
Hampshire County Council

Cabinet

Item 14

24 September 2007

Strategic Risk Management and Business Continuity

Report of the Chief Executive

Contact: Peter Andrews, ext. 01962 847309

    1. Summary

    1.1. The aim of this report is to update Members on the County Council's programmes for the management of risk, including its business continuity arrangements. It outlines the key risks that the County Council faces along with the results of a survey to identify those services that would be critical in the event of a major crisis.

    1.2. This report:

      · Outlines the approach that the County Council is taking towards risk with the introduction of the Corporate Risk Management Strategy and performance management framework for risk 2007-2010.

      · Introduces a framework of risk registers that focus on strategic risks faced by the County Council and wider risks facing the Hampshire Area, linked to the Corporate Business Plan.

      · Outlines the approach that the County Council is taking towards business continuity, with the introduction of a corporate strategy and policy on business continuity management.

      · Outlines the process of critical service analysis the County Council is undertaking that will identify those services critical to the Council in the event of a major crisis.

    1.3. The County Council's risk management programme aims to deliver improvements to the capacity of the Council to handle risk effectively. It also provides a platform that will enable it to demonstrate the contribution risk management makes to its handling of risk and achieving of outcomes.

    1.4. Risk Management is a developing business discipline and a series of new processes and tools are being developed to meet the changing expectations of the public on risk, the business needs of the County Council and external inspection requirements. As part of its risk management approach, the County Council is developing a comprehensive business continuity framework.

    1.5. The Civil Contingencies Act 2004 requires Hampshire County Council to ensure that it has prepared, so far as is reasonably practicable, to continue to provide critical activities and an emergency response during any emergency or disruptive event.

    1.6. The County Council undertakes activities and services that must be performed, or rapidly and efficiently resumed, in an emergency. While the impact of an emergency cannot be predicted, planning for operations under such conditions can mitigate the impact of the emergency. To that end, the County Council is undertaking a continuous programme of work to prepare a robust Business Continuity Plan.

    1.7. The changing threat environment and recent emergencies have created awareness of the need for business continuity planning capabilities that enable services to continue their critical activities across a broad spectrum of emergencies.

    1.8. Hampshire County Council's Business Continuity Plans aim to:

      · Prioritise people's safety

      · Maintain essential services

      · Protect buildings and their contents

    1.9. A certain amount of risk taking is both inevitable and essential if the County Council is to achieve its objectives. The way that the County Council manages the many risks facing it ultimately contributes towards the implementation of its Corporate Business Plan and the achievement of its priorities of:

      · Hampshire safer and more secure for all

      · Maximising Wellbeing

      · Enhancing our Quality of Place

    2. Recommendation

      That Cabinet:

      (a) approve the Policy, Strategy and Performance Framework for Risk Management 2007-2010

      (b) approve the introduction of a Corporate Risk Register linked to the Corporate Business Plan

      (c) are invited to express their views on the risks contained in the draft Corporate and Strategic Risk Registers

      (d) approve the Business Continuity Management Policy and Strategy

    3. Corporate Strategy for Managing Risk 2007 - 2010

    3.1. A review of the strategy for risk management has been undertaken, with the drawing up of a new strategy to cover the period 2007 - 2010, agreed by the Risk Management Board. The strategy is appended to this report, Appendix 1.

    3.2. The aims of this strategy are to deliver improvements to the capacity of the Council to handle risk effectively and produce a performance management framework that will enable it to demonstrate the contribution that risk management makes to its handling of risk and achieving of outcomes.

    3.3. The strategy for 2007-2010 responds to concerns over risk aversion by focusing on encouraging considered risk taking and taking a proportional response to risk.

    3.4. The associated Improvement Plan outlines the actions required to improve the quality of the management of risk across the County Council. It has been linked directly to a performance management framework.

    3.5. This framework has been modelled on nationally recognised standards, suitably amended to meet the needs of the County Council.

    3.6. All departmental risk champions have completed a self assessment review questionnaire as part of the performance framework process. The initial findings of this exercise confirm that the County Council is strong in terms of leadership, with risk management being supported and promoted in all key areas. It also has a mature risk management strategy and associated policies. However, more work needs to be undertaken to demonstrate the effectiveness that risk management is having on the achievement of objectives and improved service delivery. This is a common area for improvement for Local Authorities in general. There is also a programme of work being undertaken to link the financial risks identified through the risk management process with those built into the budget and medium term financial planning processes.

