Contents
Foreword
3
Statement of Intent
4
Part 1 The Risk and Opportunity Management Framework
1.1
Introduction
4
1.2
Process
5
Part 2 Identification
2.1
Identification
5
Part 3 Evaluation
3.1
Introduction
9
3.2
Risk and Opportunity Matrix
10
Part 4 Management
4.1
Introduction
13
4.2
Resource and Cost Benefit Analysis
14
4.3
Risk and Opportunity Register
15
4.4
Risk and Opportunity Escalation
15
Part 5 Review
5.1
Review
16
Part 6 Roles and Responsibilities
6.1
Political Accountability
18
6.2
Managerial Accountability
18
6.3
Staff Accountability
19
6.4
Corporate Accountability
20
6.5
Other Accountability
20
Glossary
21
Appendix 1 – Risk and Opportunity Template
22
Appendix 2 – Risk Example
23
3
Foreword
Thurrock’s character and personality has formed and evolved over centuries as agriculture, industry and the river have shaped the landscape, the make-up of its people and the quality of life. The enduring characteristics of those who live or have lived and worked in the borough – enterprise, resilience, opportunism, adaptability – represent a strength of spirit. It is this spirit that will drive a new tone and a fresh relationship between the council and everyone it does business with and is captured in the council’s vision and priorities:
“We want Thurrock to be the dynamic heart of the Thames Gateway, a place of ambition, enterprise and opportunity, where communities and businesses flourish and the quality of life for local people is continually improving.
1. Improve the education and skills of local people
2. Encourage and promote job creation and economic prosperity 3. Ensure a safe, clean and green environment
4. Provide and commission high quality and accessible services that meet, wherever possible, individual needs
5. Build pride, respect and responsibility in Thurrock’s communities and its residents.”
2011 is the 75th anniversary of Thurrock as a Borough and marks the start of a new phase of opportunity for the next generation – the next generation of young people, older people, families, vulnerable people – the next generation of people who have an opportunity to benefit from the future prosperity of the
borough.
The current regeneration programme will once again change the landscape, with the expansion of retail and Lakeside, the creation of the biggest container port in Europe, the Royal Opera House Production Park and performing arts, to name a few. All of these will bring new jobs and fresh opportunities for the future.
How people feel about where they live, how they feel about their public services, how they feel about themselves will be central to creating a collective sense of identity and direction. One in which people aspire for themselves and for their families to do well in their education, are equipped to take on the new and different types of jobs available, have the best possible quality of life and are proud of where they live.
Thurrock Council will be changing and adapting to help achieve this, enabling and facilitating change, preparing its residents for the new opportunities, engaging and involving, more in tune and in touch with the needs of local residents, partners, businesses and its employees, aligning expectations and
aspirations.
The current economic downturn provides an opportunity and a catalyst for operating differently and valuing the perspectives of everyone who has a stake in the future of the Borough.
Success will be characterised by us being a confident, well-managed and influential
council, regarded by residents, peers and partners as ambitious for the people of Thurrock and totally focussed on meeting its current and future aspirations.
The aim of the risk and opportunity policy, framework and strategy is to improve the Council’s ability to deliver these ambitions by managing the risk to and the opportunities for the achievement of the Council’s priorities and objectives.
Policy Statement
The Council’s Risk and Opportunity Management Framework and Strategy aims to apply good practice to the identification, evaluation and management of the risks to and opportunities for the achievement of the Council’s priorities and objectives.
The Risk and Opportunity Management Framework and Strategy will be reviewed each year against good practice to ensure that they are fit for purpose and continue to drive forward a robust approach to risk and opportunity management.
This framework and strategy explains the Council’s approach to risk and opportunity management and the arrangements that will operate to ensure that risks and opportunities are effectively identified, evaluated and managed.
Part 1 – The Risk and Opportunity Management Framework
1.1 Introduction
The management of risk and opportunity is now acknowledged as a feature of public sector
management. It is an integral part of the Council’s Corporate Governance arrangements and the Council has a statutory responsibility under the Account and Audit Regulations to put in place arrangements for the management of risks.
Risk and opportunity management describes the approach used to identify, evaluate and manage the whole range of business risks and opportunities facing an organisation.
Thurrock Council’s definition of Risk and Opportunity Management is:
“the planned and systematic approach to identify, evaluate and manage the risk to and the opportunities for the achievement of objectives”
The Council’s aim for risk and opportunity management is to:
• Embed risk and opportunity management into the culture of the Council.
• Integrate risk and opportunity management with other management practices to ensure that risk and opportunities are managed effectively at strategic and operational level & for all key projects and partnerships.
• Identify and effectively manage the key risks and opportunities facing the Council.
• Maximise the opportunities for the achievement of objectives and minimise the risk of service failure. • Learn from opportunity outcomes and risk failures to improve risk and opportunity management
awareness, systems and processes.
• Support Members and managers in carrying out their responsibilities. • Support the decision making process at all levels within the Council.
• Ensure that effective risk and opportunity management arrangements are in place to support the Annual Governance Statement and Corporate Governance arrangements.
• To comply with the requirements of the Account & Audit Regulations.
The risk and opportunity management process is designed to ensure that the key risks to, and the opportunities for, the achievement of objectives are identified and managed. Too little awareness and management of these key issues can impact on performance but an obsessive level of management of all possible risk and opportunity could easily overwhelm the Council. Between these two extremes is a turning point, a balanced area of high performance through the sensible management of risk and opportunity and this is the status the Council aims to achieve through implementation of its Risk and Opportunity Management Policy, Framework and Strategy.
5 Sensible management of risk and opportunity to add value
1.2 Process
The Council has a four-step cycle for identifying, evaluating, managing and reviewing risk/opportunity. The process is outlined below and described in subsequent parts of the framework.
Risk and Opportunity Management Process
Part 2 – Identification
2.1 Identification
What is a risk or opportunity? A risk or opportunity is:
The initial stage of risk and opportunity management sets out to identify the exposure to these
uncertainties. This requires knowledge of the service, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to success and the achievement of objectives.
