
Risk Management Guidelines

To download a complete version of the Guidelines click on the attachment below:

Risk Management Guidelines.doc

To view all the graphics you may need to select 'Page layout' from the View menu in Microsoft Word.

Introduction

These guidelines have been produced by the Risk Management Working Group (RMWG) to explain the risk management process and the methodology that we will apply in the conduct of operational risk reviews across the Council. The guidelines are in draft and will be developed as we learn from our practical experience of operational risk reviews and from feedback from colleagues.

The guidelines are based on best practice and are consistent with the Council's risk management policy statement and strategy, with the approach taken by Zurich consultants and with the Magique risk management software, which has been implemented.

Definitions

Risk

Risk is the chance of something happening that will have an impact upon objectives.

Risk is the chance or possibility of loss, damage or injury or failure to achieve objectives caused by an unwanted or uncertain action or event.

Risk Management

Risk management is the planned and systematic approach to the identification, evaluation and control of risk.

The alternative to risk management is risky management.

Strategic Risk

Strategic risks are the risks that need to be taken into account in judgements about the medium to long-term goals and objectives of the Council.

Operational Risk

Operational risks are the risks that managers and staff will encounter and deal with in the daily course of their work.

Risk Measurement

Risk is measured in terms of consequences and likelihood.

Gross Risk

Gross risk, or inherent risk, is the status of the risk without taking account of any risk management activities that the business unit may already have in place. Gross risk is the assessed likelihood and impact of an event in the absence of any controls.

Net Risk

Net risk, or residual risk, is the status of the risk after taking account of any risk management activities that the business unit may have in place. Net risk is a reassessment of the gross risk taking into account existing controls, which may reduce the likelihood or impact of an event.

Internal Control System

The principal aim of any internal control system is to manage the risks that are significant to the achievement of a council's objectives.

The internal control system comprises the whole network of systems established in an organisation to provide reasonable assurance that organisational objectives will be achieved with particular reference to:

  • The effectiveness of operations
  • The economical and efficient use of resources
  • Compliance with applicable policies, procedures, laws and regulations
  • The safeguarding of assets and interests from losses of all kinds, including those arising from fraud
  • The integrity and reliability of information, accounts and data.

Internal Audit

Internal audit is an independent appraisal function within an organisation, which operates as a service to management by measuring and evaluating the effectiveness of the internal control system.

Risk Based Internal Auditing

The objective of Risk Based Internal Auditing (RBIA) is to provide independent assurance that:

  • The risk management processes which management has put in place across the organisation and at all levels are operating as intended.
  • These risk management processes are of sound design.
  • The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to an acceptable level.
  • A sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

The Risk Management Process

The following risk management process is based on that contained in the UK Risk Management Standard, published by AIRMIC, ALARM and IRM in 2002, and is consistent with both the STORM methodology used by Zurich strategic risk consultants and the Magique risk management software.

The stages of the Risk Management Process are described below and also depicted in a process map.

Risk Identification

This means identifying the authority's exposure to uncertainty by determining what can happen, why and how. The aim will be to produce a comprehensive list of events which might affect the authority. Risk identification will be approached in a methodical way by the RMWG to ensure that all significant activities within the authority have been identified and all the risks flowing from these activities are defined.

Within Magique the key elements for the identification and recording of operational risks are:

  • Business Units
  • Objectives
  • Risk Categories
  • Risk owners

Within Magique, each of the Council's Services is broken down into a number of "business units". These are listed in the section on Magique Risk Management parameters. The risks identified for each "business unit" will be recorded and described in a Risk Register. The Risk Register will be compiled and maintained by Internal Audit, using Magique risk management software.

It is important that proper emphasis is given to the identification of Service / Business Unit objectives and that a clear link is made between objectives and risks. Accordingly, each identified risk will relate to a specific objective which in turn is linked to the Council's Corporate Plan and Community Strategy aims.

Strategic and operational risks will also be categorised as defined below in the risk management methodology.

Responsibility for managing risk needs to be spread across those responsible for managing the different business activities. Risks cannot be effectively managed unless they are owned. Accordingly, each risk identified and recorded in the Magique risk register will have a risk owner. Each risk owner will ultimately be responsible for risk action plans and correcting control weaknesses.

Risk Analysis

The objective of risk analysis is to separate the minor, acceptable risks from the major risks, by combining estimates of consequences and likelihood in the context of existing control measures. Risk estimation can be a quantitative or qualitative exercise. For the Council's operational risk assessments, determining the likelihood that specified events may occur and the magnitude of their consequences will be a qualitative exercise. For example, qualitative degrees of likelihood may range from "Almost Certain" to "Very Rare", whilst consequences may range from "Extreme" or "Catastrophic" to "Negligible" or "Insignificant".

The first stage in risk analysis is to determine "gross risk" which is the combined likelihood and impact of an event in the absence of any controls or mitigations.

The second stage is to identify and record those controls or mitigations, which have been put in place to reduce the likelihood or impact of an event, resulting in an assessment of the "net risk". The combination of likelihood and consequence will determine the position of each risk in a risk matrix or risk profile.

The Magique software is used to record the gross risk, net risk and existing controls for each risk.

The result of the risk analysis process for each business unit or service will be a risk profile, presenting risks in a 6 x 4 matrix that highlights the most significant risks, those which need to be addressed. As an example, a simplistic risk profile is shown below, using High / Medium / Low indicators to prioritise risks.

Risk Matrix / Profile

Likelihood | Impact 1 | Impact 2 | Impact 3 | Impact 4
-----------|----------|----------|----------|---------
6          | Medium   | Medium   | High     | High
5          | Medium   | Medium   | High     | High
4          | Medium   | Medium   | High     | High
3          | Low      | Low      | Medium   | Medium
2          | Low      | Low      | Medium   | Medium
1          | Low      | Low      | Medium   | Medium

HIGH: Those risks falling in the top right hand corner are significant, and immediate or urgent action needs to be taken to reduce exposure.

MEDIUM: The risks falling in the top left and bottom right quarters are medium and under control, but need to be kept under managerial and audit review.

LOW: The risks falling in the bottom left quarter are likely to be managed by routine procedures or are trivial and unlikely to need any specific application of resources.

The qualitative measures of consequence and likelihood which will be applied in the conduct of the Council's operational risk assessments are detailed below in the risk management methodology, along with the risk profile and priority parameters set up in the Magique risk management software.

Risk Evaluation

This step is about deciding whether risks are acceptable or unacceptable.

Risk evaluation is the process used to determine risk management priorities by comparing the level of risk against the authority's risk appetite or tolerance to decide whether risks are acceptable or unacceptable.

Each business unit or service will determine its own tolerance line, which defines the appetite for risk and indicates whether each specific risk should be accepted or treated. An example is shown in the following chart.

Risk Matrix / Profile

Likelihood | Impact 1 | Impact 2 | Impact 3 | Impact 4
-----------|----------|----------|----------|---------
6          | Accept   | Treat    | Treat    | Treat
5          | Accept   | Treat    | Treat    | Treat
4          | Accept   | Accept   | Treat    | Treat
3          | Accept   | Accept   | Treat    | Treat
2          | Accept   | Accept   | Accept   | Treat
1          | Accept   | Accept   | Accept   | Accept

Take or terminate?

Risks in the green area below the line are considered to be acceptable. The level of risk is so low that specific treatment is not appropriate within available resources, or the cost of treatment is excessive compared to the benefit. Either way, we are prepared to tolerate the risk by understanding and living with the risk.

Where a risk is accepted it will still be subject to periodic review to ensure that changing circumstances do not alter its priority level.

Risks in the red area above the tolerance line are not considered acceptable. The risk can be terminated or avoided by not proceeding with the activity likely to generate risk.

The other option is to treat the risk.

Risk Treatment

This is the process of identifying and selecting treatment options and the preparation and implementing of risk action plans.

Risks to be treated are those which were considered not acceptable during the risk evaluation stage.

Risk treatment options include:

  • Risk control / mitigation.

Control / mitigation measures may be aimed at reducing the likelihood, reducing the consequences or both.

Examples of actions to reduce or control likelihood include audit reviews, use of contracts, project management, preventative maintenance and quality management and standards, training and supervision.

Procedures to reduce or control consequences include contingency planning, use of contracts, disaster recovery plans and public relations.

  • Transfer the Risk

This involves another party bearing or sharing part of the risk. Mechanisms include the use of contracts, insurance arrangements and organisational structures such as partnerships.

Where risks are transferred in whole or in part, the organisation transferring the risk has acquired a new risk, in that the organisation to which the risk has been transferred may not manage the risk effectively.

Risk Reporting and Monitoring

Reporting

Risk management is an iterative or cyclical process, rather than a one-off exercise. Therefore, RMWG will need to establish a routine for communicating and reporting on the output from the risk management process; that is the risks which have been identified, the action plans which have been implemented and the risk events which have occurred.

The Guidelines will be extended to cover which risks are reported, and when, where, how and by whom they are reported.

Monitoring

Once the programme of risk management has been implemented it will be necessary to review and refresh the process as a whole on an ongoing basis. This is an overall review of the risk management system, which will be carried out by internal audit at specified intervals. The purpose is to ensure the continuing suitability and effectiveness of the risk management system and to identify any opportunities for improvement.

Process Map

The risk management process is depicted in the following process map:

[Process map: The Risk Management Process, continued over three pages; the diagram is not reproduced in this text version.]

The Risk Management Methodology

The key elements of our risk management methodology include:

Business Units

These are used to structure the risk recording and analysis, allowing risks to be allocated to specific services, sections and risk owners.

Categories of Risk

When undertaking service / section risk reviews we are concerned with the operational risks which managers and staff will encounter in the daily course of their work. The Magique parameters include 13 types of risk, which may be used to categorise operational or strategic risks. In conducting a risk review it is probably easier to identify the risks first and then decide which category they fit into.

Assigning a category to each identified risk will facilitate the reporting of the various types of risk which are faced across the authority, such as "physical", "financial", "environmental" or "stakeholder" risks.

Qualitative Measures of Impact and Likelihood

Our measurement of the likelihood and impact of risk events will be qualitative, firstly in assessing gross risk and then in assessing net risk. The methodology includes four levels / descriptions of impact, from "Negligible" to "Catastrophic". It includes six measures of likelihood, from "Almost Impossible" to "Very High". These are set up as Magique parameters and are consistent with the methodology used by ZMMS in strategic risk reviews.

Risk Priorities

The combination of impact and likelihood results in five levels of risk priority, which are automatically assigned to gross and net risk in Magique. The priority levels range from "Very Low" to "Catastrophic".

Risk Profile

The qualitative risk assessment produces a 6 X 4 risk matrix or Risk profile which depicts the priority of each risk identified in the business unit / service.

The risk management methodology is set out in the following section.

Magique Software Parameters

Magique Business Units

Service                          | Service Manager | Ref. | Magique Business Unit
---------------------------------|-----------------|------|-------------------------------------
Corporate Services               | Robin Hooper    | 0100 |
                                 |                 | 0001 | Corporate Management
Policy Services                  | Celia Bahrami   | 0200 |
                                 |                 | 0201 | Policy Unit
Personnel Services               | Ingrid Jones    | 0300 |
                                 |                 | 0301 | Human Resources
                                 |                 | 0302 | Health and Safety
                                 |                 | 0303 | Office Services
                                 |                 | 0304 | Concessionary Travel
Democratic and Legal Services    | Mike Croston    | 0400 |
                                 |                 | 0401 | Democratic Representation & Man.
                                 |                 | 0402 | Land Charges
                                 |                 | 0403 | Legal Services
                                 |                 | 0404 | Elections & Registration of Electors
ICT Services                     | Steve Edwards   | 0500 |
                                 |                 | 0501 | Computer Services
                                 |                 | 0502 | Telephony Services
                                 |                 | 0503 | Reprographics Services
Finance Service                  | Paul Pennell    | 0600 |
                                 |                 | 0601 | Accountancy
                                 |                 | 0602 | Payroll
                                 |                 | 0603 | Creditors
                                 |                 | 0604 | Insurance
                                 |                 | 0605 | Benefits Administration
                                 |                 | 0606 | Revenues - Council Tax
                                 |                 | 0607 | Revenues - NNDR
                                 |                 | 0608 | Revenues - Sundry Debtors
                                 |                 | 0609 | Internal Audit
Property Services                | Geoff Trantham  | 0700 |
                                 |                 | 0701 | Property Management
                                 |                 | 0702 | Procurement
                                 |                 | 0703 | Project Management
Engineering Services             | Eddie McGrath   | 0800 |
                                 |                 | 0801 | Engineering and Works
                                 |                 | 0802 | Car Parks and Bus Station
Economic Development Services    | David Griffiths | 0900 |
                                 |                 | 0901 | Economic Development
                                 |                 | 0902 | Publicity and Tourism
                                 |                 | 0903 | Markets
Planning Policy Services         | Geoff Harrison  | 1000 |
                                 |                 | 1001 | Planning Policy
                                 |                 | 1002 | Conservation
Development Control Services     | Peter Fenwick   | 1100 |
                                 |                 | 1101 | Devt. Control and Enforcement
Building Control Services        | Dennis Bowers   | 1200 |
                                 |                 | 1201 | Building Control
Housing & Community Regeneration | Andy Goldsmith  | 1300 |
                                 |                 | 1301 | Housing Strategy and Enabling
                                 |                 | 1302 | Community and Sustainable Devt.
                                 |                 | 1303 | Community Centres and Wardens
Leisure Services                 | Alan Wallin     | 1400 |
                                 |                 | 1401 | Swimming and Fitness Centre
                                 |                 | 1402 | Sports Centres
                                 |                 | 1403 | Outdoor Recreation
                                 |                 | 1404 | Golf Course
                                 |                 | 1405 | Sports Development and Promotion
Museums Service                  | Mary White      | 1500 |
                                 |                 | 1501 | Shrewsbury Museums
Theatre Service                  | Lezley Picton   | 1600 |
                                 |                 | 1601 | Music Hall
                                 |                 | 1602 | Arts and Events
Public Amenities                 | Derek Caddy     | 1700 |
                                 |                 | 1701 | Horticultural Services
                                 |                 | 1702 | Refuse Collection
                                 |                 | 1703 | Recycling
                                 |                 | 1704 | Street Cleansing
                                 |                 | 1705 | Children's Playgrounds
                                 |                 | 1706 | Public Conveniences
Environmental Health Services    | David Wraith    | 1800 |
                                 |                 | 1801 | Public Health
                                 |                 | 1802 | Pest Control
                                 |                 | 1803 | Licensing
Bereavement Services             | David Wraith    | 1900 |
                                 |                 | 1901 | Cemeteries
                                 |                 | 1902 | Crematorium
Capital Programme                |                 | 2000 |

Magique Risk Category Parameters

No. | Category      | Description
----|---------------|------------
1   | Political     | Those associated with a failure to deliver either local or central government policy or to meet the local administration's manifesto commitments.
2   | Economic      | Those affecting the ability of the council to meet its financial commitments. These include internal budgetary pressures, the failure to purchase adequate insurance to cover external macro-level economic changes, or the consequences of proposed investment decisions.
3   | Social        | Those relating to the effects of changes in demographic, residential or socio-economic trends on the council's ability to deliver its objectives.
4   | Technological | Those associated with the capacity of the council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failures on the council's ability to deliver its objectives.
    |               | Those relating to a reliance on operational equipment (for example, IT systems or equipment and machinery).
5   | Environmental | Those relating to the environmental consequences of progressing the council's strategic objectives (for example in terms of energy efficiency, pollution, recycling, emissions etc.).
    |               | Those relating to pollution, noise or the energy efficiency of ongoing service operations.
6   | Legislative   | Those associated with current or potential changes in national or European law.
7   | Competitive   | Those affecting the competitiveness of the service and / or its ability to deliver best value.
8   | Contractual   | Those associated with the failure of contractors to deliver services or products to the agreed cost and specification.
9   | Stakeholder   | Those associated with the failure to meet the current and changing needs and expectations of customers, citizens and staff.
10  | Professional  | Those associated with the particular nature of each profession.
11  | Financial     | Those associated with financial planning and control and the adequacy of insurance cover.
12  | Legal         | Those related to possible breaches of legislation.
13  | Physical      | Those related to fire, security, accident prevention and health and safety (for example, hazards / risks associated with buildings, vehicles, plant and equipment etc.).

Magique Qualitative Measures of Consequence or Impact

Level | Descriptor   | Description
------|--------------|------------
1     | Negligible   | Minor or insignificant. Minimum impact at a local level only. No external effect and quick recovery.
2     | Marginal     | Moderate or significant.
3     | Critical     | Major or very serious. Very important or dangerous. At the limit / on the edge.
4     | Catastrophic | Disastrous. A great and sudden disaster, an accident or event causing great distress or destruction.

Qualitative Measures of Likelihood

Level | Descriptor           | Description
------|----------------------|------------
6     | Very High            | Almost certain / inevitable: is expected to occur in most circumstances. Will occur once a year or more frequently.
5     | High                 | Likely: will probably occur in most circumstances.
4     | Medium / Significant | Possible: quite likely to occur some time.
3     | Low                  | Unlikely: could occur some time.
2     | Very Low             | Remote: not much chance that this would happen.
1     | Almost Impossible    | Very rare: very little chance and only in exceptional circumstances. Have never known this to happen.

The following examples of impact and likelihood were used by ZMMS to facilitate the assessment of risks during the SABC strategic risk review workshops in December 2003. They may also be used to assist in the assessment of operational risks at section / service level.

Likelihood - Examples

Descriptor        | Probability | Timing
------------------|-------------|-----------------------
Very High         | > 90%       | This week
High              | 55% - 90%   | Next week / this month
Significant       | 15% - 55%   | This year
Low               | 5% - 15%    | Next year
Very Low          | 1% - 5%     | In the next 5 years
Almost Impossible | < 1%        | In the next ten years

Consequence or Impacts - Examples

Area of Impact    | Negligible                         | Marginal                                             | Critical                                | Catastrophic
------------------|------------------------------------|------------------------------------------------------|-----------------------------------------|-----------------------------------------------------------------
Financial         | Up to £10K                         | £10K - £200K                                         | £200K - £1M                             | £1M - £10M
Service Provision | No effect                          | Quality of service slightly reduced                  | Service reduced or suspended short term | Service suspended long term. Statutory obligations not delivered
Health and Safety | Sticking plaster / first aider     | Broken bones / illness                               | Loss of life / serious illness          | Major loss of life / large scale outbreak of serious illness
Objectives        | Objectives of one section not met  | Objectives of one service not met                    | Directorate objectives not met          | Corporate objectives not met
Morale            | No change                          | Some hostile relationships and minor non-cooperation | Industrial action                       | Mass staff leaving / unable to attract new staff
Reputation        | No media attention / minor letters | Adverse local media reporting                        | Adverse national publicity              | Remembered for years
Regulatory        | No change                          | Poor assessments                                     | Service taken over temporarily          | Service taken over permanently

By combining these assessments of likelihood and consequence, the risks can be prioritised as follows:

Risk Priorities

Impact       | Likelihood        | Score | Priority
-------------|-------------------|-------|---------
Negligible   | Almost Impossible | 1     | VL
Negligible   | Very Low          | 2     | VL
Negligible   | Low               | 3     | VL
Marginal     | Almost Impossible | 4     | VL
Negligible   | Significant       | 5     | L
Negligible   | High              | 6     | L
Negligible   | Very High         | 7     | L
Marginal     | Very Low          | 8     | L
Marginal     | Low               | 9     | L
Critical     | Almost Impossible | 10    | L
Marginal     | Significant       | 11    | M
Marginal     | High              | 12    | M
Marginal     | Very High         | 13    | M
Critical     | Very Low          | 14    | M
Critical     | Low               | 15    | M
Catastrophic | Almost Impossible | 16    | M
Critical     | Significant       | 17    | H
Critical     | High              | 18    | H
Critical     | Very High         | 19    | H
Catastrophic | Very Low          | 20    | H
Catastrophic | Low               | 21    | H
Catastrophic | Significant       | 22    | C
Catastrophic | High              | 23    | C
Catastrophic | Very High         | 24    | C

Risk Profile

Likelihood | Impact 1 | Impact 2 | Impact 3 | Impact 4
-----------|----------|----------|----------|---------
6          | 7        | 13       | 19       | 24
5          | 6        | 12       | 18       | 23
4          | 5        | 11       | 17       | 22
3          | 3        | 9        | 15       | 21
2          | 2        | 8        | 14       | 20
1          | 1        | 4        | 10       | 16

Score   | Priority | Response
--------|----------|---------
22 - 24 | C        | Extreme Risk - Immediate action is required
16 - 21 | H        | High Risk - Urgent action is required
10 - 15 | M        | Medium Risk - under control, but keep under managerial / audit review
4 - 9   | L        | Low Risk - easily and effectively managed by routine operating procedures
1 - 3   | VL       | Very Low Risk - Trivial and unlikely to require any specific application of resources. Common sense.
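The scoring described in the Risk Analysis, Risk Evaluation and Risk Priorities sections, worked through as an added Python example (not the Magique software or the Council's own code): the 6 x 4 grid lookup, the priority bands from the Score / Priority / Response table, a gross-to-net reassessment once existing controls are recorded, and the Accept / Treat decision. The tolerance line is read off the example chart in the Risk Evaluation section, and the sample risk, its owner and its controls are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

IMPACT = {1: "Negligible", 2: "Marginal", 3: "Critical", 4: "Catastrophic"}
LIKELIHOOD = {1: "Almost Impossible", 2: "Very Low", 3: "Low",
              4: "Significant", 5: "High", 6: "Very High"}

# Risk Profile grid from the guidelines: SCORE[likelihood][impact] -> score 1..24.
SCORE = {
    6: {1: 7, 2: 13, 3: 19, 4: 24},
    5: {1: 6, 2: 12, 3: 18, 4: 23},
    4: {1: 5, 2: 11, 3: 17, 4: 22},
    3: {1: 3, 2: 9, 3: 15, 4: 21},
    2: {1: 2, 2: 8, 3: 14, 4: 20},
    1: {1: 1, 2: 4, 3: 10, 4: 16},
}

# Score / Priority / Response table: (lowest score, highest score, code, response).
BANDS = [
    (22, 24, "C", "Extreme Risk - Immediate action is required"),
    (16, 21, "H", "High Risk - Urgent action is required"),
    (10, 15, "M", "Medium Risk - under control, but keep under managerial / audit review"),
    (4, 9, "L", "Low Risk - easily and effectively managed by routine operating procedures"),
    (1, 3, "VL", "Very Low Risk - Trivial and unlikely to require any specific application of resources"),
]

# Tolerance line read off the Risk Evaluation example chart: for each likelihood
# level, the highest impact level that is still "Accept". Each business unit sets its own.
EXAMPLE_TOLERANCE = {6: 1, 5: 1, 4: 2, 3: 2, 2: 3, 1: 4}


def score(likelihood: int, impact: int) -> int:
    """Look up the 1..24 score, rejecting values outside the 6 x 4 grid."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"likelihood 1..6 and impact 1..4 expected, got {likelihood}, {impact}")
    return SCORE[likelihood][impact]


def priority(score_value: int) -> tuple:
    """Map a score to its (priority code, response) band."""
    for low, high, code, response in BANDS:
        if low <= score_value <= high:
            return code, response
    raise ValueError(f"score out of range: {score_value}")


def decision(likelihood: int, impact: int, tolerance: dict) -> str:
    """Accept when the impact is at or below the tolerance line for that likelihood."""
    return "Accept" if impact <= tolerance[likelihood] else "Treat"


@dataclass
class Risk:
    ref: str
    objective: str                 # the service objective the risk is linked to
    scenario: str                  # vulnerability, trigger and consequences
    owner: str
    category: str
    gross: tuple                   # (likelihood, impact) with no controls in place
    controls: list = field(default_factory=list)
    net: Optional[tuple] = None    # (likelihood, impact) reassessed with controls


def assess(risk: Risk, tolerance: dict = EXAMPLE_TOLERANCE) -> dict:
    """Score gross and net risk and decide whether the net risk is acceptable.
    A risk with no recorded net assessment keeps its gross score: unrecorded controls earn no credit."""
    net = risk.net or risk.gross
    gross_score, net_score = score(*risk.gross), score(*net)
    if net_score > gross_score:
        raise ValueError(f"{risk.ref}: net risk cannot exceed gross risk")
    code, response = priority(net_score)
    return {
        "ref": risk.ref, "owner": risk.owner,
        "gross_score": gross_score, "gross_priority": priority(gross_score)[0],
        "net_score": net_score, "net_priority": code,
        "response": response, "decision": decision(*net, tolerance),
    }


# Constructed sample risk for Computer Services (business unit 0501), linked to an objective.
SAMPLE = Risk(
    ref="0501-01", objective="Keep core systems available during office hours",
    scenario="Main file server fails (trigger) while backups are untested "
             "(vulnerability), causing loss of data and a multi-day outage (consequences)",
    owner="ICT Services Manager", category="Technological",
    gross=(5, 3),   # High likelihood, Critical impact -> score 18, priority H
    controls=["Nightly backups", "Quarterly restore tests", "Hardware support contract"],
    net=(3, 3),     # Low likelihood, Critical impact -> score 15, priority M
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key:>15}: {value}")
```

Because the net impact (Critical) still sits above the example tolerance line for a Low likelihood, the sample risk remains "Treat" even after controls reduce it from High to Medium priority.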

Magique Risk Management Framework

The way in which risks are identified and recorded in Magique in relation to business units, objectives and risk categories is depicted in the following chart.

[Chart: Magique framework for risk identification and evaluation, continued over two pages; the diagram is not reproduced in this text version.]

Application of Risk Management Process and Methodology

Operational Risk Reviews

The members of the RMWG will undertake an initial survey of operational risks in their own service areas, which include:

  • Finance
  • ICT
  • Public Amenities
  • Property Services

These reviews will take place in the 3 month period from February to April 2004. The process will then be rolled out across the Council, and members of the RMWG will then participate in a planned programme of operational risk reviews in conjunction with each of the Service Managers in accordance with an agreed timetable.

The risk reviews will apply the risk management process and methodology set out in these guidelines and introduced during the ZMMS risk management training sessions in September 2003. It is envisaged that this will involve risk identification and assessment workshops similar to the way that the strategic risk review was conducted in December 2003.

The objectives will be:

  1. To identify and record the objectives of each section / service.
  2. To identify the key operational risks in each area of activity / service delivery across the Council. The risks should be directly linked to objectives, that is, what could happen which would affect the ability to deliver objectives.
  3. To record risks. Risks should be recorded as risk scenarios, including the vulnerability, the trigger and the consequences.
  4. To categorise the operational risks using the types of risk shown in the risk methodology.
  5. To identify risk ownership so that there is clear responsibility for managing operational risks.
  6. To assess gross risks in terms of consequences and likelihood.
  7. To identify and record the existing controls which are in place to mitigate risks.
  8. To reassess net risk in terms of likelihood and impact, that is, how effective are existing controls in mitigating the risk?
  9. To evaluate those risks and determine risk priorities.
  10. To treat key risks by producing and implementing risk action plans.
  11. To record operational risk data in the Magique risk database.
  12. To compile a comprehensive risk register and risk profiles for sections / services across the Council.
  13. To report on the key operational risks in each area of service delivery / support activity and produce a consolidated report for the authority as a whole.

Thereafter, the objective will be to embed operational risk management in the authority's planning and control arrangements at Service level.

Internal audit will incorporate risk assessment in the audit planning process and will adopt a risk-based approach to audit work where appropriate.

Timetable for Operational Risk Reviews

A timetable for the conduct of operational risk reviews will be compiled and agreed by the RMWG in February 2004. A provisional timetable is attached.

RISK REVIEW TIMETABLE

Month columns: Feb 2004 | Mar 2004 | Apr 2004 | May 2004 | June 2004 | July 2004 | Aug 2004 | Sept 2004 | Oct 2004 | Nov 2004 | Dec 2004 | Jan 2005 | Feb 2005 (the scheduled month for each row is not reproduced in this text version).

Ref. | Service / Business Unit
-----|-------------------------------------
100  | Corporate Services
101  | Corporate Management
200  | Policy Services
201  | Policy Unit
300  | Personnel Services
301  | Human Resources
302  | Health and Safety
303  | Office Services
400  | Democratic and Legal Services
401  | Democratic Representation & Man.
402  | Land Charges
403  | Legal Services
404  | Elections & Registration of Electors
500  | ICT Services
501  | Computer Services
502  | Telephony Services
503  | Reprography Services
600  | Finance Service
601  | Accountancy
602  | Payroll
603  | Creditors
604  | Insurance
605  | Benefits Administration
606  | Revenues - Council Tax
607  | Revenues - NNDR
608  | Sundry Debtors
609  | Concessionary Travel
700  | Property Services
701  | Property Management
702  | Procurement
703  | Project Management
800  | Engineering Services
801  | Engineering and Works
802  | Car Parks and Bus Station
900  | Economic Development Services
901  | Economic Development
902  | Publicity and Tourism
903  | Markets
1000 | Planning Policy Services
1001 | Planning Policy
1002 | Conservation
1100 | Development Control Services
1101 | Devt. Control and Enforcement
1200 | Building Control Services
1201 | Building Control
1300 | Housing & Community Regeneration
1301 | Housing Strategy and Enabling
1302 | Community and Sustainable Devt.
1400 | Leisure Services
1401 | Swimming and Fitness Centre
1402 | Sports Centres
1403 | Outdoor Recreation
1404 | Golf Course
1405 | Sports Development and Promotion
1500 | Museums Service
1501 | Shrewsbury Museums
1600 | Theatre Service
1601 | Music Hall
1602 | Arts and Events
1700 | Public Amenities
1701 | Horticultural Services
1702 | Refuse Collection
1703 | Street Cleansing
1704 | Children's Playgrounds
1705 | Public Conveniences
1800 | Environmental Health Services
1801 | Public Health
1802 | Pest Control
1803 | Licensing
1900 | Bereavement Services
1901 | Cemeteries
1902 | Crematorium
2000 | Capital Programme