Archived decisions
Corporate Strategy
for Managing Risk
2007 - 2010
Owner: Peter Andrews, Corporate Risk Manager
01/05/06

Corporate Risk Management Strategy 2007-2010
Introduction and aims of the Strategy
Hampshire County Council has a track record of successful risk management and innovative service delivery initiatives.
The County Council has a mature risk management framework and associated policies, dating back to 1999. A comprehensive strategy was agreed in 2002 in the form of "the Corporate Strategy for Managing Risk 2003/04 to 2005/06".
Considerable progress has been made in integrating risk management into the business processes of the County Council. In particular, the framework for handling risk, both strategic and operational, through Corporate and Departmental risk registers, along with the reporting framework has delivered significant improvements to the performance of risk management and has had a beneficial effect on the delivery of services to the public of Hampshire.
Expectations of the benefits that risk management can bring to service delivery have increased. Building on previous success, the steps in this strategy document are designed to support the challenges that the County Council may face, through the development of an enterprise-wide risk management approach.
The aims of this strategy are to deliver improvements to the capacity for the Council to handle risk effectively and produce a performance management framework that will enable it to demonstrate the contribution risk management makes to its handling of risk and achieving of outcomes.
The Role of Risk Management
The County Council defines risk as the effect of uncertainty on objectives.
Risk Management is a modern management discipline and is about getting the right balance between innovation and change on the one hand, and the avoidance of shocks and crises on the other.
The County Council recognises that risk management is as much about exploiting opportunities as it is managing threats.
A certain amount of risk taking is both inevitable and essential if the County Council is to achieve its objectives. The County Council recognises that the way that it manages the many risks facing it contributes towards the implementation of its Corporate Business Plan and the achievement of its priorities:
· Hampshire safer and more secure for all
· Maximising wellbeing
· Enhancing our quality of place
Effective management of risk helps improve the Council's performance by contributing to:
· increased certainty and fewer surprises to the Council and the public
· better service delivery to the community
· more effective management of change and ability to respond to change
· more efficient use of resources and better value for money
· better management at all levels through improved decision-making
· a reduction in waste and a guard against impropriety, malpractice and fraud
· supporting innovation
· avoidance of anything that could damage the Council's reputation and undermine community confidence.
The County Council will take a pro-active approach to risk, so that we can take risks, but more calculated ones. The County Council believes that risk needs to be managed rather than avoided.
The Council will also ensure that its response to risk is proportionate.
Risk Management Policy
The County Council is already committed to the challenge of managing all risks and uncertainties related to its business. Its approach is founded on the following principles, which are critical success factors for effective risk management:
· All Members and senior management to support, own and lead on risk management.
· Risk management policies and the benefits of effective management to be clearly communicated to all staff.
· Risk management is the responsibility of every person in the organisation. All staff are effectively risk managers. Managing risk should be firmly embedded in everyone's thinking, behaviour and actions.
· Managing risks to be closely linked to the achievement of business objectives.
· Risk management is a key element of the Council's corporate governance and performance management framework. Managing risk should be firmly embedded in all core management processes including policy-making, service improvement plans and business planning, project management, operational management and decision making. It should be consistently applied.
· Regular monitoring and reporting of risk on a constructive no-blame basis, including early warning of risks likely to have a significant impact on the achievement of the County Council's objectives, to be carried out by departments, the Risk Management Board and Cabinet.
· Risks and risk treatment progress are regularly reviewed.
· Risk taking, innovation and exploitation of opportunities are encouraged within a well-managed environment, where risks are identified and appropriate mitigation measures are taken.
· Decisions about risk should be grounded in evidence (facts and measurements) whenever possible and a record kept of what factors were taken into account in making the decisions in order to provide an audit trail.
· Departments are responsible for identifying, evaluating, and managing their own risks, contributing towards the management of corporate and cross-cutting risks and explicitly assessing and managing risks associated with working with other partner organisations to realise a common understanding of risks, agree a proper means for handling them and co-ordinating responses.
· Ownership is assigned to a specific person at an early stage for each risk identified. Mitigation measures introduced to control and reduce risks should be effective, appropriate, proportional, affordable and flexible.
