DOCUMENT CONTROL
Author Dr Juliet Cross, Clerk and Responsible Financial Officer | |||
Date | Version | Status | Description |
22/07/19 | 0.1 | Draft | Draft document circulated to councillors. |
01/08/19 | 1.0 | Final | Document approved at Council Meeting with amendmentsheld on 1 August 2019 (Minute: 19.188). |
Review Cycle Every four years at the Annual Meeting of the Council after the election of the parish councillors or in response to new or amended statutory requirements. Next review due May 2023. | |||
Legislation and Regulation Accounts and Audit Regulations 2015Governance and Accountability for Smaller Authorities in England 2019 Chawleigh Parish Council’s related documents:Risk assessment formRisk Register |
INDEX
1. | INTRODUCTION | 2 |
2. | WHAT IS RISK MANAGEMENT? | 2 |
3. | WHY DOES THE COUNCIL NEED A RISK MANAGEMENT STRATEGY? | 3 |
4. | RISK MANAGEMENT POLICY STATEMENT | 3 |
5. | IMPLEMENTING THE STRATEGY | 4 |
6. | ROLES AND RESPONSIBILITIES | 4 |
7. | FUTURE MONITORING | 6 |
8. | CONCLUSION | 6 |
APPENDIX A – RISK SCORING MATRIX | 7 |
1. INTRODUCTION
1.1 | Chawleigh Parish Council (the Council) recognises that it has a responsibility to manage risks effectively in order to protect its employees, assets, liabilities, business, services, reputation and the community against potential losses and to minimise uncertainty in achieving its goals and objectives. |
1.2 | The objectives of this Strategy and Policy are to: Further develop risk management and raise its profile across the Council;Integrate risk management into the culture of the organisation;Embed risk management through the ownership and management of risk as part of all decision-making processes; andManage risk in accordance with best practice. |
2. WHAT IS RISK MANAGEMENT?
2.1 | ‘Risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and to successfully execute its strategies. Risk management is the process by which risks are identified, evaluated and controlled. It is a key element of the framework of governance together with community focus, structures and processes, standards of conduct and service delivery arrangements.’ Audit Commission, Worth the Risk: Improving Risk Management in Local Government, (2001: 5) |
2.2 | Risk management is an essential feature of good governance. An organisation which manages risk well is more likely to achieve its objectives. It is vital to recognise that risk management is not simply about health and safety, but applies to all aspects of the Council’s work. |
2.4 | Risks can be classified into various types but it is important to recognise that for all categories the direct financial losses may have less impact than the indirect costs such as disruption of normal working. The examples below are not exhaustive: Strategic Risk – Long-term adverse impacts from poor decision-making or poor implementation. Risks damage to the reputation of the Council, loss of public confidence, and in a worse-case scenario Government intervention. Compliance Risk – Failure to comply with legislation and regulations, agreed procedures or the lack of documentation to prove compliance. Risks exposure to prosecution, judicial review, employment tribunals and the inability to enforce contracts. Financial Risk – Fraud and corruption, waste, excess demand for services, bad debts. Risk of additional audit investigation, objection to accounts, reduced service delivery, dramatically increased precept and impact on Council reserves. Operational Risk – Failure to deliver services effectively, malfunctioning equipment, hazards to service users, the general public or staff, damage to property. Risk of insurance claims, higher insurance premiums, lengthy recovery processes. |
2.5 | Not all these risks are insurable and for some the premiums may not be cost effective. Even where insurance is available, a monetary consideration might not be an adequate recompense. The emphasis should always be on eliminating or reducing risk before costly steps to transfer risk to another party are considered |
2.6 | Risk is not restricted to potential threats but can be connected with missed opportunities. Good risk management can facilitate proactive, rather than merely defensive responses. Measures to manage adverse risks are likely to help with managing positive ones. |