Corporate objectives are set out in the Corporate Plan/Medium Term Financial Strategy and Service objectives are shown in Service Plans. Service plans outline how the service contributes to delivering the corporate objectives. They also include details of any corporate or cross cutting objectives that directly or indirectly affect the service as well as any objectives for key projects that the service is responsible for, or contributing to during the course of the year.
There are likely to be some risks or opportunities that could have adverse or beneficial effects on the achievement of objectives. The establishment of a Service Risk and Opportunity Register proactively manages the main risks and opportunities that services face and helps the Council identify and manage priority issues. The priority issues that have corporate or strategic significance will then feed directly into the Strategic/Corporate Risk and Opportunity Register. For this reason it is important that every service and key project has an up to date and regularly reviewed Risk and Opportunity Register.
The starting point for services should be the corporate objectives as shown in the Corporate
Plan/Medium Term Financial Strategy and the service objectives set out in the service plan. There will be overlap here as the service is delivering corporate objectives. There will also be some cross cutting corporate objectives that impact on the service, as well as objectives that the service has for key
projects. Key project risks or opportunities may be contained within the service or the corporate/strategic risk and opportunity register as well as the project risk and opportunity register.
It is clear that only those risks and opportunities that have been identified can be managed, therefore the more comprehensive the approach to identification, the better placed the service will be to manage risk and opportunity.
The diagram below outlines some of the key categories of risk and opportunity facing the Council.
Categories of Risk and Opportunity
The tables on pages 7 to 8 provide some further information and examples of issues that may arise for each of the categories. The categories are neither prescriptive nor exhaustive but provide a prompt for identifying a broad range of risks/opportunities facing the Council and draws on identification techniques such as PESTLE (Political, Economic, Social, Technical, Legal, Environmental), Operational and SWOT (strengths, weaknesses, opportunities and threats) analyses.
7 PESTLE Analysis
Arising from the political situation
P
o
li
ti
c
a
l.
• • Change in Government Policy Change of Local Policy and Strategic Priorities • Delivery of policy and priorities.• Election cycles • Political make-up • Leadership issues. • Decision making structure • Political personalities
• Political uncertainty (e.g. challenging decisions with significant political consequences or local repercussions).
• Response to potential transformation in local government • Reputation
Arising from the national, local and organization specific economic situation
E
c
o
n
o
m
ic
.
• Treasury – Investments, reforms, budget cuts. • General and regional economic situation. • Prolonged recession and recovery.• Borrowing, lending situations, investments and interest rates. • Budgetary position.
• Key employment sectors (existing and future). • Poverty indicators.
• Demand predications (e.g. on demand led services like social care).
• Competition between suppliers and the affect on service/pricing. • Increase employment, education and training
• Impact on regeneration schemes
Arising from national and local demographics and social trends
S
o
c
ia
l.
• Demographic profile (age, race, etc).
• Social changes – needs, expectations and attitudes
• Residential patterns / profile (e.g. commuter belt, state of housing stock, public/private mix).
• Health statistics/trends – health inequalities. • Leisure and cultural provision.
• Crime statistics/trends. • Children at risk
• Older people – ageing population. • Employment.
• Life-long learning. • Regeneration.
• Disadvantaged groups or communities.
Arising from technological change and organizational technological situation
T
e
c
h
n
o
lo
g
ic
a
l.
• Technological strategy• Technological change/advance – capacity to deal with change/advance.
• Current use of/reliance on technology. • Current or proposed technology partners. • State of architecture.
• Obsolescence of technology. • Current performance and reliability.
• Security and standards
• Resilience, back up and disaster recovery arrangements. • Technological demand – customer needs and expectations • Technological support for innovation.
• Procurement of best technology and sustainability of systems. • Data security/protection – Council and supply chain partners with who
information is transferred or shared.
Arising from current and potential legal changes and the organisation’s regulatory information.
L
e
g
is
la
ti
v
e
/
R
e
g
u
la
to
ry
.
• New and existing legislation – National and European Law • Inspection/Regulators (e.g. CSCI, OFSTED).• Regulation – Self Regulation, Governance Standards • European Directives – e.g. procurement
• Localism Bill
• Impact of the Health Reform • Impact of the Police Reform • Equality Act
• Human Rights • Employment Law • Health & Safety
• Section 17 Crime & Disorder Act
• Civil Contingencies Act – Category 1 Responder statutory duty. • Statutory duties - Capability & capacity to meet duties
Arising from inherent issues concerned with the physical environmental.
E
n
v
ir
o
n
m
e
n
ta
l
• Nature of environment (e.g. urban, rural). • Land use – green belt, brown field sites. • Waste disposal and recycling issues.
• Exposure to drainage problems (e.g. flooding, subsidence). • Pollution (e.g. emissions, noise).
• Climate Change and impact of severe weather (e.g. flood, heat wave, drought, snow).
• Carbon Reduction
• Energy Efficiency
• Traffic congestion and emissions.
• Encourage the use of public transport, cycling, walking, etc.
• Crime & disorder – e.g. Reduce crime, ASB, fly tipping, vandalism ( & the fear of crime).
Operational Analysis
Arising from the organisation’s competitive spirit and the competitiveness of services, etc.
C
o
m
p
e
ti
ti
v
e
.
• Benchmarking.• Relationships with neighbours and partners, e.g. competitive or collaborative.
• Plaudits held/sought, e.g. LGC awards. • Success in securing funding. • Nature of service provision.
• Competition for service users. e.g. car parks. • Value for money – cost & quality of service.
• Public Service model against Private Sector, Other Agency or Community model.
Arising from the need to meet current & changing needs or expectations of customers and citizens.
C
u
s
to
m
e
r
/
C
it
ize
n
.
• • Customer Care Extent and nature of consultation with/involvement of community. • Demographics – analysis, understanding.• Relationship with community leaders and groups.
• Service delivery – response, feedback, complaints, compliments. • Community Cohesion
• Visibility of services e.g. refuse collection, street cleaning, etc. • Public and media communication
• Consultation and communication of service changes to stakeholders • Reputation management – Retain public trust and confidence in the Council
and its services.
• Complaints and Compliments – e.g. Increase in complaint numbers, learning from complaints or compliments.
Arising from the need to be managerially and professionally competent.
