1.1.1

Scarborough Borough Council

Risk Management Guidance for Elected Members SEPTEMBER 2011

Index of Contents Page

Purpose of this Guide 3 Introduction 4 Why is risk management a “hot topic”? 5

What is risk? 6

What is risk management? 6

The role of risk management in corporate governance 7

The risk management cycle 8

Dealing with risks 9

Risk appetite 9

Risks that elected members should consider 10

The role and responsibilities of elected members for risk management 12 What should elected members expect from officers in relation to risk? 12

The benefits of risk management 13 Contacts 13

Appendices: Appendix One: 1. Risk – a threat or an opportunity 14

2. What is risk management 14 3. Dealing with risks 15

Appendix Two: Categories of Risk 16 Appendix Three: Scarborough Borough Council - Risk Management Process and Reporting Structure 17 Appendix Four: Reference and further reading 18

2

The purpose of this guide

All regulatory bodies in the public sector now require organisations to involve Elected Members (Members) in the risk management process. The extent to which Members are involved in the Council’s risk management process will vary. Some, those sitting on the Audit Committee for example, will have a regular involvement in the Council's risks and its risk management process, thus increasing their familiarity with the topic. Others may only come across the term “risk management” on a less frequent basis (for example, when the Council’s Corporate Risk Register is reported to a Full Council meeting or in connection with duties whilst sitting on various committees or the management boards of outside bodies). It is recognised that there are many demands placed on the time of Members and therefore the format of this document is intended to provide: Ø a summary of the main points for those who wish simply to have a

basic, background knowledge of the subject. Ø fuller explanations in a series of Appendices for those (e.g. Members of

the Audit Committee) who may wish to know more about the subject.

Introduction

In a report, the Society of Local Authority Chief Executives has stated that:

“If a Council doesn’t have effective risk management then it doesn’t have effective management.”

Although referring specifically to local councils, this challenging statement can be applied equally to any organisation whether public or private sector. Effective risk management, integrated into the organisation’s policies and procedures can bring numerous benefits to the performance of that organisation. It is now widely recognised that risk management is an essential part of securing effective corporate governance.

“All life involves some risk, and any innovation brings risk as well as reward – so the priority must be to manage risk better. We need to do more to anticipate risks, so that there are fewer unnecessary and costly crises…getting the right balance between innovation and change on the one hand, and the avoidance of shocks and crises on the other ...risk management is now central to the business of good government”

It is impossible for an organisation - whether it be public or private, whether it is a local council or another public sector body - to achieve effective governance without an awareness of the risks and opportunities it faces in striving to achieve its strategic and operational objectives. The organisation needs an effective strategy to manage those risks and capitalise on the opportunities. There is a strong and direct link between the effectiveness of an organisation’s risk management procedures and the overall performance of that organisation. Ensuring effective risk management offers a number of benefits, such as:

Ø providing a means of improving strategic, operational and financial management.

Ø providing a means of securing operational and service performance. Ø assisting to maximise opportunities and minimise loss events which

might result in financial losses, service disruption, bad publicity, threats to public health or claims for compensation.

Why is risk management a “hot topic”? Public sector bodies face a number of challenges, such as:

• Being more transparent in their dealings.

• The need for early warning systems when things are about to go wrong

• The drive for increased partnership working.

• The demands to provide high quality services within pressured budgets

• New leadership structures in many public bodies.

• New and increasing legislation and regulations.

• The need to satisfy the requirements of their regulatory bodies.

• The need to demonstrate best value and/or value for money. In addition:

• Technology is advancing rapidly

• Insurance (the traditional way of financing risk) is no longer inexpensive and there are a dwindling number of insurers who will underwrite the risks of public bodies

• Stakeholder attitudes are changing

• Fraud is escalating—money laundering, for example, should now be something many public bodies have safeguards against

• Society is more litigious—public bodies are often seen to have “deep pockets” and, when things go wrong, stakeholders are more quick to claim compensation

• The risks faced by public bodies are under the public glare and there is often significant media coverage when things do go wrong.

