ITEM 9 NOTTINGHAM CITY HOMES THE BOARD REPORT OF Ian Rabett Head of Health & Safety 26 November 2015 RISK MANAGEMENT 1 SUMMARY 1.1 A review of our risk management arrangements was carried out earlier this year, supported by Zurich Municipal. The outcomes of this review and recommendations for improvement were reported to Audit Committee in October. 1.2 Audit Committee made a number of resolutions, which are reproduced at appendix 1 to this report. 1.3 This report recommends changes to the Corporate Risk Register (CRR) and to the matrix used to assess the risks in the CRR, as well as making recommendations to help the Board review its risk appetite. 2 RECOMMENDATIONS 2.1 Board is asked to consider and approve the risks described at appendix 3; if approved these will replace the risks in the current risk register. 2.2 It is recommended that Board adopt the use of a 4x4 risk matrix as described at appendix 4. 2.3 It is recommended that Board consider and approve or amend the suggested statement of risk appetite at appendix 5. 3 REPORT Corporate Risk Register 3.1 A report containing proposed changes to our risk management processes was submitted to Audit Committee in October. The Audit Committee s resolutions are reproduced at appendix 1. The most urgent of these is the creation of a draft Corporate Risk Register (CRR), for consideration by Board. 3.2 The brief for Risk Management Group was to capture the risks from the Corporate Plan and other relevant sources into a register that has a manageable number of risks, ideally no more than 10-12. To do this, risks have been described using the same headings used in the published Corporate Plan, reproduced at appendix 2.
3.3 The other relevant sources includes the Homes & Communities Agency (HCA) Sector Risk Profile 2015, which details a number of risks that the HCA expects all registered providers to manage. Our proposals in this paper comply with the guidance, which is prerequisite for our subsidiary organisation. 3.4 The draft CRR at appendix 3 was prepared by the Company s Risk Management Group. The intention is to populate our Covalent risk management system, including assessment of risks and appointing risk owners, after Board has agreed the risks. Risk owners will be responsible for specifying existing controls and further actions; the Health & Safety Team (and Internal Audit) will audit specified controls and monitor further actions. 3.5 Each risk is then split into a number of sub-risks, which break each risk down into its detail. A number of new sub-risks have been identified by the Risk Management Group in addition to those derived from the Corporate Plan and HCA. 3.6 These sub-risks also capture all the risks in the current CRR, with the exception of risk N o 23 the Oracle system and EMSS transactional support do not provide a fit for purpose and VFM service, which is considered to be a departmental risk. All of the risks on the old register have therefore been captured in the new one. 3.7 Our intention is that Board and EMT receive regular reports about the [9] main risks defined in appendix 3, while Audit Committee and the Risk Management Group monitor the more detailed sub-risks. 3.8 Appropriate reports will be developed to provide sufficient, but not overwhelming, information for each group to carry out meaningful review of the CRR. All Board members, directors and members of the Risk Management group will have direct access to the CRR in Covalent so that they are able to conduct further independent analysis where necessary. We anticipate that Board will receive a quarterly update on the main risks, including a short statement under each heading explaining any movement in risk rating and significant deviations from agreed controls or progress with mitigating actions. Audit Committee would receive more detailed reports relating to the sub-risks. Risk Matrix 3.9 A further Audit Committee resolution was that Board should review the format of the risk matrix, which is a visual representation of risk, based on impact and likelihood. This categorises risks as high, medium or low, as represented by the traffic light colours red, amber and green respectively. The current risk register uses a 5x5 matrix. Although this is an accepted industry standard, it encourages people making assessments to sit on the fence, and all risks tend to gather round the centre of the matrix. EMT recommends that this is replaced by a 4x4 matrix, which forces assessors to be more decisive, and more readily defines high, medium and low risks.
