
Risk Management Strategy 2023-26

Rushcliffe Borough Council Risk Management Strategy 2023 - 2026

Published: March 2023

Next Review due April 2026

Contents

1. Introduction

1.1 Overview

1.2 Statement of Commitment

1.3 Funding

1.4 Sources of Assurance

2. Risk Management Process

2.1 Overview

2.2 Identification

2.3 Analysis

2.4 Control

2.5 Monitoring and Review

2.6 Risk Appetite

2.7 Opportunity Risk

2.8 Project Risk

3. Roles and Responsibilities

3.1 Overview

4. Terms of Reference: Risk Management Group

4.1 Overview

4.2 Membership

4.3 Objectives

Appendix A: Assurance Framework

Appendix B: Risk Tolerance Thresholds

1. Introduction 

1.1 Overview 

This strategy outlines Rushcliffe Borough Council’s approach to risk management. It has been developed to ensure that areas of risk are identified and appropriate remedial action is considered.

Rushcliffe Borough Council considers Risk Management to be a series of coordinated actions seeking to control and mitigate risks, bringing the negative consequences of such risks within tolerable levels, or maximising the potential of opportunity risks being realised. The Council recognises that only risks that are properly identified can be effectively addressed.

Failure to pay attention to the likelihood and impact of risks can have significant consequences. These can include endangering public health, reputational damage, financial costs, compensation claims and disruption to critical services. The effective management of risk is therefore a critical part of Rushcliffe Borough Council’s approach to delivering services and maintaining high levels of performance.

The Council operates three risk registers: one for Strategic Risks, a second for Operational Risks and a third for Opportunity Risks (specific project risks are maintained within the Project Management Framework). The Strategic Risk Register contains high level risks specifically related to the achievement of the organisation's corporate objectives, including risks associated with future business plans and strategies. The Operational Risk Register contains service-based risks that affect an individual business unit, or those risks associated with inadequate or failed internal processes, people or systems. Opportunity Risks are those associated with the positive gains or benefits of a specific course of action.

The Council has embedded risk management into its cultures, processes and structures to ensure that opportunities are maximised and risk minimised. This Strategy will enable the Council to develop risk management further through its effective use in management and decision-making processes.

The Council recognises that there are risks involved in everything it does and that it has a duty to manage these risks efficiently and effectively. This duty is to staff, residents, service users, partners, contractors and funding agencies.

1.2 Statement of Commitment 

The Leader and Cabinet are committed to:

  • Adopting best practice in the identification, evaluation and cost-effective control of risks.
  • Ensuring wherever possible that risks are either reduced to a level within the Council’s risk tolerance or eliminated.
  • Maximising opportunities to achieve the Council’s corporate objectives and deliver core service provisions.

1.3 Funding

The risk and insurance reserve provides senior managers with the encouragement to increase levels of risk awareness within their areas of responsibility by formally identifying risks and proposals for action.

The reserve provides the opportunity to apply for financial support and creates an incentive for loss control, without adversely affecting service area budgets. This investment in risk management measures should lead to a reduction of insured and uninsured losses and eventually to lower costs, including premiums.

Other reserves exist such as Planning Appeals and Investment Properties to help mitigate against other specific risks. A Climate Change Reserve has been created to help the Council address environmental risks. Service budget and the Capital Programme may also be utilised to mitigate risk.

The S151 Officer will ensure that appropriate insurance cover is in place for all identified risks. Managers, where necessary, will utilise budgets to help mitigate risk.

1.4 Sources of assurance

Sources of assurance are sought to provide evidence that the management of risk is carried out effectively. These exist at different levels to ensure that risks are identified and controlled appropriately. An assurance framework is included in appendix A.

Identification and articulation

Risks can be identified by all staff liaising with Lead Specialists (via team meetings or service planning exercises) with emerging risks brought to the attention of Service Managers and Directors either through the bi-monthly performance clinic process, at team meetings or at the more formal Risk Management Group. Those topics raised that are considered to be risks (an occurrence that may or may not happen in the future) as opposed to issues (something which is happening in the here and now that requires immediate action) are discussed and a risk identification template completed and submitted to the Performance Officer. The articulation of risks is an important part of the process, and the risk identification template encourages the identification of cause-risk-consequence reflecting best practice in this area.