    3. An Integrated Framework of Risk Registers

    3.1. The foundation of the County Council's risk management programme is a comprehensive set of risk registers. These are managed at Departmental level and contain a list of those risks identified by Departments that may have an effect on the quality of the services that the County Council provides.

    3.2. These risks are reviewed on an ongoing basis and reported to the respective Departmental Management Team meetings, with an annual report tracking progress across the year.

    3.3. Although the current corporate process comprehensively addresses risks to service delivery, it is not flexible when it comes to risks to service improvement plans and risk-based options appraisals. New risk tools are therefore being developed to improve the management of risk within improvement and change programmes. Appendix 2 shows how the various risk assessments link together.

    3.4. There are 2 key risk assessment documents: the Corporate Risk Register, which outlines those risks to Hampshire that the Corporate Business Plan is addressing, and the Strategic Risk Register, which is an amalgam of those risks identified within departmental risk registers and cross-cutting risks that affect all departments. Together, the Corporate and Strategic Risk Registers provide a picture of the key risks that the County Council faces and is managing.

    4. Corporate Risk Register 2007

    4.1. The existing risk registers focus primarily on tactical and operational risks, and those strategic risks that affect service delivery. It has been recognised that the County Council also faces wider risks not only in relation to the services that it provides, but also to the people of Hampshire in general that it has an influence over. These risks represent both threats and opportunities to the organisation, its partners and the people it serves.

    4.2. The Corporate Business Plan addresses these risks. The Corporate Risk Register, shown in Appendix 3, has been developed to articulate these.

    4.3. This risk register directly reflects the key outcomes that are identified in the Corporate Business Plan, which is the action plan for delivery of the Corporate Priorities, which were formed to reflect the wishes of the people of Hampshire.

    4.4. A link will be made to the Departmental risk registers by ensuring that risks that affect the delivery of the key activities identified in the Corporate Business Plan are reflected in Departmental risk registers.

    4.5. Progress will be reported through the County Council's existing corporate performance framework.

    4.6. This risk register is part of the infrastructure that is being developed in response to the changes that the Audit Commission are making to the system of external inspection and the introduction of the Comprehensive Area Assessment.

    5. Strategic Risk Register

    5.1. The Strategic Risk Register comprises:

      · Risks identified at Departmental level that have strategic implications for the County Council as a whole

      · Risks that are common to one or more departments

      · Risks that require the joint working of one or more departments to manage them

      · The identification of common control measures used by departments to manage risk which, if not operating at an appropriate level, would in themselves constitute significant risks

    5.2. A working group of the Risk Management Steering Group is currently working on producing a comprehensive risk assessment of these cross cutting risks, but initial indications are that the key strategic risks faced by the County Council (in no order of priority) are as follows:

Key Strategic Risks 2007

| Risk | Risk Description |
| --- | --- |
| Critical Incident Planning/Business Continuity | Failure to sufficiently prepare for a major emergency/inadequate contingency arrangements to ensure the continued delivery of vital services |
| Working with Partners | Failure to take full opportunities of partnership arrangements/services provided through partnerships do not meet customer expectations |
| Financial Capacity | Failure to manage financial resources in the most efficient way |
| IT Dependency/Continuity Arrangements | Failure to provide a sufficiently resilient IT infrastructure |
| Delivering Corporate Business Plan objectives | Failure to deliver the objectives contained within the Corporate Business Plan |
| Staff Recruitment & Retention | Failure to attract or retain sufficient high calibre candidates/staff |
| Equal Pay/Single Status | Failure to implement pay and benefits scheme, resulting in large numbers of equal pay compensation claims |

    5.3. This is consistent with the results of a recent national survey of the top 10 risks identified by local authorities:

