Your Councillors

Corporate Risk Update – April 2018

Introduction

Effective risk management is a vital part of the Council’s governance, and contributes greatly to the successful delivery of services and the key priorities. The Council has always recognised and supported the need to have effective risk management processes, and so, in February 2016 updated and refreshed procedures and guidance.

As part of this work, we (Mid Kent Audit) took lead responsibility to co-ordinate and embed revised risk management processes across the Council. Our role includes reporting regular updates to Officers and Members, through the Corporate Leadership Team (CLT), Policy & Resources Committee and the Audit, Governance & Standards Committee. We also provide support and training to help ensure that risks are being effectively managed.

Having valuable and up to date risk information allows for both the management and oversight functions to happen effectively. Executive management has the role to identify the right risks, and review the substance of each risk to ensure that responses and actions are correct and that risks are being actively managed.  Oversight is provided by the Audit, Governance & Standards Committee as those charged with governance, who seeks assurance that the Council operates an effective process.

In our last update in October 2017, the Committee adopted the risk appetite statement. This framework sets the risk tolerance levels, and guides risk owners on how to report, address and monitor their risks (see appendix 1B). Following the adoption of the risk appetite statement we have designed this update to show how this has been applied across the Council, with the focus being on the high level risk issues. 

 

 

 

 

 

 

 

 

 

 

Mid Kent Partners

At the corporate level, our risk register reflects those strategic level risks that could have a much wider impact on the services we deliver, and how we operate as an organisation. The external environment is complex, and new risks are emerging all the time. So it is important that the process is designed to enable the fluid movement of risks as they emerge, become managed and eventually removed from the register. We appraise our external environment in various ways, including horizon scanning and through strategic planning, but also by working closely with our partners. 

Through the internal audit function we support and deliver the risk management process across our Mid Kent partners, this includes Tunbridge Wells and Swale (through MKS) but also Ashford (as part of the audit partnership). This enables us to capture insight across the other sites and gain a greater understanding of similar risk issues facing each Council. Partnership working allows us to share these insights, and where possible develop and strengthen strategies in how we respond to key risk issues.

For instance, the introduction of the General Data Protection Regulations (GDPR) in May 2018 presents significant risks for all organisations, not just the Council. Through our work with governance working groups across Swale and Maidstone we have been able to support the inclusion of this risk into the corporate risk register. We are then able to share information to assist with the implementation of key controls to help manage the impact of the risk.

The figure below shows some of the highest scored corporate (and strategic) risks for each of the partners. From this high level view we are able to see some clear risk themes:

Risk Themes

PROJECT FAILURE

Each Council is running large and complex projects, and exploring new ventures and developments that have significant inherent risks. All 4 Councils have large regeneration projects under way, and so it is right to see the risks around project failure high on the risk profile.

How is Maidstone responding to this risk?

Corporate Risk D (see appendix 1A for full risk description)

§  Well-developed capital programme and financial monitoring

§  Well defined and embedded project governance frameworks

§  Access to specialist expertise and skills needed to run complex projects

§  Investment in systems, resources, and training

 

HOUSING

There is some variation over the specifics of the risks, with Maidstone and Swale both highlighting the challenges around increased homelessness, and Tunbridge Wells and Ashford highlighting demand on housing development. However, the risks relating to housing clearly have a potentially significant impact on the Council’s ability to fulfil its statutory obligations, and effectively manage legislative changes, and manage the associated costs.

How is Maidstone responding to this risk?

Corporate Risk G (see appendix 1A for full risk description)

§  Budget support through the Medium Term Financial Strategy (MTFS)

§  Investment into homelessness prevention

§  Purchase / leasing MBC owned stock for temporary accommodation

§  Closer partnership working across the housing sector

 

FUNDING

Re-examination of Local Authority funding resulting in the reduction and eventual removal of Revenue Support Grant has meant that all Councils have had to think differently about responding to the financial challenge. As such, the risks relating to financial management and potential further funding restrictions are high, and being carefully planned for.

How is Maidstone responding to this risk?

