LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY


LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY JANUARY 2013

Version Control

Columns: Reference; Comments; Approval date
Approval dates: 05 09 12; 19 11 12; 10 01 13

FOREWORD

Welcome to the Council's Risk Management Strategy.

We are all required to manage risks on a daily basis. When we consider our collective responsibility on behalf of the Council, this requires a formal, structured approach, a positive culture, and appropriate standards for the way we behave.

The current pressures on public spending, service demands, and new legislation coupled with demands for increased transparency and accountability, mean that robust and effective risk management is more essential than ever.

The responsibility for managing risk is not restricted to any one person or group of specialists. It is the duty of every member of staff and elected Members.

Effective risk management allows us to:
- Be risk aware, not risk averse;
- Have increased confidence in achieving the Council's priorities and in achieving key objectives;
- Manage threats so that the impact on effective and efficient service delivery is minimised;
- Make informed decisions about seizing opportunities for the Council;
- Ensure that there is a balance between risks and rewards;
- Enhance the likelihood of success of projects; and
- Improve the Council's partnership working arrangements and corporate governance.

Effective risk management will help ensure that the Council seizes opportunities and minimises the consequences of the risks it faces in delivering priorities and improved outcomes.

CONTENTS

Foreword

RISK MANAGEMENT STRATEGY
1. Introduction
2. Mission statement
3. Aims and objectives
4. Risk appetite and tolerance
5. Benefits of risk management
6. Implementing risk management
7. Implementing risk management approach
8. Monitoring and reporting
9. Corporate Risk Register and Risk Champions
10. Partnerships and significant contracts
11. Programme and project management
12. Covalent system
13. Further advice and assistance

Appendix A Risk and Opportunity Scoring
Appendix B Roles and Responsibilities
Appendix C How to set the Risk Appetite

RISK MANAGEMENT STRATEGY

1. INTRODUCTION

No organisation, whether in the private, public, or third sector can achieve its objectives without taking risk. The only question is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organisations. (Source: UK Corporate Governance Code)

1.1 Risk is the threat that an event or action will adversely affect the Council's ability to achieve its objectives and to successfully execute its strategies. An opportunity can be defined as the opposite of a risk, i.e. that an event or action will enhance the Council's ability to achieve its objectives and to successfully execute its strategies.

1.2 Risk management is the culture, processes, and structure that are directed to the proactive identification, understanding, and management of potential threats and opportunities.

1.3 Pressures on public spending and demands for increased transparency and accountability mean that robust and effective risk management is an essential part of the Council's decision-making framework. The CIPFA/SOLACE Good Governance Framework, for example, includes the principle of "Taking informed and transparent decisions which are subject to effective scrutiny and managing risk". Similarly, working against the background of the current economic downturn means there is particular need for robust risk identification and management to achieve resilience.

1.4 Each manager needs to take their key objectives for the year (including relevant corporate objectives) and identify the risks to achieving these objectives. Where opportunities are identified, due diligence needs to be exercised to ensure they are realistic and afford value for money.

1.5 Action plans need to be produced to mitigate identified risks and seize relevant opportunities.

1.6 Risk management is both a statutory requirement and an indispensable element of good management. As such, its implementation is crucial to the Council and essential to its ability to discharge its various functions to stakeholders.

1.7 This Strategy provides a comprehensive framework designed to support officers in ensuring that the Council is able to discharge its risk management responsibilities. It therefore outlines the objectives and benefits of managing risks and describes the responsibilities for risk management. (NOTE: Risks and Opportunities need to be considered at the same time. Therefore when this strategy refers to risk, opportunities should also be considered. In the case of opportunities the aim is to increase, rather than decrease, scoring probability).

1.8 Risk management is a key part of corporate governance, which is essentially the way the Council manages its business (including an Annual Governance Statement). It is essential that risk management is embedded into corporate processes including:
- Strategic planning;
- Financial planning;
- Service delivery;
- Policy making and review;
- Project management;
- Significant partnerships;
- Performance management;
- Change management / transformation;
- Emergency Planning; and
- Business continuity planning.

1.9 In order to ensure that the strategy remains current and responds to changing environments it is reviewed / updated annually and approved by the Audit Committee.

1.10 Risk management is a key part of the good management of the Council and, properly used, can add value. In addition to the Corporate Risk Register and departmental risk registers every service should have an up to date risk register, usually as part of the annual service planning process.

1.11 To be effective, attention is paid to the Council's risks from the top to the bottom of the organisation. (Source: Solace, "Chance or Choice"). This is because whilst senior managers have a bird's eye overview of the Council they cannot have the detailed knowledge and appreciation of individual service areas that other staff will have.