P
ro
fe
s
s
io
n
a
l
/
M
a
n
a
g
e
ri
a
l.
• Views arising from peer reviews – e.g. internal audit, consultancy review, etc.• Professional/managerial standing of key officers. • Stability of officer structure/management teams. • Competency and capacity – Organisational and Individual. • Key staff changes and personalities.
• Turnover, recruitment and retention, talent management & succession planning.
• Workforce planning & development - Right skills, people & employee capacity • Management Capacity – Change, Financial, Performance, Risk/Opportunity,
Asset & Crisis Management and management of key partnerships/contracts • Management frameworks & processes – efficient, effective.
• Mission, Vision and Values.
• Statutory duties – Capability and capacity to meet duties.
• Organisational change and Transformation of the Council & Services.
Arising from the financial planning and control framework.
F
in
a
n
c
ia
l.
• Funding from Government and other external funding • Financial situation of authority and level of reserves. • Budgetary policy and control.• Delegation of budget and financial disciplines. • Monitoring and reporting systems.
• Control weaknesses – anti fraud & corruption • Income and Revenue. Capital Programme.
• Procurement – e.g. Consortium purchase schemes, reduced market.
• Insurance – adequacy of covers, level of self-funding, deductibles, etc. • Fraud/bribery/corruption and impact of compensation culture. • Interest rates, inflation, income tax, asset values, etc. • Efficiency, invest in priorities, disinvestments non-priority areas.
• Short term budget challenges v long term challenges – strategic planning of budget cuts.
• Impact of prolonged recession.
• Statutory duties – Resource / capacity to meet duties
Arising form changes to legislation and / or possible breaches of legislation.
L
e
g
a
l.
• Legal challenges, judicial review • Adequacy of legal support.
• Boundaries of corporate & personal liabilities.
• Sufficient reserves to defend legal challenge or unrecorded liabilities. • Damage to reputation arising from legislation breach.
• Partnerships – Legal Liabilities, contractual liabilities. • Employment disputes
Arising from physical hazards or possible gains associated with people, land, buildings, vehicles, plant & equipment.
P
h
y
s
ic
a
l.
• Commitment to health, safety and well being of staff, partners and the community.• Assets - Nature and state of asset base, including record keeping. • Accident and incident record keeping.
• Maintenance practices. • Resilience & Business Continuity
• Security - staff, assets, buildings, equipment, plant, machinery, vehicles, data and information, etc
• Health - improve health, reduce health inequalities & promote healthy lifestyles • Staff morale and sickness absence (e.g. stress)
• Community Resilience to major incidents • Employment or industrial disputes.
• Safeguarding vulnerable people – e.g. children, young people, adults.
Arising from partnerships and contracts.
P
a
rt
n
e
rs
h
ip
/
C
o
n
tr
a
c
tu
a
l.
• Relationships with partners/contractors• Accountability frameworks and partnership boundaries. • Outsourcing and Insourcing.
• Shared resource or services
• Procurement arrangements / contract renewal policy. • Performance of partnerships/contractors
• Partnership resilience – business continuity arrangements. • Performance/client management of partnerships/suppliers - capacity.
• Legal and contractual liabilities.
• Partner or supply chain failure – e.g. financial, data loss, governance, etc • Reputation management – e.g. Third party supply chain failure. • Strategic Commissioning of Services – Capacity, experience expertise. • Change control and exit strategy arrangements
• Impact of local public services cuts on the community and partner organizations • Joint projects
9 The risks and opportunities identified need to be recorded in structured format. A description covering the Cause, Event and Effect is used to scope a risk or opportunity. Some typical phrasing or statements are outlined below:
Cause / Event / Effect Because of …
As a result of … Due to …
<an uncertain event i.e. risk or
opportunity> may occur, … … which would lead to <effect on objective(s)>
Event / Cause / Effect Risk of … Failure to … Failure of … Lack of … Loss of … Uncertainty of … Delay in … Inability to … Inadequate … Partnership with … Development of … Opportunity to …
… due to … … leads to … and/or … results in …
Part 3 – Evaluation
3.1 Evaluation
Stage 1 - Unmanaged Risk / Opportunity
Once the risk or opportunity has been identified and defined the issue needs to be evaluated without any controls, actions or management arrangements in place to establish the Inherent risk/opportunity rating. The diagram below provides an illustration of how risks and opportunities are recorded for the initial evaluation. Enter Risk/Opportunity description and date identified in the template.
Stage 1 – Unmanaged Risk / Opportunity (inherent R/O rating) No. Risk or Opportunity Description
1. The Council faces a budget shortfall for the financial year ending 31/03/11 with the impact of reductions in public spending and the recession. Failure to develop effective short to medium term plans to manage the position leads to financial difficulties, service pressures and a breakdown in the pursuit of the Council’s priorities, resulting in poor delivery of the Council’s objectives/services.
Date Identified 21/10/2009 Inherent R/O Rating Critical / Very High Template and example for Stage 1.
By using the ‘Criteria Guide for Impact and Likelihood Ratings’ table on pages 11 and 12 the potential impact and the likelihood of the issue occurring without any controls, action or management
arrangements in place can be determined.
The potential impact of risk is expressed in terms of: (I) Critical, (II) Substantial, (III) Marginal, (IV)
Negligible and determined by considering the risk and the consequences (effects) outlined in the risk description.
The potential impact of opportunity is expressed in terms of: (I) Exceptional, (II) Major, (III) Moderate,
(IV) Minor and determined by considering the opportunity and the benefits (effects) outlined in the opportunity description.
The likelihood of the risk or opportunity occurring is expressed in terms of: (A) Very High, (B) High,
(C) Significant, (D) Low, (E) Very Low, (F) Almost Impossible and determined by considering the risk or opportunity description.
The results of the evaluation of impact and likelihood should be recorded in the Inherent R/O Rating column of the template.
Stage 2 – Current Risk / Opportunity
The risk or opportunity identified in stage 1 is now re-assessed to take into account what is currently in place to manage the issue (e.g. mitigate the risk or maximize the opportunity). These controls or actions including dates for when the controls/actions were commenced and /or completed should be recorded in the Current Control/Action column in stage 2 of the template.
