Contact: Peter Andrews, ext. 01962 847309, [email protected]

1 Introduction
The aim of this report is to update Members on the County Council's programmes for risk management to support the Cabinet oversee the effective management of risk by officers of the County Council. This report also outlines the findings of the review of risks undertaken in Departments.

1.1 The County Council's risk management programme aims to deliver improvements to the capacity of the Council to handle risk effectively. It also provides a platform that will enable it to demonstrate the contribution risk management makes to its handling of risk and achieving of outcomes.

1.2 A certain amount of risk taking is both inevitable and essential if the County Council is to achieve its objectives. The way that the County Council manages the many risks facing it ultimately contributes towards the implementation of its Corporate Business Plan and the achievement of its priorities of:

· Hampshire safer and more secure for all

· Maximising Wellbeing

· Enhancing our Quality of Place

2 Recommendation

That Cabinet

a) Agree the approach being taken to manage the County Council's risks and whether any changes of approach are needed.

b) Asks the Chief Executive to review the County Council's Risk Management Framework and provide an assessment on compliance and the adequacy of internal and external controls.

c) Support the development of a strategic risk register, owned by Chief Officers and that such a risk register is reported to Cabinet no later than September 2008.

3 Review of the County Council's Risk Management Arrangements

3.1 A key purpose of the County Council's risk management arrangements is to provide assurance to Members that the County Council is effectively managing its key risks. In order to achieve this it maintains robust risk management arrangements that have adopted best practice from the private and public sector, nationally and internationally. These arrangements are subject to review by the Audit Commission as part of the Use of Resources assessment, and from 2009, as part of the Comprehensive Area Assessment. Considerable improvements are being undertaken both in terms of the conclusions drawn from the Corporate Assessment report of August 2007 and in preparation for the changes in focus determined by future inspections.

3.2 There were two risk management areas highlighted in the Corporate Assessment report. The table below shows those highlighted areas, and the actions being made to address them:

3.3 These actions also address the key risk management points within the Action Plan for 2008 Use of Resources Assessments. In addition, steps have been taken to link the assessments of financial risk within Departmental risk registers to the overall budget setting process. As a consequence, the timetable for the annual risk review has been brought forward to allow consideration of high financial risks to be taken at an early stage.

3.4 An internal audit review was undertaken in November/December 2007 of the County Council's risk management arrangements, with specific emphasis on the process of Departmental risk registers. The review report stated in its assurance statement:
"In our opinion, based on the audit evidence obtained, we can give assurance that the internal control system to manage the control risks identified enable the objectives for Risk Management to be achieved as:

· There is an appropriate framework of control to manage the control risks identified, however, recommendations have been made to enhance controls.

· Testing has shown that these controls are operating in practice with exceptions.

· No significant issues have been identified during this review."

3.5 A number of areas of improvement to the current arrangements were identified and are in the process of being implemented. These are:

· Improving the links from Departmental risk registers to the Corporate Priorities.

· Improving capacity and competency through the development of a risk management training programme.

· Developing robust risk management arrangements for the new Local Area Agreement as part of its delivery framework.

3.6 The County Council has also adopted a performance management framework developed by HM Treasury, to monitor the progress of its risk management performance and inform its statement of assurance. This is in the form of a series of self assessments undertaken by Departments and aggregated to indicate a picture of the County Council as a whole. It confirms that the County Council maintains robust risk management arrangements and provides assurance that:

· Senior managers act as role models to apply risk management thoroughly across the organisation.

· Risk policies and strategies are communicated effectively and made to work through a framework of processes.

· A core group of people have the skills & knowledge to manage risk effectively.

· Approaches for addressing risk with partners are being developed and implemented.

3.7 The changes that will be brought about as a result of the Comprehensive Area Assessment in 2009 present a number of challenges. The Audit Commission has indicated that it will take a risk based approach to the assessment. In addition, within the current inspection arrangements, the Audit Commission has outlined its expectations on managing risks within partnerships. Considerable work is being undertaken to ensure that the risk management arrangements for the new Local Area Agreement are robust, proportionate and link to the appropriate County Council processes.

3.8 Notwithstanding the evidence indicating the adequacy of the current risk management arrangements, the challenges posed by these external changes, plus the imminent introduction of an international (ISO) and British Standard on risk management, mean that this is an appropriate opportunity to undertake a review of the current framework; along with an assessment on compliance to, and the adequacy of, internal and external controls, to ensure that they continue to meet the developing needs of the organisation and best practice. Cabinet is requested to ask the Chief Executive to undertake such a review.

