Risk Management

Annual Report

Audit, Governance & Standards Committee

March 2021

Introduction

Effective risk management sits at the heart of the Council and is a cornerstone of good governance. The events of the last year have shown how important it is for us to be aware of key risk issues and to have the right mechanisms in place to plan and respond to risks before they materialise. The risk management framework and processes enable us to be aware of risks on the horizon and to understand their severity and likelihood. By understanding our risks, we can better plan and prepare; this, in turn, increases our ability to deliver and achieve our ambitions and objectives.

The purpose of this report is to provide assurance to Members of Audit, Governance and Standards that the Council has effective risk management arrangements in place, and that risks identified through this process are managed and monitored appropriately. This assurance is vital to enable the Committee to fulfil the responsibilities as set out in the Terms of Reference:

“In conjunction with Policy and Resources Committee to monitor the effective development and operation of risk management and corporate governance in the Council to ensure that strategically the risk management and corporate governance arrangements protect the Council.”

 

Roles & Responsibilities

We (Mid Kent Audit) are responsible for the risk management processes across the Council.  Our role includes regular reporting to Officers and Members, through the Corporate Leadership Team (CLT), Policy & Resources Committee and the Audit, Governance & Standards Committee.  We also provide workshops, training, and facilitate the effective management of risks across all levels of the Council.  

Having valuable and up to date risk information enables both Executive and oversight functions to happen effectively. The Policy & Resources Committee has overall responsibility for the risks identified through the risk process and will review the substance of individual risks to ensure that issues are appropriately monitored and addressed.

As those charged with governance and oversight, the Audit, Governance & Standards Committee are required to seek assurance that the Council is operating an effective risk management process.

 

 

The Risk Process

Risk management is a continuous process and primarily seeks to identify and understand those things that are uncertain. The risk management framework is the guide that sets out how the Council identifies, manages, and monitors uncertainty. This includes a clear risk appetite statement articulating the Council’s tolerance to risk. The framework was reviewed, updated and approved by Policy and Resources Committee in April 2019. 

Figure 1: Risk Management Process Summary

The illustration above shows how we move through the risk management process from initial risk identification, evaluation and then to response. The regular and ongoing monitoring of risks becomes vital in ensuring that we are responding to the risks in the right way and that our resources are deployed and focussed on the biggest issues.

Corporate risks are more strategic in nature. These risks, by their very definition, inherently carry a higher impact level as they affect multiple services. They are the risks that could prevent the Council from achieving its ambitions and priorities.

We identify risks across 3 levels: corporate (strategy), operational and projects. All Council services, including Shared Services, maintain an operational risk register, and these risks are updated, monitored, and reported through Wider and Corporate Leadership Team.

 

Operational risks are directly linked with the day to day operation of services. Operational risks can nonetheless have potential for significant impact. Project risks are designed to capture uncertainties over the delivery of our largest projects. These risks principally consider cost, time, and quality.
 

 

 

 


Risk Appetite

Our risk appetite guides how much risk we are willing to seek or accept to achieve our objectives.  We recognise effective risk management considers not just threats but also opportunities. So, our approach to risk is to seek the right opportunities and, where possible, minimise threats. To achieve our ambitions, we recognise that taking risks and facing risks will be inevitable. Our risk appetite encourages managed risk taking for minor to moderate level risks but seeks to more closely control those risks that come further up the scale.

Beyond our risk appetite is our risk tolerance.  This sets the level of risk that is unacceptable, whatever opportunities might follow. In such instances we will aim to reduce the risk to a level that is within our appetite. We illustrate our risk tolerance in the matrix below. As we are currently facing significantly challenging times following the pandemic, our tolerance level is set in the RED shaded area and above. Risks in and above this area require direct focus and oversight above that of risks within the AMBER line and below.

When evaluating risks, we consider impact and likelihood (definitions attached in Appendix a).

· Impact: This is a consideration of how severely the Council would be affected if the risk were to materialise.

· Likelihood: This is a consideration of how likely it is that the risk will occur. In other words, the probability that it will materialise.

To understand the scale of risks the following guidance is available to risk owners when evaluating their risks: 

| Risk score | Guidance |
|---|---|
| 20-25 | Identify the actions and controls necessary to manage the risk down to an acceptable level. Risks of this level are regularly reported and monitored by Corporate Leadership Team. |
| 12-16 | Identify controls to treat the risk impact / likelihood and seek to bring the risk down to a more acceptable level. Risks of this level are reported and monitored by Corporate Leadership Team each quarter. |
| 5-10 | Keep these risks on the radar and update as and when changes are made, or if controls are implemented. Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda. |
| 3-4 | Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continue to pose a low level. |
| 1-2 | No actions required but keep the risk on your risk register and review annually as part of the service planning process. |

Corporate Risk Portfolio

The Council’s corporate risks are those risks which could impede the achievement of our strategic aims and objectives. As the most significant areas of uncertainty, corporate risks are reported to Corporate Leadership Team on a regular basis to ensure effective oversight and management.

The full corporate risk register is also reported and published to the Policy & Resources Committee quarterly. The most recent update went in February 2021.

The table below summarises the top 11 corporate risks and tracks movement of the risk over the last 18 months:

| Risk Title | Score before mitigation: Jun 20 | Score before mitigation: Nov 20 | Score before mitigation: Jan 21 | Movement |
|---|---|---|---|---|
| Contraction in retail & leisure sectors | 25 | 25 | 25 | - |
| Financial restrictions | 20 | 20 | 20 | - |
| Environmental damage | 16 | 16 | 16 | - |
| Brexit / EU transition | 16 | 16 | 16 | - |
| Major unforeseen emergency | 15 | 15 | 15 | - |
| Covid-19: Restrictions to Council operations | 20 | 12 | 12 | - |
| Covid-19: Community & business recovery | | 12 | 12 | - |
| Housing pressures increasing | 12 | 12 | 12 | - |
| IT security failure | 12 | 12 | 12 | - |
| Not fulfilling residential property responsibilities | 12 | 12 | 12 | - |
| Major contractor failure | | 12 | 12 | - |

This summary illustrates that corporate risks are actively being reported and monitored and that processes are in place to ensure new emerging issues are captured and escalated.

Operational Risks

Operational risk registers are in place for each service and are reviewed and updated routinely depending on severity. Managers and Heads of Service are responsible for managing operational risks. In accordance with the Council’s risk tolerance, Wider and Corporate Leadership Teams receive risk updates throughout the year and will monitor and review risks through that process.

We are currently wrapping up work to refresh all of the operational risks across each service, including specific work to identify any risks arising from our new ways of working, working under crisis and resilience risks arising from COVID-19. Outcomes of this work will be reported in the usual way to Management and then on to Policy & Resources Committee.

Next Steps

Risk management is a continuous process, and we will continue to build on and improve the arrangements to further strengthen the risk management arrangements and to develop a positive risk culture across the Council. 

We have set out our priorities over the coming year in a risk management plan. The key areas of focus are set out below:

Risk management is only as effective as the risks that are identified, and the action taken to address those risks. We continue to receive a positive level of engagement and support from Senior Officers and Managers across the Council which has enabled the risk management process to develop and embed.

We would like to take this opportunity to thank officers and Members for their continued work and support.


Appendix a

Impact & Likelihood Scales

Risk Impact

         

Risk Likelihood