Corporate Risk I (see appendix 1A for full risk description)

§  Robust Medium Term Financial plans and longer term funding strategies

§  Close monitoring of budgets

§  Transformative work on service delivery and use of technologies

§  Lobbying Central Government to lessen impact

As risk management becomes more consistently embedded across our partners it will be possible to gain a richer understanding of how similar risks are being managed. This can also be extended out more widely across the Public Sector. In time this will enable us to refine our risk responses, and to share effective strategies and key controls to managing these risks.

 


 

Corporate Risk Update - April 2018

The Council’s corporate risks are those risks which could impede the achievement of our strategic objectives.  The corporate risk register was last reported to Members in October 2017 following a full exercise to update and refresh them in accordance with our priorities and operational risk themes. 

The matrices below provide a snapshot of the corporate risk profile, with the location on the matrix being dependent on the score of risk likelihood and impact.  This is based on the inherent risk, i.e. the risk impact and likelihood considering any existing controls in place to manage the risk, but before any further planned controls are introduced.  For a base comparison we have included the profile from the previous risk update:

The following table illustrates the risk heading and summarises how the risk has moved between October 2017 and April 2018:

Since October 2017 the Council has identified two new Corporate Risks (j and k). 

GDPR has been added to the corporate risk register to reflect the prominence of the potential impact of the new legislation. Previously, this risk was managed through separate entries on two operational risk registers (Policy & Information and MKS ICT services). 

The contraction of the retail and leisure sector risk was also previously an operational risk (Economic Development). However, due to the potential significant impact on the sector caused by online shopping patterns, this has been escalated to the corporate risk register.

Other changes in the Corporate Risk Register are summarised below:

·         (a) Legal / Compliance Breaches: Reference to GDPR has been removed and the controls in place to manage the risk have been updated.  This has led to an overall reduction in the risk score.

·         (d) Project Failure: The implementation of some of the controls which were planned in October 2017 has led to a reduction in the overall risk score.

·         (g) Housing Pressures: This risk has been updated to incorporate an operational risk around the Homelessness Reduction Act.  Existing and planned controls have been updated to incorporate actions from this risk but at this stage it is too early to judge if implementation will lower the inherent or residual risk scores.

·         (h) Local Plan Review: This risk has been redefined following successful adoption of the Local Plan (LP). The risk now reflects the challenges relating to the LP Review and the delivery of outputs of the existing LP.  Existing and planned controls have been fully updated and the risk score has been re-evaluated.

Through review of the matrices it is clear to see the reduction in overall likelihood and impact for 2 of the 3 previously rated BLACK risks. There is however still one risk that sits above the Councils tolerance (risk g: Housing Pressures).  Controls have been identified to manage this risk down to a more acceptable level and as outlined in the risk appetite guidance, Corporate Leadership Team are receiving monthly updates from the Housing Service which allows them to monitor progress and provide guidance, support and focus where needed. 

Further detail on the corporate risks, including a description of the risk and details of existing and planned key controls can be found in Appendix 1A.

 


 

Operational Risks

All Council services maintain an operational risk register. Collectively, these registers form the comprehensive risk register, and it is this complete register that is used to compile the risk update reports on a regular basis. These operational level risks across the Council underpin how we determine the corporate risks. For instance, if we start to see similar operational risks across multiple services, we can escalate those risks to the corporate level to ensure that a holistic approach to managing the risk is taken, across the entire organisation.

Operational risks are the responsibility of the services to manage, and so fall within the remit of our Managers and Heads of Service. However, in accordance with the risk appetite, risks continue to be reviewed and monitored based on overall score.

The following matrix shows the operational risk profile for the Council. This is based on the inherent risk, i.e. the risk impact and likelihood considering any existing controls in place to manage the risk, but before any further planned controls are introduced.  The table shows the number of risks for each colour category.

 

Risk Colour

April-18

 Black

0

 Red

22

 Amber

123

 Green

54

 Blue

7

TOTAL

206

 

 

These risks are managed in accordance with the Council’s Risk Appetite Statement, whereby services routinely monitor their risks based on the risk score (see Appendix 1B).  Quarterly risk updates are presented to Corporate Leadership Team (CLT) on all risks above the Councils appetite – i.e. those risks which are Red or Black (22 in total).

