk can do if it actually occurs. Again this is an intuitive process. The assessment should be based on the risk controls already in place. In other words, look at the impact as this risk stands today. It is important to achieve a common understanding of likelihood and impact. A common understanding of risk will be maintained throughout both constabularies so the following definitions assist this evaluation process. Likelihood of Risk Occurring Objective Assessment Criteria LIKELIHOOD SCORING Score Likelihood Description 4 Almost Certain Is expected to occur in most circumstances 3 Likely Will probably occur at some time, or in most circumstances 2 Possible Fairly likely to occur at some time, or in some circumstances 1 Remote Possibility Is unlikely but could occur at some time When evaluating the impact, all risk scores are relevant and there can be more than one risk outcome arising out of the same activity. Page 9 of 17

10 Impact should Risk Occur - Objective Assessment Criteria IMPACT SCORING Impact Description Criteria Service Delivery Significant disruption to OPCCs/Constabularies organisation unable to function and customers not serviced (loss of service for more than 7 days) Performance Non delivery of corporate objective Critical 4 Serious 3 Marginal 2 Reputation Environmental Finance Extensive adverse coverage in national press/broadsheet editorial and national TV item Significant local, national and/or international environmental damage Financial Loss (more than 3% of Budget) Scope Significant impact on the product/objectives ultimate ability to be fit for purpose. Time Significant effect on the product/objective being delivered within a reasonable timeframe. Legal Significant prospect of possible noncompliance or breaches of regulation and/or legislation. Service Delivery Major disruption to OPCCs/Constabularies serious damage to organisation s ability to service customers (loss of service of more than 48 hours but less than 7 days) Performance Major impact on achieving corporate objective Reputation Environmental Finance Scope Time Legal Service Delivery Performance Reputation Environmental Finance Adverse coverage in national Broadsheet press and/or local and national TV reporting Major damage to local environment Financial Loss (more than 1% and up to 3% of Budget) Major impact on the product/objectives ultimate ability to be fit for purpose. Major effect on the product/objective being delivered within a reasonable timeframe. Major prospect of possible noncompliance or breaches of regulation and/or legislation. Noticeable disruption to OPCCs/Constabularies would affect some customers (loss of service less than 48 hours) Noticeable impact on achieving corporate objective Adverse coverage in national tabloid press and/or extensive front page coverage in local press and local TV Moderate damage to local environment Financial Loss (more than 0.5% and up to 1% of Budget) Page 10 of 17

11 Negligible 1 Scope Time Legal Service Delivery Performance Reputation Environmental Finance Scope Time Legal Moderate impact on the product/objectives ultimate ability to be fit for purpose. Moderate effect on the product/objective being delivered within a reasonable timeframe. Moderate prospect of possible noncompliance or breaches of regulation and/or legislation. Some disruption to OPCCs/Constabularies internal business only no loss of customer service Little impact on achieving corporate objective Minimal adverse coverage (local press only) Minor damage to local environment Financial Loss (up to 0.5% of budget) Minimal impact on the product/objectives ultimate ability to be fit for purpose. Minimal effect on the product/objective being delivered within a reasonable timeframe. Minimal prospect of possible noncompliance or breaches of regulation and/or legislation. The next step is to "plot" the risk on the matrix below using the traffic light system of red, amber, yellow, green, e.g., a risk defined with a likelihood of possible and an impact as marginal scores 4 on the matrix and is "green" on the traffic light system. Risk Score Matrix Risk Tolerance Level/Escalation Both constabularies are prepared to accept risk scores of between 1 and 6. Any risk scoring 8 or above is deemed significant and will be subject to escalation for Chief Officer intervention, i.e., all amber and red risks. Page 11 of 17

12 7.6 STEP 4 CONSIDER COUNTER MEASURE/OTHER CONTROLS This step involves the consideration of any other control/counter measures you could introduce from within your resources and, if appropriate, the development of action plan(s) to progress these. 7.7 STEP 5 RE-EVALUATE THE RISK ONCE CONTROL MEASURE APPLIED This step involves the re-evaluation of the risk (following the same process as shown in Step 3) to reflect any new score once the counter measure or other controls have been applied. The following Scoring Matrix is then used to identify the most critical risks: Scoring Matrix - to determine Level of Risk Identifying the most critical risks Risk levels/ Scores Low Risk 1, 2, 3 and 4 Medium Risk 6 High Risk 8 and 9 Very High Risk 12 and 16 Action required Limited action Accept risk, manage and undertake regular review Review and monitor Manage and actively monitor quarterly Incorporate into plans Control improvements required and monitored bi-monthly (every two months) Incorporate into plans Action is required immediately and monitored monthly 7.8 STEP 6 RISK RESPONSE A risk response is the action(s) we can take (or are already taking) to eliminate or reduce the risk to the achievement of our objective. Examples of risk responses are: Terminate the risk (Avoid the activity) This is often not a technique available to the public sector given that we are looking at how we achieve objectives. However, there are times when not undertaking an activity is a legitimate tool of risk management, e.g., a vehicle repair facility may have a bulk fuel store. If the fuel store is old and needs high investment to avoid ground pollution a solution may be to cease storage of bulk fuel and use third party fuelling facilities (although this would present a different set of risks). Page 12 of 17