Examples and pros and cons of both options are shown at appendix 4. 3.10 An example of how impact and likelihood might be defined in conjunction with a 4x4 risk matrix is also provided at appendix 4. Risk Appetite 3.11 Finally, Audit Committee resolved that Board review its risk appetite. Risk appetite is the amount and type of risk an organisation is willing to take or tolerate in order to achieve its strategic objectives. Board should state, and periodically review, its risk appetite, so that executive directors and senior managers do not make decisions outside the Board s acceptable limits. 3.12 Just as it can be damaging for the organisation to take uncontrolled risks or to set its risk appetite too high, it can be unhealthy and unrealistic to create a zero tolerance policy, as this would effectively stifle the organisation s ability to grow and diversify, as well as placing impossible strictures on its managers and requiring every decision to be referred back to Board. 3.13 The Board may, however, have a lower risk appetite in some areas than in others; for example, the Board may wish to tolerate less risk in areas of regulatory compliance and activities exposing the organisation to reputational damage than for new business opportunities. 3.14 A simple and recommended way to state risk appetite is therefore to set the Board s expectations for each of the risks in the CRR, using the risk matrix. This expectation will then become the target risk, and suitable controls will be put in place to ensure that the risk is controlled within that target. Quarterly risk reports will then detail which risks are not operating within the Board s acceptable limits, and any movement towards or deviation from their set target. 3.15 Board is therefore asked to review and agree or amend the suggested statement of risk appetite at appendix 5. This statement expands the nature of risks that are controlled, and allows Board to vary its approach to each risk according to the likely outcomes. The statement also allows for Board to keep its appetite for each risk under continual review, rather than setting an annual review target. 4 FINANCIAL, LEGAL AND RISK IMPLICATIONS 4.1 Financial 4.1.1 These proposals will not incur any additional costs as the work involves improvements to policy and procedures, and management of risk is carried out using existing resources. 4.2 Legal 4.2.1 Although there is no legislation that requires risk management within NCH,
risk management processes are audited by and will also be subject to HCA scrutiny if RP status is conferred. 5 IMPLICATIONS FOR NOTTINGHAM CITY HOMES OBJECTIVES 5.1 Effective risk management is conducive to ensuring that strategic objectives are achieved within expectations. 6 EQUALITY AND DIVERSITY IMPLICATIONS 6.1 Has the equality impact of these proposals been assessed? Yes (EIA attached) No (this report does not contain proposals which require an EIA)
7 FURTHER INFORMATION 7.1 HCA Sector Risk Profile (2015) 8 APPENDICES 8.1 Appendix 1: Audit Committee Resolutions October 2015 8.2 Appendix 2: Published Risks (Corporate Plan 2015-2018) 8.3 Appendix 3: Proposed Draft Corporate Risk Register 8.4 Appendix 4: Current and Alternative Risk Matrix 8.5 Appendix 5: Current and Alternative Statement of Risk Appetite
APPENDIX 1: AUDIT COMMITTEE RESOLUTIONS OCTOBER 2015 15/08 CORPORATE RISK REGISTER Consideration was given to a report of the Company Secretary ( CS ) which outlined the need for the Company to review its Risk Management approach to suit its new governance arrangements and the formation of two subsidiaries.. The AC was informed that the Health and Safety Team were going to assume responsibility for administering the company s risk management strategy. New risks needed establishing in line with the Corporate Plan. A review of existing arrangements had been conducted by Zurich Municipal. Discussions were held on Risk Management. A report would be submitted to Board based on the recommendations of the report. RESOLUTIONS: The Audit Committee agreed that: 1. The Head of Health and Safety review the risk Management Framework and propose any amendments needed to Board; 2. The Company Secretary and the Risk Management Group will review the Corporate Risk Register and develop a draft for Board approval; and 3. Directorate level risk registers will be developed and feed onto the CRR; and 4. Board should review the risk matrix; re-define their risk appetite and what they would like to see on regular reports. 5. Risk training for Board and company managers should be refreshed 6. The future internal Audit plan to be developed from the revised corporate risk register. Back to report
APPENDIX 2: PUBLISHED RISKS (CORPORATE PLAN 2015-2018) The numbers in red type indicate where these risks can be found in the proposed draft CRR. Back to report