Approaches to Risk Management
The County Council will use a risk based approach to:
· Make better decisions
· Support improved delivery of services
· Build on the success of our partnership arrangements
· Ensure the most effective use of resources
Risk Management should be considered when:
· Setting strategic aims
· Setting business objectives
· Early stages of project planning & key stages
· Options appraisals
· Prioritising work
· Service improvement plans
A number of criteria can be adopted for the assessment of risk; these will vary according to the context within which the assessment is taking place.
For example:
· Strategic risk
· Existing process for inclusion on departmental risk registers
· Operational Risk
· Existing process for inclusion on departmental risk registers
· Dynamic risk assessment
· Opportunities vs. threats analysis
· Reward vs. resource comparison
· Individual Performance
· Risk based approach to target setting (IPP)
· Health & Safety Risk Assessment
Other risk management processes, tools and guidance will be developed, in particular, in support of the management competences.
Tolerance to Risk
The amount of risk the County Council is prepared to tolerate or be exposed to (its risk appetite) will vary according to the perceived significance of particular risks and the timing (it may be more open to risks at different points in time). It may be prepared to take comparatively large risks in some areas and none at all in others.
CMT and the Cabinet are responsible for setting the Council's overall appetite for risk, having taken into account advice provided by the Risk Management Board. The Board may set risk appetite levels for specific areas and issue guidelines.
Managing the Risk of Fraud and Corruption
The impact of fraud on a public sector organisation can have consequences that are serious and often far reaching. Financial and reputational loss are the obvious key risk areas but instances of fraud can also bring a range of other serious consequences including breakdown of trust, impact on morale and the risk of potential litigation.
The County Council recognises that it is essential that it places the management of risk of fraud at the very heart of its corporate governance and risk management arrangements.
In managing the risk of fraud and corruption, the County Council adopts the same principles that are used to manage other key business risks.
The Fraud Risk Cycle
[Figure: the fraud risk cycle. Labels shown: Identify the Key Risk Areas for Fraud; Consider the Likely Impact of Fraud Occurring; Action Plan and Allocate Responsibility; Low Risk of Fraud.]
The County Council, through its counter fraud strategies, will ensure that these are met.
The Risk Management Process
The methodology the County Council uses is summarised as follows:
Risk Management - is a modern management discipline and is about getting the right balance between innovation and change on the one hand, and the avoidance of shocks and crises on the other
Putting Risk into Context - What objectives are we trying to achieve?
Identify risks
· Risk: the Effect of Uncertainty on Objectives
· Determine what the Uncertainties are
· Cause + Consequence·Impact
· Includes: Threats & Opportunities
· When: setting strategic aims; setting business objectives; early stages of project planning & key stages; options appraisals; service improvement plans; determining risk-based priorities
· Categories can help: Strategic/Operational; Internal/External
· Best done in groups - by those responsible for delivering the objectives
Evaluate risks
· Combination of the probability (Likelihood) of an event and its consequences (Impact)
· Impact x Likelihood
· Set ratings for levels of risk (e.g. what is a high, medium, low risk?)
· Consider impact in Financial, Reputation and Business/Service terms
· Determine what level of risk can be tolerated
Treat risks
· Named person responsible for each risk
· Concentrate on 10-15 Top Risks
· What can we do to: influence the likelihood? influence the impact or consequences? influence the cause?
· Avoid; Reduce; Transfer; Tolerate
· Evaluate current control measures
· Devise Contingencies - Business Continuity Planning
· Undertake identified risk treatment measures
Monitor & Review
· Risk Registers: Baseline data to be prepared and monitored regularly. These should clearly indicate consequences, countermeasures and contingencies as well as the risk owner
· Assessment before controls, with current control, with proposed controls
· Review Top Risks regularly as agenda item
· Report progress to senior management
Roles, Responsibilities and Reporting on risk
A framework for reporting and monitoring risk has been established with clear guidelines on roles and responsibilities.
Reporting lines for risk management:

In support of this Strategy, Members, CMT and the Risk Management Board will foster a culture in which well-judged decisions about risks and opportunities can be made and where innovation can be handled with confidence.