While there are currently no BLACK risks, they would feature more frequently on the CLT agenda. This is also the case should the circumstances for an existing risk change such that the score is increased.  Monitoring of these high level risks enables more effective challenge on the effectiveness of controls, and also means that support can be put in place to help manage the impact of the risk.

By taking this joined up approach to include operational and corporate level risks, we are able to much more effectively manage the risks being identified, and use the risk management process to capture issue before they arise.

Next Steps

Risk management is a continuous process, and to be valuable it must be updated and maintained. Moving forward into 2018/19, the following areas will be our focus in order to further strengthen the risk management process and develop a positive risk culture across the Council:

1.      To undertake the first full review of the framework: The framework has been operating for nearly 3 years, and so it is about the right time to review and where necessary update the framework to ensure that it remain fit for purpose;

2.      Develop a training programme: We (Mid Kent Audit) have continued to facilitate workshops, and deliver risk sessions as and when requested. However, developing the overall knowledge and expertise for risk management across the Council requires a wider approach. We will be looking to develop a training session for managers and officers on the principles of risk management, and to tailor that with the framework and procedures;

3.      Enhance risk information and insights: We will be undertaking a review of key controls and also drawing together thematic information on key risk areas – this will mean we can provide a richer level of risk information and start to identify similarities / root cause issues across the Council;

We have also recently procured an audit management system. Enterprise risk management tools are built into the software which will potentially enable us to be smarter and more efficient with how we maintain the risk register and how we generate risk information.

There have been significant improvements to how the Council manages risks over the last couple of years. Moving the Council to a position where risk management is adding real value and insight, and where processes are far more advanced than many other public sector and some private sector organisations.  This wouldn’t have been possible without the great deal of positive engagement and support from Senior Officers and Managers in the Council. So, we’d like to take this opportunity to thank officers for their continued work and support.

 


 


Appendix 1A

Corporate Risks

The table below sets out each of the corporate risks in detail. Risk owners have assessed the impact and likelihood of the risks and identified the key controls and planned actions necessary to further manage the risk to an acceptable level: 

Risk (full description)

Risk Owner

Key Existing Controls

Inherent rating

I       L      

Controls planned

Residual rating

I      L      ∑

Breakdown of Governance Controls
Failure of the governance controls results in the Council making poor decisions or missing significant opportunities

Angela Woodhouse
&
Patricia Narebor

- Framework in Constitution
- Committee agendas and work programmes
- Process for quick decision making in place (Urgency Committee)
- Member and Officer training programme
- Legal advice available
- Sign-off in modern prior to report release from S151, Legal and Policy and Information Team
- Political Awareness and report writing training
- Development of Annual Governance Statement and Local Code of Corporate Governance review

4

2

8

- Regular review of the Constitution
- Democracy Committee review of Committee System

4

2

8

Legal / Compliance Breaches
Breaches of regulations / laws result in significant financial penalties and damage to Council reputation

Angela Woodhouse
&
Patricia Narebor

- Individual service process designed to ensure compliance and supported by procedures
- Information governance group
- Training and guidance available and specific training given on report writing
- Weaknesses identified by Internal Audit and action taken

4

3

12

- Awareness Raising
- AGS action plan being developed

4

3

12

Workforce Capacity & Skills
The Council is unable to recruit or retain staff with the specialist, technical or professional expertise necessary to deliver its ambitions.

Alison Broom
&
Bal Sandher

- Workforce Strategy monitoring and reporting
- Regular benchmarking of salary levels with public sector employers in South East England
- Rewards package
- Training and development programme
- Use of specialist agency staff
- Ability to adjust pay / offer market supplements
- Recruitment processes
- Resilience from shared service arrangements

2

2

4

- Implementation of actions from Investors in People assessment
- Improved agency supplier agreement (Matrix )
- Extended partnership arrangements to ensure greater resilience

2

2

4

Project Failure
Failure of significant capital projects of a housing and regeneration nature