Stage 2 – Current Risk / Opportunity
(residual R/O rating) - see below Residual R/O Rating Critical / High
Current Controls or Action Assurance on Controls / Action
1. Develop by July 2010 the medium term financial strategy (MTFS) to ensure financial pressures are known & transparent
1. Regularly reviewed by the Head of Corp. Finance & Director of Finance & Corporate Governance
Template and example for Stage 2.
Assurance details of what is in place to check that the management controls or actions are working, appropriately and effectively should be recorded in the Assurance in Place column of the template. Frequency of the assurance arrangements should be included, where appropriate.
Assurance is normally obtained through performance monitoring or management review arrangements. If there are any gaps, further action should be taken to check that the current management
arrangements are working properly and effectively. When all the current controls or actions and
assurance arrangements are determined the risk or opportunity can be re-assessed by using the Criteria Guide for Impact and Likelihood Ratings table on pages 11 and 12. The assessment should reflect the Council’s current position in relation to the risk or opportunity.
The potential impact of risk is determined by the risk, consequences (effects) and the current controls,
action or management arrangements in place.
The potential impact of opportunity is determined by the opportunity, benefits (effects) and the current
action or management arrangements in place.
The likelihood of risk or opportunity occurring is determined by considering the risk or opportunity
description and the current controls, action and management arrangements that are in place.
The results of the evaluation of impact and likelihood should be recorded in the Residual R/O Rating column of the template.
3.2 Risk and Opportunity Matrix
The results of the likelihood and impact assessments should be recorded on the Risk and Opportunity Matrix by using the risk/opportunity number as a reference. The Matrix and Criteria Guide for Likelihood and Impact Levels on pages 11 and 12 outlines the Council’s appetite for risk and opportunity and is used to prioritize the issues identified. The Red, Amber and Blue indicators in the matrix show the
hierarchy of risk and opportunity. Red shows those areas of risk/opportunity that are high priority, Amber
medium priority and Blue low priority.
11
Risk
Opportunity
Negative
Impact
Description
Positive
Impact
Description
I
Critical
• Inability to deliver a no. of org’l priorities or strategic obj’s. • Major disruption to a number of important services. • Loss of life.
• Extensive coverage in national press and broadsheet editorial and/or national TV.
• Major local & significant national/international env. damage. • Huge financial loss >£1M in a year.
• Huge impact on ability to achieve the project’s objectives. • Huge disruption to project.
I
Exceptional
• Exceptional improvement to service(s) (e.g. quality, level, speed, cost, etc) and/or delivery of strategic objectives/priorities • National or international partnership initiative/arrangement • Extensive positive coverage in national press and broadsheet
editorial and/or national TV.
• Major improvement to local or national/international environment. • Income and/or savings of >£500K.
• Exceptional savings of resource (e.g. time, labour)
II
Substantial
• Inability to deliver an org’l priority or strategic objective. • Major disruption to important service.
• Extensive/multiple injuries
• Coverage in national press &/or low coverage on national TV • Major damage to local environment.
• Major financial loss >£500K - <£1M in a year
• Major impact on ability to achieve the project’s objectives. • Major disruption to project.
II
Major
• Major improvement to service(s) (e.g. quality, level, speed, cost, etc) and/or delivery of strategic objective/priority.
• Regional partnership initiative/arrangement.
• Positive coverage in national (broadsheet) press and/or low coverage on national TV
• Major improvement to local environment. • Income and/or savings of >£250K - <£500K. • Major savings of resource (e.g. time, labour).
III
Marginal
• Inability to deliver a service objective that is not key to the delivery of an organisational priority or objective. • Significant disruption to important service. • Major disruption to non-crucial service. • Serious injury (medical treatment required).
• Extensive and/or front-page coverage in local press and/or minimal coverage in national tabloid press/TV.
• Moderate damage to local environment. • High financial loss >£100K - <£500K in a year.
• Moderate impact on ability to achieve the project’s objectives. • Moderate disruption to project.
III
Moderate
• Moderate improvement to service(s) (e.g. quality, level, speed, cost, etc) and/or delivery of strategic objective/priority.
• Borough or County wide level partnership initiative/arrangement. • Positive coverage in local press (e.g. extensive or front page) in
local press and/or minimal coverage in national tabloid press/TV. • Moderate improvement to local environment.
• Income and/or savings of >£100K - <£250K. • Moderate savings of resource (e.g. time, labour).
IV
Negligible
• Inability to deliver team/individual objective that is not key to the delivery of an organisational priority or objective. • Minor impact on delivery of strategy or operational activities • Brief disruption of important service.
• Minor/significant disruption to non-crucial service. • Minor injury (first aid treatment)
• Minimal reputation damage (minimal coverage local press). • Insignificant or minor damage to local environment. • Low or medium financial loss <£100K in a year.
• Minor impact on ability to achieve the project’s objectives. • Minor disruption to project.
IV
Minor
• Minor improvement to service and/or delivery of strategic objective/priority.
• Local level partnership initiative/arrangement • Minimal positive coverage in local press. • Minor improvement to local environment. • Income and/or savings of <£100K.
• Minor savings of resource (e.g. time, labour).
Risk
Opportunity
Likelihood
Description
Likelihood
Description
A
Very High
• More than 90% chance of occurrence. • Is expected to occur in most circumstances • Occurs on a daily/weekly basis.
A
Very High
• More than 90% chance of happening.
• A clear opportunity already apparent, which can easily be achieved with a bit of further work or management. • Achievable in under 6 months
B
High
• Between 65% and 90% chance of occurrence.
• Will probably occur at some time or in most circumstances. • Occurs on a monthly/quarterly basis.
B
High
• Between 65% and 90% chance of happening
• An opportunity that has been explored and may be achievable but which will require some further work or management. • Achievable between 6months to 1 year (12 months)
C
Significant
• Between 40% and 65% chance of occurrence.
• Fairly likely to occur at some time or in some circumstances. • Occurs on an annual basis.
C
Significant
• Between 40% and 65% chance of happening.
• Possible opportunity identified, but as yet to be fully investigated and require further work or management.
• Achievable between 1 to 2 years
D
Low
• Between 10% and 40% chance of occurrence. • Fairly unlikely to occur, but could occur at some time. • Occurs once every two years.