APPENDIX 3: PROPOSED DRAFT CORPORATE RISK REGISTER The risk categories used in the Corporate Plan (appendix 2) are used to define each risk. There are therefore 9 risks, which are not expected to change significantly over time. Each risk is then broken down into its constituent sub-risks. Sub risks are likely to change regularly over time, and may be added or removed according to changing circumstances and strategic objectives. 1. STRATEGIC LEADERSHIP Weaknesses in the leadership provided by Board and senior management, our planning processes or governance arrangements lead to poor performance, lack of confidence or breach of statutory requirements a) Board lacks the competence, structure and authority to provide strategic direction and oversight, and appropriate challenge to senior management. b) NCH lacks the knowledge, resources and procedures required to ensure that the statutory requirements of running a company are complied with. c) Present governance arrangements are insufficient to meet the HCA s economic and consumer standards (including the financial viability standard), which would be necessary to obtain Registered Provider status. d) NCH management structure may have neither the competence nor capacity to manage its 2 new subsidiaries. e) Mismanagement of funding allocated to NCH, including poor financial management or failure to follow financial regulations. 2. FINANCIAL Variations in assumptions made for business planning purposes or the adverse effects of external influences create a shortfall in funding levels and potential failure to maintain sufficient credit to operate as a going concern a) Rental income is reduced by 1% p.a. from 2016-2020, creating a XX m shortfall against projected income. b) Demands are made on NCH income in order to reduce the Council s deficit, resulting in an inability to maintain stock to DH standard c) Funding income for Highwood House and NOC are reduced, resulting in reduced services or increased costs for the most vulnerable residents. d) Failure to maintain performance results in withdrawal of insourcing income from NCC
e) Right to Buy becomes more affordable and easier for tenants, reducing NCC stock and NCH rental income. f) The introduction of Universal Credit impacts on tenants' ability to afford rents, and directs rents payments directly to them, requiring additional resources to maintain rent collection at current levels. g) The Company does not carry out regular or structured stress testing to ensure that it remains financially viable in the event of severe income variations, resulting in potential income shortfalls and failure to meet HCA's Financial Viability Standard h) Increases in inflation rates create additional costs (for services and materials) and an expectation for increased staff pay, while implementing government cuts in public service spending. i) Pensions deficits are unaffordable, and create additional financial burdens on the organisation j) Interest rates increase creating additional burdens on debt repayments k) Property values decrease (or East Midlands property values fall behind national averages) l) Increasing energy supply costs (e.g. oil / gas / electricity) create additional overheads for running a business, and increase fuel poverty amongst residents 3. HEALTH AND SAFETY A failure to manage risk, comply with statutory requirements or plan effectively for emergencies results in severe injury, ill-health or fatality, legal action or inability to deliver services a) Employees or residents are severely injured or incapacitated as a result of the company's activities, resulting in extended lost time and employer's / public liability claims. b) The company fails to meet its statutory health and safety and fire safety obligations (including gas servicing), resulting in prosecution or public censure 4. BUSINESS CONTINUITY A failure to plan effectively for emergencies results in threats to residents' welfare, loss of homes or a temporary inability to deliver services a) Business continuity risks are not recognised or managed, resulting in business disruption following an unexpected event.
b) NCH fails to plan for and resource its response to emergencies, resulting in poor response, increased risk to employees and customers and reputational damage c) Strike or other industrial action (e.g. fuel strikes) reduces or prevents NCH service delivery.
5. RELATIONSHIPS WITH CUSTOMERS & KEY STAKEHOLDERS Poor performance, customer service and relationships with stakeholders results in loss of confidence in the company to meet its objectives a) Poor performance and customer service creates dissatisfaction and failure to retain confidence of key stakeholders, particularly the City Council b) Poor relationship with local press and failure to promote company's achievements creates a detrimental public image 6. EMPLOYEE ENGAGEMENT A lack of consistent leadership and employee engagement or diminishing terms and conditions of employment lead to loss of employee confidence, reducing morale and an inability to retain / recruit competent employees a) Ineffective employee relations, reductions in training budgets and poor leadership creates a failure to maintain a competent and motivated workforce b) The cumulative effects of changes to terms and conditions, pensions and pay freezes creates uncompetitive terms and conditions, resulting in increased staff turnover and failure to recruit competent employees 7. CHANGES IN POLICY OR LEGISLATION Adverse or frequent changes to government [or NCC] housing policy and / or legislation [in particular the Housing Bill] creates additional burdens on resources, an inability to plan effectively for the future, and loss of income or loss of identity / assets a) The introduction of Pay-to-Stay requires additional resources to track household incomes and amend rent payments, and encourages higher income families to exercise Right to Buy. b) NCC is forced to sell off higher value properties, reducing the numbers and desirability of its housing stock. c) Frequent changes to legislation and policy prevent effective planning for the future. 8. INFORMATION & COMMUNICATIONS TECHNOLOGY [ICT] Loss of data, failure of networks or operating systems, insufficient data security or a failure to invest in technological improvements prevents efficient delivery of services or results in legal action a) Critical ICT systems and data are not backed up securely, resulting in significant data loss or inability to provide effective services.