3. WHY DOES THE COUNCIL NEED A RISK MANAGEMENT STRATEGY?
3.1 | Risk management will strengthen the ability of the Council to achieve its objectives and enhance the value of services provided. |
3.3 | The Risk Management Strategy will help to ensure that the councillors and Clerk have an understanding of risk and that the Council adopts a uniform approach to identifying and prioritising risks. This should in turn lead to conscious choices as to the most appropriate method of dealing with each risk, be it elimination, reduction, transfer or acceptance. |
3.4 | Strategic risk management is an important element in demonstrating continuous service improvement. |
3.5 | There is a requirement under the Accounts and Audit Regulations 2015 to establish and maintain a systematic strategy, framework and process for managing risk. |
4. RISK MANAGEMENT POLICY STATEMENT
4.1 | The Council is aware that some risks can never be eliminated fully and it has in place a strategy that provides a structured, systematic and focussed approach to managing risk. Risk management is an integral part of the Council’s management processes. |
4.2 | Definitions Hazard is something (e.g. an event, a situation, an activity) which can cause an adverse effect or harm.Harm includes injury, damage to property, financial losses, increased liabilities, service interruption.A risk is the likelihood that a hazard will actually cause its adverse effects or harm, together with a measure of the impact or consequence that this will have. |
4.3 | Like all organisations, the Council is exposed to risk. Not all of the risks to which it is exposed can be insured against, but they can be managed and controlled by proactive measures to identify and assess their likelihood and impact. |
4.4 | The aim of the Council’s Risk Management Policy is to identify and manage the risks to the Council’s business, including: Its employees;Its assets, including property;Its liabilities, including inspections and compliance statutory duty;Its business and service provision;Its reputation; andThe community and general public. |
4.5 | The Council will: Review and assess the impact of potential events upon the Council’s activities and implement:Emergency plans and contingency arrangementsDisaster recovery and business continuity plans;Evaluate risks in terms of likelihood and impact at both strategic and operational levels;Make every effort to control the identified risks by managing and monitoring the Council’s Risk Register;Review the possibilities of self-insuring risks where any potential loss will not significantly affect our business;Carry insurance in such amounts and in respect of such perils as will provide protection against significant losses, where insurance is required by law or contract and in such other circumstances as considered necessary from time to time; andEmbed the culture of risk management throughout the Council and ensure it becomes an integral part of all the Council does. |
5. IMPLEMENTING THE STRATEGY
5.1 | Risk Monitoring The risk management process does not finish with putting risk control procedures in place. The effectiveness of procedures in controlling risk must be monitored and reviewed. It is also important to assess whether the nature of any risk has changed over time. The information generated from applying the risk management process will help to ensure that risks can be avoided or minimised in the future. It will inform judgements on the nature and extent of insurance cover and the balance to be reached between self-insurance and external protection. The Council’s Risk Register will be managed and monitored at least once a year and updated when appropriate. |
5.2 | Risk Management System Risk Identification– Identifying and understanding the risks facing the Council is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions should be recorded on a risk assessment form so that they can then be managed effectively.Risk Analysis – Once risks have been identified they need to be systematically and accurately assessed using proven techniques. Analysis should make full use of any available data on the potential frequency of events and their consequences. If a risk is seen to be unacceptable, then steps need to be taken to control or respond to the risk. Risk Prioritisation – An assessment should be undertaken of the impact and likelihood of risks occurring, with impact and likelihood being scored on a scale from 1 – 5 with 1 being low and 5 being high. Scores for impact and likelihood are multiplied and risk scores of 8 and above will be subject to detailed consideration and preparation of a contingency/action plan to control the risk (see Appendix A). |
5.3 | Risk Control Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. Typically, risk control requires the identification and implementation of revised operating procedures, but in exceptional cases more drastic action will be required to reduce the risk to an acceptable level. Options for control include: Elimination – the circumstances from which the risk arises are removed so that the risk no longer exists;Reduction – control measures are implemented to reduce the impact/ likelihood of the risk occurring;Acceptance – documenting a conscious decision where the Council accepts or tolerates a risk after reviewing the existing controls that are in place;Transfer – the risk or part of the risk is passed to others e.g. by revising contractual terms or taking out insurance. Some risks, e.g. reputational risk, cannot be transferred; orSharing – the risk is shared with another party, such as professional services for planning and design. |
6. ROLES AND RESPONSIBILITIES
6.1 | It is important that risk management becomes embedded into the everyday culture and performance management process of the Council. The roles and responsibilities set out below, are designed to ensure that risk is managed effectively across the Council and its operations, and responsibility for risk are shared appropriately. The process must be driven from the top and must involve the employees of the organisation. |
6.2 | Councillors Risk management is seen as a key part of the councillors’ stewardship role and there is an expectation that councillors will lead and monitor the adopted approach, including: Approval of the Risk Management Strategy and Policy;Analysis of key risks in reports on major projects, ensuring that all future projects and services undertaken are adequately risk managed;Consideration and approval of the Annual Governance Statement; and Assessment of risks whilst setting the budget, including any bids for resources to tackle specific issues. |