The Risk Management Board, CMT and Members will take an active lead in:
· driving implementation of the actions set out in this strategy;
· taking key judgements and providing clear direction, for example, in prioritising risks for action;
· ensuring clear accountability for managing risks; and
· ensuring managers are equipped with the necessary skills, guidance and other tools needed to undertake effectively their responsibilities for managing risk.
Measuring Performance and Providing Assurance
The County Council has developed a risk management performance framework, based on work originally devised by HM Treasury.
The County Council will use this performance framework to measure the performance of its management of risk, set robust targets for future improvement and report on progress. Self assessment will be supported by documentary evidence, audits and reviews and performance indicators.
The aim is to develop sustained improvement to reach the highest end of the excellence level. At this level risk management is fully integrated and continuously improved.
Risk Management Performance Framework
The framework is adapted from the EFQM Excellence Model but is simplified and targeted to provide a flexible tool to assist in monitoring and evaluating performance in a systematic and structured way. It will be used to identify areas of particularly good or poor practice and in establishing priorities for improvement action.
The key elements of an effective risk management framework for the County Council have been broken down into seven strands, five for risk management capabilities and two that focus on the results of risk management.

At the most summarised level there are seven questions to address:
Capabilities
1. Leadership: do senior management and Councillors support and promote risk management?
2. Are people equipped and supported to manage risk well?
3. Is there a clear risk strategy and risk policies?
4. Are there effective arrangements for managing risks with partners?
5. Do the organisation's processes incorporate effective risk management?
Risk Handling
6. Are risks handled well?
Outcomes
7. Does risk management contribute to achieving outcomes?
These seven "key" questions at the top-level are each underpinned by a lower level set of questions which are intended as indicative of the range of issues and extent of evidence needed to come to a decision in respect of the key questions and hence to help guide evidence gathering.
Assessment Scale
The levels scale provides a means of quantifying performance and will assist in monitoring existing performance, setting targets for improvement, judging progress as well as peer review and benchmarking.
The assessment scales have five levels to gauge progress in developing the necessary risk management capabilities and to assess the effectiveness of Risk Handling and impact on delivering successful Outcomes. In summary these levels are:
Capability (Leadership; Policy & Strategy; People; Partnerships & Resources; and Processes):
1. Awareness and understanding
2. Implementation planned & in progress
3. Implemented in all key areas
4. Embedded and improving
5. Excellent capability established
Risk Handling and Outcome performance:
1. No evidence
2. Satisfactory
3. Good
4. Very good
5. Excellent
The five point scale has been further sub-divided in order to provide a more precise assessment, with a "How Are We Doing?" risk maturity model to assist in the monitoring process.
A detailed set of questions has been devised. These are assessed, with collated evidence, and contribute to an overall score for each of the seven strands.
Full details of the Framework are included in the Corporate Risk Management Framework.
"How Are We Doing?": Risk Maturity Model
Capability levels and the corresponding HCC scoring:
· Level 1 Awareness & Understanding: HCC scoring 1-2
· Level 2 Implementation planned & in progress: HCC scoring 3-4
· Level 3 Implementation in all key areas: HCC scoring 5-6
· Level 4 Embedded & improving: HCC scoring 7-8
· Level 5 Excellent capability established: HCC scoring 9-10
Leadership: do senior management and Members support and promote risk management?
· Level 1: Top management are aware of need to manage uncertainty & risk and have made resources available to improve
· Level 2: Senior Managers & Councillors take the lead to ensure that approaches for addressing risk are being developed and implemented
· Level 3: Senior Managers act as role models to apply risk management consistently and thoroughly across the organisation
· Level 4: Top down commitment with embedding and integrating risk management as routine business practice
· Level 5: Senior Managers reinforce and sustain risk capability, organisational & business resilience and commitment to excellence. Leaders invited to speak at conferences about their success
Risk Strategy & Policies: Is there a clear risk strategy and risk policies?
· Level 1: The need for a risk strategy and risk related policies has been identified and accepted
· Level 2: A risk management strategy & policies have been drawn up and communicated and are being acted upon
· Level 3: Risk policies & strategies are communicated effectively and made to work through a framework of processes
· Level 4: Risk handling is an inherent feature of all policies and strategy making processes
· Level 5: Risk management capability in policy & strategy making helps to drive the risk agenda and is reviewed and improved. Role model status
People: Are people equipped and supported to manage risk well?