13 Treat the risk (Reduce uncertainty, likelihood and impact) This is a technique used many times in operational policing. It involves getting further and better information, on which decisions are made, it is policing intelligence or improving the quality of management information. Reduce the likelihood This technique is used to reduce the chance of the event occurring, e.g., if there is defective equipment the likelihood of an injury sustained whilst using the defective kit can be reduced by taking the equipment out of service until it is repaired. Reduce the impact In the event a risk actually occurs, this technique will attempt to reduce the impact on both constabularies. A good example is the duplication and off-site retention of data media so that in the event of a fire in a computer suite there is off-site backup of data. Tolerate the risk (within tolerance levels) Do nothing accept and understand the nature of the risk to which exposed. After assessing the impact and likelihood of the risk and assessing the control and counter measures required to further reduce the risk, it may be decided that the risk will be accepted without further mitigation. Transfer the risk Risks can be transferred to a: Contractor Partner Supplier Hirer Insurance Company If a risk is transferred, the risk of failure to achieve the objective and the implications of failure (the business risks) remains with both constabularies. Step 4 identifies the existing risk response(s) and Step 5 highlights any additional controls and counter measures that can help reduce the risk further in a cost effective way. 7.9 STEP 7 - COMMAND/DEPARTMENTAL RISK REGISTERS Each Command and Department will maintain a risk register of all the risks identified to the achievement of the operational objectives. A template is attached at Appendix A. Page 13 of 17

14 The Risk Register will inform the Strategic Risk Register as any operational risks which have an organisation-wide impact on the achievement of objectives will become strategic risks with measures taken across both constabularies to manage them. Any risks that score 8 or above ( amber and red ) can be escalated through the process shown in Section 7 and the flowchart at Section 8 so that an informed decision can be made as to how to manage such risks or indeed whether they will have to be accepted. The risk register forms the basic tool to manage the operational and organisational risks in an informed and consistent manner STEP 8 - REGULAR REVIEW OF RISKS Risks should be reviewed on a regular basis to determine if: Likelihood / impact levels are the same / remain unchanged from the last review; and Whether the current controls in place are sufficient to mitigate the risk or whether a change in action is required. If the risk can no longer be handled locally within the Command/Department that owns it, the risk should be escalated in accordance with this policy (Section 7 and the flowchart at Section 8 refer). Page 14 of 17

15 8. Flowchart showing the Risk Escalation Process Reporting of Risk Register Department / Command Risk Registers Monthly monitoring by SMTs to Risk and Policy Manager Project Risk Registers Monthly monitoring by PM / Dept Head Risk and Policy Manager reviews PMO / Programme Manager reviews STRATEGIC RISK RIGISTER (Guidance = Risk Policy) Single Risk Template (PMO, R&P Manager only) Identify as Operational, Organisational, Strategic, Programme or Project risks. Identify as Norfolk, Suffolk or Joint risks Filter Template Above threshold Filter Template Above threshold JOIG (bi-monthly) Operational, Organisational and Strategic Risk Filter above threshold only Filter above threshold only PCB (Monthly) Programme Risk Exceptions reported to Exceptions reported to OJCOT (following JOIG) N CTM Operational, Organisational, Strategic, Programme and Project Norfolk Only S COB Operational, Organisational, Strategic, Programme and Project Suffolk Only Change JCOT (Monthly) Quarterly Norfolk Audit Committee Quarterly Suffolk Audit Committee Page 15 of 17

16 9. Internal and External Audit 9.1 The risk management process is subject to internal and external audit. 9.2 The top strategic risks are reported to Norfolk and Suffolk Audit Committees on a regular basis. 10. Definitions 10.1 RAIDE Risk an uncertain event (or events) which, should it occur, will have an effect on the achievement of objectives. Assumption a statement that is taken as being true for the purposes of planning but could change later. Any change could cause significant replanning. Issue a relevant event that has happened was not planned and requires management action. Dependency a relationship that exists between one or more conditions, events or tasks. Environmental Scanning new and emerging issues Risk Description to include an indication of the timeframe that is available to resolve/mitigate the risk Scoring of risk to include the scoring of risk both before and after the mitigating action, control/counter measures have been applied. This will show how effective the mitigating action actually is. Page 16 of 17

17 Liklihood Impact Score Liklihood Impact Score (mitigated) Likelihood Impact Score Likelihood Impact Score (mitigated) APPENDIX A - RISK REGISTER TEMPLATE (RAIDE) Norfolk and Suffolk RAIDE (Risk, Assumptions, Issues, Dependencies and Environmental Log) RESTRICTED RISKS - An uncertain event (or events) which, should it occur, will have an effect on the achievement of objectives No Department Programme/Organi sational/operation al/project/strategic Norfolk/ Suffolk/ Joint/ OPCC Type Direction of Travel Date Added/ Date Closed Description Owner Control/C ounter measure Respons e Status Live/Clos ed ASSUMPTIONS - A statement that is taken as being true for the purposes of planning but could change later. Any change could cause significant re-planning. No Department Operational/ Organisational/ Programme/ Project/Strategic Norfolk/ Suffolk/ Joint/ Type Direction of Travel Date Added/ Date Closed Description Owner Control/Counter measure Status Live/Closed ISSUES - A relevant event that has happened, was not planned and requires management action. No Department Operational/ Organisational/ Programme/project /Strategic Norfolk/ Suffolk/ Joint/ OPCC Type Direction of Travel Date Added/ Date Closed Description Owner Control/C ounter measure Respons e Status Live/Clos ed DEPENDENCIES - A relationship that exists between one or more conditions, events or tasks. No Department Operational/ Organisational/ Programme/ Project/Strategic Norfolk/ Suffolk/ Joint Type Direction of Travel Date Added/ Date Closed Description Owner Control/Counter measure Status Live/Closed Environmental Scanning - New and Emerging Issues No Department Operational/ Organisational/ Programme/ Project/Strategic Norfolk/ Suffolk/ Joint Type Direction of Travel Date Added/ Date Closed Description Owner Status Live/Closed Page 17 of 17