Business Risk Management Toolkit Revision 09

RISK MANAGEMENT TOOLKIT Rev. 2009

CONTENTS

1. Introduction
2. Risk Management Process – One page summary
3. What is risk?
4. What is business risk management?
5. Risk appetite and tolerance thresholds
6. Process
7. Who should be involved?
8. Working through the 4 stages of the risk assessment process
   8.1 Risk identification
   8.2 Risk analysis and evaluation
   8.3 Risk control
   8.4 Risk monitoring and review
9. Escalating risks
10. Early warning indicators
11. Risk assessments
12. Risk registers
13. Summary

APPENDICES

1. Sources of risk
2. Glossary of terms
3. Business continuity
4. Partnerships
5. Risk rating matrix
6. Risk register
7. Example risk assessment

1. INTRODUCTION

The diverse range of activities undertaken by the Council involves making decisions and taking risks. Part of why KCC has been so successful is because it encourages and supports well-managed risk taking, recognizing that innovation and opportunities to improve public services require risk taking, provided that we have the ability, skills, knowledge and training to manage those risks well. Risk management is therefore at the heart of what we do.

We cannot always decide upon the activities with which we are involved. In the private sector, high impact/high likelihood risks can be avoided by opting out of that part of the business. In the public sector that option may not exist due to statutory responsibilities. Risk management therefore plays an important role in helping to manage risks and opportunities in a practical and cost effective manner.

Some risks will require very little management whereas others will require a more managed and structured approach. This toolkit is designed to help in this process and describes a simple methodology to maximise the opportunity to achieve expected results.

This toolkit will work through the following questions:

This toolkit is provided to assist with the management of operational risks however examples of strategic risks are also provided for information.

Guidance is also provided on business continuity planning and the management of risks within partnerships.

2. RISK MANAGEMENT PROCESS – ONE PAGE SUMMARY

What do you want to achieve?
What can stop you achieving your target?
How big is the risk?
What is the chance of it happening?
What has been done about it?
What else do you need to do about it?

PROCESS

Manage threats that may hinder delivery of priorities.

Maximise opportunities that will help to deliver them.

Process is a continuous cycle around the Council's objectives: Identify → Assess → Plan & action → Monitor and Review.

1. Identify

What could go wrong? Best done in groups. Use available documents, e.g. business plans etc. Think about the risk, e.g. "If we do not review and manage our budget there is a risk of overspending."

What type of risk is it? Corporate, operational, partnership or project?

What category is it? Political, economic, social, technological, legislative, environmental, competitive, customer/citizen, reputation, partnership.

When to think about risks? Consider risks when setting objectives, improving services, early stages of project/partnership planning etc.

2. Assess

How likely is it to happen? What would the impact be?

Likelihood x Impact = Risk rating

RISK RATING MATRIX

Likelihood          Impact:  1 Minor    2 Moderate   3 Significant   4 Serious   5 Major
Very likely    (5)           5 Low      10 Medium    15 Medium       20 High     25 High
Likely         (4)           4 Low      8 Medium     12 Medium       16 High     20 High
Possible       (3)           3 Low      6 Low        9 Medium        12 Medium   15 Medium
Unlikely       (2)           2 Low      4 Low        6 Low           8 Medium    10 Medium
Very Unlikely  (1)           1 Low      2 Low        3 Low           4 Low       5 Low

3. Plan & implement controls

What should be done to reduce the risk? Who owns the risk? What else do you need to do about it?

Rank risks in order of priority. Concentrate on high ranked risks first. Look at reducing the likelihood and impact. Options to control – tolerate / treat / transfer / terminate. Devise contingency plans for risks that remain high even with controls.

4. Monitor and Review

Are the controls effective? Has the risk changed? Is there something new?

Few risks remain static. Existing risks may change. New issues and risks may emerge.

3. WHAT IS RISK?

Wherever there is a decision or action to be taken, there lies a risk potential.

There are many definitions for ‘risk’ of which the following is just one example:

“Risk is the chance of something happening that will have an impact on objectives”

This means that risk can be seen as a negative threat or a positive opportunity.

A threat is anything that could hinder the achievement of business goals or the delivery of customer / stakeholder expectations. It’s not always a bad thing, as there is no activity without risk, it’s in the very nature of things. What is bad is when it’s a surprise and has an adverse impact on the whole enterprise or where there is an event that seriously affects a stakeholder.

Opportunities are often described as the added benefits arising from the implementation of the opportunity – benefits that are over and above the achievement of the original objective. Opportunities may be wider than this and encompass the opportunity to add benefit by deliberately taking risks through choice.

Some people confuse risk and hazard. A hazard is the source or origin of the event. For example, a swimming pool filled with sharks is a hazard. It is only when someone might fall in that it becomes a risk. There can be many hazards around, but it is only when people, systems, property etc are exposed to them that they become risky.

4. WHAT IS BUSINESS RISK MANAGEMENT?

Put simply, business risk management is the culture, organizational structure and ongoing processes of managing the risks around the provision of services or development of the local economy. It's about getting the right balance between innovation and change on the one hand and the avoidance of shocks and crises on the other, in a consistent and systematic way. Equally, risk management can also help to identify opportunities and to implement measures aimed at increasing the prospects of success.

A robust approach to risk management will help to manage risks so that:

There is an increased focus on what needs to be done to meet objectives
Resources are used better
Change programmes are better managed
Innovation is supported
Results are achieved first time of trying
Competitiveness is improved
Quality of service delivery is improved
The ability to justify actions taken is enhanced
Reputation is protected

KCC has published its Risk Management Strategy which describes the framework for managing risk. A key element of this is to have a consistent approach in how we identify and control risks through risk assessment. This is known as the process and is described in the following sections.

You might find it useful to use problem solving techniques as you proceed through the stages of the process.


5. RISK APPETITE / TOLERANCE THRESHOLDS

Before identifying and assessing risks, consideration should be given to the amount and type of risk that you can or are prepared to accept, tolerate, or be exposed to at any point in time. The level of risk that you are prepared to accept is known as your risk appetite. Within KCC there will be many different risk appetites due to the diverse range of activities. For example, there may be zero appetite for taking risks in relation to activities associated with child protection, whereas for new initiatives there will likely be a greater appetite for risk taking in order to bring about change. The level of risk appetite at any level will be dictated by the level of risk appetite at the next senior level. The levels of appetite that can be taken at any one level should be made clear and communicated. As a strict rule, the risk appetite at one level must never exceed that of any senior level. Working with defined risk appetites is a developing area, and where an appetite has not been confirmed it might be useful to use levels of authority as a guide.

The degree of residual risk you are prepared to accept forms the basis of your tolerance threshold and should be set below your risk appetite. Risks that exceed your pre-defined risk appetite should not be allowed to exist. Risks that exceed your tolerance threshold should be referred to senior management for instruction as to how to proceed. Risk appetite and tolerance thresholds are not always easy to describe and are easier to apply to financial, programme or project risks; however, by trying to describe and implement appetites and tolerance thresholds you will demonstrate increased governance over risks. Appendix 5 can be used as guidance.

6. PROCESS

There are four stages to the risk assessment process. They sit within the context of your objectives and your risk appetite / tolerance thresholds:

1. Risk Identification – What can happen? How could it happen?

2. Risk Analysis – Determine the likelihood/impact in order to estimate the level of risk.

3. Plan & Implement – Determine how to treat the risk.

4. Risk Monitoring – Monitor & review the effectiveness of controls and review the risk profile.


If you work with other organisations, contractors, partnerships etc you will probably find that they use a similar core process approach which helps simplify working across organisational boundaries. You will also find that a common language is used when referring to risks. See Appendix 2 for Glossary of Terms.

7. WHO SHOULD BE INVOLVED?

The best people to identify and control risks are those who are directly responsible for the activity. Ideally, the group identifying the risks should contain the risk ‘owner’ i.e. the person who will be responsible for actually designing and implementing controls and able to provide early warning of difficulties. Where activities and associated risks cut across other directorates, partners, external organisations, etc it may be prudent to consult with them where they can influence the level of risk, outcome or output.

8. WORKING THROUGH THE 4 STAGES OF THE RISK ASSESSMENT PROCESS

1 Identifying the risk

In order to manage risk it is necessary to know what risks exist or might occur. Understanding where risks might exist and how to deal with them helps to ensure that all the positive things we plan do happen and that we identify and prevent any of the negative things from occurring that could stop or cause us to revise these plans or cause harm.

When thinking about risks you can look at events such as the failure of a database, criminal prosecution, increase in demand for services or a process such as the management of health and safety, financial control or client care management.

First, set out the objectives of the activity to be examined. It may help to have key documents available such as the current annual business operating plan, medium term plan, project brief, performance indicators etc. Using these documents you can start to identify your risks.

You should think about risks in terms of:

Event → Consequence → Impact

For example: Break-in leads to theft of server, which leads to loss of data.

Or: Staff absence prevents compliance with statutory duties, resulting in clients not receiving critical services.

As you proceed through this process you will start to build up a list of risks.

Risks can be broken down into two categories – strategic and operational.


Strategic risks are those arising from major events which could impact across the whole of the Council, e.g. major overspend or serious damage to the reputation of the Council. Their sources of origin include:

Political
Economic
Social
Technological
Legislative
Environmental
Competitive
Customer/stakeholders

Operational risks are those arising from the day-to-day management of activities within directorates and are less likely to impact upon other directorates or the Council as a whole. Their sources of origin include:

Professional
Financial
Legal
Physical
Contractual
Technological
Environmental

Most risks will fall into the ‘operational’ category. The process for managing strategic and operational risks is identical; however, accountability for strategic risks lies with the Chief Executive Officer and the Chief Officers Group, whereas accountability for operational risks lies with directorate managers. To help facilitate discussion the above sources of risk are expanded in Appendix 1.

2 Risk Analysis & Evaluation

Having compiled a list of risks it is necessary to assess which of these are going to pose the greatest threat (or opportunity) and this is done by looking at both impact (what harm might result from the risk) and likelihood (chance of the risk occurring).

When assessing risks you are simply looking at what might happen, the chances of it happening and when. This assessment can be achieved through rating each risk. A 5x5 matrix is used for this purpose. By considering these factors and giving each risk a score you will quickly be able to rank these and identify which need early and closer attention.

RISK RATING MATRIX

Likelihood          Impact:  1 Minor    2 Moderate   3 Significant   4 Serious   5 Major
Very likely    (5)           5 Low      10 Medium    15 Medium       20 High     25 High
Likely         (4)           4 Low      8 Medium     12 Medium       16 High     20 High
Possible       (3)           3 Low      6 Low        9 Medium        12 Medium   15 Medium
Unlikely       (2)           2 Low      4 Low        6 Low           8 Medium    10 Medium
Very Unlikely  (1)           1 Low      2 Low        3 Low           4 Low       5 Low

Each risk identified should first be scored according to the potential level of likelihood and impact without controls to give the inherent risk value, and then again with existing controls in place and working to give the residual risk value (what is left). If there are no controls in place the residual risk can only be scored as you proceed through stage 3.

Risks will fall into three categories:

LOW      1 – 6
MEDIUM   8 – 15
HIGH     16 – 25

For example: Staff absence prevents compliance with statutory duties resulting in clients not receiving critical services

Inherent – Impact = 5 x Likelihood = 4: Risk ranking = 20 (HIGH)
Residual – Impact = 5 x Likelihood = 3: Risk ranking = 15 (MEDIUM)

Identified risks should be recorded. If you are dealing with one particular activity it may be appropriate to simply record details of risks within a risk assessment.

When recording risks across a range of activities a risk register should be prepared. Any entry within a register can also be supported by a risk assessment which sets out any barriers to success and describes controls in more detail to help monitor them. Templates are provided in Appendix 6 & 7 for this purpose.

An example of an entry within a risk register at business unit level may be:

Ref: No. 4
Source: Building is located in a high crime area
Event: Break in leads to theft of IT systems resulting in the loss of information
Planned Outcome: Secure site
Accountable Manager: Assistant Director
Existing Controls: intruder alarm system
New Task/Actions: –
Date: –
Inherent Rating: I = 3, L = 5, R = 15 (MEDIUM)
Residual Rating: I = 3, L = 3, R = 9 (MEDIUM)

When a risk is recorded it should be given a reference number. This reference number should remain with the risk until it no longer exists to provide an audit trail.
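To make the scoring rules concrete, the following is an added worked example in Python (not part of the KCC toolkit) that encodes the 5x5 matrix, the LOW/MEDIUM/HIGH bands, the inherent and residual scoring of the two examples given in this section, and the escalation rule of sections 8.3 and 9 (a residual HIGH score, or anything above the tolerance threshold, is referred to the next level of management). The default tolerance threshold of 15, the `RegisterEntry` fields, the source category for the staff absence example and the function names are this example's own assumptions.

```python
"""Scoring helpers for the toolkit's 5x5 likelihood x impact matrix (added example)."""
from dataclasses import dataclass

# Scale labels exactly as printed on the toolkit's RISK RATING MATRIX.
LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Very likely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Serious", 5: "Major"}

# Bands from section 8.2: LOW 1-6, MEDIUM 8-15, HIGH 16-25.
# A score of 7 can never occur: no two values in 1..5 multiply to 7.
BANDS = (("LOW", 1, 6), ("MEDIUM", 8, 15), ("HIGH", 16, 25))

# Section 8.3 suggests drawing the tolerance line where MEDIUM butts up
# against HIGH, so this example treats any score above 15 as exceeding it.
DEFAULT_TOLERANCE = 15


def risk_rating(impact: int, likelihood: int) -> int:
    """Likelihood x Impact = Risk rating; both inputs must be on the 1..5 scales."""
    if impact not in IMPACT:
        raise ValueError(f"impact must be 1..5, got {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be 1..5, got {likelihood!r}")
    return impact * likelihood


def risk_band(score: int) -> str:
    """Map a matrix score onto the toolkit's LOW / MEDIUM / HIGH bands."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"{score!r} is not a valid 5x5 matrix score")


def rating_matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """Rebuild the full matrix as {(likelihood, impact): (score, band)}."""
    return {(lk, im): (risk_rating(im, lk), risk_band(risk_rating(im, lk)))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RegisterEntry:
    """One row of a business-unit risk register (fields as in section 8.2)."""
    ref: str
    source: str
    event: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int
    existing_controls: tuple[str, ...] = ()


def assess(entry: RegisterEntry, tolerance: int = DEFAULT_TOLERANCE) -> dict:
    """Score without controls (inherent) and with controls (residual), then
    apply the escalation rules of sections 8.3 and 9."""
    inherent = risk_rating(entry.inherent_impact, entry.inherent_likelihood)
    residual = risk_rating(entry.residual_impact, entry.residual_likelihood)
    # Assumption of this example: controls cannot make a risk worse, so a
    # residual score above the inherent score is rejected as a recording error.
    if residual > inherent:
        raise ValueError(f"{entry.ref}: residual {residual} exceeds inherent {inherent}")
    residual_band = risk_band(residual)
    # Section 9: residual HIGH (16+) is referred to the next level of management;
    # section 8.3: so is any risk above the tolerance threshold.
    escalate = residual_band == "HIGH" or residual > tolerance
    return {"ref": entry.ref,
            "inherent": (inherent, risk_band(inherent)),
            "residual": (residual, residual_band),
            "escalate": escalate}


def prioritise(entries: list[RegisterEntry],
               tolerance: int = DEFAULT_TOLERANCE) -> list[dict]:
    """Rank by residual score, highest first (section 8.3: concentrate on
    high ranked risks first), so the 'top 10' can be read off the front."""
    return sorted((assess(e, tolerance) for e in entries),
                  key=lambda r: r["residual"][0], reverse=True)


# The two examples from the toolkit text, entered as register rows. The
# 'source' for the staff absence example is chosen here (Appendix 1 lists
# sickness management under Human Resources); it is not stated on the page.
STAFF_ABSENCE = RegisterEntry(
    ref="example", source="Human Resources",
    event="Staff absence prevents compliance with statutory duties "
          "resulting in clients not receiving critical services",
    inherent_impact=5, inherent_likelihood=4,
    residual_impact=5, residual_likelihood=3)
BREAK_IN = RegisterEntry(
    ref="No. 4", source="Building is located in a high crime area",
    event="Break in leads to theft of IT systems resulting in the loss of information",
    inherent_impact=3, inherent_likelihood=5,
    residual_impact=3, residual_likelihood=3,
    existing_controls=("intruder alarm system",))

if __name__ == "__main__":
    for row in prioritise([BREAK_IN, STAFF_ABSENCE]):
        print(row)  # staff absence (15 MEDIUM) ranks above the break-in (9 MEDIUM)
```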

3 Risk Control

Having identified and assessed a risk it is then necessary to decide on what initial or further action needs to be taken to control it or overcome barriers to ensure you achieve your objective. The residual rating attributed to each risk should be rescored on the assumption that the controls have been implemented and are effective. Those risks with HIGH residual scores will need early and closer attention and should be addressed as a priority. It may be that some high risks will remain HIGH even with controls in place. These risks should be considered against your risk appetite and tolerance thresholds. The level of tolerance should be established if not already done. For example, the risk tolerance line could be set where MEDIUM risks butt up against HIGH risks on the 5x5 matrix. Any risks that exceed this tolerance threshold should be referred immediately to the next level of management for guidance. Risks beyond the tolerance threshold can only be accepted with the permission of the next level of management.


Only a workable number of risks should be focused upon at any one time - probably anything up to 10. Hopefully there won’t be many HIGH risks in which case MEDIUM risks can also be considered. Any remaining risks can be dealt with as more immediate risks drop out of the top 10 once appropriate controls have been introduced and are working. As part of this process you should identify which of the controls are more critical in terms of their effectiveness. It may be helpful to list controls in order of their criticality.

Although those risks requiring early or closer attention have been identified there may be other risks that are suitable for a “quick fix” and can be quickly and easily controlled. These should be dealt with if possible particularly where they will have a real impact upon the overall effectiveness of control measures.

The courses available to control risks are set out below. Having evaluated the level of risk, ask whether it can be accepted with the existing level of controls (yes or no) and then decide on the action:

Tolerate – Do nothing special and continue as planned. The ability to do anything may be limited or the cost of taking action may be disproportionate to the potential benefit gained.

Treat – Introduce control procedures to increase the chance of success.

Transfer – Share the exposure of risk with insurance or contractor. The relationship with a contractor needs to be carefully managed as it may not be possible to fully transfer all risks and some aspects might remain, such as reputational risk.

Terminate – Withdraw from the activity if possible.

Controlling risks will be a process of reducing ‘impact’ and / or ‘likelihood’.

Suggested controls might include:

Controls that reduce impact:
Business continuity plans
Contractual agreement
Fraud control planning
Good public relations
Minimising exposure to the source of risk

Controls that reduce likelihood:
Contract conditions
Process controls and inspections
Project management
Preventative maintenance
Effective internal controls
Supervision
Structured training programme

Any controls should always be proportional to the risk and ‘over control’ avoided. Loss control initiatives can be expensive and time consuming to initiate and it is therefore important to try and ensure that they are likely to be successful and will not cost more than the losses they are designed to avoid or mitigate.

Controls should be clearly described to avoid ambiguity, and any obstacles or barriers that might arise and affect them should be explored along with early warning indicators. Controls should be recorded in order of their criticality to the achievement of the outcome, for ease of identification.

Target dates for completion of aspects of control, reporting of progress etc should be made clear and recorded where possible.

Some risks might seem too difficult to tackle because they are controversial, political, too big or too specialist. These should not be avoided but dealt with in a positive but proportional way by considering factors such as the opportunity to improve them, ease of improvement, cost of improvement and breadth of community affected.

Even with controls some degree of residual risk may remain in which case business continuity plans might need to be considered to reduce impact and ensure that the service can function even if something awful is happening. See Appendix 3

4 Risk monitoring and review

Few risks remain static and it is important to know and understand what is happening. This can be achieved through regularly monitoring progress and formally reviewing risks in order to:

Gain assurance that progress is being made towards controlling risks and on the effectiveness of controls
Monitor changes to the risk profile brought about by circumstances and business priorities, e.g. new legislation

A suggested monitoring period might be every three months with a more formal review period annually. The frequency will be dependent on the circumstances and environment around the risks. Within a rapidly changing environment monthly monitoring and three monthly reviews may be more appropriate.

When monitoring and reviewing risks you need to be clear about how this is to be undertaken. It may help to develop a set of questions, for example:

Are the key risks still relevant?
Have some risks become issues?
Has anything occurred which could impact upon them?
Has the risk appetite or tolerance levels changed?
Are performance / early warning indicators appropriate?
Are the controls in place effective?
Have risk scores changed and if so are they decreasing or increasing?
If risk profiles are increasing what further controls might be needed?
If risk profiles are decreasing can controls be relaxed?

Where objectives have not been achieved or are not on course to be achieved the cause(s) should be investigated to inform and improve the risk assessment process. At the next formal review of the risk the rating attributed to the risk should again be considered. At this stage you may wish to review your risk appetite or tolerance levels to ensure they remain appropriate. The review and monitoring process of risks should be integrated into existing organisational and business planning processes so that it adds value and supports the successful achievement of objectives and not just seen as a “bolt on”.

9. ESCALATING RISKS

There will be occasions when risks should be shared with more senior managers. These will automatically include risks that exceed your tolerance thresholds. Residual risks that are rated as HIGH, i.e. with a combined score of 16+, should also be referred up to the next level of management to advise upon the appropriate level of control. ‘HIGH’ residual rated risks should not remain without the permission of the next senior level of management.

Directorate management teams should have in place a process which allows for risks at any level to be escalated upwards to enhance their level of control.

Escalation route: Business unit risk register → Service unit risk register → Directorate risks

Where a risk is escalated to a more senior level it should be considered along with all other risks at this new level and possibly included within the higher level risk register.

Using a system whereby risks can be escalated allows senior managers to better target their attention and resources towards key activities.

10. EARLY WARNING INDICATORS


The sooner you know something is not going to plan or events are happening around you that will impact upon objectives the quicker you will be able to take corrective action and get back on target or amend your course of action / priorities to reflect changing circumstances.

Early warning indicators are used as a way of measuring change in local critical areas so that if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be triggered. To be effective they need to be monitored on a regular basis and the findings presented in such a way that the information can be quickly assimilated.

Early warning indicators should be specific to the risk and should not be confused with Key Performance Indicators.

Indicators should be reviewed and updated to ensure they remain appropriate.

When establishing an indicator you should establish from the outset what information is to be collected, the reporting frequency and trend or tolerance thresholds.

Early warning indicators can be applied to strategic and operational risks. For operational risks they can be set to measure activity such as:

Achievement of service quality levels
Achievement of volume targets
Achievement of time targets
Achievement of revenue targets
Levels of safety incidents or injury
Achievement of key milestones
Delivery of planned activities on time and on budget

Points to consider when establishing / reviewing indicators:

Are all critical business systems clearly defined?
Do early warning indicators exist for critical business systems?
Do early warning indicators exist for programmes and projects?
Do early warning indicators exist for operational activities?
Is there a balanced set of indicators, including financial indicators?
Are indicators examined on a regular cycle by decision makers with the authority to take corrective action?
Are the results of monitoring early warning indicators presented in a concise, consistent manner so that the impact of the information is readily understood?
Are the indicators updated to reflect changes within the activity?
Are the indicators inward and outward looking?

Early warning indicators can also be used to identify opportunities.

11. RISK ASSESSMENTS

Although there are some similarities in the information recorded within risk assessments and risk registers both documents actually serve a specific purpose. Risk assessments tend to look at one particular element of a risk recorded against an objective in detail and its associated controls whereas registers summarise risks and their controls across a project, unit or directorate. It may be necessary to complete a number of risk assessments to support a single objective especially where elements may be under the control of different teams.


Risk assessments should be used to assess the level of risk associated with the objective and inform the process for refreshing risk registers.

All risk assessments associated with objectives within business plans should be kept updated throughout the year as necessary. They will also be used by Internal Audit to inform the Annual Audit Programme, provide the basis for testing the extent and effectiveness of controls, and provide evidence that the risk management methodology is being complied with.

Key project and partnership risks should be included within this process as they will have their sources of origin in business objectives.

12. RISK REGISTERS

Risk registers provide an immediate record of all the identified risks, key controls and their status resulting from their assessment in terms of likelihood and impact across a wider pool of risks.

Risk registers should be monitored by management teams. Risks included within directorate registers should be closely monitored by senior management teams.

The critical risks that can affect the Council as a whole should be recorded within the Strategic Risk Register which is monitored by Directorate Resource Managers on behalf of the Chief Officer Group which is made up of the Chief Executive and Managing Directors of the Council.

13. SUMMARY

Working through this toolkit provides a simple basic methodology to help identify and manage business threats and opportunities that might arise.

It is important to ensure that continuous risk assessment feeds into any decision making and therefore business process.

It may be helpful to understand how managing risk through this process fits in with the overall framework for managing risk throughout the Council. Details of this can be found in the document ‘Risk Management Strategy’.

If you would like further advice about the risk management process contact the Corporate Risk & Insurance Manager or your directorate lead officer for risk management.

APPENDIX 1 – SOURCES OF RISK

The examples given are neither prescriptive nor exhaustive.

SOURCES OF STRATEGIC RISK (PESTLE – expanded)

Definition – Risks that may be potentially damaging to the achievement of KCC’s objectives.

Political – Associated with the failure to deliver either local or central government policy, or to meet the local administration’s commitment. Examples of nature of risk:
Wrong political priorities
Decision based on incorrect information
Not meeting government agenda
Unfulfilled promises to electorate
Too slow or failure to modernise
Community planning oversight/errors

Economic – Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (e.g. interest rates, inflation etc) or the consequences of proposed investment decisions. Examples of nature of risk:
General/regional economic problems
High cost of capital
Treasury risk
Missed business and service opportunities

Social – Relating to the effects of changes in demographic, residential or socio-economic trends on the Council’s ability to deliver its objectives. Examples of nature of risk:
Failing to meet the needs of disadvantaged communities
Failures in partnership working
Problems in delivering life-long learning
Impact of demographic change
Crime and disorder

Technological – Associated with the capacity of the Council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failure on the Council’s ability to deliver its objectives. Examples of nature of risk:
Obsolescence of technology
Breach of confidentiality
Hacking or corruption of data
Failure in communications

Legislative – Associated with current or potential changes in national or European law. Examples of nature of risk:
Inadequate response to new legislation
Judicial review
Intervention by regulatory bodies and inspectorates
Human Rights Act breaches

Environmental – Relating to the environmental consequences of progressing the Council’s strategic objectives (e.g. in terms of energy, efficiency, pollution, recycling, landfill requirements, emissions etc). Examples of nature of risk:
Impact of Local Agenda 21 policies
Impact of planning & transportation policies
Noise, contamination and pollution

Competitive – Affecting the competitiveness of the service (in terms of quality or cost) and / or its ability to deliver Best Value. Examples of nature of risk:
Take over of services by government agencies
Failure of bids for government funds
Failure to show best value

Customer / citizen – Associated with the failure to meet the current and changing needs and expectations of customers and citizens. Examples of nature of risk:
Lack of appropriate consultation
Bad public and media relations

SOURCES OF OPERATIONAL RISK

Those risks that may be encountered in the day to day provision of services.

Professional: Associated with the particular nature of each profession. Examples of nature of risk:
Inefficient/ineffective management processes
Lack of business continuity plan
Inability to implement change
Non achievement of Best Value
Lack of control over changes to service provision
Bad management of partnership working
Inadequate consultation with service users
Failure to manage and retain service contracts
Failure to communicate effectively with employees
Poor management of externally funded projects

Financial: Associated with financial planning and control and the adequacy of insurance arrangements. Examples of nature of risk:
Failure of major projects
Failure to prioritise, allocate appropriate budgets and monitor
Ineffective/inefficient processing of documents
Missed opportunities for income/grants
Inadequate control over expenditure
Inadequate insurance cover
Inadequate control over income

Legal: Related to possible breaches of legislation. Examples of nature of risk:
Not meeting statutory duties/deadlines
Failure to implement legislative change
Failure to comply with European directives on procurement of works, supplies and services
Misinterpretation of legislation
Exposure to liability claims, e.g. motor accidents, wrongful advice
Breach of confidentiality/Data Protection Act

Physical: Related to fire, security, accident prevention and health and safety. Examples of nature of risk:
Violence or aggression
Loss of physical assets
Non compliance with Health & Safety legislation
Criminal damage to assets, e.g. vandalism
Injury at work
Failure to maintain and upkeep land and property
Loss of intangible assets

Contractual: Associated with the failure of contractors to deliver services or products to the agreed cost and specification. Examples of nature of risk:
Non compliance with procurement policies
Poor selection of contractor
Over reliance on key contractors/suppliers
Poor contract specification, deficiencies
Failure of outsourced provider to deliver
Inadequate contract terms & conditions
Failure to monitor contractor
Quality issues

Technological: Relating to reliance on operational equipment (e.g. IT systems or equipment) or machinery. Examples of nature of risk:
Failure of big technology related project
Breach of security of networks and data
Crash of IT systems affecting service delivery
Failure to comply with IT Security Policy
Lack of disaster recovery plans
Bad management of intranet / website

Environmental: Relating to pollution, noise or energy efficiency of ongoing service operation. Examples of nature of risk:
Impact of Local Agenda 21 policies
Noise, contamination and pollution
Crime & Disorder Act implications
Inefficient use of energy and water
Incorrect storage/disposal of waste
Damage caused by trees, tree roots etc

Human Resources: Associated with staffing issues (e.g. recruitment / retention, sickness management, change management, stress related risk analysis). Examples of nature of risk:
Capacity issues
Failure to comply with employment law
Over reliance on key officers
Poor recruitment / selection processes
Failure to recruit/retain qualified staff
Lack of training
Lack of employee motivation/efficiency
Lack of succession planning

Glossary of Terms APPENDIX 2

Benefits: The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.

Business Continuity Plan: A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams.

Business risk: A threat to the achievement of a business objective / benefit.

Consequence: The outcome of an event.

Contingency: An action or arrangement that can be put into place to minimise the impact of a risk should it occur.

Control (control measures): Any action, procedure or operation undertaken to contain a risk to an acceptable level.

Corporate Governance: The method by which an organisation directs and controls its functions and relates to its community.

Early warning indicator: A measure to identify a trend.

Hazard: A description of the source of the risk, i.e. the event or situation that gives rise to the risk. Also known as source of risk.

Identifying risks: The process by which events that could affect the achievement of objectives are analysed, described and listed.

Impact: The result of a particular threat or opportunity actually occurring.

Inherent risk: The exposure arising from a specific risk before any risk controls have been applied.

Issue: An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk, which has not yet occurred or might not occur).

Likelihood: The evaluated likelihood of a particular threat or opportunity actually happening.

Mitigation (plan): A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.

Objective: Something worked towards or striven for; a goal.

Operational risks: Risks associated with the day-to-day issues that an organisation might face as it delivers its services.

Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.

Outcome: The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived and are achieved as a result of the activities undertaken to effect the change.

Periodic review: A review that occurs at specified regular time intervals.

Project risks: Risks associated with a specific activity which has defined goals, objectives, requirements, a life cycle, a beginning and an end.

Proximity (of risk): The time factor of a risk, i.e. risks will fall due at particular times, and the severity of their impact will vary depending on when they occur.

Residual risk: The risk remaining after the risk control has been applied.

Responsible manager: Manager who has responsibility for taking specified action.

Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. This could be an opportunity as well as a threat.

Risk appetite: The level of residual risk that the Council is prepared to accept, tolerate or be exposed to at any point in time.

Risk evaluation: The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.

Risk identification: Determination of what could pose a risk; a process to describe and list sources of risk (threats and opportunities).

Risk management: The culture, organisational structure and ongoing processes for the management of risk.

Risk prioritisation matrix: The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk.

Risk owner: A role or individual responsible for the management and control of all aspects of individual risks, who has authority to implement the measures required. May also be known as Accountable Manager.

Risk perception: The way in which a risk is viewed based on a set of values or concerns.

Risk profile: Describes the types of risk faced by an organisation and its exposure to these risks.

Risk source: A description of the source of the risk, i.e. the event or situation that gives rise to the risk.

Risk register: A record of all identified risks relating to an area of activity which includes their status and mitigating controls.

Risk strategy: The overall organisational approach to risk management.

Risk tolerance: The threshold of risk exposure which, with appropriate approvals, can be exceeded but which, when exceeded, will trigger some form of response (e.g. reporting the situation to senior management for action).

Strategic risks: Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Council.

Terminate: A risk response to a threat. A deliberate decision to stop an activity which generates a risk.

Threat: An uncertain event that could have a negative impact on objectives or benefits.

Tolerate: A response to a threat. A deliberate decision to retain the threat.

Transfer: A risk response to a threat whereby a third party takes on the responsibility for an aspect of the threat.

Treat: A risk response to a threat. Proactive actions are taken to reduce the threat.


Appendix 3 BUSINESS CONTINUITY PLANNING

The likelihood of some risks occurring remains high even with controls in place. Where these risks may also have a high impact an action plan should be devised to cope with the event to restore services that support and are provided by the Council. In such cases Business Continuity Planning (BCP) should be considered.

Business continuity planning (BCP) is one of the ways in which high impact risks can be managed. Its purpose is to enable managers to plan how they will respond, both immediately and in the longer term, should there be a major disruption or interruption to their service. The BCP process provides an early opportunity to identify single points of failure and other weak points that may jeopardise service delivery.

Having a plan will enable you to better manage those risks where it is extremely difficult to reduce the impact should the event occur. These are probably the risks where impact and probability produce a combined rating of 20 or more using the KCC risk ranking matrix.

Should an event occur it may be your responsibility to get a service back operational as quickly as possible, identify and implement interim arrangements, communicate with those that may be affected etc. For example how do you tell your staff about the event, how do you tell the community or clients that you cannot provide their service that day or for a longer period, how do you meet important deadlines, what are your critical systems, suppliers and services, who might be expected to provide physical help, advice etc and how do you get in contact? These are just examples of some of the questions that you may need to deal with.

It is essential that you are able to respond sensibly and with minimum wasted effort and resources. This can be best achieved by planning your response in advance with your business continuity team. Going through a business impact analysis will illustrate where the risks are highest and the potential impacts greatest. This will then enable you to identify potential problems and guard against them developing into even greater disruptions through measured planning.    

Possible areas for consideration might include the following main events or causes, and their results:

Loss of premises / access to premises
Breach of confidentiality
Failure / corruption of IT
Continuity of support from suppliers
Loss of key documentation / data
Loss of skills / people
Failure to comply with legal obligations
Creation of legal liabilities
Financial loss
Loss of reputation or public confidence
Failure to deliver a service
Failure to respond to an event
Impact on stakeholders

It may not be possible to predict the actual nature of the event that may cause the disruption, but by thinking about your response in advance you should be able to use and adapt this information to inform your actions. You should also remember that you may not be dealing with a crisis in isolation, and those officers or contractors upon whom you rely within your own plan may themselves be in a similar situation.

When preparing a plan it should address the procedure to recover functionality within a defined time frame, dependent upon the Council's need. Managers are used to making decisions in response to ad hoc events, and it might be more helpful if the plan is kept quite simple, with key points identified to prompt action along with details of who to contact for assistance outside of your own team. For example, finance managers are best placed to assist with making decisions on the release of funding and payment of invoices in an emergency, Corporate Communications can deal with media management, Personnel & Development can advise on staffing issues, ISG can advise on IT, and so on.

KCC is reliant upon many other organisations and contractors to help deliver its services. Where there is a dependency upon any of these it may be appropriate to ensure that they too have a plan to deal with any disruption and that it supports your own response.

Once you have a plan you will need to ensure that it is regularly reviewed, tested and accessible in an emergency.

If you would like to find out more about preparing a business continuity plan please contact KCC’s business continuity advisers on 01622 221974 or 01622 694803


Appendix 4

PARTNERSHIPS

Partnership working is playing an increasingly important role in our policy development and service delivery. In recent years, the focus for many public, private, voluntary and community organisations has been on the opportunities offered by partnership or joint working arrangements. Indeed, many new funding sources relating to a wide range of issues can only be accessed by the demonstration of multi-partner approaches.

Working in partnership usually means committing resources such as officer time or direct funding to develop and deliver desired outcomes. It may not be easy and, whilst there are opportunities there are also risks. It is therefore important to understand and manage these in so far as they affect both the partnership and Council. The assessment of risks within partnerships therefore needs to be inward and outward looking. Risks to the partnership should be assessed and recorded within the partnership risk registers whereas risks to the Council should be assessed and recorded in directorate risk registers as appropriate.

To help officers maximize the opportunities of working within partnerships and managing the associated risks a guide has been prepared and is available on KNET by searching under Risk Management.

The guide includes advice on:

how to define a partnership

how partnership working is managed both strategically and within individual partnerships,

why there is a need to enter into a partnership,

how to set one up, and

how to understand the risks and their impact upon the Council and individuals.

The focus of the guide is currently on risk within partnerships and aims to set out a consistent approach to the risk management of key partnerships including the development, establishment, management and monitoring of partnerships. It is not intended to be prescriptive but demonstrate good practice. The process must be proportionate to the risks that each partnership poses to KCC. For the more complex partnerships specialist legal, financial and tax advice should be sought to ensure that your partnership is properly structured to deliver your objectives.


Appendix 5

Risk Rating Matrix

Each cell is Impact x Likelihood, followed by its rating (Low, Medium or High). Rows are likelihood, columns are impact.

                          Impact
Likelihood                1 Minor   2 Moderate   3 Significant   4 Serious   5 Major
Very likely      5        5 Low     10 Medium    15 Medium       20 High     25 High
Likely           4        4 Low     8 Medium     12 Medium       16 High     20 High
Possible         3        3 Low     6 Low        9 Medium        12 Medium   15 Medium
Unlikely         2        2 Low     4 Low        6 Low           8 Medium    10 Medium
Very unlikely    1        1 Low     2 Low        3 Low           4 Low       5 Low

Likelihood Assessment Matrix

Factor / Score / Indicators

Very likely / 5 / Regular occurrence. Circumstances frequently encountered, i.e. daily/weekly/monthly. The risk is current and is almost certain to happen within the next twelve months.

Likely / 4 / Circumstances occasionally encountered (once/twice a year). Likely to happen at some point within the next 1-2 years.

Possible / 3 / Has happened in the past. Reasonable possibility it will happen within the next 3 years.

Unlikely / 2 / May have happened in the past. Unlikely to happen in 3+ years.

Very unlikely / 1 / Has happened rarely/never before.


Impact Assessment Matrix

Suggested areas that might be impacted upon, along with examples of potential risks. These can be used or added to as necessary. For each score the columns are: Effect on Service; Reputation; Financial & Resources; Compliance with law / contracts; People; Effect on project objectives.

Major / 5
Effect on Service: Complete breakdown in service delivery with severe, prolonged impact on customer service affecting the whole organisation. Failure of a strategic partnership.
Reputation: A vote of no confidence in one service area. Substantial adverse national media leading to Officer(s) and/or Elected Member(s) forced to resign and/or Audit Commission enquiry. A substantial failure in accountability or integrity.
Financial & Resources: A large financial loss, over 50% of budget. Total loss of a critical building.
Compliance with law / contracts: Litigation leading to sizeable increase in responsibilities. Multiple civil uninsured or criminal actions with payments / fines above £150k.
People: Death of several people.
Effect on project objectives: Complete failure of a project.

Serious / 4
Effect on Service: Intervention in a key service. Disruption to service delivery for one or more directorates for 3-5 days. Failure of an operational partnership.
Reputation: Criticism of a key process. Large scandal. High level of complaints at the corporate level across several service areas. National adverse publicity / bad press.
Financial & Resources: Sizeable financial loss, up to 50% of budget. Extensive damage to a critical building or considerable damage to several properties from one source.
Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of £50k-£150k.
People: RIDDOR reportable major injuries to several people, or death of an individual.
Effect on project objectives: Extreme delay.

Significant / 3
Effect on Service: Widespread disgruntlement. Disrupted service delivery from one directorate for up to 3 days. Can handle, but with difficulty.
Reputation: Criticism of an important process/service. Local bad press.
Financial & Resources: Inability to deliver popular policies due to budgetary constrictions. Substantial damage to one part of a critical building.
Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of £25k-£50k.
People: RIDDOR reportable major injury to an individual.
Effect on project objectives: Important impact on project or most of expected benefits. Considerable slippage. Possible impact on overall finances / programme.

Moderate / 2
Effect on Service: Small setback, management headache. Disruptive impact on service at business unit level. Localised disgruntlement.
Reputation: Embarrassment contained within the Directorate. Criticism of a secondary process/service.
Financial & Resources: Noticeable financial loss. Slight damage to one property.
Compliance with law / contracts: Low value / high volume litigation. Departmental fine of £5k-£25k.
People: Superficial first aid injuries or discomfort to more than one person.
Effect on project objectives: Adverse effect on project. Slippage requires review of finances / short term programme.

Minor / 1
Effect on Service: Small impact on customer service which may result in complaints to the business unit. Nuisance. Disgruntlement by a few.
Reputation: Embarrassment contained within the business unit.
Financial & Resources: Small financial loss. Negligible property damage.
Compliance with law / contracts: Low value / volume litigation. Departmental fine below £5k.
People: Superficial first aid injury or discomfort to an individual.
Effect on project objectives: Minimal impact on project. Minor slippage.

RM:Toolkit Rev.2009


RISK REGISTER Appendix 6

Columns of the register (one row per risk):
Ref
Source
Event
Planned Outcome
Accountable Manager
Existing Controls
New Tasks/Actions
Date
Inherent rating: I = impact, L = likelihood, R = rating (I x L)
Residual rating: I = impact, L = likelihood, R = rating (I x L)

Each blank row of the form carries "I= L= R=" under both the inherent and the residual rating columns.


Managing Business Risks - Risk Assessment Appendix 7

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity

KCC Directorate / Unit : CED Personnel & Development

Business/Service Objective:

To ensure that employees, visitors and contractors remain safe whilst on KCC property

Completed by: J Smith Personnel Manager

Date completed: 01.04.2009

Risk Ranking Matrix: as Appendix 5 (Impact x Likelihood, rated Low, Medium or High)

Risk No. 6 (EXAMPLE)

Challenges to the achievement of the business objective (Risks):
Health and safety risk management controls are appropriate and implemented
Contractors manage their activities so as not to cause harm to themselves or others

Assessment of Inherent Risk, with NO controls in place:
Impact (Severity) 4, Likelihood (Probability) 4, Risk Rating 16 HIGH

Risk Control Measures. What can be done to reduce the threat to the achievement of the business/service objective?

List your existing control measures:
Health & safety policy developed and implemented
Local Health & safety representatives
Contractors required to provide evidence of appropriate health & safety procedures

List what else could be done to reduce the risk further:
Programmed auditing of KCC and contractors' health & safety procedures
Improved training and promotion of health & safety

Assessment of Residual Risk, with all control measures implemented (the form shows two residual rows):
Impact (Severity) 3, Likelihood (Probability) 3, Revised Risk Rating 9 MED
Impact (Severity) 3, Likelihood (Probability) 2, Revised Risk Rating 6 LOW
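The Appendix 5 matrix and the Appendix 7 example can be expressed as a small scoring routine, which also lets a register be checked for the inconsistencies a reviewer looks for (a residual score higher than the inherent one, a reduction with no controls recorded, an inherent score at or above the Appendix 3 continuity threshold). This is an added example, not part of the KCC toolkit or its forms. The band thresholds (Low up to 6, Medium 8 to 15, High 16 and above) are read off the printed matrix and the code verifies that reading against a transcription of every cell; the "20 or more" trigger is the one Appendix 3 gives. The function and class names (rate, band, RiskEntry, review) and register row 7 are the example's own inventions; row 6 reproduces the Appendix 7 figures.

```python
"""Added example (not part of the KCC toolkit): 5x5 risk scoring plus register checks.

Score = impact x likelihood, each on 1..5. Bands are read off the Appendix 5
matrix; the 'combined rating of 20 or more' continuity trigger is Appendix 3's.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# The matrix as printed in Appendix 5, transcribed here as reference data:
# keys are likelihood 5..1, list positions are impact 1..5.
PRINTED_MATRIX = {
    5: ["Low", "Medium", "Medium", "High", "High"],
    4: ["Low", "Medium", "Medium", "High", "High"],
    3: ["Low", "Low", "Medium", "Medium", "Medium"],
    2: ["Low", "Low", "Low", "Medium", "Medium"],
    1: ["Low", "Low", "Low", "Low", "Low"],
}
BCP_TRIGGER = 20  # Appendix 3: a combined rating of 20 or more calls for continuity planning


def band(score: int) -> str:
    """Band a product score the way the printed matrix does.

    No product of two integers in 1..5 equals 7, 11, 13 or 14, so the
    thresholds 6 and 15 never split two cells that carry the same score.
    """
    if score <= 6:
        return "Low"
    if score <= 15:
        return "Medium"
    return "High"


def rate(impact: int, likelihood: int) -> Tuple[int, str]:
    """Return (score, band); reject values outside the 1..5 scales."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    score = impact * likelihood
    return score, band(score)


def matrix_matches_printed() -> bool:
    """True if band() reproduces every cell of the printed matrix."""
    return all(
        band(impact * likelihood) == PRINTED_MATRIX[likelihood][impact - 1]
        for likelihood in PRINTED_MATRIX
        for impact in range(1, 6)
    )


@dataclass
class RiskEntry:
    """One register row with inherent and residual (impact, likelihood) pairs."""
    ref: str
    risk: str
    inherent: Tuple[int, int]
    residual: Tuple[int, int]
    controls: List[str] = field(default_factory=list)

    def inherent_rating(self) -> Tuple[int, str]:
        return rate(*self.inherent)

    def residual_rating(self) -> Tuple[int, str]:
        return rate(*self.residual)

    def problems(self) -> List[str]:
        """Consistency checks a reviewer would apply before accepting the row."""
        found = []
        inh, res = self.inherent_rating()[0], self.residual_rating()[0]
        if res > inh:
            found.append(f"{self.ref}: residual score {res} exceeds inherent {inh}")
        if res < inh and not self.controls:
            found.append(f"{self.ref}: score reduced but no controls recorded")
        if inh >= BCP_TRIGGER:
            found.append(f"{self.ref}: inherent {inh} >= {BCP_TRIGGER}, business continuity plan needed")
        return found


def review(register: List[RiskEntry]) -> List[str]:
    """Run the row checks over a whole register and collect the findings."""
    return [p for entry in register for p in entry.problems()]


# Constructed register: row 6 reproduces the Appendix 7 example (4x4 inherent,
# 3x3 residual with existing controls); row 7 is invented to trip the checks.
EXAMPLE_REGISTER = [
    RiskEntry("6", "Contractors manage their activities so as not to cause harm",
              (4, 4), (3, 3),
              ["Health & safety policy", "Local H&S representatives",
               "Contractors provide evidence of H&S procedures"]),
    RiskEntry("7", "Crash of IT systems affecting service delivery", (5, 4), (5, 5)),
]

if __name__ == "__main__":
    print("matrix reproduced:", matrix_matches_printed())
    for entry in EXAMPLE_REGISTER:
        print(entry.ref, entry.inherent_rating(), "->", entry.residual_rating())
    for finding in review(EXAMPLE_REGISTER):
        print("CHECK:", finding)
```

Running the block prints the Appendix 7 row as (16, 'High') reducing to (9, 'Medium'), and flags the invented row 7 twice: its residual 25 is higher than its inherent 20, and an inherent of 20 is at the continuity threshold. Keeping the printed matrix as data rather than trusting the thresholds alone is deliberate: if the Council ever re-bands a cell, the check fails rather than silently scoring against the old table.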


Managing Business Risks - Risk Assessment (blank form)

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity

KCC Directorate / Unit:
Business/Service Objective:
Completed by:
Date completed:

Risk Ranking Matrix: as Appendix 5 (Impact x Likelihood, rated Low, Medium or High)

Columns of the form:
Risk No.
Challenges to the achievement of the business objective (Risks)
Assessment of Inherent Risk with NO controls in place: Impact (Severity), Likelihood (Probability), Risk Rating
Risk Control Measures. What can be done to reduce the threat to the achievement of the business/service objective? (List your existing control measures; list what else could be done to reduce the risk further)
Assessment of Residual Risk with all control measures implemented: Impact (Severity), Likelihood (Probability), Revised Risk Rating