· Level 1: Key people are aware of the need to assess and manage risks and they understand risk concepts and principles
· Level 2: Suitable guidance is available and a training programme has been implemented to develop risk capability
· Level 3: A core group of people have the skills & knowledge to manage risk effectively
· Level 4: People are encouraged and supported to be more innovative. Regular training is available for people to enhance their risk skills
· Level 5: All staff are empowered to be responsible for risk management and see it as an integrated part of the Department's business. They have a good record of innovation and well managed risk taking
Partnerships & Resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources?
· Level 1: Key people are aware of areas of potential risk with partnerships and understand the need to agree approaches to manage these risks
· Level 2: Approaches for addressing risk with partners are being developed and implemented
· Level 3: Risk with partners is managed consistently for all key areas and across organisational boundaries
· Level 4: Sound governance arrangements established, partners & suppliers selected on basis of risk capability & compatibility
· Level 5: Excellent arrangements in place to identify and manage risks with all partners and to monitor and improve performance. Organisation regarded as a role model.
Processes: Do the organisation's processes incorporate effective risk management?
· Level 1: Some stand-alone risk processes have been identified
· Level 2: Recommended risk management processes are being developed
· Level 3: Risk management processes implemented in key areas. Risk capability self assessment tools used in some areas
· Level 4: Risk metrics are collected. Risk management standards applied in some areas
· Level 5: Management of risk and uncertainty is well integrated with all business processes. Best practice approaches are used and developed. Selected as a benchmark site by other organisations.
Risk Handling and Outcomes levels: 1. No evidence; 2. Satisfactory; 3. Good; 4. Very good; 5. Excellent
Risk Handling: Are risks handled well?
· 1. No evidence: No clear evidence that risk management is being effective
· 2. Satisfactory: Limited evidence that risk management is being effective in at least most relevant areas
· 3. Good: Clear evidence that risk management is being effective in all relevant areas
· 4. Very good: Very clear evidence that risk management is being very effective in all areas and leading to the production of very good results
· 5. Excellent: Very clear evidence of excellent results in being highly effective in all areas and that improvement is being pursued
Outcomes: Does risk management contribute to achieving outcomes?
· 1. No evidence: No clear evidence of improved outcomes
· 2. Satisfactory: Limited evidence of improved outcome performance & efficiency consistent with improved risk management
· 3. Good: Clear evidence of significant improvements & efficiency in outcome performance demonstrated by measures including, where relevant, stakeholders' perceptions
· 4. Very good: Very clear evidence of very significantly improved delivery of all relevant outcomes and showing positive and sustained improvement
· 5. Excellent: Excellent evidence of markedly improved delivery of outcomes which compares favourably with other organisations employing best practice
RISK MATURITY
Level 3 - Application
At this level risk management is being applied and deployed and ...
· Risk management is being applied on major projects and business cases
· Risk management is being widely implemented throughout the organisation
· Policy submissions articulate the risks of various options
· The Board actively manage strategic risks
· Guidance on risk is available (e.g. via an intranet site and/or a central co-ordinator)
· The consequences of priority risks materialising are assessed for their potential impact on achieving business continuity
· There is an effective escalation process to ensure that risks are owned at the appropriate level
Improvement Plan 2007-2010
Improvement will be delivered through the implementation of the following Improvement Plan, which follows the format of the risk management performance framework. The objective is to move along the risk maturity matrix from the position as at December 2006 to the "excellent" band.
A clear set of targets will be set, and the actions below have been identified to deliver the necessary improvement.
The improvement actions are designed to contribute to the growing maturity of the County Council's risk management arrangements.
Progress against the improvement plan will be reported to the Risk Management Board and the Governance Committee. The Corporate Improvement Plan will be supported by similar initiatives in each Department.
1. LEADERSHIP
Outcome: Senior Managers reinforce and sustain risk capability, organisational & business resilience and commitment to excellence.
