Contact your Parish Council


 

 

 

Annual Risk Management Report

 

 

Audit, Governance & Standards Committee

July 2018

 

 


 

Introduction

Risk management is how the Council identifies, quantifies and manages the risks it faces as it seeks to achieve its objectives.  It is fundamental to the Council’s governance, and contributes greatly to the successful delivery of services and the key priorities. 

The purpose of this report is to provide assurance to Members that the Council has in place effective risk management arrangements, and that risks identified through this process are managed, and monitored appropriately.  This enables the Audit, Governance & Standards (AGS) Committee to fulfil the responsibilities as set out in the Terms of Reference:

“In conjunction with Policy and Resources Committee to monitor the effective development and operation of risk management and corporate governance in the Council to ensure that strategically the risk management and corporate governance arrangements protect the Council.”

 

 

 

 

Roles & Responsibilities

We (Mid Kent Audit) have lead responsibility for supporting risk management processes across the Council.  Our role includes regular reporting to Officers and Members, through the Corporate Leadership Team (CLT), Policy & Resources Committee and the AGS Committee, providing workshops and training, and helping to ensure risks are being effectively managed.

Having valuable and up to date risk information enables both Executive and oversight functions to happen effectively. The Policy & Resources Committee has overall responsibility for risk management and will review the substance of individual risks to ensure that risk issues are appropriately monitored and addressed.

As those charged with governance and oversight the AGS Committee should seek assurance that the Council is operating an effective risk management process. Previously, we have provided assurance on the effectiveness of the Council’s risk management arrangements as part of the Head of Internal Audit annual and interim reports. However, as the risk management arrangements have matured and embedded, a standalone risk report is a better and more effective way to provide this assurance.

 


 

Risk Management Process

The risk management framework is the guide that sets out how the Council identifies, manages and monitors risks.  This is supported by the risk appetite statement and guidance, which articulates the Council’s appetite for and tolerance of risk.

In summary, the risk management process for the Council can be broken down into the following key components.  Further detail on these components is provided in Appendix 1A.

Corporate level risks are more strategic in nature.  By definition, these risks inherently carry a higher impact level as they affect multiple services. They are the risks that could prevent the Council from achieving its ambitions and priorities.

All risks are recorded on the comprehensive risk register, and it is this register that is used to generate risk information across the Council.  In the main risks are identified at two levels:

 

 

Operational risks are principally identified as part of the service planning cycle each year. They are directly linked with the day to day operation of services. However, operational risks can nonetheless have potential for significant impact.
 

 

 

 

 


You will see that there is a direct link between these two levels of risks. This is because where an individual or group of operational risks start to have a significant impact on delivery of strategic objectives consideration is given to escalating the risk to a corporate level.

Risks are assessed on impact and likelihood (definitions attached in Appendix 1B). The same definitions and scales are used for all risk assessments in order to achieve consistency in approach, and allow for comparisons over the period.

·                Impact: This is a consideration of how severely the Council would be affected if the risk was to materialise.

·                Likelihood: This is a consideration of how likely it is that the risk will occur.  In other words, the probability that it will materialise.

In order to understand the scale of risks the following guidance is available to risk owners when assessing their risks: 

Risk Rating

20-25

Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Council’s biggest risks.

 

The Council is not willing to take risks at this level and action should be taken immediately to manage the risk.

 

12-16

These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.

 

5-10

These risks sit on the borders of the Council’s risk appetite and so while they don’t pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.

 

3-4

These are low level risks that could impede or hinder achievement of objectives. Due to the relative low level it is unlikely that additional controls will be identified to respond to the risk.

1-2

Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives. 

Impact: 5

Likelihood: 1

Rare events that have a catastrophic impact form part of the Council’s Business Continuity Planning response.


 

Corporate Risks                                                                                                     

In July 2017 we ran a workshop with Members and officers to refresh the Council’s corporate risks.  This sought to identify any new or emerging risks and any risks which were no longer relevant due to successful management or the passage of time.

CLT are responsible for the management of the corporate risks and review them quarterly.  Furthermore any risk which is rated as BLACK is monitored monthly to review progress and provide guidance, support and focus where needed.  The corporate risk register was reported to the Policy & Resources Committee in October 2017 and April 2018.  

Operational Risks

Operational risk registers are in place for each service and are fully reviewed and updated annually, with the most recent exercise being in May and June 2018. Managers and Heads of Service are responsible for managing operational risks.  In accordance with the Council’s risk appetite, CLT receive quarterly updates on all inherent RED and BLACK risks and, as above, review BLACK risks monthly.  The operational risk profiles are reported to Policy & Resources as part of the regular update and monitoring reports

 

Risk Profile

The matrices below illustrate how the risk profile (the actual number of risks on the register) of the Council has changed throughout the year.  This is based on the inherent risk, i.e. the risk impact and likelihood considering any existing controls in place to manage the risk, but before any further planned controls are introduced.

The change in the overall risk profile of the Council demonstrates how action is taken to manage risks, to ensure the completeness of the risk register and to capture emerging risks.

 

The following table shows the Council’s current corporate risks (which form part of the matrices above) and details the risk score as at April 2018 and how these scores changed over the course of the year:

The detail of these risks has been reviewed and discussed at the Policy & Resources Committee.  However, this illustrates that action is being taken to manage the risks and that processes are in place to ensure new emerging issues are captured or significant operational risks are appropriately escalated.

 

 


 

Next Steps

There have been significant improvements to how the Council manages risks over the last couple of years, moving the Council to a position where risk management is adding real value and insight.  In order to ensure that risk management remains valuable, however, it must be updated and maintained. As such moving forward into 2018/19, the following areas will be our focus for development and enhancement:

1.      To undertake the first full review of the framework: The framework has been operating for 3 years, and so it is the right time to review and where necessary update the framework to ensure that it remain fit for purpose;

2.      Develop a training programme: We have continued to facilitate workshops, and deliver risk sessions as and when requested. However, developing the overall knowledge and expertise for risk management across the Council requires a wider approach.  We will be looking to develop a training session for managers and officers on the principles of risk management, and to tailor that with the framework and procedures;

3.      Enhance risk information and insights: We will be undertaking a review of key controls and also drawing together thematic information on key risk areas – this will mean we can provide a richer level of risk information and start to identify similarities / root cause issues across the Council.

We have continued to receive a positive level of engagement and support from Senior Officers and Managers in the Council which has enabled the risk management process to develop and embed.  So, we’d like to take this opportunity to thank officers for their continued work and support.


Appendix 1A

Maidstone Risk Management Process: One Page Summary


Appendix 1B

Impact & Likelihood Scales

         

Risk Impact

         

Risk Likelihood