1.12 All known risks are considered and not simply a sub-set such as financial risks. Similarly, it is not only the impact of an incident in financial terms that needs to be evaluated but also the potential damage that such an incident could inflict upon the reputation of the organisation and the adverse effect on service delivery. Simply put, it is anything that could prevent the Council from achieving its aims and objectives.

1.13 Risk and opportunity assessments, undertaken as part of the strategy, will cover all aspects of services including known risk, existing controls and their significance.

1.14 This Strategy contains a new section on setting the risk appetite. This is for guidance only; however, officers may find it helpful in deciding on the acceptable target score for a risk.

1.15 The risk appetite scoring seeks to determine the target risk score. In the case of a significant risk that needs to be reduced, for example, low scores are allocated so as to provide a low risk appetite target. Conversely, where management can accept greater risk then there would usually be a higher risk appetite.

1.16 The risk management strategy does not seek to replace but to complement processes for managing specific risks, including, for example, health & safety, safeguarding, business continuity and information governance.

1.17 This Strategy aims to provide an overarching framework for the management of threats and the taking of opportunities (subject to due diligence). It seeks to help officers to do more with less by reviewing the effectiveness of what they do, why they do it and how they do it.

2. MISSION STATEMENT

The overall objective of this strategy is to set best practice for the Council to actively identify and manage its risks and opportunities.

3. AIMS AND OBJECTIVES

3.1 This Strategy seeks to improve the Council's ability to deliver its strategic priorities by managing threats and opportunities, and creating an environment that adds value to ongoing operational activities. It supports the vision to make Enfield a better place to live and work, delivering fairness to all, growth and sustainability, and strong communities.

3.2 Specific objectives of the strategy are to:
- Help managers meet Council objectives and support the overall governance framework;
- Support and work alongside existing policies and procedures to mitigate risk;
- Make better management decisions by embedding risk management practices across the Council including use of the Covalent performance management system to facilitate risk management;
- Further embed the risk management strategy and practices within the Council, including further training for both officers and members;
- Further integrate risk / opportunity management into the culture of the Council and into the Council's strategic planning and decision making processes;
- Ensure the framework for identifying, evaluating, controlling, reviewing and communicating risks is implemented and understood across the Council;
- Communicate to stakeholders the Council's approach to risk and opportunity management;
- Ensure that Members, CMB, and external regulators can obtain the necessary assurance that the Council is mitigating the risks of not achieving its objectives and complying with good corporate governance practice; and
- Ensure consistency throughout the Council in the management of threats and opportunities.

3.3 Specific aims and objectives to further embed risk management at Enfield during 2012/13 include the following:
- Embed risk management around the Council's new public health responsibilities commencing from April 2013;
- Consideration of the composition of the Risk Management Working Group and the role of the Risk Champions;
- Ensuring that greater focus and time is spent on identifying and monitoring mitigating actions;
- Closer working with the internal audit section to facilitate enhanced working and management of risks;
- Use of horizon scanning to identify new/potential challenges and production of action plans to meet these challenges;
- Provision of further training including Corporate Governance Briefings and risk workshops; and
- Encouraging users to make better use of Covalent to manage risks and opportunities including more officers being trained on Covalent and greater volume of risks being captured on Covalent.

4. RISK APPETITE AND TOLERANCE

4.1 Risk appetite is defined as the degree of risk that the Council is willing to accept in the pursuit of its objectives. It defines the acceptable level of risk in each area of the Council's operations. This links in with the acceptable level of variation around the achievement of a specific objective, often called the risk tolerance.

4.2 No organisation can achieve its objectives without taking risk, yet taking risks without consciously managing those risks can lead to significant problems. This is illustrated by the current economic downturn where banks failed to effectively manage their risks. As a consequence Risk Appetite and Risk Tolerance are now on the agenda for all listed companies.

4.3 At corporate, department, and service level, management need to be clear what significant risks they are willing to take and equally what significant risks they are not willing to take. This is also true of partnership working.

4.4 Deciding what risks management are willing to take is called risk appetite. Risk appetite will, by definition, vary from department to department and even from service to service - for example the risk appetite for safeguarding would be different from, say, the allotments service. It may well vary according to time - electoral services being a case in point.

4.5 Risk tolerance is closely linked to risk appetite. It simply means that whilst our usual risk appetite, say for investments, might be set at an agreed level, there may be exceptional circumstances where this might be exceeded. This would be the maximum risk tolerance management would be willing to take. Where the usual risk appetite is exceeded this should be reported to the relevant individuals and members for clearance.