4 Annual Risk Review

4.1 The County Council has a corporate process through which it identifies, assesses and manages the risks to the services it provides. Departments are required to review their risks on an annual basis, reporting any findings to their respective Departmental Management Teams (DMTs). In addition, information on those risks that may have the greatest financial impact have been related to DMTs, so that consideration of those impacts can be considered as part of the overall budget process.

4.2 Considerable work has been undertaken in all Departments to analyse, review and amend their risk registers. Risk registers are dynamic documents, so a number of changes have been made with new risks being identified, risks increasing in intensity and other risks dropping in importance as circumstance and business priorities change and new mitigation measures are implemented.

4.3 A thorough review of the risk registers held in Departments has been undertaken. Reports on the findings of the reviews have been presented to Departmental Management Teams. Reports from each Department on their arrangements for managing risk are given as Appendix A to this report.

5 The County Council's Risk Profile

5.1 The County Council inevitably faces a number of high level risks. It uses it's risk management processes to mitigate these risks. The following table illustrates the levels of risk, the current position and the expected destination in respect of those risks that currently feature in the strategic risk registers.

5.2 It shows that considerable risk mitigation measures are in place, with further improvements planned. In addition, it illustrates that in respect to a small number of high risks, risk mitigation measures may have little effect on the impact or likelihood of those risks and the County Council recognises that it may have to tolerate some significant risks in order to continue to provide efficient services to the public.

6 Cross Cutting Risks

6.1 Examination of the existing Departmental risk registers has shown common risks faced by a number of Departments, and it is clear from the annual risk review that considerable work is already being undertaken at Departmental level to mitigate those aspects of strategic risk areas that fall within the remit of those Departments.

6.2 There are also specific corporate initiatives being undertaken to address cross cutting risk areas. The management of health and safety and the implications of the Corporate Manslaughter Act, for example, are examined in a companion to this report.

6.3 The important cross cutting risk issue of IT risk and business continuity has also been recently examined by Cabinet. Portfolio holders are in discussion with their Directors on particular areas of IT resilience. These discussions are still taking place at the time of writing this report.

6.4 However, it is recognised that there is the potential for these cross cutting risks to be examined in isolation. This may mean that reactions to these risks, although important in themselves, are not necessarily seen in the context of other equally important risks. This could result in poor prioritisation of scarce resources in terms of risk mitigation. It could also mean that cost benefit analysis of the resources needed to control these risks could be potentially skewed without being able to see the "bigger picture" of the total cost of risk mitigation of all key cross cutting risks.

6.5 In order to address this, a risk register of key cross-cutting and other strategic risks is being developed.

6.6 The Strategic Risk Register comprises of :

· Risks identified at Departmental level that have strategic implications for the County Council as a whole.

· Risks that are common to one or more departments

· Risks that require the joint working of one or more department to manage them

· The identification of common control measures used by departments to manage risk which if not operating at an appropriate level would in themselves constitute significant risks.

6.7 A sub -group of the Risk Management Steering Group, consisting of representatives from Departments, has been meeting to assist with the drawing up a register of the cross-cutting risks that are faced by the County Council.

6.8 Chief Officers have agreed that more work needs to be undertaken to refine this work and that it is appropriate that this risk register is owned and spearheaded by Chief Officers. A revised Strategic Risk Register is to be presented to Cabinet by September 2008. They request that Members endorse this approach.

6.9 Further work will also be undertaken by Chief Officers and the Risk Management Board to link existing risks contained in Departmental risk registers, as well as to incorporate corporate initiatives that are also addressing those risks.

7 Conclusions

7.1 The County Council continues to manage its key business risks well. With the refinement of the Strategic Risk register in terms of cross-cutting risks, it will be possible to clearly demonstrate how risk mitigation measures on individual risks within Departments and corporate initiatives contribute towards managing key risks to the County Council.

APPENDIX A - Annual Risk Review in Departments

The following short reports from Departments outline the risk management developments within Departments and the key risks that are being managed.

1 Adult Services Department

1.1 The number and complexity of the risks associated with the Adult Services Department's operations remains high, perhaps as high as any County Council Department, but DMT is conscious of this and ensures that their management and control continues to be given appropriate priority. Each risk and the measures in place to control it is now regularly monitored by a nominated DMT member in association with the designated risk owner. A Risk Management and Business Continuity Steering Group has been established to help drive improved performance in these critical areas and a comprehensive review of the department's wider governance arrangements is currently being undertaken.

1.2 DMT has published a policy statement specific to the management of risk in an adult social care environment and has also produced guidelines for managers working in partnership with other agencies to ensure that the liabilities held by the County Council are understood and appropriately managed.