Monitoring via performance clinics

Pentana is the Council’s chosen performance management tool – it also acts as a repository for identified risks. Lead Specialists are responsible for reviewing risk ratings (likelihood and impact) at a minimum of every other month in line with bi-monthly performance clinics. A written performance clinic is produced for each of the Council’s four service areas, presented at the clinic meeting by Service Managers and challenge is provided by other Service Managers present. Any changes to risk ratings since the last clinic are highlighted in the performance clinic document.

Monitoring via Risk Management Group

The Council has an active Risk Management Group which consists of the Chief Executive and three Directors (including the Council’s Section 151 Officer). The Monitoring Officer and Senior Information Risks Officer are consulted as necessary. The Risk Management Group meets twice a year to review the Corporate and Operational Risk Registers and challenge risk ratings and control measures where necessary.

Monitoring at Governance Scrutiny Group

Risk Management is scrutinised twice a year by the Governance Scrutiny Group. All three Risk Registers are presented and the Group’s attention is drawn to any changes officers have made to risk ratings since the last meeting. Controls and mitigating actions are made available for risks currently rated as ‘red’ risks to focus Councillors' attention on the Council’s most important risks.

Additional assurance is provided by the Council’s insurer, Zurich, who provide regular training to officers and Councillors as well as acting as a critical friend in all matters related to risk. The Council’s risk management process has also been recently audited by the internal auditors, BDO, and a ‘substantial’ rating in terms of Design and operational Effectiveness awarded.

2. Risk Management Process

2.1 Overview

Risk management entails identifying risks, evaluating their potential consequences and determining the most effective methods of controlling them. It is a means of minimising costs and disruption caused by undesirable events.

The aim of this process is to reduce the frequency of incidents and minimise the severity of their effects. Even when the likelihood of an event occurring cannot be controlled, steps can be taken to limit its consequences (for example, by developing effective emergency and business continuity plans).

Risk management involves the following processes (the risk management cycle):

  • Risk identification
  • Risk analysis and evaluation
  • Risk control
  • Monitoring and review.

2.2 Identification

A systematic assessment of risk needs to be undertaken when judging all policy and service delivery options available to the authority. By identifying areas of risk before an event occurs, steps can be taken to prevent an incident from arising.

2.3 Analysis

Having identified areas of potential concern, risks need to be systematically and accurately assessed. This process requires managers to evaluate:

  • The probability of a particular incident occurring
  • The potential consequences should such an incident occur
  • The anticipated cost of future incidents.

The Council has a risk identification template which helps a manager to correctly and effectively define the risk (using the cause-risk-consequence model), rate the risk at identification (often called inherent risk) in terms of how likely the risk is and what the potential impact of that risk might be if it is realised, whether the risk should be tolerated, treated, terminated or transferred, what controlling and mitigating actions should be taken if the risk is retained to reach a target risk rating, and, finally, the residual risk rating once those actions have been put in place. This information is entered into Pentana, the Council’s performance management tool.

2.4 Control

A variety of options exist for controlling risk. These include:

  • Terminate
  • Treat
  • Transfer
  • Tolerate

Terminating risk involves the authority opting not to undertake a current or proposed activity because the risk is deemed too significant. By taking the decision not to pursue the project or activity the risk is effectively eliminated. Given the nature of the public sector this option is only available for discretionary services.

Treating (or controlling) risk involves taking action (such as implementing projects or developing procedures) to reduce the likelihood of an incident occurring and limit the severity of its impact. If the current risk score is higher than the target risk score, actions should be identified to mitigate the risk and reduce its potential likelihood and / or impact to the target level. These actions are noted on the risk identification template and recorded within Pentana. They are then monitored by Lead Specialists to ensure that the controls and mitigating actions taken are effective. Financial provision to implement risk reduction measures will be made available where appropriate, with funding for initiatives provided from the risk management reserve, specific earmarked reserves, the revenue budget or the capital programme. Where these additional mitigating actions cannot be justified or implemented, the review process will result in the target risk score being raised.

Transferring risk refers to allocating liability for the consequences of an event to another body. Legal liability may be transferred to an alternative provider under contractual arrangements for service delivery. Transferring some or all of the financial risk to external insurance companies may also reduce the costs associated with a damaging event.

There may be occasions when the cost of implementing risk reduction measures will outweigh the anticipated benefits. This is often because the likelihood of a risk occurring is deemed to be very low or its impact negligible. In such instances, a decision may be taken to tolerate the risk and no additional control measures will be undertaken.