Source: Audit Commission

What is risk? Some definitions commonly used to define risk are as follows: “The chance of something happening that will have an impact on business objectives” “Any threat that might prevent us from achieving our vision” “Risk arises as much from failing to capture opportunities whilst pursuing business objectives as it does from a threat that something bad will happen.” Source: CIPFA Better Governance Forum

There is a great tendency to think of risk only in the negative context i.e. it is an event or action that will adversely affect an organisation's ability to meet its objectives and execute it strategies successfully. Whereas, in fact, managing risk effectively can encourage innovation and entrepreneurship. “ a turtle is a well protected animal, but it only moves forward when it sticks its neck out!”

This “upside” to risk management is demonstrated by the very nature of risk. Pure risk – presents the possibility of a loss, but not a profit. Speculative risk – may produce a profit or a loss

What is risk management ? Risk Management can be described as the process of identifying risks, evaluating their probability and potential consequences and determining the most effective methods of controlling them or responding to them. It is a means of maximising opportunities and minimising the costs and disruption to the organisation caused by undesired events. The aim of risk management is to improve risk-taking activities and to reduce the frequency of loss events occurring (wherever this is possible) and to minimise the severity of the consequences if they do occur. Alternative definitions might be: The culture, processes and structure that are directed towards effective management of potential opportunities and threats to the organisation achieving its objectives. Source: ALARM/District Audit

Risk management is the management of integrated or holistic business risk in

Note – For further reading see Appendix 1 Paragraph1

a manner consistent with the virtues of economy, efficiency and effectiveness. In essence it is about making the most of opportunities (making the right decisions) and about achieving objectives once those decisions are made. This is achieved through:

• Controlling risks

• Transferring risks

• Living with risks Source: SOLACE

Studies have shown that only about 20% of any organisation’s total risk profile is insurable risk. It follows then that about 80% - the significant majority – of risks faced by an organisation cannot be covered by simply transferring the risk to an insurance company. A shared corporate approach is important if risks are to be identified and managed systematically and consistently across the organisation.

The benefits of risk management

• Achieve benefits and exploit opportunities enabling innovation.

• Less negative publicity - enhances reputation.

• Incidents avoided - report it before something happens.

• Values and numbers of insurance claims reduced in all categories.

• Insurance premiums reduced.

• Risk considered in projects - both at the planning stage and monitored throughout the project.

• Partnership risks are considered prior to the partnership and monitored throughout the arrangement.

• Achieve and demonstrate good governance.

• Provides for on-going framework for risk identification, responsibilities & action plans.

• Increases corporate risk and control awareness.

• Promotes effective and efficient controls, and a platform for continual improvement.

The risk management cycle

Corporate governance requires that risk management be integral to policy, planning and operational management. It cannot be a “bolt on”; it must be embedded into the organisation's culture. Applying the risk management cycle—identifying, analysing, controlling and monitoring risk—will help

Note – For further reading see Appendix 1 Paragraph 2

strategic decision makers, such as Members, make informed decisions about the appropriateness of adopting policy or service delivery options.

Stage 1—Risk Identification Identifying the risks facing the organisation is crucial if informed decisions are to be made about policies and service delivery. Stage 2—Risk Analysis Once risks have been identified they need to be systematically and accurately assessed in terms of how likely they are to occur and what the impact would be if they did.

Stage 3—Risk control Where the risk is seen to be unacceptable, steps must be taken to reduce the likelihood of them occurring or the impact of them should they occur. Stage 4—Risk monitoring & review The effectiveness of controls needs to be kept under review—as does the nature of the risk (which can change over time)

RISK SCORING AND PRIORITISATION The Council’s approach is to be risk aware rather than risk averse, and to manage risk rather than to seek to eliminate it in all cases. The Council recognises that it must take a balanced approach to risk and that effective risk management is not just about safeguarding against negative risks (threats) but about benefiting from positive risks (opportunities) arising from innovation.

Risk Identification

Risk Analysis

Risk Control

Risk Monitoring & Review

Scarborough’s Risk Management Process & Reporting Structure Appendix Three

Given the breadth of services and functions the Council undertakes it will inevitably have a variable appetite to risk in different areas. Decisions will depend on the context, on the nature of the potential losses or gains, and the extent to which information regarding the risks is complete, reliable and relevant. Once risks have been identified they need to be assessed systematically and accurately, giving consideration to:

Ø The probability of an event occurring – ‘likelihood’, and Ø The potential severity of the consequences should such an event occur

– ‘impact’, The risk score is then plotted against the risk matrix. These scores are not intended to provide precise measurement of risk but to provide a useful basis for identifying vulnerabilities, ensuring that any necessary actions are undertaken.