1.3 The department's service planning toolkit now ensures that all development proposals are accompanied by a suitably detailed risk assessment and all reports submitted to DMT are required to address the issue of risk, as well as opportunity.

1.4 The assessment of the risks managed by the department was used in the formulation of the current round of budget proposals and DMT has conducted an "horizon scanning exercise" to identify those emerging risks that the department will need to respond to in the future. The roll out of individualised budgets and the increasing provision of services through contracts and partnership arrangements will be key amongst these.

1.5 As a result of the performance management self-assessment tool used throughout the County Council an extensive action plan aimed at achieving quantitative improvement in all subject areas has been generated and is in the process of being implemented.

1.6 The electronic incident reporting system used by the department continues to provide a wealth of risk-related information for investigation and the full set of departmental practice manuals is currently being reviewed and updated.

1.7 The annual review of the risks associated with the department's operations was completed in accordance with the corporate timetable.

1.8 38 identified risks are now held in the department's risk register and are being actively managed. New risks, such as pandemic influenza, have been included, some such as those relating to financial management and departmental restructuring have been downgraded given the controls in place and the evidence of their impact, and some, like the introduction of the new charging policy and the proposed, and subsequently withdrawn, amendments to eligibility criteria it has been possible to archive.

1.9 A briefing for the Executive Member on the management of risk and the department's other governance arrangements was held in January 2008.

2 Chief Executive's Department

2.1 The profile of the Department's Key Risks (i.e. those risks that fall into the "High" and "Medium" categories) is significantly different from last year. 8 new key risks were identified. These were principally in the Hantsdirect area and reflect the higher risk activities associated with delivering front line services.

2.2 In addition to the work undertaken to mitigate the Department's key risks, a number of important risk issues have been successfully managed during this year.

These include:

· Flooding during the summer

· Foot and Mouth outbreak

· The Rowner renewal project

· Equal pay implementation

· Comprehensive Performance Assessment

· Introduction of Hantsdirect

· The work to successfully conclude negations on Pay and Benefits after the "no" vote.

2.3 These demonstrate that the Department continues to produce successful outcomes to difficult risk issues.

3 Children's Services

3.1 New risks have recently been identified, `Death or serious injury of a pupil on a school site' and `Death or serious injury to staff during their daily working duties' and some 20 key risks on the Risk Register reflect the higher risk activities associated with delivering services for children.

3.2 During this last year a number of initiatives have been developed to mitigate the Department's key risks, for example:

· Ensuring Children's Services has a legislatively compliant health and safety management system

· Raising awareness across the department of the importance of assessing risks and following safe and healthy practices

· Safer Recruitment implementation to ensure that children in Hampshire are appropriately safeguarded

· Supporting managers in carrying out site-specific risk assessments

· Establishing a central system for data and analysis of Violent Incident Reports and Accident Reports

3.3 Children's Services Health and Safety Risk Management Group and the Departmental Management team receive regular reports to assess the department's risk management performance and its future direction.

4 County Treasurers

4.1 The annual risk review has been completed and has not changed the risk profile of the department. The resulting action plan will be monitored during the year and risk assessments will be updated when necessary. Financial risks have been taken into account in the budget setting process and further work is needed to collate information on the risks across the council with a high financial impact. The department has reviewed the process for monitoring budgets and is looking to implement a risk based approach to budget monitoring.

5 Environment

5.1 The highest risks for the Department are Weather emergency impact on the highway, Longterm effects of inadequate highway maintenance, Management of construction contractors [the H&S element is emphasised], Fire and H&S risks at waste management sites and Failure of the statutory waste disposal service. It is proposed to amalgamate Road Traffic Accidents due to inadequate safety barriers with Highway accident impacting railway, forming a new risk description covering the effects of road traffic accidents that could be attributed to the state of the highway and associated structures. This more broadly-defined risk will move into the top six.

5.2 These risks have all been reviewed, and the updated controls are certified as in place and effective.

5.3 In addition to the Strategic Risk Register, the Department applies risk management principles to decision-making in order to reduce uncertainty and grasp opportunity. In particular, our Special Projects Team applies risk management to all project planning. This helped the team to complete the decant from Ashburton Court in February 2008, without major surprises or unforeseen difficulties. Again risk management features in the Project Initiation Document for the Scanning and Mail Management project - currently in final draft.

6 IT Services

6.1 In addition to our Strategic Risks being reviewed annually by the Corporate Risk Management Board, IT Services has undertaken a review of it's risk management maturity as a department.

6.2 The outcome of which has included the introduction of the following;

· The introduction of an IT Services Risk Management Board. Responsible for the management and review of all highlighted risks within IT Services.

