Item 8, Appendix 1

Hampshire Fire and Rescue Authority

Risk Management

Policy and Strategy

Version dated 29 January 2005

Contents

Risk Management Policy

1 Aims and Objectives

2 Scope and Approach

3 Roles and Responsibilities

4 The Risk Management Cycle

5 Embedding the Process

6 Products and Benefits

7 Education and Training

8 Consultation and Communication

9 Resources

10 Key Targets and Milestones

11 Programme Risks

Appendix A. Glossary of Terms

Risk Management Policy

The Risk Management policy of Hampshire Fire and Rescue Authority is to adopt recognised best practice for the identification, evaluation and cost-effective control of risks to ensure that they are managed at acceptable levels.

Risk management is about managing our threats and opportunities, and creating an environment of 'no surprises'. By managing our threats effectively we will be in a stronger position to deliver our business objectives. By managing our opportunities well we will be in a better position to provide improved services and better value for money.

The Authority accepts its responsibility to manage the risks associated with all areas of its activity, and acknowledges that some risks will always exist and can never be completely eliminated. In order to achieve this, the Authority has adopted a structured and focused approach to risk management, as described in its Risk Management Strategy and supported by Procedures and a Manual of guidance.

The golden thread that binds these components together is the principle that all employees and partner organisations involved in the delivery of services to the public must understand the nature of risk and accept responsibility for those risks associated with their area of activity.

The Authority and its senior management will provide the commitment, support and resources necessary to turn the Policy and Strategy into reality. This document has been written in a way that provides a useful introduction for both Members and staff, to raise their awareness of the importance of effective risk management.

In this way the Authority will better achieve its corporate objectives and enhance the value of services it provides to the community.

1 Aims and Objectives

Aim of the Strategy

To promote and embed good practice in the management of risk throughout the organisation: both in our own activities, and those involving third-party suppliers, contractors and in our public and private partnerships.

Objectives

The objectives of this Policy and Strategy are to:

· Anticipate and respond to changing external and internal pressures so there are fewer surprises.

· Raise awareness of the need for risk management by all those connected with the delivery of our services.

· Manage risk in accordance with best practice.

· Support well thought-through risk taking to ensure opportunities for improvement and development are not lost.

· Integrate risk management into the culture of the Authority.

2 Scope and Approach

Scope

Risk management refers to the collective cultures, structures and processes that are directed towards the effective management of potential opportunities and adverse threats as we pursue our objectives. This applies equally to the pursuit of strategic objectives at the corporate and support levels as well as to the delivery of front line services by our operational staff.

Risk management must therefore be a top-to-bottom process involving all levels of staff and all partner organisations that contribute in any way to the delivery of our services. Only when this is fully understood and accepted will we succeed in embedding risk management within the working practices and culture of the organisation.

Where services are delivered through formal partnerships or through contract arrangements, robust risk management must apply at both the partnership interface and within the third-party organisation and its operating environments.

Risk management is as much about empowerment and innovation as it is about preventing adverse things from happening. There are up-side risks as well as down-side ones. Therefore, this Policy and Strategy aims to achieve a cultural shift, from an organisation that has traditionally tended to consider only operational risk to one that considers all risks to the entire Authority and Service, particularly those affecting its strategic objectives. The strategy is as much about supporting innovation and seizing opportunities through informed decision making as it is about defending against negative threats.

Approach

A shared corporate approach is important if risks are to be identified and managed systematically and consistently across the organisation. This strategy will be underpinned by:

a) Procedures that form part of the constitution of the Authority.

b) A Manual of guidance that describes the definitions, tools, techniques and templates that should be corporately applied.

c) An Implementation Plan - a 'living' document that will act as the detailed delivery plan for the Strategy.

We believe that risk management must be addressed on an integrated basis and should be based on a 'top-down meets bottom-up' framework. Effective risk management is characterised by everyone having a role to play and specific responsibilities to fulfil within this corporate framework.

Members and senior management are concerned with significant strategic risks - those that could potentially have an effect on the Authority's ability to achieve its corporate objectives. Implementation of the high level risk management strategy will therefore be on a 'top-down' basis, focusing on matters of key strategic and operational importance.

More detailed operational risks will be identified as the framework is rolled out to functional departments, service areas and key partnerships. When that happens, it will be for individual managers to deal with the operational risks identified within their areas of responsibility. When issues of corporate significance are identified at operational level, they will be escalated to the appropriate level for action.

Integration

Many of the 'building blocks' and linkages required to achieve good risk management are already in place, so the strategy is designed to fill in the gaps and cement the parts together to form a cohesive whole, rather than creating a whole new structure.

The following diagram provides an overview of the key building blocks, and shows how risk management fundamentally underpins the delivery of our corporate objectives. The detailed steps required to tie them all together will be described in the Risk Management Implementation Plan that accompanies this Strategy.

Figure 1 - Key building blocks and linkages (diagram). Building blocks shown: Corporate Aims & Objectives; Strategic Planning; Service Planning; Corporate Policy & Procedures; Business Continuity; Corporate Assurance; Strategic Decision Making; Operational Decision Making; Legislative Requirements; Emergency Procedures; Insurance; Strategic Partnerships; Contracted Services; Compliance & Standards; Disaster Recovery; Risk Management Support; Strategic Programmes; Project Management; Contract Management; Public Relations; Performance Management; all underpinned by Risk Management.

3 Roles and Responsibilities

All members, employees and partner organisations must understand the nature of risk and accept responsibility for managing those risks associated with their area of activity. The diagram on the following page describes the key structures and reporting lines for risk management, together with an overview of the main responsibilities that must be fulfilled if the Strategy is to be implemented effectively.

Further detail on the terms of reference for the corporate groups and the roles, responsibilities and reporting requirements for each group will be included in the Manual of Guidance.

Figure 2 - Key structures, responsibilities and reporting lines (each group reports to the one above it)

Hampshire Fire and Rescue Authority (HFRA)

Holds CMT and SMT accountable for the effective management of risk by officers.

Corporate Management Team (CMT)

Ensures risk is managed effectively by developing and reviewing corporate risk management policy and strategy. Considers and reviews strategic risks.

Service Management Team (SMT)

Reports to CMT and HFRA periodically on: emerging risks; updates to the strategic risk register; trends and patterns of risk; costs of risks; progress on risk management projects.

Appoints sub-groups for common risk management projects. Allocates and monitors work undertaken by Functional Management Teams and temporary task groups.

Liaises with external organisations and authorities.

Functional Management Teams (FMT)

Identifies, assesses and prioritises current and emerging risks. Escalates perceived strategic risks to SMT for further assessment.

Develops risk management action plans and monitors progress. Appoints temporary task groups.

Communicates and engages employees in risk management action plans. Assigns responsibilities.

Temporary Risk Management Task Groups

Service (line) Managers

Identifies and manages risks in own functional area. Escalates perceived strategic risks to FMT or SMT for further assessment. Participates in temporary risk management groups.

Employees and their representatives

Identifies risks in own functional area. Escalates perceived strategic risks to Service (line) Manager for further assessment. Participates in temporary risk management groups.

4 The Risk Management Cycle

Risk management is a cyclical process involving a number of clearly defined steps, as illustrated by the following diagram:

Figure 3 - The Risk Management Cycle

Establishing the context

The risk management process will be applied within the framework of our strategic, organisational and risk management contexts. These have been established at the outset in order to define the basic parameters within which risks must be managed and to provide guidance for subsequent decisions. This sets the scope for the rest of the risk management process.

    · The strategic context refers to the relationships between the organisation and its operating environments.

    · The organisational context refers to the organisation's goals and objectives, and the capabilities and strategies that are in place to achieve them.

    · The risk management context refers to the goals, objectives, strategies, scope and parameters of the particular area of activity to which the risk management process is being applied.

Analysis

Risk analysis is the systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

Identifying risks

This step seeks to identify all of the risks that need to be considered. Comprehensive identification using a well-structured systematic process is critical, because any potential risks missed at this stage are excluded from further analysis. Identification should include all risks whether or not they are under the control of the organisation.

There is a range of techniques that can be used, each with its associated advantages and disadvantages. These are described fully in the Manual that accompanies the Strategy, and training in how to use them will be delivered where necessary. The aim is not to be prescriptive in terms of the exact tools to use. Instead, managers should be sufficiently knowledgeable and skilled to apply the method that best suits their particular circumstances. At the strategic level we reviewed the external environment via our 'STEEPLE' analysis.

Framing risks

Risks are best understood and best managed if they are framed as scenarios, broken down into three key component parts:

    · The root cause or source

    · The events or triggers that lead to consequences arising

    · The likely impacts or consequences

Only if this is done correctly can the likelihood and impact of the risk be ascertained, and management action needed to reduce them be determined and taken.

Sources of risk

There are numerous frameworks available for identifying and categorising risks, but they are neither prescriptive nor exhaustive. The following 'wheel' provides us with a useful framework that will cover most risk exercises we are likely to encounter. Our STEEPLE analysis fits well within this model.

Figure 4. Categories of Risk

The categories can be used as a set of prompts to consider scenarios that will give rise to consequences that will impact on specific objectives.

Consequences and Impacts

Just as there are many sources of risk, there are also many possible impacts, and the relationship between them is many-to-many. We therefore focus on the areas of impact that cause greatest concern:

    · Corporate objectives / service delivery

    · Financial

    · Reputation / public confidence

Analysing risk

The objectives of analysis are to separate the minor, acceptable risks from the significant risks and to provide data to assist in their further evaluation and treatment. Risk analysis involves the consideration of each of the risks already identified in terms of:

      · The likelihood that they will occur

      · The consequences if they do occur

Again, there are numerous sources of information and methods that can be used to judge the likelihoods and consequences, some based on hard data, others more reliant on subjective opinion.

The aim is to assign a 'score' to each of these dimensions for all risks so that they can then be plotted on a matrix. A 4 x 4 matrix strikes a good balance between keeping the process as simple as possible and generating meaningful results.

Further detail on the methodologies available, risk categorisation, scoring standards and interpretation of results will be included in the Manual and associated training programmes.

Evaluation

Risk evaluation is the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Profiling risks

Once risks have been identified and analysed for likelihood and impact they need to be profiled in order to more easily indicate where to concentrate any control measures. The most popular method is to use the risk matrix generated in the previous stage, but add 'tolerance' lines to show which risks are acceptable and which require some form of management action.

In theory, risk appetites or tolerances should be determined right at the start of the cycle, but this may require a level of abstract thought that most people are uncomfortable with. In practice, it is much easier to assess appetites and tolerances once the likelihoods and impacts have been plotted. A good way to do this is to look at the relative positions of the risks and decide where the boundaries of acceptability lie.

Figure 5. The Risk Matrix or Risk Map

                              IMPACT / CONSEQUENCE
    LIKELIHOOD/FREQUENCY   Low   Medium/Low   Medium/High   High
    High                    A        A            R          R
    Medium/High             A        A            A          R
    Medium/Low              G        A            A          A
    Low                     G        G            A          A

Key: R = Red, A = Amber, G = Green

Prioritising action

Generally speaking, those risks within the green boxes are those that we are prepared to accept, while those within the red and amber boxes will require a specific management action plan. Decisions on where we start and how far we go will depend upon the scale of individual risks and the availability of resources.

Those with the highest combined likelihood and impact, red boxes, are the highest priorities and should be considered first, followed by those in the middle, amber boxes.

It is important to ensure that risks falling in the green boxes are not ignored altogether. Although they may not be included in prioritised action lists, they should still be documented and monitored to ensure they do not move above our risk tolerance line over time.

Control

This is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur.

Action planning

There should be a clear two stage decision path to follow in taking action:

    · First, challenge the action already being taken to see if it is appropriate. It is important to be clear about the extent to which existing controls were considered at the risk analysis stage - does our profile show inherent risk prior to any control or residual risk after the application of existing controls?

    · Second, having assessed the adequacy of the action already being taken, determine what extra or alternative action is appropriate.
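
The matrix in Figure 5, the red/amber/green ordering of action and the inherent-versus-residual question above can be carried in a simple risk register. The following is an added example, not part of the Authority's document or its Manual: it scores each risk on the 4 x 4 matrix, keeps the inherent (pre-control) and residual (post-control) scores separately so a profile always says which one it shows, sorts the register into red-then-amber-then-green action order, and flags a tolerated (green) risk that drifts over the tolerance line on re-assessment. It also reports which dimension (likelihood, impact or both) the existing controls actually changed, which goes slightly beyond the text. The risk references, scenarios, owners and scores in the sample register are constructed for illustration and are assumptions, not the Authority's data.

```python
"""Risk register scored on the 4 x 4 likelihood/impact matrix (added example).

Assumed: the Figure 5 cell colours as transcribed below, and a constructed
sample register; nothing here is the Authority's own data or tooling.
"""
from dataclasses import dataclass, field
from typing import Optional

# Scale order used for both dimensions (index 0 = Low ... 3 = High).
LEVELS = ("Low", "Medium/Low", "Medium/High", "High")

# Figure 5 transcribed: RATING[likelihood] lists the cells for impact
# Low, Medium/Low, Medium/High, High in that order.
RATING = {
    "High":        ("A", "A", "R", "R"),
    "Medium/High": ("A", "A", "A", "R"),
    "Medium/Low":  ("G", "A", "A", "A"),
    "Low":         ("G", "G", "A", "A"),
}
COLOUR = {"R": "Red", "A": "Amber", "G": "Green"}
ACTION_ORDER = {"R": 0, "A": 1, "G": 2}   # red first, then amber, then green


def rate(likelihood, impact):
    """Return 'R', 'A' or 'G' for one cell of the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"score must be one of {LEVELS}")
    return RATING[likelihood][LEVELS.index(impact)]


@dataclass
class Risk:
    ref: str
    scenario: str                        # cause -> trigger -> consequence
    owner: str
    inherent: tuple                      # (likelihood, impact) before any control
    residual: Optional[tuple] = None     # (likelihood, impact) after existing controls
    history: list = field(default_factory=list)

    def current(self):
        """Profile the residual score when one exists, otherwise the inherent one."""
        return self.residual if self.residual is not None else self.inherent

    def rating(self):
        return rate(*self.current())

    def control_effect(self):
        """Which dimension the existing controls changed: likelihood, impact, both or none."""
        if self.residual is None:
            return "not assessed"
        changed = [name for name, before, after in
                   zip(("likelihood", "impact"), self.inherent, self.residual)
                   if before != after]
        return " and ".join(changed) or "none"


def prioritise(register):
    """Red, then amber, then green; within a colour the highest combined score first."""
    def key(r):
        lik, imp = r.current()
        return (ACTION_ORDER[r.rating()], -(LEVELS.index(lik) + LEVELS.index(imp)))
    return sorted(register, key=key)


def needs_action_plan(risk):
    return risk.rating() in ("R", "A")


def rescore(risk, likelihood, impact):
    """Record a re-assessment. Returns True when a tolerated (green) risk has
    moved above the tolerance line and now needs a management action plan."""
    before = risk.rating()
    risk.history.append(risk.current())
    risk.residual = (likelihood, impact)
    return before == "G" and risk.rating() != "G"


# Constructed sample register (illustrative only; not real Authority risks).
REGISTER = [
    Risk("R1", "single supplier fails -> appliance parts unavailable -> reduced cover",
         "Fleet manager", ("Medium/High", "High"), ("Medium/Low", "High")),
    Risk("R2", "flood at HQ -> control room unusable -> delayed mobilisation",
         "Head of Operations", ("Low", "High"), ("Low", "Medium/High")),
    Risk("R3", "IT outage -> mobilising system unavailable -> delayed response",
         "ICT manager", ("Medium/High", "High")),          # residual not yet assessed
    Risk("R4", "minor equipment theft -> replacement cost",
         "Station manager", ("Medium/Low", "Low"), ("Medium/Low", "Low")),
]


def action_list(register=REGISTER):
    """Risk references in the order management should consider them, with colour."""
    return [(r.ref, COLOUR[r.rating()]) for r in prioritise(register)]


if __name__ == "__main__":
    for ref, colour in action_list():
        print(ref, colour)
    print("R4 crossed the tolerance line:",
          rescore(REGISTER[3], "Medium/High", "Medium/Low"))
```

Keeping the inherent and residual scores as separate fields is what answers the first bullet above: a profile built from current() always shows residual risk where controls have been assessed, and control_effect() makes it visible when a control has changed only likelihood (R1) or only impact (R2), or nothing at all (R4), which is the clarity the action-planning checklist later in this section asks for.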

Moving systematically through the prioritised list of risks, decide what should be done about them. Should the risk be avoided, eliminated, reduced, transferred or accepted? A useful framework for considering these questions is the "4 T's":

Figure 6. The 4 T's of Risk Control

Terminate - stop the activity altogether.

· Rarely an option in local government, though this may be possible for some non-core activities.

Tolerate - accept the risk and live with it.

· Applies to risks within the tolerance threshold or those where the costs of treatment far outweigh the benefits.

· Should be backed up by appropriate contingency plans, business continuity plans and recovery plans.

Transfer - to a third party or through insurance.

· Can transfer all or part of the risk.

· Beware: although responsibility can be transferred, accountability rarely can, so it requires close monitoring.

Treat - take action to control the likelihood and/or impact.

· This is where the bulk of the risk management action falls.

These are not mutually exclusive categories - it is quite normal to use a combination of two or more.

Action planning should follow a structured process to ensure:

      · The action is proportionate to the risk.

      · There is clarity as to which part of the risk is being managed, i.e. the cause(s), the trigger(s) or the effect(s).

      · There is clarity around what dimension of the risk is being considered, i.e. the likelihood, the impact, or both.

      · Whether or not there are any residual risks or new risks caused by the action.

Control actions should always be SMART - Specific, Measurable, Achievable, Realistic and Time-bound - and should be determined in collaboration with those responsible for strategic risk management (Service Management Team) to ensure they are within agreed parameters.

At this stage, some form of cost benefit analysis might be needed to ensure that the cost of risk mitigation action does not outweigh the cost of tolerating the risk. Costs and benefits will not always be solely financial, so managers will need to use their own judgement and experience to assess the costs and benefits. Risk experience information (internal or external) will help managers to judge the cost effectiveness of any actions proposed.

Other considerations

    · Input from risk managers and support services is extremely important in assessing the options for risk control and the feasibility of the control actions proposed.

    · There may be some occasions where joint action with key partners will deliver more effective control of risk than the organisation working alone.

    · Sometimes, the solution to widespread or repeated operational risks might be a strategic decision, so the matter may need to be formally referred upwards for action.

Managing risks

Quite simply, this is about implementing the action plan. Individual managers should decide how they will achieve the level of control for each risk described in the action plan for which they are responsible. The requirements will vary according to circumstances, and they are the people best placed to decide what is required. Key considerations might include:

    · Resources required.

    · Awareness, understanding and commitment from staff.

    · Incentives and sanctions.

    · Appropriate delegation.

    · Monitoring and reporting mechanisms.

    · Parameters of acceptability and trigger points for further action.

    · Documentation and review mechanisms.

Managers should also take steps to ensure that the contributions required from external partners are also being implemented as agreed.

Review

Risk management is a cyclical process, with monitoring, review and reporting being important links in the chain.

At strategic level, there must be monitoring and review of:

    · Contexts and operating environments.

    · Policy positions.

    · Overall risk profiles.

    · Appetites and tolerances for risk.

    · Resources available.

    · The integrity and effectiveness of the risk management process itself.

At practical level, there must be monitoring and review of:

    · The implementation of agreed control actions.

    · The effectiveness of those actions in controlling risks.

    · How risks have changed over time.

Monitoring

This refers to the ongoing checking, supervision, observation and recording of the progress of controls to check that they are having the desired effect. If they are not, it may be because the controls are inappropriate or because the risk scenario has changed. Either way, regular monitoring will ensure that deviations are spotted early.

Review

This refers to the periodic repetition of the whole cycle, either for the whole risk profile or for parts of it. Review cycles will be specific to each level of analysis and each service area - typically, high risk areas will be reviewed more frequently than low risk ones. Reviews may also be triggered when the ongoing monitoring tools indicate that a significant shift in underlying conditions has occurred. Managers should be clear about the cycle for risk re-assessment in their own areas of responsibility. Reviewing our STEEPLE and SWOT analyses will be a key process.

Reporting

Risks do not remain static, so reporting upwards and outwards are essential for keeping all stakeholders informed of the changing conditions, our past performance in dealing with risk and our plans for dealing with future risks.

The style and frequency of reporting will vary according to the level within the organisation and the type of issue being reported upon. At the very least, there will be:

    · Annual reports for Members, public and external inspection agencies.

    · Half yearly reports on strategic issues to the Corporate Management Team.

    · Quarterly reports to Service Management Team and key partnership boards on service level issues.

    · Reports to service managers on a frequency to be determined by them.

    · Mechanisms in place for immediately reporting any serious emerging risks or control failures to the appropriate management level.

Cross-cutting requirements

As the risk management model (Figure 3) shows, there are two tranches of risk management, and communication must be a genuine two-way interaction with the gathering of stakeholders' views being just as important as the messages going out.

Consultation and communication are not one-off standalone events - they are important dimensions at every point in the cycle, and the specific requirements will vary accordingly. The Manual and its associated training programme will provide guidance to managers on the key components of consultation and communication that they will need to address as risk managers.

Documentation

It is important that an appropriate level and standard of documentation be maintained as part of the everyday risk management process, and this applies at every stage of the process. The reasons for documentation are to:

    · Demonstrate the process is conducted properly.

    · Provide evidence of a systematic approach to risk identification and analysis.

    · Provide a record of risks and to develop the organisation's knowledge-base.

    · Provide the relevant decision makers with a risk management plan for approval and subsequent implementation.

    · Provide an accountability mechanism and tool.

    · Facilitate continuing monitoring and review.

    · Provide an audit trail.

    · Share and communicate information.

However, risk management should not impose unnecessary paperwork or bureaucracy - the key is to find the level of documentation that is appropriate for each circumstance, so long as it meets the requirements listed above.

5 Embedding the Process

Risk management is a top-to-bottom process involving all levels of staff, and it is this understanding that has to be embedded within the working practices and culture of the organisation. This is undoubtedly the most challenging part of the whole process.

We recognise that effective engagement and consultation from the outset will contribute significantly to our chances of truly embedding the process.

Our approach will be evolutionary rather than revolutionary. Fundamental to this process is the publication of this Policy and Strategy to act as the corporate framework. This will be underpinned with:

    · Risk Management Implementation Plan

    · Consultation and Communication Plan

    · Training Plan and Programme

    · Continual reviews of and revisions to Regulations and Procedures

    · Maintenance of Manual of guidance

    · Appropriate resources

There are then a number of other mechanisms we will explore to further support the embedding process:

    · Formally building risk assessment into the annual planning process

    · Strengthening links between risk management, performance management and corporate governance

    · Adopting a risk-based approach to functional areas/departments

    · Developing staff through training and awareness programmes to address high risk areas

    · Having risk issues formally considered on all committee papers and decision reports

    · Having risk management on appropriate meeting agendas

    · Developing self-assessment checklists and encouraging their use

    · Developing links with other quality / improvement initiatives and accreditation schemes where they exist.

Achieving organisation-wide 'buy in' and cultural change will only come through time, experience and the self-realisation among staff and partner organisations that risk management really does help people achieve their objectives. That will only happen if we turn this Policy into practice, so the key to embedding the process is simply to get on and do it!

6 Products and Benefits

Benefits

The benefits of effective risk management are compelling, especially when integrated as part of the overall arrangements for performance management and corporate governance. Good risk management supports the achievement of objectives and has a vital role to play in ensuring that the Authority is well run. It is a means to an end, not an end in itself - the real value of effective risk management lies in the benefits it will deliver.

Benefits will be many and varied, some tangible and measurable, others less so. They will vary in their nature and extent from service to service, but they will all be important to our reputation and our ability to deliver cost-effective public services.

A full list of the benefits we expect to realise will be included in the Manual, but the main focus of this Strategy is to deliver:

    · Improved performance and achievement of objectives

    · Improved strategic management

    · Improved operational management

    · Improved financial management

    · More informed decision making

    · Better management of change programmes

    · Less chance of service disruption - fewer surprises

    · Enhanced reputation and public confidence

Products

Risk Maps

These will show the key risks at each assessed level of activity, starting with those at the strategic level and cascading right through to individual service areas. They will enable resources to be effectively applied to treating and tracking those risks and therefore improve our chances of achieving our targets with minimum disruption. Risk maps will also provide a valuable aid to Internal Auditors, assisting them in designing audit programmes around the areas of highest risk.

Risk Registers

These will provide a documentary record of each risk, its owner, the key controls that relate to it, and the status of any planned actions. As well as providing useful data internally, these documents will provide external inspection agencies with evidence of the completeness of the risk management process in place.

Risk Reporting

Regular reports on our risks will enable our stakeholders and managers to be more fully aware of the extent of the risks and the changes that are occurring to them. The monitoring and reporting process will help ensure that any serious issue is promptly drawn to the attention of the relevant level of management.

Further detail on the content of risk maps and risk registers, and guidance on how to use them, will be included in the Manual. The Manual will also contain guidance on the corporate standards for risk reporting.

7 Education and Training

Having defined the framework and formally assigned roles and responsibilities for risk management, it is important to provide staff with the knowledge and skills necessary to enable them to carry out their duties competently.

Training requirements fall into three broad areas:

1 All staff and partner organisations need a general awareness of what risk management is and how we aim to manage risk effectively.

2 Those with corporate responsibilities under the framework need to fully understand what those responsibilities are and how they should fulfil them.

3 Those responsible for actively managing risks need the appropriate skills and knowledge to use the tools at their disposal.

All of these considerations will be built into a long term Training Plan that forms part of the wider Risk Management Implementation Plan. In accordance with the strategic approach described in Section 1, we will seek to use existing channels wherever possible, and only develop new packages for essential elements where no viable channel currently exists. The plan will be for training delivery to run slightly ahead of the wider rollout programme to ensure that managers have the necessary skills before they are expected to use them.

General awareness for all staff

At this level, the line between training and communication is blurred, and the range of options is equally diverse.

We will continue to use existing tools such as:

    · Risk Registers and bulletins

    · Routine Notice

    · Notice boards

    · Our intranet and public website

We will also seek to have an input on risk included in other existing programmes, such as:

    · Staff induction

    · Standard staff development courses

    · Team briefings

For those with corporate responsibilities

These are the Members and senior managers who have key corporate roles to play within the framework described in Figure 2.

Initially, there will be a series of workshops and presentations, designed to introduce the Strategy and its associated components, and explain where all the key players fit in. These initial sessions will be used to identify any further training needs, which will then be written into the longer term Training Plan.

Practitioner skills

Risk management skills training will be based around the Risk Management Cycle (Figure 3) and required competencies, and will expose managers to the common tools they are most likely to use.

We will ensure that the staff training and development (including Role Maps with the Integrated Personal Development System) reflects the need for risk management awareness and skills at all levels. These competencies will then provide a benchmark against which to assess the performance and development needs of individuals in respect of risk management.

As far as possible, we will address any training needs through existing or new programmes being developed for other purposes. However, it is recognised that some of the provision may need to be tailored to the needs of specialist groups.

This training will be further supported by:

    · A Risk Management Manual

    · The systematic dissemination of good practice

    · Mutual support networks

Other considerations

We will identify members of staff with expertise in specific areas who are capable of conducting or contributing to in-house risk management training. These may include in-house trainers, risk managers, health & safety experts and policy, legal or finance staff.

We realise that there is no "quick fix" solution to embedding risk management. We regard the implementation of the Strategy and its associated training as a significant change management exercise, and we will commit the necessary resources over the medium to long term.

8 Consultation and Communication

As with the Authority's corporate and strategic planning framework, consultation, review and communication run as a thread throughout the risk management cycle (see Figure 3). This principle applies equally to the implementation of the Strategy itself. Consultation and communication are vital at every step:

    · During Policy and Strategy development

    · During implementation of the Strategy

    · For reporting to stakeholders

    · For reviewing the effectiveness of arrangements

Our approach to communication will be holistic and integrated: horizontally and vertically, internally and externally. A Consultation and Communication Plan will address issues relating to both the risks themselves and the process designed to manage them.

Effective communication will help to ensure that:

    · people are fully informed about the reasons why risk management is important, what the corporate approach is, and how they will be affected by any changes flowing from its implementation; and that

    · those responsible for implementing risk management understand the basis on which decisions are made and why particular actions are required.

The aim is to achieve a shared understanding and commitment to realising the benefits of effective risk management.

Effective communication must be:

    · A genuine two-way process with the gathering of stakeholders' views being just as important as the messages going out.

    · Timely, accurate and delivered in a straightforward format and language that all stakeholders can understand.

    · Tailored to the needs of the recipient, not the preferences of the originator. This will be particularly important when the communication is between experts and lay-persons.

What will be communicated?

The nature of risk management is dynamic and it would be wrong to try and list all the types of information that will be communicated. However, the Manual will provide further good practice guidance for risk managers.

At the strategic level, we will focus on making sure that the appropriate channels of communication are kept open and people are encouraged to use them. The key considerations at this level will include:

    · Publicising the Policy, Strategy and Implementation Plan

    · Winning the hearts and minds of staff and partner organisations

    · Gathering stakeholders' views on risks and their controls

    · Publicising strategic risk profiles and action plans

    · Gathering data on the performance of control measures

    · Monitoring and reporting on changes to risks and operating environments

    · Reporting on the performance of the risk management process itself

    · Providing evidence that risk issues have been considered in all key decision-making

    · Sharing good practices and lessons learned

The most clearly defined of these channels will be the formal reporting arrangements, which will closely follow the roles and responsibilities of key groups and individuals outlined in Figure 2. These will be described more fully in the Risk Management Manual.

9 Resources

In the long term, risk management will become part of everything we do, not something we buy in or develop or get someone else to do for us. In that sense, the most vital resources - our staff - are already in place.

We have some way to go before risk management becomes embedded throughout the Authority and Service. The development of this Strategy and its associated Implementation Plan is a good start. Some specific additional resources will be committed in the short term, but in the longer-term the main requirement will be for our personnel to commit a proportion of their time.

The additional / dedicated resources include:

    · External consultants have assisted in carrying out a baseline assessment of where we stand and have made recommendations on the way forward.

    · Strategic risk management has been 'owned' by the Corporate Management Team and the Service Management Team to turn those recommendations into a strategic programme and to manage its implementation.

    · Further external support may be required as we move into the implementation phase.

The key requirements from within existing resources will be:

    · Active involvement of the Corporate Management Team and the Service Management Team to direct the top-down cascade.

    · Some time from risk management champions within functions.

    · Some training input for key staff.

    · Staff participation in working groups.

    · The interest and willing engagement of all other staff.

    · Marketing and publicity material.

10 Key Targets and Milestones

The overall aim of this Strategy is to promote and embed good practice in the management of risk throughout the organisation: both in our own activities and in those involving third-party suppliers, contractors and our public and private partnerships. This will require an organisation-wide cultural change and will take several years to achieve.

At this stage, the Strategy is more about getting the process started, so the key targets and milestones are necessarily more input-oriented. The chart below gives an indication of the key activities and approximate timing and duration over the next two years.

Figure 7 - Outline programme 2004/05 to 2006/07

[Chart: RISK MANAGEMENT PROGRAMME, with columns for 2004/05 (Q3, Q4), 2005/06 (Q1 to Q4) and 2006/07 (Q1, Q2). The bars showing the timing and duration of each activity are not reproduced here; the activities charted are:]

    · Consolidate top level commitment

    · Develop Policy, Strategy & Implementation Plan

    · Develop supporting Procedures

    · Develop Manual of Guidance

    · Cascade approach across the organisation

    · Training - equip people with tools & skills

    · Refresh Strategic Risk Register & develop others

    · Review approach to insurable risks

    · Review business continuity planning

    · Establish performance indicators & targets

    · Establish assurance mechanisms

    · Marketing & communications

The implementation plan and programme will be reviewed at least annually to take account of progress made and any emerging developments during the year. A revised set of targets and milestones will be included at that stage.

One of the key activities for 2005/06 is to develop a set of performance indicators to measure the success of the programme itself. These will be built into the first annual revision of the Strategy.

11 Programme Risks

We will apply the risk management framework to the implementation of the Strategy itself. That means that stakeholders will be engaged at each stage of the process to identify the threats and opportunities associated with the implementation of each tranche of activity, and also to identify the most appropriate controls. These controls will be built into the Implementation Plan, either as tasks to complete or as underlying principles to apply.

However, we have not started with a completely blank sheet in this respect. Through discussions with other organisations that have already been through the process, we have identified a number of critical success factors and possible pitfalls. These have already been built into this Strategy and Implementation Plan where appropriate, and will continue to be used as we roll out across the organisation.

Critical success factors

Top down approach

    · Top level commitment

    · Policy & Strategy

    · Functional Management level buy-in

    · Agreed framework

    · Clear roles and responsibilities

Supported by

    · Procedures and practices

    · Guidance and workbooks

    · Education and training

    · Communications

    · Appropriate resources

    · Regular review

Pitfalls to avoid

The most common pitfalls we want to avoid are:

    · Lack of Member involvement

    · No clearly-defined risk management policy

    · Lack of planning and buy-in - no clear implementation strategy

    · Failure to identify clear objectives

    · Viewing risk management as a compliance exercise

    · Failure to consider risk in the broadest context

    · Establishing risk management as a separate initiative

    · Failure to link risks with corporate objectives

    · Risk management systems that are too complex

    · Failure to prioritise and focus only on significant risks

    · Lack of clearly identified roles and responsibilities

    · Inadequate focus on control measures

    · Inappropriate or no risk champions identified

    · Lack of consultation throughout the process

    · 'Bottom-up' rather than 'top-down' approach

    · Lack of regular monitoring and reporting

    · Poor communication

    · Not addressing the change management issues from a human resource and cultural perspective

    · Inadequate resourcing and training

Appendix A

Glossary of Terms

This glossary covers the abbreviations and key definitions used in this Strategy document. A more extensive glossary of terms used in risk management will be included in the Manual.

Abbreviations used in this document

CMT Corporate Management Team

SMT Service Management Team

FMT Functional Management Teams

Key Definitions

Control

Any action, procedure or operation undertaken either to contain a risk to an acceptable level, or to increase the probability of a desirable outcome.

Down-side risk

A risk with a negative or unfavourable impact.

Embedding risk management

Ensuring that the risk management Strategy is reflected in the objectives and functions of every level of the organisation.

Impact

The evaluated effect or result of a particular outcome actually happening.

Inherent risk

The level of risk existing before any treatment measures have been taken.

Likelihood

Used as a qualitative description of probability or frequency.

Operational risk

Risks associated with the day-to-day issues that the organisation is confronted with as it strives to deliver its objectives.

Residual risk

The level of risk remaining after risk treatment measures have been taken.

Risk

The chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood.

Risk analysis

A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

Risk appetite

The range of exposure that is judged to be tolerable for the organisation.

Risk assessment

The overall process of risk analysis and risk evaluation.

Risk control

That part of risk management which involves the provision of policies, standards and procedures to eliminate or minimise adverse risk.

Risk evaluation

The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk framing

Presenting risks as three-part scenarios, with root causes, triggers and impacts.

Risk identification

The process of determining what can happen, why and how.

Risk management

The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk reduction

A selective application of appropriate techniques and management principles to reduce either the likelihood of occurrence or its consequences, or both.

Risk register

A product used to maintain information on all the identified risks pertaining to a particular activity, project or programme. Also known as the Risk Log.

Risk transfer

Shifting of the responsibility or burden for loss to another party through legislation, contract, insurance or other means. Risk transfer can also refer to shifting a physical risk or part thereof elsewhere.

Risk treatment

Selection and implementation of appropriate options for dealing with risk.

Stakeholders

Those people and organisations who may affect, be affected by, or perceive themselves to be affected by, the decision or activity.

Strategic risk

Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival.

Up-side risk

A risk with a positive or favourable impact.

Secretarial/WP/word/Corporate/Risk Management Policy and Strategy 31 01 05