Dawn Hudd
&
William Cornall

- Use of external specialist expertise such as Employers Agents on complex capital projects
- Project management processes adhered to with project board reporting where appropriate with new risks or pressures identified at an early stage
- Close working relationships with experienced partners and stakeholders
- Specialist training undertaken by the newly formed capital projects team
- The purchase of specialist development appraisal software (Proval) to more accurately predict financial returns as well as cash flows
- Skills in this area brought in at CLT level
- Close working with the Finance team on a well-developed capital programme that carefully considers cumulative exposure and cash-flow management
-  Awareness, expertise and success in bidding for grant monies from government to support the delivery of capital projects, so as to act as a buffer against cost overruns and income shortfalls
- The adoption of and Adherence to the Housing and Regeneration Investment Plan

4

4

16

- Detailed and consistent analysis of project risks at approval stage, through approval Process required at Policy & Resources Committee
- Adherence to a suite of financial hurdle rates for new capital projects which are reflective of different sector risk profiles

4

3

12

ICT Systems Failure / Security
Security breach or system outage resulting in Council systems being unavailable and/or significant fines/ransom demands

Chris Woodward
&
Steve McGinnes

- Regular backups of ICT systems
- Disaster recovery plan
- ICT Security Policy

4

4

16

- Procurement of additional security counter measures
- Introduce cyber security software to test & improve staff awareness training (scheduled to commence Q1 2018)

4

4

16

Poor Partner Relationships
Conflicting partner expectations or poor engagement / cooperation leads to difficulty delivering services or other Council ambitions

Alison Broom

- Regular meetings / communication with partners
- Joint working arrangements
- Engagement with members
- Governance arrangements for shared services
- Governance arrangements for partnerships including Joint Transport Board, Safer Maidstone Partnership and Health and Well-Being Group, Thames Gateway Kent Partnership Board and other similar groups
- Continued horizon scanning in respect to devolution

4

3

12

- Increased joint work with KCC highways and waste teams
- Protocol for joint working with Kent County Council concerning planning and transport

- Strategic Board with KCC for transport infrastructure

3

3

9

Housing Pressures Continue to Increase
The housing crisis in the South East has a growing impact on MBC’s ability to fund and manage not only the homelessness service, as it implements to Homelessness Reduction Act, but also to meet the broader housing need that is emerging as a result of the limited supply of affordable housing.

John Littlemore
&
William Cornall

- Homelessness prevention team has been created and staff resources increased
- MBC purchasing and leasing its own stock of temporary accommodation
- MBC building its own portfolio of market rented housing within Maidstone Property Holdings Limited
- Closer working with the housing association sector, and in particular Golding Homes
- More money was set aside in this year of the MTFS to meet the rising demand
- Temporary Accommodation Strategy has been reviewed and updated

4

5

20

- The possibility of the Council investing prudential borrowing monies into a JV with a housing association partner to take ownership of more of the affordable housing being delivered through the Local Plan is actively being explored
- Affordable housing development plan document within the Local Plan
- Homelessness strategy to be reviewed in December 2018
- Closer working with the voluntary sector, targeting the allocation of grants more the delivery of services to this area of need
- Closer working with the private rented sector landlords, through the Home Finder scheme, and now starting to explore a more comprehensive offer to them
- Report to CLT April 2018 to recommend the implementation of an in house Housing Management Team

3

4

12

Delivery of the Local Plan Review by April 2022
Following the adoption of the LP by Full Council in Oct 2017, the focus in now upon delivering the LP Review, which will be a significant and complex project, involving the commissioning of refreshed evidence and policy development work. This project will be of a corporate / cross cutting nature, and could also encompass extending the LP period to 2036 or even 2041. Furthermore, the focus will also shift to the delivery of the outputs of the current LP too, predominantly in terms of housing numbers and supporting infrastructure.

Rob Jarman
&
William Cornall

- Work plans in place
- Communication and liaison with partners
- CLT oversight of development management performance to increase the timeliness of application decisions
- CLT oversight of S106 delays, this has been much improved of late
- Major Projects Team in the Planning department to process major applications faster
- The Developers Forum and Breakfast Meetings ensure an open dialogue with the major housebuilders

3

3

9

- Learning lessons from other LP examinations workshop planned for April
- Town centre opportunity areas project to hasten the delivery of the town centre broad locations
- Culture and behaviours programme to improve customer care and commerciality within the department
- The approach to the LP review will be set out within the MBC Local Development Scheme that will be considered by SPS&T in July 2018, and this will be supported by a comprehensive Gantt Chart detailing the various work-streams, commissions, consultation and decisions that will be required to meet the April 2022 target date.