2.5 Monitoring and Review

The risk management process does not end once control measures are identified. Regular monitoring and reviews should take place of:

  • The implementation of agreed control actions
  • The effectiveness of these actions in controlling the risk
  • How the likelihood and impact of the risk has changed over time
  • Ongoing review of risks in totality along with the Risk Management Strategy.

Corporate and Operational Risks Registers are reviewed on a regular basis as described elsewhere in this Strategy. Risks that are tolerated still need to be reviewed as their likelihood and / or impact may increase over time.

This Risk Management Strategy is reviewed every three years by the Risk Management Group and approved by the Governance Scrutiny Group.

2.6 Risk Appetite

Our ‘risk appetite’ guides how much risk the Council is willing to seek or accept to achieve its objectives. Taking risks, both operationally and to achieve the priorities set out in our Corporate Strategy 2019-2023, is a necessary part of business. Good risk management ensures the Council makes well informed decisions where the associated risks are understood and managed. By ensuring that risks are properly managed, the Council is more likely to achieve its priorities. Effective risk management also provides a high level of due diligence consistent with the Council’s responsibility to manage public money prudently.

As a Council, we recognise effective risk management considers not just threats but also opportunities; namely, what is to be gained by taking a risk. Our approach to risk takes account of both opportunities and threats. By encouraging managed risk taking, and considering all of the available options, we seek a balance between caution and innovation. Our risk appetite reflects our current position. We encourage managed risk taking for minor to moderate level risks, and control, more closely, those risks which register at a higher point on our risk matrix where the benefits to our residents or to the organisation are greatest. We accept that our appetite for risk will vary over time depending on our ambitions and corporate priorities as well as the external environment the Council is operating in. This position will be reviewed on a regular basis as part of the Council’s Risk Management Strategy.

Risk appetite goes ‘hand in hand’ with how much risk the Council will tolerate: what is its risk threshold? Appendix B details the Council’s risk tolerance level for both risk threats and opportunities (see para 2.7 below) and what constitutes low, medium or high risks.

2.7 Opportunity Risk

The Council has an entrepreneurial approach to seizing opportunities and has been able to successfully manage its finances throughout a challenging period of austerity. Successful organisations need a balance between risk taking and caution and this approach has ensured the delivery of major projects with lasting benefit to residents in the borough.

An opportunity risk matrix (Appendix B) has been developed to provide guidance and a scoring mechanism when making decisions about potential opportunities. By using the matrix to establish the greatest potential benefits, the Council is ensuring that its finances are used in the best possible way.

2.8 Project Risk

The Council has a formalised project management framework that provides the basis for officers managing projects within their team and jointly with other members of staff. The framework provides guidance on what risk assessments are required for projects based on a scale of 1-4 determined by the complexity and project costs. Projects that fall within levels 3 and 4 require a full risk register with controls in place to mitigate the risks. These projects also require a greater degree of monitoring to ensure the project remains on track and aligned with the budget.

3. Roles and Responsibilities

3.1 Overview

The following representatives have responsibilities for Risk Management.

Councillors:

  • To oversee and scrutinise the effective management of risk by officers through the Governance Scrutiny Group.

Chief Executive:

  • To ensure the risk management strategy is implemented

Director (Finance and Corporate Services):

  • To ensure the corporate risk register is reviewed regularly
  • To maintain an overview of the risk management strategy and its implementation
  • To review the risk management strategy
  • To provide updates on risk management to Councillors at Governance Scrutiny Group meetings
  • To ensure that an effective strategy is in place for development of business continuity

S151 officer:

  • To ensure a proper system of internal audit is carried out within the authority
  • To ensure reserves and budgets are sufficient to manage and mitigate both upside and downside risks (in consultation with EMT and Cabinet)
  • To ensure that appropriate insurance cover is in place and that a register of claims is

Director (Neighbourhoods):

  • To ensure that an effective strategy is in place for development of emergency planning arrangements.

Chief Executive and Directors:

  • To identify risks of loss, damage, injury or performance facing service areas
  • To implement appropriate risk control measures (i.e. terminate, treat, transfer, tolerate)
  • To seek assurance that risk management arrangements for service areas are implemented effectively and reviewed on a regular basis
  • To ensure service areas have arrangements in place for updating the corporate risk management system
  • To oversee the implementation of agreed recommendations from internal audits
  • To promote good risk management practice throughout the authority by co-operation and liaison with employees and relevant external agencies.