5

4

3

2

1

A B C D E

Likelihood: A = Very Low B = Not Likely C = Likely D = Very Likely E = Almost Certain Impact; 1 = Low 2 = Minor 3 = Medium 4 = Major 5 = Disaster

Imp

act

Likelihood

The ‘traffic light’ system of categorising levels of risk has been used for simplicity. The table below describes the three risk categories.

RED

High Priority Action plans should be in place where possible to reduce/manage the risk.

AMBER

Medium Priority

Monitored and where mitigation is practicable, measures to reduce/manage the risk should be put in place.

GREEN

Low Priority Ongoing monitoring should identify changes which increase the risk and therefore require recategorisation

Dealing with risks

It really goes without saying that, where risks have been identified, they need to be dealt with. An organisation can deal with risk in four ways:-

Treating the risk – actions instigated from within the organisation which are designed to contain the risk to acceptable levels. Tolerating the risk – the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained. Transferring the risk – e.g. conventional insurance or through a contractual arrangement. Terminating the activity from which the risk arises – some risks will only be treatable, or containable to acceptable levels, by terminating the activity.

Risk appetite “Risk appetite” is a phrase often used by risk professionals who, nearly as often, when challenged to define it, find it difficult to do so! It is a fact of life that, both in our professional and personal lives, we cannot exist in a totally risk free environment. There comes a point where, either as an organisation or individual, we must accept that a risk exists and that to put in place further measures to reduce that risk is either not possible, practical, cost effective or possibly all three. For example, we all know about the risk of being injured in a road traffic accident. We take some measures to reduce the risk, such as wearing a seatbelt, not using a hand held mobile phone whilst driving, paying due care and attention to the road conditions etc. We could reduce the risk of being injured in a road traffic accident even further by not getting in the car in the first place but this is hardly a practical solution if we need to get from point A to point B. Risk appetite is simply jargon for the level of risk which an organisation or individual is prepared to tolerate without putting in place further risk mitigation or controls. It is important to appreciate that “risk appetite” will vary from organisation to organisation (and from person to person if the number of people who still use hand held mobile phones whilst driving is anything to go by!) and also from risk to risk within an organisation.

Note – For further reading see Appendix 1 Paragraph 3

It is at this point of “risk toleration” that we can define our “appetite” for that particular risk. That is whether the organisation is prepared to accept the risk at its current level or whether any further action needs to be taken to reduce either the likelihood of the risk event occurring or its impact if and when it does occur. Whilst it is possible for “risk appetite” to be defined on an organisational-wide basis (for example, the organisation will not tolerate any risks remaining in the “high” category) “risk appetite” is, perhaps, a better measure when used on a risk by risk basis.

Risks that Members should consider The categories of risk detailed in Appendix Two illustrate some of the risks Members should consider when taking strategic decisions.

The role and responsibilities of Members for risk management Members are responsible for governing the delivery of services to the local community. Members have a responsibility to understand the strategic risks facing the Council.

Member’s key tasks are:

Ø Facilitating a risk management culture across the Council.

Ø Ensuring that business risks are being identified and effectively

managed.

Ø Provide leadership and direction for the management of risk on

Project Boards.

Ø Scrutinising the Cabinet’s decisions to ensure that they meet the

requirements of effective risk management.

Audit Committee Members

Ø Approve, support and monitor the implementation and ongoing processes for identifying and managing key risks of the Council.

Ø Provide independent assurance to the Council on the effectiveness of

the Council’s Risk Management, Internal Control and overall assurance framework.

Ø Approve the Corporate Risk Management Strategy

Ø Appoint Member(s) as Member Risk Champion.

Member Risk Champion(s)

The Member Champion should gain an understanding and promote risk management and its benefits throughout the Council, ensuring Members give it due consideration when making decisions.

What should Members expect from Officers in relation to risk?