· A review and assessment of IT Services Strategic Risks with implementation of further controls to mitigate these risks.

· The production of a draft process to foster best practice on risk management and ensure risk analysis and assessment is happening in all areas of IT Services. This is expected go live by June 2008. This process will be owned by the IT Services Risk Management Board, and introduces a more formal approach for logging and managing strategic, staff and Health and Safety risks. It will also ensures risks are managed throughout the life cycle of all IT projects.

· Hantsnet pages for guidance available to IT Services staff: Risk Management Pages

· Ensure that IT Services risk management supports the formal guidelines set by the Hampshire County Council Corporate Risk Management group.

6.3 Projects
In addition to reviewing and improving risk management within the project life cycle, IT Services now consider improved resilience when designing corporate or departmental solutions. This approach not only provides service improvements to the customer, but takes into account the need for more resilience and protection of services to ensure downtime to the customer is kept to a minimum. For example:

6.4 The new IP Telephony service has been specifically built to give better resilience than the system it replaced, this is achieved by having two central nodes, if one fails the other can continue to provide the service.

6.5 The Disaster Recovery Contract project which is currently at the tender stage, will offer assurance for the recovery of our critical IT applications by hosting them at alternative site, when a major outage occurs within our existing data centre.

6.6 The new computer suite linked to the Ashburton Court refurbishment will provide better resilience, both now and taking into account the long term IT requirements

6.7 The Hampshire Public Services Network service is being reviewed for building in better resilience, reducing the potential loss of this service by the implementation of fully resilient ring network.

6.8 ISO20000
IT Services has also gained ISO 20000 accreditation, this provides assurance of good risk management and Service Continuity within the department. The following requirements had to be in place to ensure IT Services gained accreditation for the Service Continuity Process:

· Service Continuity requirements are identified based on business plans, SLA's and risk assessments

· Service Continuity plans developed and reviewed at least annually

· Plans to cover recovery from slight loss of service to a major loss of service

· Service Continuity plans re-tested at every major change to the business

· Change Management to assess the impact of change on Service Continuity plans

· Service Continuity plans must be available when normal office access is prevented

· Service Continuity plans tested in accordance with business needs

· All tests recorded and test failures formulated into action plans

7 PBRS

7.1 PBRS Management team has identified 27 strategic risk across departmental services with the highest risks associated with the Built Estate to include management of fire, fabric of buildings, asbestos, and maintenance of engineering plant. Capital resources continue to be managed to achieve the maximum strategic impact in reducing maintenance liabilities and addressing risk priorities, the detail of which is shared annually with the Building, Land and Procurement Panel. Performance of each strategic risk is monitored with a rigorous annual assessment to confirm actions and resources required for continuous improvement. Members recently supported a `Test and Invest' strategy to improve use of resources where alterative test strategies have been considered from published industry standard, which ensure safety of the estate but provides significant funding for investment. The `Test and Invest' strategy is one of well-managed risk-taking and has been implemented for electrical systems and asbestos and will be implemented across the risk register where practicable over the next few years eg testing safety valves of pressurised plant, structural inspections.

7.2 Steady progress is being achieved through focused management action and capital investment according to the rank order and published improvement agenda. Enhanced capital investment, beyond the current allocation is required to eliminate or significantly reduce risk and associated liabilities, including the chance of criminal prosecution. The annual risk review provides clear evidence that risk management is being effective in all areas and leading to positive and sustained improvement in risk handling, however it is recognised the Council retains significant risks and liabilities associated with the Built Estate.

8 Recreation & Heritage

8.1 The Recreation and Heritage Department has completed a thorough review of its risk profile through the annual Risk Management Process A full report of the findings has been presented to DMT, where the risk tolerance levels and recommendations were agreed. Those risks which had the highest financial impacts have been identified in the departmental annual budget report. This year the Risk Management review has been more closely aligned with the service planning process.

8.2 Managers and staff in the department manage risk as an everyday part of their business. The risks they handle go hand in hand with the rewards and opportunities of advancing the departments aims. This year we have continued to analyse and respond to the key risks. Our major concerns are related to compliance and prevention of disaster, but we have also given a particular focus to those risks that would prevent us achieving our departmental objectives. It is recognised that many of the Recreation and Heritage risks on the register relate to operational issues i.e. those associated to service quality and development , contracts and health and safety requirements. Nevertheless, we have tried to ensure that in managing these operational risks our external risks relating to public perception, adverse publicity and demographic change are also managed.

8.3 The department will continue to use the Risk Management Process to help support its innovation and change.