D
Low
• Between 10% and 40% chance of happening
• Opportunity that is fairly unlikely to happen that will need full investigation and require considerable work or management. • Achievable between 2 to 3 years
E
Very Low
• Between 1% and 10% chance of occurrence. • Is unlikely to occur but could occur at some time. • Occurs once every three years.
E
Very Low
• Between 1% and 10% chance of happening
• Opportunity that is unlikely to happen that will need full investigation and require considerable work or management. • Achievable between 3 to 4 years
F
Almost
Impossible
• Less than 1% chance of occurrence. • May occur only in exceptional circumstances. • Has never or very rarely happened before.
F
Almost
Impossible
• Less than 1% chance of happening.
• Opportunity that is very unlikely to happen that will need full investigation and require considerable work or management. • Achievable in above 4 years
Criteria Guide for Likelihood Levels
Risk Opportunity
Very High A 20 40 80 100 100 80 40 20 A Very High
High B 18 36 72 90 REDHigh Priority 90 72 36 18 B High
Significant C 16 32 64 80 80 64 32 16 C Significant
Low D 12 24 48 60 AMBER Medium Priority 60 48 24 12 D Low
Very Low E 4 8 16 20 20 16 8 4 E Very Low
Almost Impossible F 2 4 8 10 BLUE Low Priority 10 8 4 2 F Almost Impossible
IV III II I I II III IV
RA
B RAB Priority Rating Score
High 64 - 100 Medium 32 - 63 N e g lig ib le M a rg in a l S u b s ta n ti a l C ri ti c a l Ex c e p tio n a l M a jo r M o d e ra te M in o r Low 1 - 31 Risk & Opportunity Matrix – (with priority classifications and the rating scores contained on InPhase, Performance Plus).
13
Part 4 - Management
4.1 Management
Under the management stage response strategies are established for the high, medium and low priority
issues and plans developed to implement the chosen strategies.
The management response strategies for Risk and Opportunity are outlined in the following table:
Risk Management Response Strategies
Opportunity Management Response Strategies
Mitigate – Reducing the size of the risk in order to make it more acceptable by reducing the likelihood and/or impact.
Accept – Recognizing that some risks must be taken and responding either actively by allocating appropriate contingency arrangements (* see note below), or passively doing nothing except for monitoring the status of the risk.
Transfer – Identifying another stakeholder better able to manage the risk, to which the responsibility can be passed.
Avoid – Eliminate the uncertainty by making it impossible for the risk to occur (e.g. discontinue activity), or by executing a different approach to eliminate the risk.
Enhance – Seek to increase the likelihood and/or the impact of the opportunity in order to maximize the benefit.
Ignore – Minor opportunities can be ignored, by
adopting a reactive approach without taking any explicit actions.
Share – Seek a partner/stakeholder able to manage the opportunity, which can maximize the likelihood of it happening and increase the potential benefits.
Exploit – Seek to make the opportunity definitely happen. Aggressive measures to ensure the benefits from the opportunity are realized.
* Contingency arrangements – Any risk could suddenly be realised and become a significant issue, even those
that have been assessed as having relatively low likelihood. There is a need to consider, in advance, what action to take if a risk develops or a crisis occurs and these contingency arrangements are an essential part of the management response stage. Contingency arrangements should be considered for all risks, which have been assessed as either Critical or Substantial impact, irrespective of the potential likelihood levels, and any plans developed should be rehearsed or validated to ensure they cater for the eventuality.
The issues contained in the matrix can be a mix of pure risks and opportunities that are unrelated to any other items, opportunities with related risks and risks with related opportunities. Once this is established and the links created the management response strategies for each situation can then be determined and prioritised. Examples include:
Situation Management Response Strategy
High Priority Opportunity (pure opportunity
with no related risks)
Check findings to ensure correct. If substantiated exploit the opportunity if possible.
High Priority Risk (pure risk with no related
opportunity)
Check findings to ensure correct. If substantiated mitigate or avoid the risk if possible.
High Priority Opportunity matched by Low Priority Risk
Check findings and current controls for risk to ensure correct. If substantiated exploit opportunity if possible.
High Priority Opportunity held back by High Priority Risk
Check findings to ensure correct. If substantiated undertake analysis on what can be done to mitigate or reduce the risk so that the opportunity can be exploited.
Low Priority Opportunity matched by Low Priority Risk
Check current controls for risk to ensure correct. If substantiated undertake analysis on what can be done to enhance the opportunity.
Low Priority Opportunity matched by High Priority Risk
The risk is high and the opportunity is low. This suggests that the risk should be avoided by ignoring the opportunity.
Management response strategies – Opportunity v Risk.
4.2 Resource and Cost/Benefit Analysis
The management stage develops responses to identified risk and opportunities, which are appropriate, achievable and affordable. An evaluation of the resource and funding available to manage potential risks and opportunities is a key part of the management stage. There will be some occasions when the cost of the response will outweigh the benefits accrued as a result of the proposed action to be taken. An
assessment of the cost/benefit of implementing the response should be carried out as part of the management stage. Resourcing the response to risk and opportunity should be considered as part of the service planning and financial management arrangements and any medium to long term resource implications identified incorporated in the Medium Term Financial Strategy.
Stage 3 – Target Risk/Opportunity
When the management response strategies and plans to the risk and opportunities have been
determined the details can be recorded in the Further Controls or Action column of Stage 3 of the template, including dates for when the planned controls/action are to commence and/or be completed.
Stage 3 – Target Risk / Opportunity
Further Controls or Action Assurance on Controls / Action
2. Promote/publicise the understanding of the efficiency agenda across the Council from Oct 2009 to reduce cost & improve services. 3. Bring forward the budget timetable to ensure decisions on increases to income, efficiencies & reductions to services can be planned & implemented in a timely fashion (from March 2010).
4. Integrate the MTFS with Council Strategies by Dec 2010 to
maximize the likelihood of achieving the corporate plan priorities/obj’s. 5. Develop the Monthly Budget monitoring reports from /during March 2010 to concentrate on high value or high risk areas.