• That there is a written strategy in place for managing risk

• The organisation has clear structures and processes for risk management which are successfully implemented

• The organisation has developed a corporate approach to the identification and evaluation of risk which is understood by all staff

• The organisation has well defined procedures for recording and reporting risk. Members should receive regular reports of the key risks facing the organisation, how likely they are to occur, what the impact would be if they did, what controls are in place, details of action plans to strengthen controls and the date by which the action is due to be taken.

• Advice on the risk implications of any decisions Members are asked to make.

• There are well-established and clear arrangements for financing risk.

• The organisation has developed a programme of risk management training for relevant staff.

• Managers are accountable for managing their risks

• Risk management literacy is disseminated throughout the organisation

• Risk management is fully considered in projects and partnership working

• To receive sufficient and appropriate information & training to enable Members’ awareness of risk management to be raised.

Contacts Member Risk Champions: Councillor Challen & Councillor Green Officer Risk Champion: Nick Edwards, Head of Finance and Asset

Management 01723 382410

Insurance/Risk Section: Martin Pedley & Jessica Ryder 01723 232359

Appendix One

1. Risk - a threat or an opportunity?

The “upside” to risk management is demonstrated by the very nature of the risk.

• Pure risk—two outcomes o Nothing will happen o A loss will occur

Examples include: • Poorly maintained highways • Fire • Employee accidents • Vehicle fleet management

• Speculative risk—three possible outcomes o Nothing happens o A loss will occur o A gain will occur

Examples include • Treasury management • Expanding leisure facilities • Other service improvements • Partnership working • New technology

2. What is Risk Management?

Some public sector managers still regard risk management as being primarily concerned with insurance or health and safety.

Some of the reason for this may be historical. In the local authority sector, to respond to the withdrawal from the insurance market of the Municipal Mutual Insurance Company in 1992 and to try and demonstrate to commercial insurers that risk management was being taken seriously, some councils chose to add risk management to the job title and responsibilities of the insurance officer. In many cases the insurance officer was given neither additional resources nor training to carry out his or her new role. The new “risk and insurance officer” could do little more than continue to focus on processing insurance claims with, perhaps, the odd spare moment for risk management. Even when time was available for risk management, this was mainly focused on insurance based risks and asset protection. As a result, the risk management culture of the organisation may not be as strong as it otherwise might have been.

Studies have shown that only about 20-25% of any organisation’s total risk profile is insurable risk. It follows then than about 80% - the significant majority of risks faced by an organisation cannot be covered by simply transferring the risk to an insurance company. A shared corporate approach is important if risks are to be identified and managed systematically and consistently across the organisation.

3. Dealing with risks

Treating the risk— implementing projects or procedures to minimise or reduce the likelihood of an event occurring or limit the severity of the consequences should it occur. It is not usually possible to reduce both the consequences and the likelihood of any given risk. Typical measures to reduce consequences

• Contingency/continuity plans

• Contract terms

• Design features including engineering and structural barriers

• Fraud and money laundering control planning

• Good public relations

• Minimise exposure to sources of risk Typical measures to reduce frequency

• Audit and compliance programmes – effective internal controls.

• Contract terms

• Process controls and inspections

• Project management and supervision.

• Preventative maintenance

• Structured training and other programmes Terminating the risk—involves the organisation opting not to undertake a current or proposed activity because it has been identified as being too risky.

• Not always possible in public bodies (e.g. statutory services)

• Sometimes only possible at the periphery (e.g. removal of sun beds from leisure centres to reduce risk of claims for skin cancer)

Transferring the risk—transferring, in whole or part, liability for the consequences of an event to another body by the use of things such as:

• Insurance is the most popular form of risk transfer (but only transfers the financial responsibility for the risk)

• Contract terms

• Leases and sub contracts

• Indemnity agreements

• Waivers etc. Tolerating the risk—it is perfectly legitimate for an organisation to decide that certain risks must be accepted or tolerated. A risk free world is a utopian vision and can never be achieved.

Appendix Two: Categories of Risk

CATEGORY DESCRIPTION INDICATIVE GUIDELINES (given as an example)

Political Associated with a failure to deliver either local or central government policy.

New political arrangements Not meeting government agenda Political make-up

Economic Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, the failure to purchase adequate insurance or the consequences of proposed investment decisions.