Monitoring Officer:

  • To report on matters they believe are, or are likely to be, illegal or amount to maladministration
  • To be responsible for matters relating to the conduct of Councillors.

Performance Officer:

  • To support and assist technical use of the corporate risk management system (Pentana)
  • To prepare risk management reports for the Risk Management Group and Governance Scrutiny Group
  • To liaise with Internal Audit providing all information requested
  • To arrange risk management training for officers and Councillors.

Emergency Planning Officer:

  • To advise the Risk Management Group on emergency planning and business continuity arrangements
  • To update the corporate emergency plan and corporate business continuity plan
  • To ensure that business continuity plans for service areas are reviewed on a regular basis
  • To co-ordinate training and exercising for staff, including participating in relevant activities undertaken by the Local Resilience Forum (LRF).

4. Terms of Reference: Risk Management Group

4.1 Overview

The corporate Risk Management Group oversees the management of risk across the organisation and has responsibility for ensuring that adequate sources of assurance are in place. The Risk Management Group will meet twice a year and instigate actions, allocate resources and communicate important messages to service areas as necessary.

4.2 Membership

The Risk Management Group is made up of the following officers:

  • Chief Executive
  • Director – Finance and Corporate Services
  • Director – Neighbourhoods
  • Director – Development and Economic Growth.

The Monitoring Officer and Chief Information Officer will be consulted as necessary. Other representatives (such as the Performance Officer and / or Emergency Planning Officer) will be invited to attend as required.

4.3 Objectives

Objectives of the Risk Management Group include:

  1. Coordinating risk management throughout the authority
  2. Keeping the corporate risk register and risk management strategy under review
  3. Identifying strategic and operational practices that present significant risk to the authority
  4. Identifying emerging risks by drawing on information from other organisations and external sources of information
  5. Making proposals for reducing the likelihood and / or impact of risks
  6. Coordinating and prioritising risk control measures
  7. Advising on the use of the risk management reserve to support funding necessary for initiatives that will reduce risk (e.g. vandalism, arson, theft, damage to property, personal injury to employees, visitors and persons under the care of the authority)
  8. Monitoring the number and type of insurance claims being received by the authority
  9. Coordinating the management of information security
  10. Evaluating new approaches on risk management and the extent to which they could assist the authority and its services
  11. Promoting good risk management practice by liaising with employees and identifying training needs
  12. Ensuring effective business continuity arrangements are in place, including those of critical suppliers
  13. Ensuring effective emergency planning arrangements are in place
  14. Participating in the work of the Local Resilience Forum (LRF) and working closely with other organisations as appropriate.

 


 

Appendix A - Assurance Framework

Oversight

Updates are provided to Elected members via Governance Scrutiny Group (GSG) meetings.

Corporate Risks

Corporate risk management issues are considered on a quarterly basis at Risk Management Group (RMG) within the Executive Management Team meetings. The risk management strategy and corporate risk register are reviewed annually by the RMG.

Operational Risks

Operational risks are reviewed as part of individual service performance clinics at Senior Management Team meetings. They are also reviewed during the development of annual service plans.

Sources of Assurance

First Line of Defence

  • Operational delivery assurance (e.g. logging requests via the Customer Tracking System, escalation of potential risks through management).

Second Line of Defence

  • Development of annual service plans
  • Programme and project assurance (e.g. business cases, project plans, project boards, highlight reports, decision logs, action logs)
  • Data Quality Strategy
  • Financial and budgetary control (e.g. meetings between accountants and service managers before performance clinics).

Third Line of Defence

  • Governance Scrutiny Group (GSG)
  • Internal Audit
  • External Audit
  • Independent regulators.

 


 

Appendix B - Risk Tolerance Thresholds

The Council has set its risk tolerance level for risk threats at the threshold between medium and high rated risks. A matching but reverse tolerance level has been set for positive risk. The ambition is to move all opportunity risks to their highest impact and likelihood but, as with risk threats, only above-tolerance risks will be reported by exception.