4.6 Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks and these appetites may well vary over time.

4.7 The key question in calculating risk appetite and tolerance is "What does successful performance look like?"

4.8 All the hazards around non-achievement of identified successful performance would comprise the risk universe.

4.9 Those hazards which, in exceptional circumstances, management might tolerate would be termed the risk tolerance and would form a narrower band within the overall risk universe.

4.10 An even narrower band would be those hazards and risks that management are usually comfortable in dealing with - this is called the risk appetite.

4.11 Risk appetite and risk tolerance should be used as part of the decision making process. Accepting a potential higher level of risk in one area but less risk in another will help the Council to focus its resources on mitigating key risks to achieving key objectives.

4.12 The Council seeks to be risk aware, not risk averse. Being clear as to what risks a service is willing and not willing to accept can really assist in decision making.

4.13 Help in deciding what level of risk or risk appetite may be acceptable is provided. This is for guidance only and officers may find it a useful tool to determine risk appetite and tolerance.

4.14 The guidance may initially appear counter-intuitive, with scoring opposite to risk identification. Low scores are allocated to significant risks and high scores allocated to less important risks.

4.15 This is because where there is a significant risk (e.g. safeguarding) the target would be to reduce the risk to the lowest practical score. It is this target score that comprises the risk appetite.

Note: Guidance on setting the risk appetite is contained in Appendix C.

5. BENEFITS OF RISK MANAGEMENT

5.1 Benefits of risk management include the following:
- Helps to drive decision making and the achievement of key objectives;
- Reduced time spent "fire fighting";
- Increased confidence moving into new areas, or undertaking new projects;
- Improved management information;
- Enhanced service planning and service delivery;
- Focused financial performance and resource management - the cost-effectiveness of actions;
- Enhanced reputation through the delivery of community outcomes and meeting external standards;
- Assisting managers in their strategic thinking and enhanced service delivery leading to enhanced reputation;
- Effective Human Resources management;
- Targeted Business Continuity Management (BCM). (Risk management links in with business continuity management by seeking assurance that BCM plans are in place and are up to date);
- Improved corporate governance and compliance issues; and
- Consideration of Opportunities. Effective risk management assists in the identification and assessment of opportunities to improve service delivery.

Note: Management must always carry out due diligence when considering possible opportunities and these would also be subject to the Council's financial regulations and procedures including report writing.

6. IMPLEMENTING RISK MANAGEMENT (LIKELIHOOD, IMPACT, AND INHERENT / RESIDUAL RISK)

6.1 The basic steps to undertaking a risk assessment are:
- Provide a succinct description of the risk, its cause and consequence;
- Link the risk to the relevant corporate / departmental / service objective;
- Use the 5x5 risk scoring matrix for likelihood and impact (see below);
- Include risk rating at Gross or Inherent Risk (initial rating without any controls), current rating with existing set of controls, and target score (level of risk the owner is prepared to accept);
- Decide how to manage the risk - treat, tolerate, terminate, or transfer (please see below);
- Measure the effectiveness of existing controls;
- Identify actions required to fill any gaps with the set of existing controls and to achieve the required target risk rating;
- Ensure any actions are cost effective - that the cost of managing risk does not exceed potential outcomes;
- Allocate a named individual with responsibility for implementing actions together with a target date; and
- If applicable identify reasons for closing risks.

6.2 When following these steps it is helpful to categorise risks in seven ways:
- Strategic risk - those risks affecting the medium (say next twelve months) to long term goals and objectives;
- Operational risk - those risks that managers and staff will encounter in the daily course of their work;
- People risk - risks associated with employees and management;
- Financial risk - covering budgets and costs. Losing monetary resources or incurring unacceptable liabilities;
- Reputation risk - relating to the image of a service / department or to the whole Council;
- Information risk - relating to loss or inaccuracy of data, systems, or reported information (including non-IT information); and
- Regulatory risk - relating to the regulatory environment.

6.3 In addition, opportunities need to be considered. These will frequently be ways of dealing with identified risks and therefore often appear in risk management action plans.

6.4 For every decision there is an associated risk that delivery will not take place. This risk is broken down into two components: Likelihood and Impact. Relevant guidance is provided in Appendix A. To be effective there must be a culture of risk awareness throughout the Council to engage all Members and officers in the process of risk identification and of risk mitigation.

6.5 Likelihood represents the statistical chance of an event taking place. Such events are classified at Enfield in a number of statistical ways summarised into these five broad stratified headings: Remote, Unlikely, Possible, Probable, and Highly Probable.

