Contact your Parish Council


Policy and Resources Committee Risk Update – April 2019

Corporate Risks

The Council’s corporate risks are those risks which could impede us achieving our strategic objectives or need co-operation across multiple services to mitigate. 

In January we led a workshop of senior officers and Members to reconsider the corporate risks following approval of the new Strategic Plan.  Following from that workshop, we set out below a new set of corporate risks.  We first presented these risks to Corporate Leadership Team in March, and Appendix 1A shows the full list with ratings and controls.

The table below provides a summary linked to discussions in the risk workshop.

Risk Title

Notes

Existing Corporate Risks Kept following Workshop discussion

Poor Partner Relationship

Existing corporate risk 06.

Workforce Capacity & Skills

Existing corporate risk 03.

Financial Restrictions

Existing corporate risk 09.

Housing Pressures Increasing

Existing corporate risk 07.

Contraction in leisure/retail from economic downturn

Existing corporate risk 11.

Existing Corporate Risks Kept with variation following Workshop discussion

Failure of core governance system and controls

The risk workshop did not raise various existing Corporate risks with a more ‘back office’ focus.  These include Corp01 (Governance Controls Breakdown), Corp02 (Legal/Compliance Breaches), Corp10 (GDPR).

 

The new risk recognises the continuing importance of these issues but reflects they did not feature in the Workshop.

Cybersecurity

Not mentioned in the workshop but remains a threat to the Council.  Later discussions with officers have highlighted the strength of controls available through Mid Kent ICT, as reflected in scoring.

Major Project Failure

Existing risk Corp04.  The workshop did not draw this out as a general risk, but the conversation did include comment on specific projects.  This risk could further adapt or branch in future as major projects may warrant recognition separately.

Contract Management

Raised as a potential corporate risk but not yet adopted.  Relevant to several discussions in the workshop.

Building Incomplete Communities

An adaptation of existing risk Corp08 (Local Plan Delivery).  The Workshop didn’t focus on the Local Plan specifically, but its role in shaping development in the Borough alongside other work. 

Matters not previously reflected as Corporate Risks but added to reflect workshop

Loss of community engagement

Reflecting discussions in the workshop about the risk of poor engagement with communities and the possible consequent impact on community integration.  The discussions noted how much Maidstone relies up support and goodwill of communities for delivering specific projects (including major developments) and general regard for the quality of the public realm.

Matters not previously reflected as Corporate Risks but added to reflect workshop (continued)

Environmental Damage

Combining discussions in the Workshop on climate change and air quality into a single risk.  Note the Workshop discussion on climate change considered the increased possibility of adverse weather impacts, but that feature not added owing to overlaps with operational risks on emergency planning.

Short Term Brexit Impacts

Encompassing the short term risks around disruption, principally but not wholly traffic related.  Longer term economic risks considered within the general risk of increased financial restrictions.

Matters raised at Workshop but not scored high in discussion so not added as corporate risks

Increased crime

Managed as an operational risk.

Unanticipated demographic change

Consensus in the Workshop the Council has good information available on this topic.

Lack of clarity on use of parks and open spaces

Consensus in the Workshop the Council has plans developing or in place.

Not understanding future leisure/culture trends

Discussions in the Workshop questioned whether this topic warranted recording as a separate risk.

Homes not contributing to good health

Lack of clarity in the workshop on what future uncertain events could prompt consideration of this topic as a risk.  Key associated issues currently managed at an operational level.

Appendix 1A shows the full new corporate risk register.


 

Operational Risks

All Council services keep an operational risk register. Individual services manage operational risks. The matrices below show the overall risk profile of the Council, plotting each risk depending on the overall likelihood and impact.  The table shows the number of risks for each colour category.  These show the current risk, that is the impact and likelihood based on existing and working controls.  Appendix 1C details the criteria for assessing impact and likelihood. 

Services manage these risks under the Council’s Risk Appetite Statement, with routine checking based on the risk score (see Appendix 1B).  We present quarterly risk updates to Corporate Leadership Team on all risks above the Council’s appetite (those risks which are RED or BLACK (16 in total)).

The BLACK risk concerns political inter-organisational consensus on completing Local Plan actions and reflects the KCC judicial review.  We expect, following settlement, this risk will move towards its mitigated rating of 12 in the RED when next updated.

CLT check higher level operational risks through the same routes as corporate risk.  Overseeing these high-level risks enables more effective challenge on the effectiveness of controls, and means the Council can arrange suitable support to help manage the effect.