6.3 | Employees The Clerk is the only Council employee. She will undertake her job within risk management guidelines ensuring that her skills and knowledge are used effectively. The Clerk will maintain an awareness of the impact and costs of risks and how to feed data into the formal process. She will work to control risks or threats within her job, monitor progress and report on job related risks to the Chairman or Vice Chairman of the Council. |
6.4 | Clerk and Responsible Financial Officer The Clerk will act as the lead officer on risk management, and be responsible for overseeing the implementation of the Risk Management Strategy and Policy. The Clerk will: Provide advice as to the legality of policy and service delivery choices;Provide advice on the implications for service areas of the Council’s corporate aims and objectives;Update the Council on the implications of new or revised legislation;Assist in handling any litigation claims;Provide advice on any human resource issues relating to strategic policy options or the risks associated with operational decisions and assist in handling cases of work-related illness or injury;Advise on any health and safety implications of the chosen or proposed arrangements for service delivery;Assess the financial implications of strategic policy options;Provide assistance and advice on budgetary planning and control;Ensure that the accounting systems allow effective budgetary control;Maintain the Council’s Risk Register;Effectively manage the Council’s investment and loan portfolio; andAssess and implement the Council’s insurance requirements. |
6.5 | Internal Audit Internal Audit provides an important scrutiny role by carrying out audits to provide independent assurance to the Council that the necessary risk management systems are in place and all significant business risks are being managed effectively. Internal Audit assists the Council in identifying both its financial and operational risks and seeks to assist the Council in developing and implementing proper arrangements to manage them, including adequate and effective systems of internal control to reduce or eliminate the likelihood of errors or fraud. Internal Audit reports, and any recommendations contained within, will help to shape the Annual Governance Statement. |
6.6 | Training Risk Management training will be provided to councillors and the Clerk through a variety of methods, to ensure everyone has the skills necessary to identify, evaluate and control the risks associated with the services the Council provides. |
6.7 | In addition to the roles and responsibilities set out above, the Council will promote an environment within which individuals and groups are encouraged to report adverse incidents promptly and openly. |
7. FUTURE MONITORING
This Strategy and Policy will be reviewed every four years. Review and future development of the Risk Management Policy and Strategy will be overseen by the Full Council. |
8. CONCLUSION
The adoption of a sound risk management approach should achieve many benefits for the Council. It will assist in demonstrating that Chawleigh Parish Council is committed to continuous service improvement and effective corporate governance. |
APPENDIX A – RISK SCORING MATRIX
Method
All identified risks are subjected to a robust scoring method to ensure the consistent scoring of risks. The risk score is determined by using a risk scoring matrix and multiplying the risk impact score with the risk likelihood score. This provides a quantitative basis upon which to determine the urgency of any actions.
Low risk
Risks with a score of 0 are defined as risk no longer existing as the actions have been completed, for example where a new piece of equipment has been obtained and replaced an obsolete piece of equipment.
Risks with a score of 1 – 3 are defined as a very low risk where further risk reduction may not be feasible or cost effective.
Risks with a score of 4 – 6 are defined as a low risk where risk control is required, so far as is reasonably practicable. The majority of control measures are already in place, or the likelihood of harm or its consequence is small. Actions may be required in the long term.
Medium risk
Risks with a score of 8 – 12 are defined as a medium risk where prompt action is required, so far as is reasonably practicable. There is moderate probability of major harm or high probability of minor harm if control measures are not implemented. Action may be required in the medium term.
High risk
Risks with a score of 15 – 25 are defined as a high risk where there is a significant probability that major harm will occur if control measures are not implemented. Urgent action is required and stopping the activity or procedures should be considered.
Risk Likelihood Score
Score | Description | Example |
1 | Rare | Would only occur in exceptional circumstances |
2 | Unlikely | Could occur at some time |
3 | Possible | May occur or re-occur at some time |
4 | Likely | Will probably occur but is not a persistent issue |
5 | Almost certain | Is expected to occur or is a persistent issue |
Risk Impact Score
Score | Description | Example – Adverse publicity, loss of reputation |
1 | Insignificant | Rumours, potential for public concern. |
2 | Minor | Short-term reduction in public confidence, elements of public expectation not being met. |
3 | Moderate | Long-term reduction in public confidence, local media coverage. |
4 | Major | National media coverage of less than 3 days, service well below reasonable public expectation. |
5 | Catastrophic | National media coverage for more than 3 days, service well below reasonable public expectation, total loss of public confidence, MP concern (questions in the House). |
Risk Score
Risk score = Likelihood x Impact
By using the equation, a risk score can be determined ranging from 1 (low severity and unlikely to happen) to 25 (almost certain to happen with catastrophic and widespread consequences).
Impact | Likelihood | ||||
1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain | |
1 – Insignificant | 1 | 2 | 3 | 4 | 5 |
2 – Minor | 2 | 4 | 6 | 8 | 10 |
3 – Moderate | 3 | 6 | 9 | 12 | 15 |
4 – Major | 4 | 8 | 12 | 16 | 20 |
5 – Catastrophic | 5 | 10 | 15 | 20 | 25 |