2. Monitored and reviewed by Procurement (and Efficiency) Board.
3. Regularly reviewed by the Head of Corporate Finance and Director of Finance and Corporate Governance and monitored by Finance Board. 4. Regularly reviewed by the HoCF and DoF&CG and monitored by Directors Board (DB).
5. Regularly reviewed by the HoCF and DoF&CG and monitored by FB and DB.
Target End Date 31/03/2011 Target R/O Rating Critical / Low Template and example for Stage 3.
Actions linked to providing assurance against the further management response arrangements should also be included under the Assurance on Controls/Action column, including frequency of assurance arrangements, where appropriate.
15 The risk or opportunity should then be reassessed using the Matrix and Criteria Guide for impact and likelihood ratings on pages 11 and 12 to determine the Target R/O Rating. This assessment should take into account all controls/actions identified in Stage 2 and the agreed further controls/action in Stage 3. This provides a target of the future rating that will be achieved when all the controls or actions identified have been applied. Record target end date for the risk/opportunity.
4.3
Risk and Opportunity Register
The templates for the identification, evaluation and recording of risks and opportunities are located on the Performance Management system InPhase Performance Plus. This system facilitates an integrated approach to risk and opportunity management and incorporates the frameworks for Service and
Strategic/Corporate Risk and Opportunity Registers.
Please refer to ‘Minute Manager’ guide - Performance Plus, Risk & Opportunity Management for further information.
4.4 Risk and Opportunity Escalation
Critical to effective risk and opportunity management is the reporting of information to the appropriate management level. To ensure risks and opportunities are considered at the appropriate level the following criteria has been established:
Corporate/Strategic Risks & Opportunities
Risks and opportunities at this level will have the following characteristics:
• Risks and opportunities identified by Directors Board and/or Members that impact directly on the Corporate Plan priorities or objectives.
• Corporate or cross cutting issues that are likely to impact upon more than one service.
• Strategic issues that are likely to have an impact on the medium to long term goals and tend to link to the Corporate Plan priorities and objectives.
• Risks/opportunities at departmental/service or project/partnership that if realised would impact on the Corporate Plan priorities and objectives and/or need Directors Board or Cabinet management intervention.
• Risks/opportunities with significant financial or reputation impact that require Directors Board overview and management.
Departmental/Service Risks & Opportunities
Risks and opportunities at this level tend to be identified and managed by the departmental and/or service management teams. Risks/opportunities assigned to this level will have the following characteristics:
• Risks/opportunities identified by departmental or service management teams that are likely to have an impact on short term goals and tend to link to departmental/service level objectives and plans.
• Risks/opportunities identified at project or partnership level that are likely to have an impact on service objectives and need departmental or service management team intervention.
Project/Partnership Risks & Opportunities
Risks and opportunities at this level tend to be identified and managed by project/partnership boards or teams. Risks/opportunities at this level will have the following characteristics:
• Risks/opportunities that impact on individual project/partnership objectives and which can be managed by the project/partnership board, manager or team.
• Risks/opportunities that impact on departmental or service objectives and which can be managed by the project/partnership board, manager or team.
The escalation of risk/opportunity to Strategic/Corporate level is considered by the Performance Board.
Performance Board reviews the issue against the escalation criteria and take appropriate action. This may include:
• Risk/opportunity escalated and incorporated in the Corporate/Strategic Risk & Opportunity Register for monitoring and reporting to Directors Board and Audit Committee.
• Risk/opportunity incorporated into an existing issue on the Corporate/Strategic Risk & Opportunity Register if it is related to that issue, for ongoing management and review.
• Risk/opportunity de-escalated to Departmental/Service or Project/Partnership level for ongoing management and review.
Part 5 – Review
5.1 Review
Risk and opportunity management is a dynamic process. It is vital that all service and project risk registers are kept up to date. New risks and opportunities will be identified and some will be removed or terminated. The assessment of likelihood and impact levels will need to be updated to take into account
the management actions undertaken and contingency arrangements will need to be reviewed in response to changing internal and/or external events.
This means that Heads of Service must complete regular reviews of their risk and opportunity registers, including;
• Reviewing the service approach to risks and opportunities.
• Establish new potential risks and opportunities to the Council and re-evaluate current issues. • Identify arrangements that are in place to help manage new and current risks and opportunities. • Re-evaluate new and current risk and opportunities by assessing the impact and likelihood of the
issue occurring.
• Review actions that were scheduled to be carried out and add new actions to further manage risks and opportunities.
Questions to ask when reviewing progress include:
• How regularly is it happening in each Department or Service?
• What level of input is the Head of Service or Director having to this review? • How static is the risk or opportunity information?
• Have the risk or opportunity likelihood/impact levels changed?
• Do the changes appear cosmetic or are they substantial, involving the identification of additional actions or changes to contingency arrangements?
• Are these additional actions being addressed?
• Is there an audit trail outlining the actions that have been taken and indicating their relative success? • Is the information shared with staff and are the amending and refining their actions in light of any
changes to the risk and opportunity profile?
• What is the turnover in terms of new risks and opportunities being identified and existing issues being removed or terminated?
• Is the number of high risks decreasing?
• Are the high level opportunities being exploited and the benefits realised?
Following review the progress and developments against the outstanding current and planned further controls or actions can be recorded in Progress/Developments against the Further Controls/Action column of the template (including dates for when the action/controls were commenced and/or completed).
Progress/Developments against the Further Controls /Action - see below
Revised Residual
R/O Rating Critical / High
Quarter Ending 31/03/2010:
1. MTFS - Development of MTFS commenced Feb 2010 and scheduled for presentation to Cabinet, via DB July 2010. 2. Efficiency Agenda – Interim Director of Change & Improvement recruited to drive the efficiency agenda. Recruitment of Efficiency Delivery Team scheduled for May 2010.
3. Budget Timetable - MTFS framework under development from Feb 2010 and when established it will ensure that necessary projections and required actions are known much earlier in the cycle.
4. Integration of MTFS and other Key Strategies - MTFS & other Key Strategies under development and to be integrated by the process.
5. Monthly Budget Monitoring & Reporting – Monthly budget monitoring reports concentrating on high value or high risk areas developed and agreed by Finance Board and Directors Board. Critical budgets identified March 2010.