6.6 Impact represents the expected disruption to the Council. Such events are classified in a number of statistical ways, summarised into these five broad stratified headings: Insignificant, Minor, Moderate, Major, and Catastrophic / systemic failure. (NOTE: in the case of opportunity management this final level of impact would be termed Transformational).

6.7 The above defines gross or inherent risk, i.e. it takes no account of the controls the Council has in place or can put in place to manage the identified risk.

6.8 To offset this, Council managers apply controls to reduce the gross risk and to obtain the net or residual risk. The controls come in many forms but the means of prioritising them are as follows: Terminating a risky activity, Transference of Risk (possibly by insurance), Treating the Risk (such as taking certain action that may reduce the likelihood and/or impact of a future event taking place) and Tolerating the Risk. Tolerating a risk is where a risk cannot be reduced to a tolerable level but is essential to the delivery of an operational objective.

6.9 Another way of expressing this is through the 4 T's whereby risks can be:
- Treated (such as by appropriate remedial actions);
- Tolerated (where they fall below the "risk appetite");
- Transferred (such as for the 20% or so of risks that can be insured); and
- Terminated (where it may be possible not to embark on an activity deemed to be very high risk).

7. IMPLEMENTING RISK MANAGEMENT - THE RISK MANAGEMENT APPROACH

7.1 Identification. Across the Council a number of techniques are used for risk identification, of which the most common are individual interviews and workshops including SWOT analyses (strengths, weaknesses, opportunities, and threats). Horizon scanning technique is also used in accordance with HM Treasury "Management of Risk - Principles and Concepts" to identify new risks and opportunities that the Council is likely to face.

7.2 Analysis. We measure or analyse this in two ways:
- By the likelihood or frequency of the risk occurring; and
- By the severity or impact on the Council of the risk event occurring.

7.3 Risk Mapping is utilised to plot risks according to the above analysis on a 5 x 5 matrix so that High (Red), Medium (Amber), and Low (Green) categories can be seen at a glance. These are defined as follows:
- High (Red) scoring risks have scores of 16 and over;
- Medium (Amber) scoring risks have scores from 9 to 15 inclusive; and
- Low (Green) scoring risks have scores from 1 to 8 inclusive.

7.4 Control of risks is effected therefore by management action plans for medium and high scoring risks to determine the best course of action, i.e. should the risk be avoided, eliminated, reduced, transferred, or accepted.

7.5 Action plans must also identify the individual to deliver the improvements, with key dates and deadlines.

Risk scoring matrix

LIKELIHOOD
     5    10    15    20    25
     4     8    12    16    20
     3     6     9    12    15
     2     4     6     8    10
     1     2     3     4     5
                            IMPACT

NOTE: The above table records the scoring for Risk Management where we are trying to decrease the scores by aiming for the green areas.

Opportunity scoring matrix

LIKELIHOOD
     5    10    15    20    25
     4     8    12    16    20
     3     6     9    12    15
     2     4     6     8    10
     1     2     3     4     5
                            IMPACT

NOTE: The above table records the scoring for Opportunity Management where we are trying to increase the score (rather than decrease as in the case of risk management) by aiming for the green coloured areas.

8. MONITORING AND REPORTING

8.1 Progress in managing risks will be monitored and reported as part of a continuous cycle so that losses are minimised and intended actions are achieved. Appendix B lists relevant roles and responsibilities. Every service centre must produce an up to date risk register - this should usually be done as part of the service planning process.

8.2 Risks scoring 16 and above will usually be escalated to the next level, e.g. from service risk registers to department risk registers, and from departmental risk registers to the Corporate Risk Register. Management actions will be checked by relevant departmental management teams, CMB, and Audit Committee as appropriate.

8.3 Directors and key staff will review their risks at least quarterly at their DMTs so that the whole management team are aware of the key risks faced by the service / department and the mitigations in place to control them. There is a timetable for risk reporting.

8.4 CMB will review the Corporate Risk Register on a quarterly basis and this can be more frequent for key risks (e.g. as happened with the Olympics).

8.5 The Terms of Reference of the Audit Committee include the words, "To monitor the effective development and operation of risk management and corporate governance in the Council." This duty is exercised through:
- Six monthly review of the Corporate Risk Register; and
- On a rolling programme, review of Departmental Risk Registers.