General/regional economic problems Missed business and service opportunities Failure of major projects Failure to prioritise, allocate appropriate budgets and monitor Inadequate control over expenditure or income Inadequate insurance cover

Social Relating to the effects of changes in demographic, residential or socio-economic trends on the Council’s ability to deliver its objectives.

Failing to meet the needs of disadvantaged communities Failures in partnership working Impact of demographic change

Technological Associated with the capacity of the council to deal with the pace /scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failures on the Council’s ability to deliver its objectives.

Failure in communications Insufficient disaster recovery for key systems Failure of big technology related project Breach of security of networks and data Failure to comply with IT Security Policy

Legislative Associated with current or potential changes in national or European law.

Inadequate response to new legislation Not meeting statutory duties/deadlines Failure to implement legislative change Misinterpretation of legislation Breach of confidentiality / Data Protection Act

Environmental Relating to environmental consequences of progressing the council’s corporate objectives (e.g. in terms of energy, efficiency, pollution, recycling, etc).

Impact on sustainability initiatives/energy Impact of planning & transportation policies Noise, contamination and pollution

Crime & Disorder Act implications

Customer/Citizen Associated with failure to meet the current and changing needs and expectations of customers and citizens.

• Demographic change

• Consultation and communication

• Project failure

Competitive Affecting the competitiveness of the service (in terms of cost or quality) and/or its ability to deliver best value

• Fail to obtain quality accreditation.

• Position in league tables.

Professional/Managerial

Associated with the particular nature of each profession, internal protocols and managerial abilities.

• Staff structure

• Key personalities

• Internal capacity

Financial Associated with financial planning and control.

• Budget overspends

• Level of Council Tax

• Level of reserves.

Legal Related to possible breaches of legislation.

• Clients bring legal challenge.

Physical Related to fire, security, accident prevention and health and safety.

• Buildings in poor state of repair.

• Use of equipment.

Partnership/Contractual

Associated with failure of contractors and partnership arrangements to deliver services or products to the agreed cost and specification.

• Contractor fails to deliver

• Partnership agencies do not have common goals.

Produce Service Risk Registers and Action Plans.

Contingency Plans by assigned persons require active risk

management at Service Area level and monitoring against

these on a periodic basis.

Original source of input by Risk Owners throughout

Authority

‘Very Low’ risks monitored and addressed by existing

management systems and routine daily activities

Consideration of top Corporate Risks -

Corporate Risk Register High/ Disastrous

categories, monitor progress, assign responsibility/

input to Risk Specific issues.

Groups set up as necessary to specifically

consider cross service risks

INSURANCE SECTION (Risk

Management)

Senior Management Team (SMT)

Cross Service Groups

Service Area Management

Teams

Facilitation, training, guidance, co-ordination, monitoring. Identification of cross service issues for consideration at SMT.

Produce & report Corporate Risk Register. Report annually to SMT, Audit Committee & Full Council on the progress and changes to policy and strategy.

Full Council

Audit Committee

Risk Identification

& Assessment

Quarterly Reports, including Service Risk

Registers and specific projects, to Audit

Committee & minutes to Full Council.

Full Annual Report on progress and changes

to policy and strategy.

Annual Report on Corporate Risk Register.

Risk Management Process and Reporting Structure

R E P O R T I N G

M O N I T O R I N G

Appendix Three

Reference and further reading

• Risk Management Standard – Published by AIRMIC, ALARM and IRM www.alarm-uk.org/pdf/riskmanagement-standard.pdf

• ‘Worth the Risk’ Improving Risk Management in Local Government – Audit Commission www.audit-commission.gov.uk/sitecollectiondocuments/auditcommissionreports/nationalstudies/worththerisk.pdf

• Management of Risk – A strategic overview – HM Treasury www.hm-treasury.gov.uk/d/orange_book.pdf

• Corporate Governance in Local Government – A Keystone for Community Governance – CIPFA/SOLACE www.cipfa.org.uk

Appendix Four

Scarborough Borough Council Town Hall St Nicholas Street Scarborough North Yorkshire Y011 2HG

tel: 01723 232323 email: customer.first@scarborough.gov.uk

website: www.scarborough.gov.uk

www.scarborough.gov.uk