Archived decisions

Hampshire Fire and Rescue Authority Item 8

9 February 2005

Risk Management Policy and Strategy - Strategic Risk Register

Report by the Chief Officer

Contact: David Howells Director of Corporate Services Telephone 023 8062 6833

Summary

Over the last six months, the Corporate Management Team (CMT) has been reviewing the way that strategic risks are identified, evaluated and controlled. Following a number of training and awareness sessions, involving both Members and officers, significant progress has been made in developing a new comprehensive Risk Management Policy and Strategy. This is presented to the Authority for approval. As part of the review, a draft Strategic Risk Register has been produced and this is also presented to Members of the Authority for consideration and comment. The intention is that the Register will be published on our website and maintained as a 'live' document.

Recommendations

1. That the current version of the Risk Management Policy and Strategy (paper copy attached for Members as Appendix 1) be approved; and that the Chief Officer in consultation with the Chairman be given delegated authority to make subsequent amendments to keep the Policy relevant and up to date. Appendix 1 - accessible from the Authority's "agendas, reports and minutes" web pages - /decisions/decisions-index/index-mtg-275

2. That the current version of the Strategic Risk Register (paper copy attached for Members as Appendix 2) be adopted; and that the Chief Officer in consultation with the Chairman be given delegated authority to make subsequent amendments to it in order to maintain an up to date record of the Authority's strategic risks. Appendix 2 - accessible from the Authority's "agendas, reports and minutes" web pages - /decisions/decisions-index/index-mtg-275

3. That Members of the Authority be asked to submit, to the Director of Corporate Services, any initial comments they have on the current version of the Strategic Risk Register by 1 March 2005.

Introduction

The Authority's core business is all about preventing, protecting and responding to risk in the communities of Hampshire. We have an Integrated Risk Management Plan (IRMP) which describes exactly what we intend to do to make Hampshire safer. It would be tempting to suggest that because we are in the 'risk management' business we do not need any further policies. However, the IRMP does not necessarily include those strategic risks that threaten the way that the Authority operates and manages as a 'business' with an annual budget of over £60m.

The management policy and strategy being presented to the Authority takes a different and wider perspective that goes beyond the Authority's front-line (operational) responsibilities for preventing and dealing with emergencies.

Members will note that this report has used a different structure and format. Part of the improvement to our risk management process is to put greater emphasis in reports to the Authority and its Committees on the factors that help to determine risk. If this format is welcomed by Members, it will be used - wherever possible and sensible to do so - as the basis for all future reports.

Contribution to corporate aims and objectives

While all our corporate aims seek to reduce risk to the communities we serve, it is essential that these - and their related objectives and activities - are subject to risk assessment and considered in terms of the potential impact if they were not pursued as well as the risks and opportunities associated with their planned implementation.

We also aim to be one of the top-performing fire and rescue services in the country. We must therefore ensure that our decision-making processes are supported by recognised good management practices and procedures. Fundamental to this is a robust approach to risk management throughout the whole organisation and one that is based on a comprehensive policy and strategy.

The more significant actions and projects - set out in the Authority's IRMP - will be managed using the PRINCE2 methodology which incorporates a risk assessment process. Work is continuing to ensure that there is appropriate cross-referencing between the IRMP and the Risk Register.

Risk Management Policy and Strategy

The proposed Risk Management Policy and Strategy is accessible from the Authority's "agendas, reports and minutes" web pages (with a paper copy attached as Appendix 1 for Members of the Authority).

The aims of the policy are to:

    · Anticipate and respond to changing external and internal pressures so there are fewer surprises.

    · Raise awareness of the need for risk management by all those connected with the delivery of our services.

    · Manage risk in accordance with best practice.

    · Support well thought-through risk taking to ensure opportunities for improvement and development are not lost.

    · Integrate risk management into the culture of the Authority.

The approach taken is that Members and senior management are concerned with significant strategic risks - those that could affect the Authority's ability to achieve its corporate aims and objectives.