b) ICT projects and system improvements are not delivered as planned, causing delays to major projects and additional costs c) Inadequate ICT security allows data theft, fraud and malware infections of NCH and customer information. d) ICT databases and web pages are not kept up to date or contain incorrect information, resulting in poor customer services and experience e) Failure to match company requirements and ICT systems results in inefficient service delivery. 9. BUSINESS DEVELOPMENT NCH fails to diversify, compete effectively in open markets or manage the risks associated with new business activities, resulting in a reducing core business, poor investments and loss of confidence in the organisation a) Our failure to identify new business opportunities and to grow and diversify appropriately results in a net reduction of the company's business and assets. b) A failure to identify and manage the risks attached to new business results in financial loss or reputational damage for Nottingham City Homes c) A lack of commercial awareness and expertise at Board and Executive Management level results in early failure of new business models d) Competition and other market forces impact on the success and profitability of new business ventures e) Forced sale of new build homes at below market rates through RTB leaves NCH with outstanding debt and no rental income for affected properties. f) Inability to acquire land suitable for development in Nottingham reduces scope and increases cost of new build programmes Back to report
APPENDIX 4: CURRENT AND ALTERNATIVE RISK MATRIX The current risk matrix is on a 5x5 scale, indicating consequence vs likelihood: 5 Likelihood 4 3 2 1 1 2 3 4 5 Impact The advantages of this matrix are: - it is a recognised industry standard - it is familiar to employees who already use Covalent - it is familiar to Board / EMT who receive risk management reports. The main disadvantage of this matrix is that people will tend to assess likelihood and consequence at 3 because it is easier than making a decision either way. This artificially centres risks around the median. For example, the matrix above right shows the current spread of risks as reported by our existing CRR. EMT recommends a 4x4 matrix: Likelihood 4 3 2 1 1 2 3 4 Impact Likelihood 4 Simple controls. 3 2 1 Audit. Urgent measures. Prevent or avoid. Insurance. Accept. Contingency planning. 1 2 3 4 Impact The advantages of this matrix are: - it forces people to make a decision either way - the spread of high, medium and low risk is more intuitive. - It is easier to see how risk should be treated. For example, the matrix above right shows how the Board might elect to treat risks in the CRR.
The main disadvantage of this matrix is its unfamiliarity, and that it is not the one currently used in Covalent (although this can be changed in-house relatively easily) For reference, the numbers for likelihood and impact ratings need to mean something. At the moment, impact is only expressed as financial loss or delays to programmes. It is desirable to include legal and reputational impact, and to score likelihood in terms that people can easily relate to. The scores could look something like this: Likelihood: in any 12 month period Rating Description 4. Almost Certain Is expected to occur I would bet my house on it 3. Likely More likely to occur than not I expect this to happen sooner or later 2. Unlikely Is less likely to occur than not I would be surprised if this happened 1. Remote Is very unlikely to occur, but not impossible I m almost certain that this won t happen Impact: most likely outcome Rating On objectives Financial loss Reputational Legal 4: Catastrophic Unable to meet multiple objectives > 5m Non-rescuable situation; may require Board resignation Prosecution of organisation and / or senior managers 3: Major Delays or adjustments to multiple objectives 2: Minor Delays or adjustments to single objective 1-5m Severe, sustained damage at sector level; may require CE resignation 250k - 1m Sustained damage at local level; may require internal investigation 1: Negligible No effect < 250k Single article at local level District Auditor / HCA investigation; possible referral to CPA Enforcement action: prohibition or improvement notice No action: advisory letter or fixed penalty. Back to report
APPENDIX 5: CURRENT AND ALTERNATIVE STATEMENT OF RISK APPETITE Existing statement on risk appetite taken from the Risk Management Framework Acceptable Risk Risk appetite is the extent to which NCH is prepared to tolerate risk and take on additional risk in order to achieve its objectives. As a general principle, NCH will seek to eliminate and control all those risks which could: - Impact on its ability to meet its Corporate Objectives; - Have a substantial adverse financial impact; - Cause a loss of public confidence in NCH from stakeholders, - Prevent it from meeting its obligations under the Partnership Agreement. Risk cannot always be eliminated completely, but can usually be reduced to an acceptable level and changing nothing could itself be a high-risk strategy. What constitutes an acceptable level of risk will be subject to discussion by the Board. It is important to strike the right balance between how much it costs to manage risk and the exposure of taking no action. The most cost-effective controls should be in place for each risk, with managers having considered the cost against the benefit of the control. This means that certain risks will always have an impact on the organisation because the cost of reducing the risk is higher than the cost of the risk actually occurring. NCH works in a sector of considerable political and social importance and it would be inconsistent with NCH s vision, purpose and objectives, to just take risks in order to secure high financial returns. Suggested alternative statement Risk Appetite Risk appetite is the extent to which NCH is prepared to tolerate risk and take on additional risk in order to achieve its objectives. As a general principle, NCH will seek to control to an acceptable level all those risks which could substantially: - impact on its ability to meet its Corporate Objectives; - have an adverse financial impact; - cause a loss of public confidence in NCH from stakeholders; - prevent it from meeting its obligations under the Partnership Agreement; - bring the organisation into disrepute; - cause the organisation to be in breach of its legal obligations; or: - restrict the organisations capacity to grow and diversify. What constitutes an acceptable level of risk is a matter reserved for Board. Board will therefore set a target for each of the risks in the Corporate Risk Register, and keep that target under review. Board may wish to set targets that require stricter controls for some
risks, for example those relating to statutory requirements and reputational risks, than for others such as developing new business, where more flexibility is desirable. Our Risk Management Group will provide regular reports to Board and its Audit Committee about risks that exceed the Board s stated risk appetite, progress towards achieving targets set by Board, and variations from expected performance. Back to report