17 Once the progress and developments against the planned further controls or actions have been
recorded the risk or opportunity can then be reassessed using the Matrix and Criteria Guide for impact and likelihood ratings to determine the Revised Residual R/O Rating.
The template for recording the identification, evaluation, management and review of risks/opportunities is included under Appendix 1 and an example of a completed risk included in Appendix 2.
The service and/or departmental risk and opportunity registers should be regularly reviewed by
Directorate Management Teams. Updates of Service Risk Registers and changes to Strategic/Corporate Risk and Opportunities should be provided to Performance Board on a quarterly basis so that the details can be reflected in the Strategic/Corporate Risk and Opportunity Register if appropriate.
The Strategic/Corporate Risk and Opportunity Register is reported to Audit Committee quarterly in June, September, December and March. The quarterly review dates will be circulated annually by the
Corporate Performance Team to enable Directorate Management Teams to schedule the review arrangements within the directorate reporting process.
Heads of Service will also need to provide annual assurance on the effectiveness of their risk and opportunity management arrangements for the service area. This is part of good governance and the service information will be captured for the Annual Governance Statement, which is reported annually between June and September.
Part 6 - Roles and Responsibilities
A key objective of the framework is to achieve the integration of risk and opportunity management into the culture of the Council. Risk and opportunity management is a cultural issue that must be based on a top-down meets bottom-up approach. There are certain roles within the Council that more directly contribute to our approach to ensuring effective risk and opportunity management. The roles and responsibilities for risk and opportunity management are contained in the Council Constitution and outlined in the following section:
---
6.1 Political Accountability
The Portfolio Holder for Central Services
• Cabinet Portfolio Holder with political accountability and lead responsibility for risk and opportunity management.
Audit Committee
• Approve and adopt the Risk and Opportunity Management Policy, Framework, Strategy and the arrangements for the management of strategic/corporate risks and opportunities.
• Monitor and review the outcomes of strategic/corporate risk and opportunity management reports to ensure that priority business risks and opportunities are being identified and actively managed. • Annually review the effectiveness of the Council’s risk and opportunity management policy,
framework and strategy to ensure it remains effective, appropriate and current.
---
6.2 Managerial Accountability
Corporate Director of Finance & Corporate Governance
• Corporate Director with managerial accountability and lead responsibility for risk and opportunity management.
• Agree the Risk and Opportunity Management Policy, Framework, Strategy and the arrangements for the management of strategic/corporate risks and opportunities.
• Provide direction and receive assurance on compliance with and the effectiveness of the Risk and Opportunity Management Policy, Framework and Strategy.
Directors Board
• Agree the Risk and Opportunity Management Policy, Framework, Strategy and the arrangements for the management of strategic/corporate risks and opportunities.
• Monitor and review the outcomes of quarterly reports on strategic/corporate risk and opportunity management to ensure that priority risks and opportunities are being identified and actively managed and to agree the strategic/corporate risk and opportunity register.
• Annually review the effectiveness of the Council’s risk and opportunity management policy, framework and strategy to ensure it remains effective, appropriate and current.
• Actively consider any risk and opportunity implications contained within reports to Directors Board.
Directors
• Ensure risk and opportunity management is a regular item on Directorate Management Team meeting agendas.
• Contribute towards the identification and management of strategic/corporate risks and opportunities facing the Council.
• Approve the service risk and opportunity registers in their particular directorate
• Quarter reviews of service or departmental risk and opportunity registers to ensure that priority risks and opportunities are being identified and actively managed.
• Agree the escalation and de-escalation of risks and opportunities between service and the strategic/corporate risk and opportunity registers.
• Agree data and commentary for inclusion in the quarterly report of Strategic/Corporate Risk and Opportunity Management for consideration by Directors Board and Audit Committee.
• Report to Portfolio Holders on the key service and/or strategic/corporate level risks and opportunities to ensure they are fully engaged and aware of the significant business risks and opportunities facing the Directorate and Council.
• Promote integration of risk and opportunity management into the culture of the Council and its partners via all Heads of Service.
19
Heads of Service
• Ensure risk and opportunity management is a regular item on Service meeting agendas. • Embed risk and opportunity management into service planning, financial management and
performance management.
• Identify and evaluate service risk and opportunities. • Approve Service Risk and Opportunity Registers
• Quarterly reviews of service risk and opportunity registers to ensure that priority service risks and opportunities are being identified and actively managed.
• Ensure that the risk and opportunity management data and the commentary on actions to manage risks and opportunities are maintained on the InPhase, Performance Plus system.
• Identify and propose the escalation and de-escalation of risks and opportunities between service and the strategic/corporate risk and opportunity registers.
• Provide appropriate data and commentary for inclusion in the quarterly report of
Strategic/Corporate Risk and Opportunity Management for consideration at Directors Board and Audit Committee.
• Provide annual assurance on the effectiveness of the arrangements in place to identify and manage the risks and opportunities facing the service.
• Maintain awareness of and promote the approved risk and opportunity management policy, framework and strategy to all relevant staff.
Managers
• Ensure risk and opportunity management is a regular item on team meeting agendas. • Identify and evaluate service/team risk and opportunities.
• Identify and propose the escalation of risks and opportunities from team level to the service risk and opportunity register.
• Ensure that the risk & opportunity management data & the commentary on actions to manage risks and opportunities are maintained on the InPhase Performance Plus system where appropriate. • Provide data and commentary for inclusion in the quarterly report of Strategic/Corporate Risk and
Opportunity Management for consideration at Directors Board and Audit Committee where appropriate.
• Maintain awareness of and promote the approved risk and opportunity management policy, framework and strategy to all relevant staff.
Project Managers
• Ensure that risk and opportunity management is a regular item on project meeting agendas. • Identify and evaluate project risk and opportunities.
• Undertake regular reviews of project risk and opportunity registers to ensure that priority risks and opportunities are being identified and actively managed.
• Identify and propose the escalation of risks and opportunities from project level to the
service/departmental or strategic/corporate risk and opportunity registers where appropriate. • Ensure that project risks and opportunities are managed in accordance with the Risk and
Opportunity Management Policy, Framework and Strategy.