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Develop tools and guidance to assist embedding risk management into all the main decision-making, policy-making and management processes of the County Council, in particular: options appraisal, risk based decision making and update guidance on risk management within reports to Members.
  Responsibility: Corporate Risk Manager
· Increase number and prominence of consideration of opportunities as well as threats in the Risk Register
  Responsibility: Corporate Risk Manager
· Review and update escalation process for risks at different levels of HCC, both for identifying cross cutting risks and reporting reviews of effective implementation of risk treatment measures.
  Responsibility: Corporate Risk Manager
2. STRATEGIES & POLICIES
Outcome: Risk management capability in policy & strategy making helps to drive the risk agenda, is reviewed and improved.
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Develop a corporate crisis management and business continuity plan and implement associated infrastructure to ensure that the Council is better prepared and able to handle a crisis situation should it occur.
  Responsibility: Head of Emergency Planning
· Introduce and implement revised risk management strategy and performance framework for 2007-2010
  Responsibility: Corporate Risk Manager
· Draw up and implement a strategy for the improvement of the management of health and safety within HCC
  Responsibility: Corporate Risk Manager
3. PEOPLE
Outcome: Staff are empowered to be responsible for risk management and see it as an integrated part of the Council's business.
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Develop a programme for communicating this risk management strategy to all Council Members, with the aim of raising their awareness of the County Council's exposure to risk and, specifically, of identifying risks associated with Member activities.
  Responsibility: Corporate Risk Manager, with advice from Corporate Communications Team
· Undertake a risk based review of the County Council's relationships with schools with a view to developing a programme of guidance and advice on risk management issues to schools and to promote good practice in handling risk with the aim of reducing schools' and the County Council's exposure to risk.
  Responsibility: Children's Services Dept
· Ensure that responsibility for risk is addressed in individual performance plans
  Responsibility: DMTs
· Develop a co-ordinated and systematic approach to the provision of risk management skills and training, including e-learning.
  Responsibility: Corporate Risk Manager & Hampshire Learning Centre
· Departments to conduct a review of their own training and development programmes that could usefully cover risk management and innovation.
  Responsibility: DMTs, monitored by departmental representatives on Risk Management Board
· Create the capacity for Departments to forward think and identify emerging risks, taking a positive and proportionate approach.
  Responsibility: DMTs
· Departments to ensure that risk management is included in their induction programmes for all new staff.
  Responsibility: DMTs
· Produce a series of simple guidance documents on aspects of risk management for Members and Officers, including risk awareness (KLOE 4.1)
  Responsibility: Corporate Risk Manager
· Produce guidance to support the management competencies on: identifying and harnessing opportunity; taking well managed risk; using risk to support innovation
  Responsibility: Corporate Risk Manager
· Devise infrastructure for communicating key risks to all relevant staff
  Responsibility: Corporate Risk Manager with advice from Corporate Communications Team
4. PARTNERSHIPS & RESOURCES
Outcome: Excellent arrangements are in place to identify and manage risks with all partners and to monitor and improve performance
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Produce guidance to be used corporately as the basis for accrediting partners' risk management arrangements to ensure that accountabilities are clearly established by departments and capacity maintained to manage and monitor performance and to take early action in the event of difficulty.
  Responsibility: Corporate Risk Manager
· Draw up joint risk registers for all major partnerships
  Responsibility: DMTs & departmental representatives on Risk Management Board
· Ensure that risks to major partnerships are included in Corporate and Departmental risk registers
  Responsibility: DMTs
· Support smaller partner organisations by producing a series of toolkit guides and pro-forma for small voluntary groups
  Responsibility: Corporate Risk Manager
· Set up a greater Hampshire risk management forum to support partners to manage risk and prepare for the risk element of the Audit Commission Community Area Assessments in 2008
  Responsibility: Corporate Risk Manager
5. PROCESSES
Outcome: The management of risk and uncertainty is well integrated with all business processes.
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· All departments ensure that there are up to date and robust disaster and business/service recovery plans, with particular focus on improving resilience and integration at both the strategic and operational levels.