      Most frequent 10 Summarised Risks

      Critical Incidents/Business Continuity

      Partnerships

      Financial Capacity

      IT Issues

      Not achieve objectives/targets

      Organisational Change

      Income & Funding

      Equal Pay/Single Status

      Staff Recruitment & Retention

      External Review & Inspectorate Judgement

      Source: ALARM National Risk Management Survey 2006

    5.4. A valuable comparison can also be made between those risks identified in the County Council's Corporate and Strategic Risk Registers and the results of a recent survey of those risks that the general public believe are the most important faced by local authorities:

| Risk | Public ranking |
| --- | --- |
| Tackling anti-social behaviour | 1 |
| Funding and good financial management | 2 |
| Managing partnerships with other organisations | 3 |
| Human resource issues | 4 |
| Climate change | 5 |
| Changes in population | 6 |
| Project management | 7 |
| Crisis planning | 8 |
| Fire safety | 9 |
| Compensation culture | 10 |

Source: Ipsos Mori survey for Zurich Insurance Company 2007

    5.5. It is important to note that these risks are reflected in the County Council's existing Strategic, Corporate and Departmental risk registers, with mitigation measures identified and addressed.


    6. Business Continuity Framework

    6.1. Hampshire County Council aims to establish a business continuity framework that:

      · Improves its resilience against the disruption of its ability to achieve its key organisational objectives

      · Provides a rehearsed method of restoring Hampshire County Council's ability to continue to provide its key services to an agreed service level and within agreed recovery times

      · Delivers a capability to manage a business disruption and protect the County Council's reputation

    6.2. The Business Continuity Management Policy (Appendix 4) provides the framework for Business Continuity Plans to be developed, implemented, tested and reviewed.

    6.3. The Strategy document, attached to this report as Appendix 5, outlines the approach that the County Council proposes to the production of business continuity plans.

    6.4. The delivery of business continuity management in the Departments will be based on a principle of central support for a local delivery. Because of the scale of the project, each Department will be responsible for producing its own plans, with the Business Continuity Officer providing support, guidance and advice as appropriate.

    6.5. A survey has been undertaken by all Departments to determine how many critical activities the County Council provides. Service heads and managers were asked to list the activities they undertake, measuring potential criticality against specific criteria and using elements of the corporate risk assessment process.

    6.6. Priority 1 services are defined as: "Those services whose activities would have a potential impact on our ability to deliver an emergency response if disrupted or would have a potential impact resulting in serious damage to human welfare". Priority 2 services are defined as: "Those services whose activities if disrupted would have a potential impact resulting a) Impact or breakdown of local community services b) Damage to the environment c) Council loses income d) Council suffers loss of reputation e) Legal implications". Priority 3 services are defined as those services which do not fall into either of the other criteria.

    6.7. The responses from the survey are currently being quality assured. Having determined the broad areas in which critical activities might lie, a full business impact analysis will be undertaken on those activities identified as priority 1 and priority 2 services.

    7.8 The key milestones in the development of the business continuity framework are outlined in Appendix 6. Specifically, they are:

      6.7.1. The identification of the impact, loss or disruption to the business and the potential exposures which may be present in the event of a disaster

      6.7.2. The development, maintenance and testing of suitable business recovery plans for all subsidiary business units and locations

      6.7.3. Regular review of the continuity requirements and plans to ensure that they reflect the needs of the business

      6.7.4. The requirement for each Hampshire County Council Service/Function or location to review and test their business continuity plan(s) at regular intervals dependent on the level of risk.

LINK(S) TO CORPORATE STRATEGY

| | Yes | No |
| --- | --- | --- |
| Hampshire safer and more secure for all | | |
| Maximising well-being | | |
| Enhancing our quality of place | | |

Section 100 D - Local Government Act 1972 - background documents

The following documents discuss facts or matters on which this report, or an important part of it, is based and have been relied upon to a material extent in the preparation of this report.

NB: the list excludes:

1. Published works

2. Documents which disclose exempt or confidential information as defined in the Act.

Corporate Strategy for the Management of Risk 2007-2010:

http://intranet.hants.gov.uk/riskmanagement/chiefexecs-riskmanagement-strategy.htm

Corporate Risk Management Performance Framework:

http://intranet.hants.gov.uk/riskmanagement/chiefexecs-riskmanagement-managingperformance.htm

Corporate Business Continuity Policy:

http://intranet.hants.gov.uk/bcm-policy.doc

Corporate Business Continuity Strategy:

http://intranet.hants.gov.uk/businesscontinuity/bcm_strategy.htm