---
6.3 Staff Accountability
Staff
• Identify and report potential risks and opportunities to Management via appropriate routes (e.g. 121 meetings, team meetings, service meetings, etc).
• Contribute to the management of risk and opportunities where appropriate. • Maintain awareness of risk and opportunity policy, framework and strategy.
6.4 Corporate Accountability
Performance Board
• Provide a focus for and co-ordinate risk and opportunity management activities throughout the Council.
• Agree the Risk and Opportunity Management Policy, Framework and Strategy.
• Review the effectiveness of the Risk and Opportunity Management Policy, Framework and Strategy to ensure it remains effective, appropriate and current.
• Develop and agree the Strategic/Corporate Risk and Opportunity Register for onward reporting to Directors Board and Audit Committee.
• Keep priority risks and opportunities under regular review and ensure that key controls/actions to manage the issues are being addressed within appropriate timescales.
• Review service risk and opportunity registers on a rolling programme along with performance data.
Performance Board Directorate Representatives
• Provide focus for and co-ordinate departmental/service risk and opportunity management activities throughout the Directorate.
• Ensure that the risk and opportunity management data for the Directorate/Services and commentary on actions to manage risks and opportunities are maintained on the InPhase, Performance Plus system.
• Ensure that risk and opportunity management is incorporated into service plans.
• Ensure that risk and opportunity management is a regular item on Directorate and Service team meeting agendas.
• Present Service Risk and Opportunity Registers for the Directorate to Performance Board as part of the rolling programme to review service level risk and opportunity management.
• Maintain awareness of and promote the Risk and Opportunity Management Policy, Framework and Strategy to all relevant staff within the Directorate.
Corporate Performance Team
• Develop Risk and Opportunity Management Policy, Framework and Strategy with arrangements for annual review.
• Develop approach, templates and quarterly review arrangements for both strategic/corporate and service level risk and opportunity management, via In Phase Performance Plus system.
• Overall stewardship of the Strategic/Corporate Risk and Opportunity Register and data via InPhase Performance Plus system.
• Provide quality assurance and challenge of data and commentary provided by Directorates/Services for the quarterly report of Strategic/Corporate Risk and Opportunity Management.
• Prepare quarter reports of Strategic/Corporate Risk and Opportunity Management for consideration at Performance Board, Directors Board and Audit Committee
• Stewardship and communication of any actions arising from the quarter reports of
Strategic/Corporate Risk and Opportunity Management to Performance Board, Directors Board and Audit Committee.
• Service and manage Performance Board.
• Provide consultancy and advice on Risk and Opportunity Management.
---
6.5 Other Accountability
Internal Audit
• Provide independent and objective assessment of the Council’s Risk and Opportunity Management arrangements.
• Contribute to the accuracy and integrity of the strategic/corporate risk and opportunity register and in particular the effectiveness of controls/actions to manage priority risks and opportunities.
21
Glossary
Assurance on Controls / Action.
Arrangements which check and provide confidence that the controls/actions for risk/opportunity are appropriate, working and effective.
Corporate Risks and Opportunities
Corporate or cross cutting issues that are likely to and impact upon more than one service.
Impact The potential effect on the Council and its priorities/objectives if the risk occurs or
the opportunity happens.
Inherent Risk and Opportunity
The level of risk or opportunity assuming that there are no controls or action in place to manage the issue (i.e. unmanaged risk or opportunity).
Likelihood The probability/chance of the risk occurring or the opportunity happening
Departmental / Service Risks and Opportunities
Departmental/service level issues that are likely to have an impact on short term goals and tend to link to departmental/service level objectives and plans.
Opportunity An uncertainty that will enhance the Council’s ability to achieve its objectives (positive effect).
Project/Partner Risks and Opportunities
Project/Partner issues that are likely to have an impact on project/ partnership objectives and plans.
Residual Risk and Opportunity
The level of risk taking account of any current controls/actions and their effectiveness (i.e. current risk or opportunity).
Risk An uncertainty that will adversely affect the Council achieving its objectives
(negative effect).
Risk and Opportunity Management
The planned and systematic approach used to identify, evaluate and manage the risks to and the opportunities for the achievement of objectives.
Risk and Opportunity Management Framework
The framework that describes how risks and opportunities are identified, evaluated, managed and reviewed in the Council.
Risk and Opportunity Management Process
The four-step cycle for identifying, evaluating, managing and reviewing risk/opportunity.
Risk and Opportunity Matrix
Management tool used to plot results of evaluation stage (likelihood and impact assessments) to help identify high priorities and low priority issues.
Risk and Opportunity Profile
The summary of identified risks/opportunities and evaluation of their seriousness (impact and likelihood levels).
Risk and Opportunity Register
Documented and prioritized evaluation of the range of specific risks/opportunities faced by the Council, directorate or service.
Strategic Risks and Opportunities
Strategic level issues that are likely to have an impact on the medium to long term goals and tend to link to the Corporate Plan priorities and objectives.
Target Risk and Opportunity
The estimated level of risk assuming that further controls/actions are implemented and effective.
Uncertainty (In relation to risk/opportunity management) – a risk or opportunity that could have
Appendix 1 – Risk and Opportunity Template.
Stage 1 – Unmanaged Risk / Opportunity (inherent R/O rating) No. Risk or Opportunity Description
ref.
Date Identified Inherent R/O Rating impact / likelihood
Stage 2 – Current Risk / Opportunity
(residual R/O rating) - see below Residual R/O Rating impact / likelihood
Current Controls or Action Assurance on Controls / Action
Stage 3 – Target Risk / Opportunity
Further Controls or Action Assurance on Controls / Action
Target End Date Target R/O Rating impact / likelihood
Progress/Developments against the Further Controls /Action - see below
Revised Residual
R/O Rating impact / likelihood
Quarter ending:
Progress/Developments against the Further Controls /Action - see below
Revised Residual
R/O Rating impact / likelihood
Quarter ending:
Progress/Developments against the Further Controls /Action - see below
Revised Residual
R/O Rating impact / likelihood
Quarter ending:
Progress/Developments against the Further Controls /Action - see below
Revised Residual
R/O Rating impact / likelihood