  Responsibility: DMTs
· Review approach to effective dialogue with the public with the aim of improving levels of understanding about risks affecting them and informing them about what they can do to prevent themselves being affected; allowing their concerns to feed into policy development and ensuring that information is presented in an accessible way. The approach to be underpinned by the principles set out in this strategy and building upon the media plan for major civil emergencies and the Corporate Communications Strategy.
  Responsibility: Corporate Communications Team
· Produce simple processes to support a risk based approach to budget setting and budget monitoring linked to the operational activity indicators (KLOE 2.1 & 2.2)
  Responsibility: DMTs & departmental representatives on Risk Management Board
· Map risk register to strategic objectives (KLOE 4.2)
  Responsibility: Corporate Risk Manager/RM Steering Group
· Develop simple tool & process to integrate risk assessment into business plans (KLOE 2.1)
  Responsibility: Corporate Risk Manager, in conjunction with Policy Unit
· Develop process for horizon scanning emerging risk (for Risk Management Board)
  Responsibility: Corporate Risk Manager
· Develop guidance on Procurement Risk (to assist gateway review process)
  Responsibility: Corporate Risk Manager/Corporate Procurement Network
· Introduce formalised benchmarking on risk management with other organisations
  Responsibility: Corporate Risk Manager
· Link risk management with performance management, ensuring risks to performance indicators are included in risk registers
  Responsibility: Corporate Risk Manager/RM Steering Group
· Review existing risk assessment methodology to include consideration of the context of risk (e.g. Members interests, public, service user and wider social interests) to ensure a proportional response to risk
  Responsibility: Corporate Risk Manager/RM Steering Group
· Review risk assessment process to encourage greater recording of opportunities
  Responsibility: Corporate Risk Manager/RM Steering Group
· Review process for review and monitoring of risk control implementation
  Responsibility: Corporate Risk Manager
· Fully implement MK Insight system
  Responsibility: Corporate Risk Manager
· Review feasibility of integrating the risk register to the performance management system (CorVu)
  Responsibility: Corporate Risk Manager
· Investigate efficacy of using the risk register to assist in informing the Council's policy for reserves (KLOE 3.1)
  Responsibility: Corporate Risk Manager/County Treasurer
· Develop a series of tools to ensure that risk management is incorporated in business processes including: strategic planning; financial planning; policy making and review; performance review; project management (KLOE 4.1)
  Responsibility: Corporate Risk Manager
· Implement processes necessary to comply with the Regulatory Reform (Fire Safety) Order 2005
  Responsibility: DMTs
· Develop infrastructure and capacity for changes to the external inspection system in 2008 to support the Annual Risk Judgement for Hampshire County Council and the Hampshire area.
  Responsibility: Corporate Risk Manager, in conjunction with Policy Unit
6. RISK HANDLING
Outcome: There is very clear evidence of excellent results in being highly effective in all areas and that improvement is being pursued
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Review all corporate cross-cutting risks and undertake assessments of those risks in collaboration.
  Responsibility: Risk Management Board
· Develop a good practice database which can be accessed via the Council's intranet site, strengthen current networks and other arrangements, and develop specific risk management benchmarking arrangements.
  Responsibility: Corporate Risk Manager
· Introduce a performance management framework for risk management
  Responsibility: Corporate Risk Manager
7. OUTCOMES
Outcome: There is excellent evidence of markedly improved delivery of outcomes which compares favourably with other organisations employing best practice.
Success Measures: Progress against the criteria set out in the Risk Management Performance Framework and the achievement of agreed targets
Actions and Responsibility:
· Produce guidance on what information senior managers should be able to produce, if required, in support of risk judgements and risk management actions.
  Responsibility: Corporate Risk Manager
· Develop performance indicators to measure how effectively the Council is managing risk and what benefits are being delivered.
  Responsibility: Corporate Risk Manager
· Develop an approach to benchmark the County Council's risk management arrangements against similar organisations, appropriate national standards and best practice, so that comparisons can be made on relative performance criteria to inform the process of continuous improvement.
  Responsibility: Corporate Risk Manager
· Produce demonstrable evidence of impact of effective risk management in achieving objectives across Council services and how it adds value.
  Responsibility: Corporate Risk Manager & departmental representatives on Risk Management Board