3

3

9

Financial Restrictions
The Council does not achieve its income or savings targets, incurs overspends or does not have the funding to meet standards or deliver aims.

Mark Green

- Project management processes
- External consultancy support
- Programmes of work agreed (e.g. transformation and commissioning)
- Budget monitoring processes in place

4

4

16

- MTFS adopted by Council
- Plans developed to close projected budget gap
- Lobbying to avoid Council suffering ‘negative RSG’

4

3

12

General Data Protection Regulations (GDPR)
Non-compliance with GDPR could result in significant monetary fines and damage to Council reputation

Information Management Group

Angela Woodhouse

- GDPR Action plan in place and being worked on
- Monitoring of action plan by CLT; IMG and AGS Committee
- IT Commissioning Group review of new / updates to systems

4

3

12

- Deliver actions from the GDPR action plan
- New e-learning module for staff and guidance for Members

3

3

9

Major contraction in retail and leisure sectors from national downturn on the high street.
Maidstone Town Centre fails to attract commercial investment, vacancy rates rise due to failure of retail chains such as BHS and Maplin.  Such a decline may lead to a reduction in business rates.

Dawn Hudd
&
William Cornall

- Cross departmental approach
- Town Centre Strategic Advisory Board established.
- Property acquisition completed (Royal Mail/Grenada House)
-Funding secure for public realm work
- Work commissioned to promote Maidstone as a business destination

- Supporting the One Maidstone Business Improvement District

 

4

3

12

- Work commissioned to promote Maidstone as a business destination
- Work delivered to develop town centre opportunity sites

3

3

9


 

Appendix 1B

Maidstone Risk Management Process: One Page Summary



Risk Appetite – Monitoring Process

We illustrate our risk appetite and tolerance in the matrix below. The RED shaded area represents the outer limit of our risk appetite, and the BLACK area indicates the tolerance. As a Council we are not willing to take risks that have significant negative consequences on the achievement of our objectives.

The matrix also illustrates how we monitor risks. The Council’s highest level risks (those with a combined score of 12 and above) are reported to Corporate Leadership Team for consideration and guidance.

 

 

 

 

 

 

 

 

 

 

 

 

Risk Rating

Guidance to Risk Owners

20-25

Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Council’s biggest risks.

 

The Council is not willing to take risks at this level and action should be taken immediately to manage the risk.

 

Identify the actions and controls necessary to manage the risk down to an acceptable level.

If still scored above 20, report the risk to the Audit Team and your Director.

 

Steps will be taken to collectively review the risk and identify any other possible mitigation (such as controls).

 

Risks that remain at this level will be escalated to CLT, who will actively monitor and provide guidance on the ongoing management of risks at this level.

12-16

These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.

 

 

Identify controls to treat the risk impact /likelihood and seek to bring the risk down to a more acceptable level.

 

These risks should be monitored and reviewed monthly.

If unsure about ways to manage the risk, consult with the Internal Audit team.

 

Risks at this level will feature in a quarterly risk update to CLT who will provide oversight and support if needed.

5-10

These risks sit on the borders of the Council’s risk appetite and so while they don’t pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.

 

 

Keep these risks on the radar and update as and when changes are made, or if controls are implemented.

 

Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.

 

Responsibility for monitoring and managing these risks sits within the service.

3-4

These are low level risks that could impede or hinder achievement of objectives. Due to the relative low level it is unlikely that additional controls will be identified to respond to the risk.

Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continues to pose a low level.

1-2

Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives. 

No actions required but keep the risk on your risk register and review annually as part of the service planning process.

Impact: 5

Likelihood: 1

Rare events that have a catastrophic impact form part of the Council’s Business Continuity Planning response.

Record on your risk register and Internal Audit will co-ordinate with Business Continuity officers.  

 


 

Appendix 1C

Impact & Likelihood Scales

         

Risk Impact

         

Risk Likelihood