8.6 Cabinet will review the Corporate Risk Register every six months.

8.7 A report will go to full Council at least once per annum.

8.8 All reports include a section on KEY RISKS.

9. CORPORATE RISK REGISTER AND RISK CHAMPIONS

9.1 The Corporate Risk Register contains those risks and opportunities that could have a significant impact upon the Council. A risk is included on the Corporate Risk Register if it would have a significant adverse effect on the achievement of corporate aims and objectives, or to the delivery of the Medium Term Financial Strategy and Financial Plan.

9.3 A major (but not exclusive) source of information for the corporate risk register are those risks found on departmental risk registers. Where these are red risks they will usually be considered for inclusion on the Corporate Risk Register.

9.4 Management of risks is a function of management at all levels under the auspices of CMB. Each risk is allocated a risk owner whose responsibility is to ensure mitigating actions are carried out by the stated deadline.

9.5 Each department has one or more Risk Champions. Their role is to act as a liaison between the Risk Manager and their departments and to help identify risks and opportunities. They also feed back confirmation that mitigations identified within the action plans have been implemented within agreed timescales. They may be the Assistant Director (Resources) from each department or at senior officer level.

10. PARTNERSHIPS AND SIGNIFICANT CONTRACTS

10.1 The risk management process will specifically identify risks in relation to significant partnerships and contracts and provide for assurances to be obtained about the management of those risks. This will include joint ventures, the extended enterprise, and potential for risks arising from Council funding of community and voluntary groups under the Big Society.

10.2 Officers will provide information and work in a proactive way to ensure that opportunities as well as threats are considered.

10.3 Risk management monitoring will take place on an ongoing basis during the life of partnerships to ensure that the Council's interests are safeguarded.

10.4 NOTE: partnership risks need to be considered in terms of:
1. Risks to the Council from the partnership; and
2. Joint risks (in which case a joint risk register should be prepared).

11. PROGRAMME AND PROJECT MANAGEMENT

11.1 The Risk Manager is involved in discussions on aligning the risk element of the Council's Programme and Project management approach with the current corporate risk management framework.

11.2 Programme and Project management includes transformational projects and capital works projects in addition to IT projects.

11.3 Proposals support alignment through the adoption of Office of Government Commerce (OGC) good practice guidance for Programme and Project management, e.g. the Managing Successful Programmes (MSP) methodology for managing Programme level risks and the PRINCE 2 methodology for managing project-level risks.

11.4 This will enhance the way the Council manages the links and dependencies between corporate and Programme / Project level risk management.

11.5 A system specific to programme and project management, Verto, is being rolled out and this should be used to capture detailed risks to programmes and projects. The broader programme and/or project risks, however, should still be held on the Corporate Risk Register or Departmental Risk Registers, via Covalent, as appropriate.

12. COVALENT SYSTEM

12.1 Risk assessments at any level should usually be carried out using the Covalent computer system that the Council uses to record, manage and report risk and associated controls and action plans.

12.2 Users are encouraged to make better use of Covalent to track risks and risk actions. An external review of Covalent during 2012/13 will help in forming a view on how the system can further help users.

12.3 Covalent can be used to capture an unlimited number of risks and as such can be particularly helpful in horizon scanning to record and evaluate potential future issues facing the Council's services. As a result it can be used to reflect those risks that are not designated significant, at a point in time, but could develop to have a significant adverse impact if circumstances and the Council's operating environment change.

13. FURTHER ADVICE AND ASSISTANCE

13.1 Further advice and assistance on risk management can be obtained from the Risk Manager on 020-8379 4654 or email David.hulme@enfield.gov.uk.

13.2 Detailed guidance on conducting a risk assessment is available on the Enfield Eye.

Appendix A

RISK AND OPPORTUNITY SCORING

RISK LIKELIHOOD

Score 1 = Remote: Extremely unlikely; Happens less than once in ten years.
Score 2 = Unlikely: Happens no more than once in ten years.
Score 3 = Possible: Could occur; Happens once every five years on average.
Score 4 = Probable: Very likely to take place - say a minimum of once in every two years.
Score 5 = Highly Probable: A near certainty. Likely to occur every year.

RISK IMPACT

Score 1 = Insignificant: Minimal financial impact of less than £250,000; Local newspaper comment only - a one-off event.
Score 2 = Minor: Not material but still relevant adverse impact on financial objectives. From £250,000 up to £500,000; Repeated coverage on local level.
Score 3 = Moderate: Material impact on financial objectives for the year (Over £500,000 up to £2.5 million); National newspaper coverage.
Score 4 = Major: Material critical impact on financial objectives for the current and subsequent years. Over £2.5 million up to and including £5 million. TV coverage of incident.
Score 5 = Catastrophic / systemic failure: Abuse resulting in death of the vulnerable (e.g. Baby P tragedy); Special Measures for a department or the Council overall; Financial loss of over £5 million; Sustained national campaign on all media.