Risk Matrix – Threats

Low risk (green)

  • Impact = 1, Likelihood = 1: Risk score = 1
  • Impact = 1, Likelihood = 2: Risk score = 2
  • Impact = 2, Likelihood = 1: Risk score = 2
  • Impact = 1, Likelihood = 3: Risk score = 3
  • Impact = 3, Likelihood = 1: Risk score = 3
  • Impact = 1, Likelihood = 4: Risk score = 4
  • Impact = 2, Likelihood = 2: Risk score = 4
  • Impact = 4, Likelihood = 1: Risk score = 4

Medium risk (amber)

  • Impact = 2, Likelihood = 3: Risk score = 6
  • Impact = 3, Likelihood = 2: Risk score = 6
  • Impact = 2, Likelihood = 4: Risk score = 8
  • Impact = 4, Likelihood = 2: Risk score = 8

High risk (red)

  • Impact = 3, Likelihood = 3: Risk score = 9
  • Impact = 3, Likelihood = 4: Risk score = 12
  • Impact = 4, Likelihood = 3: Risk score = 12
  • Impact = 4, Likelihood = 4: Risk score = 16

Risk Matrix – Opportunity

Low gain/benefit (red)

  • Impact = 1, Likelihood = 1: Risk score = 1
  • Impact = 1, Likelihood = 2: Risk score = 2
  • Impact = 2, Likelihood = 1: Risk score = 2
  • Impact = 1, Likelihood = 3: Risk score = 3
  • Impact = 3, Likelihood = 1: Risk score = 3
  • Impact = 1, Likelihood = 4: Risk score = 4
  • Impact = 2, Likelihood = 2: Risk score = 4
  • Impact = 4, Likelihood = 1: Risk score = 4

Medium gain/benefit (amber)

  • Impact = 2, Likelihood = 3: Risk score = 6
  • Impact = 3, Likelihood = 2: Risk score = 6
  • Impact = 2, Likelihood = 4: Risk score = 8
  • Impact = 4, Likelihood = 2: Risk score = 8

High gain/benefit (green)

  • Impact = 3, Likelihood = 3: Risk score = 9
  • Impact = 3, Likelihood = 4: Risk score = 12
  • Impact = 4, Likelihood = 3: Risk score = 12
  • Impact = 4, Likelihood = 4: Risk score = 16

 

Table 1 Consequence / Impact

This is a measure of the consequences of the identified threat risk.

Risk - measure of consequences

Impact: Thresholds and Description

1 – Insignificant

  • Financial Impact = less than £10k
  • No adverse impact on reputation
  • No impact on partners

2 – Minor

  • Financial Impact = between £10k - £50k
  • Negative internal / within sector impact on reputation
  • Negative partner impact

3 – Moderate

  • Financial Impact = greater than £100k
  • Negative Regional/Local impact on reputation
  • Negative impact on key partnerships

4 – Major

  • Financial Impact = greater than £250k
  • Negative National reputation
  • Key partners withdraw

 

This is a measure of the consequences of the opportunity risk.

Opportunity - measure of consequences

Impact: Thresholds and Description

1 – Insignificant

  • Little or no improvement to service
  • Little or no improvement to welfare of staff / public
  • Little or no financial income / efficiency savings (less than £10k)
  • Little or no improvement to environment or assets
  • Little or no feedback from service users

2 – Minor

  • Minor improvement to service
  • Minor improvement to welfare of staff / public
  • Improvement that produces £10k - £50k of income / efficiency savings
  • Minor improvement to environment or assets
  • Positive user feedback

3 – Moderate

  • Moderate improvement to service
  • Moderate improvement to welfare of staff / public
  • Improvement that produces £50k+ - £100k of income / efficiency savings
  • Moderate improvement to environment or assets
  • Positive local media contact

4 – Significant

  • Significant improvement to service
  • Significant improvement to welfare of staff / public
  • Improvement that produces £100k+ of income / efficiency savings
  • Significant improvement to environment or assets
  • Positive local media coverage

 

Table 2 Likelihood / Probability of Occurrence

This measures the chance of the risk occurring.

Risk - measure of likelihood

Impact: Thresholds and Description

  • 1 – Insignificant: Unlikely
  • 2 – Minor: Possible
  • 3 – Moderate: Probable within 2 years
  • 4 – Major: Probable within 12 months

 

This measures the chance of the opportunity occurring.

Opportunity - measure of likelihood

Impact: Thresholds and Description

  • 1 – Insignificant: Opportunity has not been fully investigated but considered extremely unlikely to materialise
  • 2 – Minor: Opportunity has not been fully investigated; achievability is unproven / in doubt
  • 3 – Moderate: Opportunity may be achievable, but requires significant management, planning and resources
  • 4 – Significant: Opportunity is achievable with careful management