 

Risk Framework Review

As the Council embeds risk management we took the opportunity to review supporting guidance.  This review ensures the guidelines reflect risk management in practice and are as effective as possible.  Corporate Leadership Team considered the revised Framework in February.  In March we circulated for comment among the Audit, Governance & Standards Committee.  The current draft of the Framework, adapted for comments, is at Appendix 2.

The key changes from the previous framework are:

·         Combining the Framework and accompanying guidance into a single document

·         Adding a pictorial overview of the risk management process and introduction

·         Removal of the FAQs into a separate document

·         Removal of Appendix III: Approach Summary Flowchart

·         Better description of the link between planned controls and how this affects impact and / or likelihood

·         Amending the terms ‘inherent’ to ‘current’ and ‘residual’ to ‘mitigated’ risk to better describe the ideas and provide consistency with risk guidance elsewhere.

·         Removing report template guidelines to avoid repetition.

 

Next Steps

Risk management is constant and needs revision and maintenance to keep up its value. Through 2019/20, our focus will be to:

·         Develop a training programme: We (Mid Kent Audit) have continued to promote workshops, and deliver risk sessions as sought. However, developing the overall knowledge and expertise for risk management across the Council needs a wider approach. We will develop training for managers and officers on risk management principles and the framework.

Risk management is adding real value and insight, this wouldn’t have been possible without the great deal of positive engagement and support from Senior Officers and Managers in the Council. So, we’d like to thank officers for their continued work and support.

 


 


Appendix 1A

Corporate Risks

The table below sets out each of the corporate risks in detail. Risk owners have assessed the impact and likelihood of the risks and identified the key controls and planned actions necessary to further manage the risk to an acceptable level.  We present the risks sorted by Current Rating: 

Risk (full description with short title highlighted)

Risk Owner

Key Existing Controls

Current rating

I       L       ∑

Controls planned

Mitigated rating

I      L      ∑

The broader housing crisis leads to housing pressures increasing on the Council, affecting both costs associated with homelessness and ability to meet wider housing needs in the borough.

William Cornall

(1) Homelessness prevention team in place with increased resource
(2) MBC obtaining & using own stock
(3) Closer working with private sector & housing associations

4

5

20

(1) Exploring possibility of JV
(2) Closer working with voluntary sector
(3) Revisiting offer to private sector landlords through Home Finder scheme

3

4

12

Lack of capacity, capability or planning results in major project failure damaging the Council's reputation as a partner and inhibiting achievement of regeneration and development objectives.

William Cornall

(1) Engage external consultants where needed on complex projects
(2) Clear project management process
(3) CLT monitoring & oversight
(4) Specialist software used
(5) Staff training & support
(6) External funding bids

4

4

16

(1) Project risk evaluation & monitoring
(2) Adherence to suite of financial hurdle rates reflective of different sector risk profiles

4

3

12

General financial downturns, unexpected changes to government funding or failure to achieve income or savings targets places further financial restrictions on the Council resulting in difficulty maintaining standards or meeting aims.

Mark Green

(1) Agreed work programmes in transformation and commissioning
(2) Budget monitoring in place
(3) MTFS in place and monitored
(4) Scenario planning in budget setting
(5) Financial independence strategy

4

4

16

(1) Lobbying to avoid unfavourable financial changes to government funding
(2) Aligning MTFS & strategic plan
(3) Cost recovery through bidding for additional government support for one-off costs (e.g. Brexit)

3

4

12

Conflicting expectations or limited engagement leads to poor partner relationships inhibiting the Council's ability to call on others to help achieve its corporate objectives

Alison Broom

(1) Regular liaison meetings
(2) Defined joint working arrangements
(3) Specific joint working protocols for key relationships (e.g. Joint Transport Board, Safer Maidstone Partnership)

4

4

16

(1) Increased joint work with KCC highways & waste teams
(2) Joint working arising from post-litigation settlement

3

3

9

General and localised economic pressure leads to contraction in retail & leisure sectors, limiting the appeal of Maidstone town centre threatening social cohesion and business rates income.

William Cornall

(1) Town Centre strategic advisory board
(2) Public realm improvement work
(3) Supporting One Maidstone BID

4

3

12

(1) Promoting Maidstone as business destination
(2) Exploring town centre shop fronts improvement grant scheme

4

2

8

Poor management of contracts or financial resilience of contractors leads to significant contract failure disrupting services and creating extra liabilities.

Mark Green

(1) Contract management approach in place
(2) Additional contract management resources obtained
(3) Risk assessments & annual checks
(4) Business continuity plans

4

3

12

(1) Review of existing contracts
(2) Additional staff training & support
(3) Contract management toolkit
(4) Regular updates to CLT

4

2

8

Disorderly exit or failures in planning result in adverse short term Brexit impacts disrupting the Council's ability to offer services and increasing liabilities.