NOTE: Financial thresholds should be reviewed periodically as the ability to absorb the impact of loss will change, particularly in the current economic environment.

Risk Scoring

Red / High = 16 to 25 inclusive
Amber / Medium = 9 to 15 inclusive
Green / Low = 1 to 8 inclusive

OPPORTUNITY LIKELIHOOD

Score 1 = Remote: Extremely unlikely; Happens less than once in ten years.
Score 2 = Unlikely: Happens no more than once in ten years.
Score 3 = Possible: Could occur; Happens once every five years on average.
Score 4 = Probable: Very likely to take place - say a minimum of once in every two years.
Score 5 = Highly Probable: A near certainty. Likely to occur every year.

OPPORTUNITY IMPACT

Score 1 = Insignificant: Minimal financial impact of less than £250,000; Beneficial effect on one service.
Score 2 = Minor: Positive impact on financial objectives from £250,000 up to £500,000; Beneficial influence on several services.
Score 3 = Moderate: Material positive impact on financial objectives for the year (Over £500,000 up to £2.5 million); Beneficial impact on departmental aims and objectives; Positive effect on a division.
Score 4 = Major: Material positive impact on financial objectives for the current and subsequent years. Over £2.5 million up to and including £5 million. Positive/beneficial effect on one or more departments and achieving corporate aims and objectives; Sustained local press coverage.
Score 5 = Transformational: A recurring and material annual saving, or a one-off saving of material significance, say of over £5 million; Significant beneficial effect on long-term corporate aims and objectives; Sustained national press coverage; A national lead.

NOTE: Financial thresholds will be reviewed periodically as the impact of a saving will change, particularly in the current economic environment.

Opportunity Scoring

High = 16 to 25 inclusive
Medium = 9 to 15 inclusive
Low = 1 to 8 inclusive

Appendix B

ROLES AND RESPONSIBILITIES

Groups

The risk management service is primarily that of an advisory, support, and critical friend function and to support this, the following groups have responsibilities:

Reviewing Group: Corporate Management Board
Responsibilities: Express duty to act on concerns where the risk appetite and risk tolerance are exceeded to ensure risk is mitigated to acceptable levels. Defines the risk appetite and risk tolerance framework. Reviews Corporate Risk Register prior to submission to Audit Committee; Ensuring that there is dynamic management of corporate risk; Ensuring that risk is given due consideration in all management processes and decisions and ensure ownership of corporate risks.

Reviewing Group: Cabinet (and Elected Members)
Responsibilities: Reviews the Corporate Risk Register; Monitors and acts on escalated risks from Audit Committee.

Reviewing Group: Audit Committee (and Chair of Audit Committee)
Responsibilities: Overall Member responsibility and accountability for Council-wide risk management; The lead councillor body which approves the Risk / Opportunity Management Strategy, which will include the process for managing risks and opportunities; Raising any concerns on risk management with Cabinet; Reviewing the annual Risk Management Report prior to its presentation to Cabinet; Monitors the effective development and operation of risk management in the Council; Receives periodic updates on the corporate and department risks and opportunities; Periodically asks for further detailed information about actions to mitigate key risks.

Reviewing Group: Departmental Management Teams (DMTs)
Responsibilities: Monitor risk appetite and tolerance for their department risks. Acts to effect change where the risk appetite and risk tolerance are exceeded. Ensuring that there is dynamic management of risk across their department; Risk and opportunity management to be included within the department planning process; Departmental risk registers to be reviewed quarterly or more regularly as necessary; Ensuring that agreed actions to manage risk exposure to an acceptable level are undertaken on a timely basis and in accordance with departmental risk registers; Ensuring that risks identified within the department are managed at an appropriate level, including escalation to a corporate level where appropriate; Ensuring that risk is given due consideration in all management processes and in taking key decisions.

Reviewing Group: Project Boards and Strategic Procurement Board
Responsibilities: Participates in the identification, assessment, planning and management of threats and opportunities; Understands the Risk Management Strategy and their accountabilities; Ensures risk management is actively considered before, during, and after key projects / procurement including lessons learned.

Reviewing Group: Internal Audit
Responsibilities: Understands Council's risk management strategy; Supports the risk management process including discussing risks with management; Focus internal audit plan on significant risks via risk registers and liaison with Risk Manager; Provides the Risk Management Service with updates on risks identified from audits; Provides assurance on risk management across the Council based on reviews through audit risk assessments.

