Contact your Parish Council




Annual Risk Management Report



Audit, Governance & Standards Committee

January 2020





Risk management is how the Council identifies, quantifies and manages the risks it faces as it seeks to achieve its objectives.† It is fundamental to the Councilís governance, and contributes greatly to the successful delivery of services and the key priorities.

The purpose of this report is to provide assurance to Members that the Council has in place effective risk management arrangements, and that risks identified through this process are managed, and monitored appropriately.† This enables the Audit, Governance & Standards (AGS) Committee to fulfil the responsibilities as set out in the Terms of Reference:

ďIn conjunction with Policy and Resources Committee to monitor the effective development and operation of risk management and corporate governance in the Council to ensure that strategically the risk management and corporate governance arrangements protect the Council.Ē





Roles & Responsibilities

We (Mid Kent Audit) have lead responsibility for supporting risk management processes across the Council.† Our role includes regular reporting to Officers and Members, through the Corporate Leadership Team (CLT), Policy & Resources Committee and the AGS Committee.† We also provide workshops and training, and facilitate the effective management of risks.

Having valuable and up to date risk information enables both Executive and oversight functions to happen effectively. The Policy & Resources Committee has overall responsibility for risk management and will review the substance of individual risks to ensure that risk issues are appropriately monitored and addressed.

As those charged with governance and oversight the AGS Committee should seek assurance that the Council is operating an effective risk management process.



Risk Management Process

The risk management framework is the guide that sets out how the Council identifies, manages and monitors risks.† This includes the risk appetite statement, which articulates the Councilís appetite for and tolerance of risk.† The reviewed and updated framework was approved by Policy and Resources Committee in April 2019.† In summary, the risk management process for the Council can be broken down into the following key components:†

Corporate level risks are more strategic in nature.  By definition, these risks inherently carry a higher impact level as they affect multiple services. They are the risks that could prevent the Council from achieving its ambitions and priorities.

All risks are recorded on the comprehensive risk register, and it is this register that is used to generate risk information across the Council.† In the main risks are identified at two levels:



Operational risks are principally identified as part of the service planning cycle each year. They are directly linked with the day to day operation of services. However, operational risks can nonetheless have potential for significant impact.





You will see that there is a direct link between these two levels of risks. †This is because where an individual or group of operational risks start to have a significant impact on delivery of strategic objectives consideration is given to escalating the risk to a corporate level.

Risks are assessed on impact and likelihood (definitions attached in Appendix 1B). The same definitions and scales are used for all risk assessments in order to achieve consistency in approach, and allow for comparisons over the period.

                Impact: This is a consideration of how severely the Council would be affected if the risk was to materialise.

                Likelihood: This is a consideration of how likely it is that the risk will occur.† In other words, the probability that it will materialise.

In order to understand the scale of risks the following guidance is available to risk owners when assessing their risks:†

Risk Rating

Guidance to Risk Owners


Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Councilís biggest risks.


The Council is not willing to take risks at this level and action should be taken immediately to treat, transfer or terminate the risk.


Identify the actions and controls necessary to manage the risk down to an acceptable level.

Report the risk to the Audit Team and your Director.


If necessary, steps will be taken to collectively review the risk and identify any other possible mitigation (such as additional controls).


These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.


Alternatively consideration can be given to transferring or terminating the risk.

Identify controls to treat the risk impact / likelihood and seek to bring the risk down to a more acceptable level.


If unsure about ways to manage the risk, consult with the Internal Audit team.



These risks sit on the borders of the Councilís risk appetite and so while they donít pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.


Keep these risks on the radar and update as and when changes are made, or if controls are implemented.

Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.


These are low level risks that could impede or hinder achievement of objectives. Due to the relative low level it is unlikely that additional controls will be identified to respond to the risk.


Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continues to pose a low level.


Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives.†


No actions required but keep the risk on your risk register and review annually as part of the service planning process.


Risk Profile

The diagrams below illustrate how the risk profile of the Council (i.e. the actual number of risks on the register and their RAG rating) has changed throughout the year.† This is made up of corporate and operational risks, and is based on the current risk, i.e. the risk impact and likelihood considering any existing controls in place to manage the risk, but before any further planned controls are introduced.

The change in the risk profile of the Council demonstrates how action is taken to manage risks and to capture emerging risks.†† Most notably action has been taken by officers which has resulted in a decrease in the number of BLACK and RED risks.† The overall number of risks however has remained reasonably static throughout the year.† All risks will be reviewed with services during the start of the new financial year to ensure that services risk registers remain current.

Corporate Risks ††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††††

In January 2019 we ran a workshop with Members and officers to refresh the Councilís corporate risks in light of the newly agreed Strategic Plan.† This sought to identify any new or emerging risks and any risks which were no longer relevant due to successful management or the passage of time. †The revised corporate risk register was reported to CLT and then agreed by the Policy & Resources Committee in April 2019.††

CLT are responsible for the management of the corporate risks and review them quarterly.† Furthermore any risk which is rated as BLACK is monitored monthly to review progress and provide guidance, support and focus where needed.†

The following table shows the Councilís current corporate risks (which are included in the diagrams above) and details the risk scores and how these scores changed over the course of the year:

The detail of these risks has been reviewed and discussed at the Policy & Resources Committee.† However, this illustrates that action is being taken to manage the risks and that processes are in place to ensure new emerging issues are captured or significant operational risks are appropriately escalated.

Operational Risks

Operational risk registers are in place for each service and are reviewed and updated routinely in line with their risk scores.† Managers and Heads of Service are responsible for managing operational risks.† In accordance with the Councilís risk appetite, CLT receive quarterly updates on all current RED and BLACK risks and, as above, review BLACK risks monthly.† The operational risk profiles are reported to Policy & Resources as part of their 6 monthly update and monitoring reports.

Next Steps

Risk management is a continuous process, and we will continue to build on and improve the arrangements to further strengthen the risk management process and develop a positive risk culture across the Council.† In particular work is underway to obtain a risk management system to replace the current spreadsheet process.† This will give us greater functionality in updating and reporting on risks and free up time to further develop other aspects of risk.

We have continued to receive a positive level of engagement and support from Senior Officers and Managers in the Council which has enabled the risk management process to develop and embed.† So, weíd like to take this opportunity to thank officers for their continued work and support.

Appendix 1A

Maidstone Risk Management Process: One Page Summary

Appendix 1B

Impact & Likelihood Scales


Risk Impact


Risk Likelihood