Mark Green

(1) Links to Kent Resilience Forum
(2) Business continuity plans & testing
(3) Regular briefings for officers & members

4

3

12

(1) Continued liaison with partners
(2) Government funding to mitigate impacts

2

3

6

Failure in implementation of Local Plan leads to building of incomplete communities in the borough inhibiting residents' quality of life

William Cornall

(1) Communication & liason with partners
(2) CLT oversight, including of developer income & contributions
(3) Major projects team in planning
(4) Agreed approach to LP review

3

3

9

Risk already mitigated to within appetite.

3

3

9

Increased effects from climate change or reduction in air quality causes environmental damage reducing residents' quality of life and increasing risks from adverse weather events

William Cornall

(1) Air Quality Action Plan in place
(2) Emergency planning arrangements
(3) Parks strategy

3

3

9

Risk already mitigated to within appetite.

3

3

9

Increased pressure on controls leads to governance failures resulting in poor decision making and increased legal liability

Alison Broom

(1) Constitutional review & safeguards
(2) Annual Governance Statement
(3) Professional advisory staff (including legal & internal audit)
(4) Staff & member training

4

2

8

Risk already mitigated to within appetite.

4

2

8

Security breach or system weakness leading to IT security failure results in system unavailability and increased legal and financial liability.

Steve McGinnes

(1) Regular backup programmes
(2) External testing
(3) ICT policies & staff training

4

2

8

Risk already mitigated to within appetite.

4

2

8

Poor engagement and communications leads to loss of community engagement limiting support for project delivery and regard for public realm.

Alison Broom

(1) Regular communications & engagement
(2) Specific community projects

3

2

6

Risk already mitigated to within appetite.

3

2

6

Due to difficulties in recruitment, retention or managing absence the Council has insufficient workforce capacity & skills to complete effectively work necessary to achieve its objectives.

Steve McGinnes

(1) Workforce strategy monitoring
(2) Salary benchmarking across SE England public sector
(3) Training & development programme
(4) Shared service resilience
(5) Occupational health & employee support

2

2

4

Risk already mitigated to within appetite.

2

2

4

 

Appendix 1B

Maidstone Risk Management Process: One Page Summary



Risk Appetite – Monitoring Process

We illustrate our risk appetite and tolerance in the matrix below. The RED shaded area represents the outer limit of our risk appetite, and the BLACK area indicates the tolerance. As a Council we are not willing to take risks that have significant negative consequences on the achievement of our objectives.

The matrix also illustrates how we monitor risks. The Council’s highest level risks (those with a combined score of 12 and above) are reported to Corporate Leadership Team for consideration and guidance.

 

 

 

 

 

 

 

 

 

 

 

 

Risk Rating

Guidance to Risk Owners

20-25

Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Council’s biggest risks.

 

The Council is not willing to take risks at this level and action should be taken immediately to manage the risk.

 

Identify the actions and controls necessary to manage the risk down to an acceptable level.

If still scored above 20, report the risk to the Audit Team and your Director.

 

Steps will be taken to collectively review the risk and identify any other possible mitigation (such as controls).

 

Risks that remain at this level will be escalated to CLT, who will actively monitor and provide guidance on the ongoing management of risks at this level.

12-16

These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.

 

 

Identify controls to treat the risk impact /likelihood and seek to bring the risk down to a more acceptable level.

 

These risks should be monitored and reviewed monthly.

If unsure about ways to manage the risk, consult with the Internal Audit team.

 

Risks at this level will feature in a quarterly risk update to CLT who will provide oversight and support if needed.

5-10

These risks sit on the borders of the Council’s risk appetite and so while they don’t pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.

 

 

Keep these risks on the radar and update as and when changes are made, or if controls are implemented.

 

Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.

 

Responsibility for monitoring and managing these risks sits within the service.

3-4

These are low level risks that could impede or hinder achievement of objectives. Due to the relative low level it is unlikely that additional controls will be identified to respond to the risk.

Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continues to pose a low level.

1-2

Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives. 

No actions required but keep the risk on your risk register and review annually as part of the service planning process.

Impact: 5

Likelihood: 1

Rare events that have a catastrophic impact form part of the Council’s Business Continuity Planning response.

Record on your risk register and Internal Audit will co-ordinate with Business Continuity officers.  

 


 

Appendix 1C

Impact & Likelihood Scales

         

Risk Impact

         

Risk Likelihood