More detailed operational risks will be identified in the functional departments, service areas and in work with our key partnerships. When issues of corporate significance are identified at operational levels they will be escalated to the Service Management Team level for further assessment. The Corporate Management Team will be asked to consider those issues identified for inclusion in the Strategic Risk Register.

The policy sets out the various roles and responsibilities in more detail, together with an explanation of the risk assessment (scoring) matrix used to determine whether risks are so significant as to warrant inclusion in the Register.

Strategic Risk Register

The Strategic Risk Register is the document used to maintain information on all the identified risks considered to be of strategic or high importance to the Authority. The Strategic Risk Register is accessible from the Authority's "agendas, reports and minutes" web pages (with a paper copy attached as Appendix 2 for Members of the Authority). This has been produced by the Corporate Management Team that began the process by reviewing and updating the Authority's 'STEEPLE' analysis* of the external environment (context) in which we are operating.

This analysis identified a number of potentially strategic risks facing the Authority which were then evaluated and weighted in terms of their probability (likelihood) of occurring and their potential impact (consequence) for the Authority. The process was facilitated by external consultants who will be continuing to provide further training on evaluation and assessment techniques to the Service Management Team and Group Managers in March.

In the meantime, Members of the Authority are asked to approve and adopt the current version of the Strategic Risk Register and to take the opportunity to let the Director of Corporate Resources have any initial feedback on the assumptions that have been made by 1 March 2005.

Risk analysis

Although it might be stating the obvious, there is a risk to the Authority if it does not have in place a sound risk management policy and strategy! There is a need to provide a consistent approach to the analysis of strategic risks so that major threats to, and opportunities for, the Authority can be identified and evaluated to determine appropriate control measures and whether there is any urgent action to be undertaken.

Without a policy and strategy in place, it would be difficult to develop a meaningful risk register and to generate a more objective, common and shared understanding of risk tolerance. The risk register will also help to justify decisions on the levels of financial reserves and balances that the Authority needs to maintain.

Resource implications

Developing the policy and draft strategic risk register has been undertaken during meetings of the Corporate Management Team and the Service Management Team. On occasions, these meetings have been facilitated by external risk management consultants who have also spent time with officers who have a particular responsibility for corporate risk management.

The estimated financial cost in 2004/05 for consultancy services is £25,000 which includes provision for further training of leading Members, senior and group managers. This is being funded from within current training and performance management budgets. Costs in future years are likely to be less than £10,000 for refresher training and subscriptions to the Association of Local Authority Risk Managers (ALARM) - again, this will be met from within existing budgets.

Equality impact assessment

Carrying out equality impact assessments will strengthen our risk management practices by ensuring that the consequences of our proposed policies and actions comply with current legislation and expectations for improving equality and diversity in the workplace and in our delivery of services to the public.

By way of a pertinent example, we have recognised and fully accept that we need to make significant improvement in our progress towards achieving higher levels of attainment in the Equality Standard for Local Government as approved by the Commission for Racial Equality. We regard failure to make reasonable progress as a serious threat to the Authority's reputation and have included this on the Authority's strategic risk register.

The proposals within this report are considered compatible with the provisions of the European Convention on Human Rights, the Human Resources Act 1998, and the Race Relations (Amendment) Act 2000.

Consultation

Advice and guidance was sought from risk management consultants in preparing the proposed risk management policy and strategy and it conforms to recognised good practice. The same consultants will be retained to deliver future training and awareness sessions to our managers. In the course of this training, the opportunity will be taken to gather feedback from delegates on how the policy and strategy document could be improved.

Conclusion

It is essential that the Authority has a robust policy and strategy for the identification, assessment and management of risk. The proposed Policy and the Strategic Risk Register are based on current good practice. If approved and adopted by the Authority, further risk management training and awareness - based on the Policy - will be offered to Members and delivered to senior managers during 2005.

Background information (Section 100D of the Local Government Act 1972)

The following documents disclose the facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of the report:

This list excludes: published works and documents that disclose exempt or confidential information defined in the Act.

Attachments:

Appendix 1 - Risk Management Policy and Strategy - paper copy attached for Members of the Authority

Appendix 2 - Risk Register - paper copy attached for Members of the Authority