Reviewing Group: Risk Management Service
Responsibilities: Providing guidance, advice & support on the Council's Risk Management approach including risk appetite and tolerance; Co-ordinating risk management across the Council; Running risk workshops across the Council as required; Ensuring that the risk management process is operated on a current basis; Performing quality and performance checks on RM documents as first line assurance; Arranging risk management awareness, support and training interventions for managers, staff and councillors; Liaison with various specialists across the Council such as Insurance, Internal Audit, Health & Safety, and Emergency Planning to assess the risks in specific areas.

Roles

To help clarify an individual's responsibility for managing risks within their role, a set of risk management competencies has been developed.

Role: Chief Executive
Responsibilities: Overall executive responsibility and accountability for Council-wide risk management; Ensuring that the Corporate Risk Register and Departmental Risk Registers are subject to regular review.

Role: Directors and Assistant Directors
Responsibilities: Responsibility to ensure risks are mitigated to agreed levels of risk appetite and tolerance; In addition, individuals may have specific responsibilities in relation to the role of local authority statutory officers including the following roles: The head of paid service; The officer responsible for financial administration (aka the section 151 officer); The monitoring officer; Director of Public Health; Director of social services; and Director of children's services. Some of these offices may be held by the same person. Each of these posts has specific legal responsibilities attached to it along with a limited range of legal powers to compel a local authority to take (or refrain from) certain courses of action. Such individuals will need to ensure that risks relating to these additional roles are adequately identified and mitigated to acceptable risk appetite levels.

Role: Chair of Audit Committee
Responsibilities: Overall Member responsibility and accountability for Council-wide risk management.

Role: Risk Manager
Responsibilities: To update the Council's Corporate Risk Register and link it with the Council's aims and objectives; To consider new risks and opportunities via Horizon Scanning; To raise the level of management awareness and accountability for the business risks of the Council; To provide guidance on setting risk appetite and tolerance; Help to embed risk management as part of the culture of the Council; To facilitate risk workshops, and general facilitation and coordination of risk management activities.

Role: Senior Managers / Heads of Service
Responsibilities: Agree calculation of risk appetite and tolerance for each risk identified for their service; Operational responsibilities for controlling threats and managing opportunities (subject to due diligence); Ensuring that there is dynamic management of risk across their service, formally reflected in quarterly review of risk registers; Ensuring that agreed actions to manage risk exposure to an acceptable level are undertaken on a timely basis; Ensuring that risks identified within the service are managed at an appropriate level; Reporting on the adequacy of risk management arrangements to the relevant director on a regular basis; Ensuring that risk is given due consideration in all management processes.

Role: Report Authors
Responsibilities: Consider key risks in their reports; reports, including those to Council, Cabinet, and CMB, must include a summary of the key risks and opportunities arising from or being addressed by the content / actions of the report.

Role: Risk Management Champions
Responsibilities: Main contact for the department for risk management including liaising with the Risk Manager; Oversees the corporate approach to risk management within their department; Ensure Covalent is updated to ensure key risks are captured and updated regularly; Working with relevant senior managers within their department to use the risk management approach in assisting the delivery of service and departmental objectives; Driving the development and embedding of effective risk management across their department / service area; Contributing to the development of the Council's risk management processes.

Role: Risk Action Owners
Responsibilities: Ensure effective action is taken to manage risk within target timeframe; Ensures the integrity of information recorded on the risk register; Monitors progress against mitigating actions.

Role: All Staff
Responsibilities: Identifying opportunities as well as hazards and risks in performing day-to-day duties; Taking appropriate action to take advantage of opportunities or to limit likelihood and impact of risks; Awareness of risk management policies; Understand their role in managing risk.

APPENDIX C

HOW TO SET THE RISK APPETITE

This Appendix provides help to determine the maximum acceptable risk score, through determining a risk appetite. It is provided for guidance only and officers may wish to use another method to determine risk appetite and a target risk score for each risk that they are managing.

The key steps are as follows:

1. Identify risks as normal, including scoring the risks based on the five by five matrix set out in Appendix A.

2. Assess each risk according to the following five criteria:
   i) Priority
   ii) Safeguarding issues (human risk)
   iii) Financial Impact
   iv) Reputational Impact
   v) Legal / statutory requirement.

3. Score each criterion from 1 to 5 as follows:

Risk Appetite Scoring

CRITERIA                            IMPACT
                                    Insignificant  Minor  Moderate  Major  Catastrophic
Key objective, aim, or priority           5          4       3        2         1
Safeguarding issues (human risk)          5          4       3        2         1
Financial impact                          5          4       3        2         1
Reputational impact                       5          4       3        2         1
Legal / statutory requirement             5          4       3        2         1

Where criteria are considered important this should be reflected by a low score, i.e. low risk appetite.

