Risk Management Framework


Step 0 – Before you begin: clarify your objectives

Before you can assess what stands in your way you need to know where you’re going.  What are your objectives?

  • What are you seeking to achieve?
  • By when? And
  • Who is responsible for achieving it?

This includes understanding what the Council wants to achieve and the resources it has available – in both capacity and capability – to deliver.  The Council has set out its corporate objectives in the Strategic Plan.

Our aim is that risk management fits in with and supports your objectives, which in turn support the objectives of the Council.  This link between Council objectives, through departmental or service objectives (and even personal development goals), supported by risk management practices, is called the golden thread.  When everyone at the Council is pulling in the same direction we will have a much greater chance of being able to achieve our shared goals.

Clarifying your objectives will allow a greater understanding of what will stop you achieving those objectives and what opportunities you need to grasp to meet your goals.  Setting out your objectives clearly will also reveal links to internal and external stakeholders on whom you will rely, as well as other external factors that will impact your objectives.

Questions and Answers

When should I seek to define my objectives?

The ‘textbook’ answer is that your objectives should always be defined.  At any point, you should have a clear understanding of what you are trying to achieve so that you have assurance your work is heading in the right direction.  In practice, most workplaces don’t have objectives that change day-to-day so it is likely that an annual consideration alongside your service planning will do the job just fine.  However, you should be alert to changes that might impact your objectives – for instance embarking on a major project, moving to a new partnership or a change in political leadership – and consider whether these events create a need to revisit and redefine your objectives.

Where can I learn more about defining objectives?

This guide is not focused directly on this stage, but since it is such a crucial part of risk management we could not neglect it entirely.  There is information on how to set good business objectives provided as part of Service Planning Guidance, or a quick general overview is available at this link.

Step 1: Identifying Your Risks

This step has two principal elements:

  • Initial risk identification, for example when embarking on a new project, following a major service change or creating a new service plan, and
  • Continuous risk identification: required to identify new risks and changes to existing risks, including risks which become irrelevant over time.

Risks must derive from objectives, but this can be any level of objective from corporate to personal.  When identifying risks following from objectives, you must avoid falling into the trap of simply restating the objective – look instead for those potential events or circumstances that might prevent or hinder achievement.

Below is an example, following on from an identified corporate objective:

Objective: To provide the best services resources allow

  • Potential risk statement: Failing to provide the best services resources allow
    Is this a risk? This is simply stating the opposite of the objective.
  • Potential risk statement: Public are dissatisfied with Council services
    Is this a risk? This is a statement of the potential impact of failing to meet the objective; not in itself a risk.
  • Potential risk statement: A lack of suitably trained and available staff limiting ability to deliver efficient services
    Is this a risk? This is a risk we can control by, for instance, making plans to keep training up to date and reviewing our staffing needs.
  • Potential risk statement: The Government has reduced our funding
    Is this a risk? This has already happened and so is an event to be managed.  Risks look ahead to potential events and so involve at least some uncertainty.
  • Potential risk statement: The Government sharply reduces future funding
    Is this a risk? This is a risk over which we have little or no control, but we can assess likelihood and, if required, make contingency plans.

Horizon Scanning

When identifying risk, particularly at a set point such as composing a service plan, you will find it useful to ‘horizon scan’.  This involves looking to the medium or even long term endeavouring to provide early warning of potential risks, giving enough time for the service to adopt appropriate response strategies.

This will inevitably be a somewhat speculative exercise and may be best undertaken in groups so you can pool various outlooks and expertise to provide a comprehensive outlook.  When identifying ‘horizon’ risks you may want to consider:

  • What could (realistically) happen?
  • What could go wrong?
  • How and why can it happen?
  • What do we depend upon for our success?
  • What opportunities might arise as circumstances change?

Risk Ownership

Once identified, it is essential that someone owns the risk, taking principal responsibility for monitoring its course and tracking actions in response.  Risk ownership is not the same as actually undertaking or being responsible for carrying out actions in response.  Rather the role is aimed at ensuring necessary actions take place, otherwise there is a chance management actions may not be completed.
Risks need not be owned or managed solely by risk ‘experts’; in fact with the right support everyone in the organisation has the capacity to manage risk.  The best risk owner will usually be someone closely involved in delivering the area of the business where the risk arises.

Questions and Answers

When should I seek to identify risks?

Similar to the issue of objectives, ideally the effective manager is continually alive to risks arising in her service and how those risks develop.  However, it is also beneficial to periodically take a fresh look at your risks; formulating a service plan and embarking on a major new project are both great opportunities to review and evaluate.

Do I need to consider *everything* that could happen?

No.  Like all organisations, the Council has limited resources available to manage its risk.  Therefore an important part of this exercise is to gain an understanding of the key risks – the ones that pose threats to the achievement of our objectives or unlock significant opportunities – so that we can best focus those resources.  Consequently it is perfectly coherent to consciously consider a risk and decide it is so remote as to be not worth recording; the classic example here is the occasional Freedom of Information request reported in the press where Councils are asked for their contingency plans for dragon attack or zombie apocalypse.  You are not expected to plan for literally every eventuality.  It may well prove that the next step – evaluating risks – will also help sharpen your focus.

Should I just consider ‘what could go wrong’?

No.  As noted in the definition of risk, a mistake often made is to focus on the ‘negative threat’ aspect and neglect the ‘positive opportunity’.  Although the mechanics of this guide deal principally with ‘negative’ risks, it is important that you consider these alongside potential opportunities.  You will need both sides to be able to understand and effectively manage your service, as well as to be able to present a full picture of its activity.

What if I identify more risks than I can manage?

Firstly, it may be that many of the risks you have identified are already effectively managed by the day-to-day practice of your business.  The next steps – evaluating and treating the risks – will help you in forming a picture of what risks genuinely present a need for ‘extra’ management.  Secondly it might be that you have cast the net too wide on horizon scanning.  Look again at the risks you have identified and consider, in reality, are they issues that will require attention in the near term or can they be ‘parked’ for another day or until the circumstances described are more likely to arise.  Thirdly, if you have considered the risks and still feel overwhelmed you may need to seek further advice – Appendix II of this guide gives some guidance on where you can get more support.

Step 2 – Evaluating Your Risks

Having identified the risk, the next step is its evaluation.  How big is the risk you have identified? To what degree should the organisation take action to prevent its occurrence or limit its impact?

The first part of this step is to consider the inherent risk you have identified.  This means the risk as it exists currently, with no additional measures taken; the ‘business as usual’ position.  For this reason – save for exceptional circumstances – the inherent risk will not change once evaluated.  In the next step we’ll consider how to control risks and how to re-evaluate risk once those controls are in place.

Risk evaluation incorporates two principal elements:

  • Impact – This is a consideration of how severely the organisation would be affected if the risk transpires.  In other words, if the forecast event actually happens then what will that do to the organisation?
  • Likelihood – This is a consideration of how likely it is that the risk will occur.  In other words the probability that it will materialise and become an event to be managed.

At Appendix I are impact and likelihood scales that will help guide your judgement in evaluating a risk.

Inherent risk evaluation example

Let’s take an example risk.  Leading on from the table above, we’ll use the risk: “A lack of suitably trained and available staff limiting ability to deliver efficient services” and assume we are assessing on behalf of the Council’s Housing Benefits function (note that the examples below are indicative, and not the service’s actual assessment).  The exercise here is to imagine what would realistically happen to the Council if your risk were to materialise and become an event.

Impact category / Judgement / Outcome

  • Service Risk: The risk is not that all our staff suddenly vanish – that would be unrealistic – but more an erosion of staff taking us below the level at which the service can effectively operate.  We know that the role is specialist and skilled and cannot be filled immediately by short term contractors, and so consider poor service might result for an extended period but the position would be recoverable.  Outcome: Score 4, Major impact.
  • Reputation Risk: The service currently enjoys a good reputation so it is unlikely a single event of poor service (unless hugely protracted, which would be an issue in itself) would result in external intervention or perception as a failing authority.  Similarly, except in very rare circumstances, the activities of a Council Benefit section do not attract national publicity.  However, the potential is clearly there for hostile local publicity if unavailability of staff led to poor service.  Outcome: Score 3, Moderate impact.
  • Health and Safety Risk: The service does not engage in the type of work which poses real risk of death or physical injury but there is the potential that reduction in staffing levels would add to stress levels of remaining staff.  Outcome: Score 2, Minor impact.
  • Regulatory Risk: Administration of Housing Benefit is a complex regulatory area.  Although the service has software to help guide staff, the loss of experienced trained people would inevitably increase the risk of failing to abide by regulations.  However, the consequences are relatively limited – there are no criminal consequences of non-compliance but complaints from service users and the need to make good mistaken payments are likely results.  Outcome: Score 2, Minor impact.
  • Financial Risk: The Council receives subsidy to cover its Benefits expenditure but must justify that spend through external certification.  A lack of trained staff may lead to increased error and consequent loss of subsidy.  Although the total value of the subsidy is £x, much of this is low-risk regulator payments.  The high risk of error areas are £y and you are confident the maximum realistic loss is around £100k.  Outcome: Score 3, Moderate impact.
  • Environmental Risk: The benefits service does not have any significant environmental impact, so this category is not applicable.  Outcome: Not applicable.

Overall Impact Score: Score 4, Major impact.

The next step is to consider the likelihood of the risk materialising and becoming an event.  To continue with our hypothetical example:

Likelihood / Judgement / Outcome

  • Likelihood: You are aware that the service is highly reliant for specialist knowledge on a small handful of team leaders who are all approaching retirement age; two have announced plans to retire this year and there is no succession plan currently in place.  You are also aware, because of a failed recruitment last year, that finding that expertise locally would be difficult.  Outcome: Score 5, Almost certain.

This example therefore gives us an overall risk score of: Impact 4, Likelihood 5.

Risk Matrix

Once you have established a risk score, you will need to plot that score onto the risk matrix which produces an overall risk profile (example below, with the risk just identified shown as R1).

Risk matrix

The risk profile is a simple graphical representation of risk information that provides visibility and can assist management decision-making, particularly when comparing the positioning of a range of risks.  It allows management to consider the level of risk which is acceptable to the organisation.  Plotting on a matrix also helps:

  • To give a sense check on the risk scores; when all displayed together do they seem proportionate and in the right order, and
  • To show a representation of movement from inherent to residual risk score (for more details on this, read on).

The Council uses a 5 x 5 matrix which assigns a rating to both the likelihood and the impact of individual risks.

Questions and Answers

How much do I need to know before I can assess an inherent risk?

For both elements, the scoring is fundamentally a matter of judgement but you should employ your own experience, past records, expert judgement and wider knowledge to make the process as informed as possible.

In general it will not be necessary to undertake any specific additional work at this stage to help identify the inherent risk’s likelihood or impact (such as, commissioning research to help make an impact judgement more specific).  However, this might be helpful for certain very high profile risks or where the organisation is embarking on a novel enterprise or approach.  If you are finding it difficult to confidently assess an inherent risk then please see the contact details in Appendix II for assistance.

Under what sort of circumstances should I reconsider inherent risk?

The inherent risk is essentially a ‘business as usual’ evaluation; how the risk looks with no special treatment applied.  Therefore it may be beneficial to revisit the inherent risk scores if there is a fundamental change to how ‘business as usual’ works, for example a major expansion of the responsibilities of a service or wide-reaching new legislation.

If I have a risk with a potential catastrophic (level 5) environmental risk, but only a moderate financial impact (level 3) should I average the overall impact to Major (level 4)?

Absolutely not.  There can be no trade-off of impacts.  The organisation has decided that each of the risk impact themes is rated catastrophic, major, moderate etc. independently of how the risk affects the other domains.  For example, a catastrophic reputational impact is not made more acceptable by the organisation not having suffered a financial loss to get to that point.  Your impact score will be equivalent to the highest score you have assessed in any single domain, which will then also act as a guide to where you may best focus your risk treatment (see next section).

Do I have to assess a risk against all 6 risk categories?

No.  There will be few, perhaps no, risks you identify that will have a quantifiable impact across all 6.  You need only consider against those domains where the risk may impact.

Over what period should I consider ‘likelihood’?

Generally speaking, we mean the possibility of the risk becoming an event within the next 12 months from identification.  This is because the process assumes at least one review per year (at the time of producing your service plan) and so you will have the opportunity to revisit the score within a year, although you should ideally review whenever there is a change of circumstances even if a year has not passed.  It may be suitable to sometimes consider likelihood over a shorter timescale, for instance risks associated with a particular project that will conclude within a year, so it is best to include in your documentation what period is being considered if not a year.

How prescriptive are the impact categories?

Fundamentally, the evaluation of a risk is an exercise of judgement.  The impact categories and levels are there to help guide your judgement and give you an indication of what the Council as a whole considers to be a major impact and so on, but they are not absolute and not intended to cover all circumstances.  As evaluation is judgement you may wish within your service to have a review mechanism (for example Head of Service sign off) or evaluate the risks at a team meeting to avoid the possibility of a particularly cautious or even confident individual setting the judgement higher or lower than it should be.

Step 3 – Address Risks

The next step is to decide what action (if any) you are going to take to address the identified risks.  Based on the inherent risk you identified at the previous step the actions will – broadly – be as follows:

Matrix position / What does this mean? / What happens next? / Where should I record my actions?

Black (Score 20-25)
  What does this mean? Top risk, requiring immediate action and ongoing reporting.
  What happens next? Address the risk and report/monitor.
  Where should I record my actions? Include the risk in your service plan and actions in the risk return.

Red (Score 12-16)
  What does this mean? High risk, requiring immediate action.
  What happens next? Address the risk (see next section).

Amber (Score 8-10)
  What does this mean? Medium risk, review current controls.

Green (Score 3-6)
  What does this mean? Low risk - no immediate action.
  What happens next? Record in service plan, monitor at next scheduled review.
  Where should I record my actions? Include the risk in your service plan and risk return.

Blue (Score 1-2)
  What does this mean? Minimal risk - no action.
  What happens next? Note to monitor at next scheduled review.
  Where should I record my actions? You may wish to include in your service plan but not essential.

Scoring a risk at AMBER (8) or higher means the risk owner should now consider how to address the risk.  There are 4 principal options, known collectively as ‘the Four Ts’:

  • TREAT the risk.  This is the most common way of managing risks and involves putting in place (or strengthening existing) systems and processes (internal controls).  These control the risk and mitigate the likelihood of a risk occurring and/or militate against its impact if it does occur.
  • TOLERATE the risk.  This means accepting the likelihood and consequences of a risk occurring.  This should only be considered as an option if the risk is within the risk appetite of the organisation, which is to say if it is rated AMBER or (by specific agreement of senior management) RED.  Risks rated BLACK are beyond the risk tolerance of the organisation and so this mode of address will not be acceptable except in extreme circumstances.
  • TRANSFER the risk.  This means shifting the risk, in whole or part, to a third party.  This could be achieved, for example, by seeking insurance to cap financial losses at a certain level or by seeking partners for a project and so sharing the risk.
  • TERMINATE the risk.  This means deciding to cease, or not to become involved in, the risk situation; withdrawing from the activity which causes the risk.  This will not always be possible as the Council must deliver some particular services by law, but will often be an option when considering a new project or opportunity.

Internal Controls

One of the key ways in which a risk can be addressed is through implementation or enhancement of internal controls.  There are different types of internal controls, set out in the table below, that can work together to bring down the impact and/or likelihood of a risk:

Control strategy / Description / Examples

  • Preventative: Designed to limit the possibility of an undesirable outcome (this will be the majority of risk related controls).  Examples: Financial Standard Orders; prior authorisation of expenditure; separation of duties.
  • Detective: Designed to identify problems when undesirable events have occurred, allowing them to be addressed.  Examples: analytical review; reconciliation between control totals.

Residual Risk

If you opted to treat or transfer your risk, the next step is to consider the residual risk score.  This represents the impact/likelihood of the risk becoming an event once the additional measures you have taken are taken into account.

Turning again to our example:

Risk address / Description of action / Anticipated outcome

  • Treat: Compile succession plan including (a) recruitment strategy and (b) timing of recruitment to overlap with retirements to allow handover.  Anticipated outcome: reduce likelihood of risk materialising to Possible (score 3).
  • Transfer: Liaise with [neighbouring authority] to seek a share of key staff to provide resilience.  Additional cost can be accommodated within service budget.  Anticipated outcome: reduce likelihood of risk materialising only to Probable (score 4), as there is no information yet on whether [neighbouring authority] is willing to discuss.
  • Overall view: Risk address actions, if successfully taken together, reduce likelihood still further.  Anticipated outcome: reduce likelihood to Unlikely (score 2).

This example therefore gives us an overall risk score of: Impact 4 (unchanged from inherent risk assessment), Likelihood 2 (down from 5).

Note that we have not considered TOLERATE as the inherent risk is beyond the Council’s risk tolerance.  Nor have we considered TERMINATE as administration of housing benefits is a statutory service from which the Council cannot withdraw entirely.

Note also that we have focused the above on reducing the likelihood.  As this was the highest score in our initial evaluation that’s a good place to start thinking about actions to address the risk, though it may be in reality that other scores are a better focus if they offer more effective solutions.

It is important to note the possibility that your risk address actions may themselves cause new risks to emerge.  For instance, the proposal in the example above to share services – while a reasonable option to consider – would perhaps be a substantial project in its own right.
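The scoring rules in Steps 2 and 3 are mechanical enough to be worth writing down as code, so that a register can be checked consistently rather than by hand. The following Python is an added illustration written for this guide; it is not the Council's own tool nor the Excel template mentioned in Step 4. It encodes only what the guide states: overall impact is the highest score in any single domain (never an average), the overall score is impact x likelihood, the matrix bands are Black 20-25, Red 12-16, Amber 8-10, Green 3-6 and Blue 1-2, TOLERATE is within appetite at Amber or (with senior agreement) Red, and the Step 4 summary register holds every BLACK inherent risk plus the top ten. The domain key names, the `Risk` dataclass fields and the owner given for R1 are this example's own assumptions; the R1 figures are the guide's indicative Housing Benefits example.

```python
"""Scoring helper for the Council's 5 x 5 risk matrix.

Added illustration written to accompany this guide; it is not the Council's own
tool nor the Excel template referred to in Step 4.  It encodes the rules the
guide states: overall impact is the highest score in any single domain (never
an average), overall score is impact x likelihood, and the matrix bands are
Black 20-25, Red 12-16, Amber 8-10, Green 3-6 and Blue 1-2.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT_LABELS = {1: "Minimal", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}

# (lowest score, highest score, colour) from the Step 3 table.  Scores such as
# 7, 11 or 13 are not products of two 1-5 ratings, so the gaps never occur.
BANDS = ((20, 25, "Black"), (12, 16, "Red"), (8, 10, "Amber"), (3, 6, "Green"), (1, 2, "Blue"))

Evaluation = Tuple[int, int, int, str]  # (impact, likelihood, score, colour)


def overall_impact(domain_scores: Dict[str, Optional[int]]) -> int:
    """Highest score across the domains assessed; None marks a domain as not applicable."""
    scored = [s for s in domain_scores.values() if s is not None]
    if not scored:
        raise ValueError("score the risk against at least one impact domain")
    invalid = [s for s in scored if s not in IMPACT_LABELS]
    if invalid:
        raise ValueError(f"impact scores must be 1-5, got {invalid}")
    return max(scored)  # no trade-off between domains: one level-5 domain means a level-5 impact


def band_for(score: int) -> str:
    """Map an impact x likelihood product onto its matrix colour."""
    for low, high, colour in BANDS:
        if low <= score <= high:
            return colour
    raise ValueError(f"{score} is not a product of two 1-5 ratings")


def evaluate(domain_scores: Dict[str, Optional[int]], likelihood: int) -> Evaluation:
    """Score a risk: (impact, likelihood, impact x likelihood, colour)."""
    if likelihood not in LIKELIHOOD_LABELS:
        raise ValueError("likelihood must be 1-5")
    impact = overall_impact(domain_scores)
    score = impact * likelihood
    return impact, likelihood, score, band_for(score)


def needs_addressing(colour: str) -> bool:
    """Amber (8) or higher means the risk owner must consider the Four Ts."""
    return colour in ("Amber", "Red", "Black")


def tolerate_allowed(colour: str, senior_agreement: bool = False) -> bool:
    """TOLERATE is within appetite up to Amber, at Red only with senior agreement, not at Black."""
    if colour == "Black":
        return False
    if colour == "Red":
        return senior_agreement
    return True


@dataclass
class Risk:
    """One risk register entry.  Field names are this example's own, not the template's."""
    ref: str
    statement: str
    owner: str
    inherent_domains: Dict[str, Optional[int]]
    inherent_likelihood: int
    residual_domains: Optional[Dict[str, Optional[int]]] = None  # None: impact unchanged by actions
    residual_likelihood: Optional[int] = None                      # None: likelihood unchanged

    def inherent(self) -> Evaluation:
        return evaluate(self.inherent_domains, self.inherent_likelihood)

    def residual(self) -> Evaluation:
        domains = self.inherent_domains if self.residual_domains is None else self.residual_domains
        likelihood = self.inherent_likelihood if self.residual_likelihood is None else self.residual_likelihood
        return evaluate(domains, likelihood)


def summary_register(risks: List[Risk], top_n: int = 10) -> List[str]:
    """Refs for the Step 4 summary: every BLACK inherent risk plus the top_n by residual score."""
    black = {r.ref for r in risks if r.inherent()[3] == "Black"}
    ranked = sorted(risks, key=lambda r: r.residual()[2], reverse=True)
    return sorted(black | {r.ref for r in ranked[:top_n]})


# Worked example R1 from Steps 2 and 3 (the guide's indicative Housing Benefits figures).
R1 = Risk(
    ref="R1",
    statement="A lack of suitably trained and available staff limiting ability to deliver efficient services",
    owner="Head of Housing Benefits (assumed owner, for illustration only)",
    inherent_domains={"service": 4, "reputation": 3, "health_safety": 2,
                      "regulatory": 2, "financial": 3, "environmental": None},
    inherent_likelihood=5,
    residual_likelihood=2,  # succession plan plus shared staff, per the residual risk table
)

if __name__ == "__main__":
    for label, (i, l, s, c) in (("Inherent", R1.inherent()), ("Residual", R1.residual())):
        print(f"{label}: impact {i} ({IMPACT_LABELS[i]}), likelihood {l} "
              f"({LIKELIHOOD_LABELS[l]}), score {s} -> {c}")
```

Run as a script it reports R1 at Impact 4, Likelihood 5, score 20 (Black) inherent and Impact 4, Likelihood 2, score 8 (Amber) residual, matching the worked example. Because `overall_impact` takes a maximum rather than a mean, the catastrophic-environmental/moderate-financial case from the Step 2 questions comes out as level 5, and `band_for` rejects any score that cannot arise from the 5 x 5 matrix, which catches a transcription error in a register before it is plotted.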

Once you have established a risk score, you will need to plot that score onto the risk matrix which produces an overall risk profile.  Use an arrow to show how your view of the risk has developed as a result of actions planned to address (example below).

Residual risk matrix

Questions and Answers

Where should I focus my treatment of risk?

A useful approach here will be to consider what factors drove your original assessment of the inherent risk.  Is the impact most severe in financial terms? Or reputational terms, perhaps? Consider where you can most efficiently take action to reduce the score of the risk, not forgetting that it is often the controls that limit the likelihood of a risk becoming an event that are the most effective.

Can I have more than one action for each option to address the risk (for instance two different controls)?

Of course.  In fact, it is probably advisable so that you have back-up plans if for any reason ‘Plan A’ doesn’t deliver the benefits you had hoped.

What if I need additional resources to treat risks?

You should always consider whether your plans to address risk are proportionate to the risk.  There is little merit, for instance, in a significantly costly additional control system in order to yield a minor reduction in risk score.  However, a potential reduction in the risks the organisation faces would be a legitimate part of any discussion around resource allocation.  For advice and guidance on what might be cost-effective steps to reduce risk please see the contact details in Appendix II.

Step 4 – Review Risks

Once you have identified your risks and determined the inherent and (if required) residual risk, record this information on the risk register accompanying your service plan or project documentation and send it to Internal Audit using the contact details in Appendix II.  Internal Audit may have some further questions and discussion before finalising.

An example risk register format is at Appendix V and also available as an Excel template.

Once finalised, Internal Audit will compile a comprehensive register of the Council's risks.  This register will be updated periodically, so please continue to send risk updates to Internal Audit as they arise.

Internal audit will monitor the risk register and periodically request updates, particularly as anticipated actions fall due.

Internal audit will also maintain a listing of all BLACK inherent risks plus the top 10 risks across the Council.  This summary register will be kept live and updated, and reported to Senior Management each quarter.

Twice a year, in January and July, the summary register will also be reported to Members at the Policy and Resources Committee for review.

Appendix 1: Impact & Likelihood Scales 2015/16

Risk Impact

Level / Service Risk / Reputation Risk / Health & Safety / Legal Risk / Financial Risk / Environment Risk

Catastrophic (5)
  Service Risk: Ongoing failure to provide an adequate service.
  Reputation Risk: Perceived as failing authority requiring intervention.
  Health & Safety: Responsible for death.
  Legal Risk: Litigation almost certain and difficult to defend.  Breaches of law punishable by imprisonment or significant fines.
  Financial Risk: Uncontrollable financial loss or overspend over £500k.
  Environment Risk: Permanent, major environmental or public health damage.

Major (4)
  Service Risk: Failure to deliver Council priorities.  Poor service.  Disrupted 5 days+.
  Reputation Risk: Significant adverse national publicity.
  Health & Safety: Fails to prevent death, causes extensive permanent injuries or long term sickness.
  Financial Risk: Financial loss or overspend greater than £250k.
  Environment Risk: Long term major public health or environmental incident (1 year+).

Moderate (3)
  Service Risk: Unsatisfactory performance.  Service disrupted / stopped 1-2 days.
  Reputation Risk: Adverse national publicity or significant adverse local publicity.
  Health & Safety: Fails to prevent extensive, permanent injuries or long term sickness.
  Legal Risk: Litigation expected, but defensible.  Breaches of law punishable by fines.
  Financial Risk: Financial loss or overspend greater than £50k.
  Environment Risk: Medium term major public health or environmental incident (up to 1 year).

Minor (2)
  Service Risk: Marginal reduction in performance.  Service disrupted / stopped 1-2 days.
  Reputation Risk: Minor adverse local publicity.
  Health & Safety: Medical treatment required, potential long term injury or sickness.
  Legal Risk: Complaint likely, litigation possible.  Breaches of regulations or standards.
  Financial Risk: Financial loss or overspend greater than £10k.
  Environment Risk: Short term public health or environmental incident (weeks).

Minimal (1)
  Service Risk: No significant service impact.  Service disruption up to 1 day.
  Reputation Risk: Unlikely to cause adverse publicity.
  Health & Safety: First aid level injuries.
  Legal Risk: Unlikely to cause complaint.  Breaches of procedures.
  Financial Risk: Financial loss or overspend under £10k.
  Environment Risk: Environmental incident with no lasting detrimental effect.

Risk Likelihood

Type / Probability / Detailed description

  • Almost certain (5), 90%+: Without action, is likely to occur; frequent similar occurrences in local government/Council history.
  • Probable (4), 60-90%: Strong possibility; similar occurrences known often in local government/Council history.
  • Possible (3), 40-60%: Might occur; similar occurrences experienced in local government/Council history.
  • Unlikely (2), 10-40%: Not expected; rare but not unheard of occurrence in local government/Council history.
  • Rare (1), 0-10%: Very unlikely to occur; no recent similar instances in local government/Council history.

Appendix 3: Approach Summary Flowchart

Step 1 - Identify Risks

Best done in groups, by those responsible for delivering objectives, at all levels.

RISK is the chance of something happening that will impact on the objectives.

Consider both THREATS and OPPORTUNITIES

When to consider:

  • Setting business aims and objectives
  • Service planning
  • Target setting
  • Partnerships & Projects
  • Options appraisals

Think what more could go wrong and what more could we achieve?

Step 2 - Evaluate Risks

Combination of the impact and likelihood of an event and its consequences (the inherent risk)

Black - Top risk, immediate action and reporting to directors.

Red - High risk, immediate action

Amber - Medium risk, review current controls

Green - Low risk, limited action, include in plans

Blue - Minimal risk, no action but review

Step 3 - Treat Risks

Concentrate on top risks, 10 to 12 in number

  • Can we reduce likelihood?
  • Can we reduce impact?

Risk Response - 4 Ts

  • Treat (i.e. apply controls)
  • Tolerate (i.e. accept risk)
  • Transfer (i.e. insurance)
  • Terminate (i.e. stop activity)

After your risk response:

Where does it score now? (the mitigated risk)

Devise contingencies and action plans for 'Red' and 'Black' risks - seek to reduce mitigated risk back to 'Amber' or below.

Step 4 - Review Risks

Risk Registers

  • Contain all identified risks, Management Action Plans for top risks
  • Prepare and monitor as regular agenda item
  • Indicate risk response and risk owner

Council risk monitoring

  • Risk registers passed to internal audit
  • Action led periodic review to ensure registers kept current

Council's Top Risks

  • Top ten mitigated risks and all inherent 'Black' risks monitored as regular item at Leadership Team
  • Six monthly monitoring at Policy & Resources committee
  • Annual monitoring of process at Audit, Governance & Standards Committee