Conversely, where it is considered there would be little financial impact if a risk crystallised then this should be given a high score, i.e. high risk appetite.

Scores are added up for each of the five criteria with a minimum possible score of 5 and a maximum of 25. The lower the score, the lower the amount of risk we are willing to tolerate in this area. Scores can then be used to generate a target risk score (i.e. where we would like to be).

Risk Appetite Scoring Criteria Definitions

Key objective, aim, or priority
Score 5 = Insignificant: No key objective, aim, or priority.
Score 4 = Minor: Ongoing aims e.g. general staff training.
Score 3 = Moderate: Enhancements to corporate planning e.g. to Project Management or to Business Continuity Management.
Score 2 = Major: A fundamental aim or objective e.g. delivery of regeneration projects.
Score 1 = Catastrophic / systemic failure: A key objective, aim, or priority e.g. safeguarding of vulnerable children and adults.

Safeguarding issue (human risk)
Score 5 = Insignificant: Virtually no human risk (e.g. hire of allotments).
Score 4 = Minor: Minor human risk (e.g. ensuring safeguards over contractors carrying out maintenance work in schools).
Score 3 = Moderate: Possible risk to vulnerable members of society (e.g. those with access to sensitive information).
Score 2 = Major: Potential for abuse of the vulnerable (e.g. recent national issues involving the elderly in care homes).
Score 1 = Catastrophic / systemic failure: Abuse resulting in death of the vulnerable (e.g. Baby P tragedy).

Financial impact
Score 5 = Insignificant: Minimal financial impact of less than £250,000.
Score 4 = Minor: Not material but still relevant adverse impact on financial objectives. From £250,000 up to £500,000.
Score 3 = Moderate: Material impact on financial objectives for the year. Over £500,000 up to £1m.
Score 2 = Major: Material critical impact on financial objectives for the current and subsequent years. Over £1m up to £5m.
Score 1 = Catastrophic / systemic failure: Financial loss of over £5m.

Reputational impact
Score 5 = Insignificant: Local newspapers comment only - a one-off event. Limited social media coverage. Minor / temporary service failure.
Score 4 = Minor: Repeated coverage at a local level. Social media coverage. Service failure with minimal financial or reputational impact. Recommendations for improvement in external inspections.
Score 3 = Moderate: One-off national newspaper coverage. Local TV coverage. Extensive social media coverage. Major service failure with notable financial or reputational impact. Some censure in external inspection.
Score 2 = Major: National TV coverage of incident. Repeated national newspaper coverage. Major service failure involving material financial loss or significant reputational damage. Adverse external inspection.
Score 1 = Catastrophic / systemic failure: Sustained national campaign on all media. Catastrophic service failure involving safeguarding incident. Adverse external inspection coupled with intervention.

Legal / statutory requirement
Score 5 = Insignificant: No legal or statutory requirement or best practice.
Score 4 = Minor: No legal or statutory requirement or best practice, but where there is public pressure to provide a service (e.g. refuse collections carried out every week rather than every fortnight).
Score 3 = Moderate: No statutory requirement but best practice (e.g. accounting standards).
Score 2 = Major: Best practice with a specific urgency / time constraint (e.g. implementation of International Financial Reporting Standards).
Score 1 = Catastrophic / systemic failure: A statutory / legal requirement e.g. having to provide children's education.

Worked example 1: Provision of allotments

CRITERIA                            IMPACT
Key objective, aim, or priority       4
Safeguarding issue (human risk)       5
Financial impact                      4
Reputational impact                   3
Legal / statutory requirement         2
TOTAL MAXIMUM RISK APPETITE          18

Therefore the total target score for this risk needs to be at or below 18 (high risk appetite).

Worked example 2: Safeguarding of children

CRITERIA                            IMPACT
Key objective, aim, or priority       1
Safeguarding issue (human risk)       1
Financial impact                      2
Reputational impact                   1
Legal / statutory requirement         1
TOTAL MAXIMUM RISK APPETITE           6

Therefore the total target score for this risk needs to be at or below 6 (very low risk appetite).

Worked example 3: Financial / budgetary pressures

CRITERIA                            IMPACT
Key objective, aim, or priority       2
Safeguarding issue (human risk)       3
Financial impact                      1
Reputational impact                   2
Legal / statutory requirement         2
TOTAL MAXIMUM RISK APPETITE          10

Therefore the total target score for this risk needs to be at or below 10 (low risk appetite).