Risk Management

Annual Report

 

 

Audit, Governance & Standards Committee

March 2022

 

 


 

Introduction

Effective risk management sits at the heart of the Council and is a cornerstone of good governance. The risk management framework and processes enable us to be aware of risks on the horizon and to understand their severity and likelihood. By understanding our risks, we can better plan and prepare; this, in turn, increases our ability to deliver and achieve our ambitions and objectives.

The purpose of this report is to provide assurance to Members of the Audit, Governance and Standards Committee that the Council has effective risk management arrangements in place and, moreover, that risks identified through this process are managed and monitored appropriately. This assurance is vital to enable the Committee to fulfil its responsibilities as set out in the Terms of Reference:

 

“In conjunction with Policy and Resources Committee to monitor the effective development and operation of risk management and corporate governance in the Council to ensure that strategically the risk management and corporate governance arrangements protect the Council.”

 

Roles & Responsibilities

We (Mid Kent Audit) are responsible for facilitating and coordinating the risk management processes across the Council. Our role includes regular reporting to Officers and Members, through the Corporate Leadership Team (CLT), Policy & Resources Committee and the Audit, Governance & Standards Committee. We also provide workshops and training, and facilitate the effective management of risks across all levels of the Council.

Having valuable and up-to-date risk information enables both Executive and oversight functions to happen effectively. The Policy & Resources Committee has overall responsibility for the risks identified through the risk process and will review the substance of individual risks to ensure that issues are appropriately monitored and addressed.

As those charged with governance and oversight, the Audit, Governance & Standards Committee are required to seek assurance that the Council is operating an effective risk management process.

 

 


 

The Risk Process

As a Council we define risk as a potential future event that, if it materialises, affects the achievement of our objectives. Risk management is a continuous process which primarily seeks to identify and understand those things that are uncertain. The regular and ongoing monitoring of risks is vital in ensuring that we are responding to the risks in the right way and that our resources are deployed and focussed on the biggest issues.

The Risk Management Framework is the guide that sets out how the Council identifies, manages, and monitors uncertainty. This includes a clear risk appetite statement articulating the Council’s tolerance to risk. The framework was reviewed, updated and approved by Policy and Resources Committee in April 2019.  The risk management process can be illustrated as follows:

Since a risk is an event that could affect the achievement of the Council’s objectives, the process starts with considering what the corporate or service objectives are.  Consideration is then given to what could happen in the future to affect the achievement of these objectives. 

Once identified, risks are then evaluated, with risk owners understanding how big the current risk is by considering:

· The existing controls which are already in place to manage the risk

· How severely the organisation would be affected if the risk occurs (the impact)

· The possibility of the risk materialising and becoming an event that needs managing (the likelihood)

Appendix a includes the definitions used to guide the impact and likelihood evaluations and ensure consistency in measuring risks.

 

 

The next step is to determine what, if any, action will be taken to respond to the risk.  The baseline level of response is determined by the Council’s risk tolerance and appetite, which are illustrated as follows:

The following table outlines what risk owners should do to respond to their identified risks:

20-25: Identify the actions and controls necessary to manage the risk down to an acceptable level. Risks of this level are regularly reported and monitored by Corporate Leadership Team.

12-16: Identify controls to treat the risk impact / likelihood and seek to bring the risk down to a more acceptable level. Risks of this level are reported and monitored by Corporate Leadership Team each quarter.

5-10: Keep these risks on the radar and update as and when changes are made, or if controls are implemented. Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.

3-4: Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continue to pose a low level of risk.

1-2: No actions required but keep the risk on your risk register and review annually as part of the service planning process.

Where necessary, planned actions should be documented, and the impact and likelihood scores reassessed to determine the mitigated risk.

All identified risks and associated information are captured in the Council’s comprehensive risk register.  This is used to monitor and report on risks to ensure action is being taken as necessary and changes are captured in updates to the risks.  Appendix b summarises the overall process and step 4 outlines the routine risk reporting. 


 

2020-21 Risk Processes In Action

The risk management processes outlined in the Framework have been in operation throughout the year, and the following timeline summarises the work completed: 

A Risk Workshop was run with WLT and CLT during the summer.  The workshop considered future threats to the delivery of our priorities for 2021 and reviewed the Council’s corporate risks.  From this a number of external threats were identified and the corporate risk register was updated.  Routine risk updates to CLT and Policy & Resources Committee include, in addition to the risk profiles and key risk details, external threats on the horizon.  This provides an opportunity for the Council to consider what risks may be emerging – hopefully allowing us to identify any pandemic-scale risks.

To remain effective, risk management should be fully integrated across the organisation. It needs to be a valuable tool that helps services meet objectives, is proportionate, and adds insight and value. Our existing risk management processes are admin intensive, restricting the time available for further work to embed risk across the Council. Furthermore, current processes require the prompting of risk leads to ensure risk information remains up to date, and services / senior management do not have ‘live’ access to their risk information. To address these issues, risk management software called JCAD was purchased. The software has been built to reflect the Council’s risk management processes so that it is tailored to the Council’s approach. The roll-out of the system can happen once the new interface (‘Core 5’) has been released by JCAD - this is planned for completion in the next couple of weeks.

During December 2021 the Council’s insurers, Zurich, performed a desktop review of the Framework and how risk information is reported. The report concluded that good arrangements are in place with “evidence of a strong process led by the audit function as the key conduit for the flow of information.” Recommendations were made to enhance risk management processes, and many of these will be addressed through implementation of the JCAD software. The remaining recommendations have been incorporated into the 2022-23 work plan. While recommendations to improve the Council’s risk management processes were made, the report concludes that: “These comments don’t take away from the overall impression of strong framework with solid processes .. and engagement from senior leadership as well as service leaders.”

The Director of Finance and Business Improvement routinely reports a budget strategy risk update that considers factors likely to affect the Council’s budget position.  This has been reviewed and updated during the year in line with the Risk Management Framework.

The following diagram depicts the risk profile last reported to Audit Committee in March 2021 and how it has changed during the year.  The current rating is the risk to the Council assuming all existing controls are working as expected to manage the risk. 

 


Corporate Risk Portfolio

The Council’s corporate risks are those risks which could impede the achievement of our strategic aims and objectives. As the most significant areas of uncertainty, corporate risks are reported to Corporate Leadership Team on a regular basis to ensure effective oversight and management.

The full corporate risk register is also reported and published to the Policy & Resources Committee quarterly. The most recent update went in February 2021. The table below summarises the 17 corporate risks and how they’ve changed over the last 12 months. This illustrates that corporate risks are actively reported and monitored and that processes are in place to ensure new risks are captured and escalated.

Current Score (I x L)

| Risk Title | Apr 21 | Nov 21 | Jan 22 |
|---|---|---|---|
| Contraction in retail sector | 25 (5 x 5) | 25 (5 x 5) | 25 (5 x 5) |
| Financial uncertainty | 20 (4 x 5) | 20 (4 x 5) | 20 (4 x 5) |
| Environmental damage | 16 (4 x 4) | 16 (4 x 4) | 16 (4 x 4) |
| Brexit / EU Transition | 16 (4 x 4) | Removed | |
| Major unforeseen emergency | 15 (5 x 3) | 15 (5 x 3) | 15 (5 x 3) |
| Covid-19: Restrictions to Council operations | 12 (4 x 3) | 9 (3 x 3) | 12 (4 x 3) |
| Covid-19: Community & business recovery | 12 (4 x 3) | 8 (4 x 2) | 8 (4 x 2) |
| Housing pressures increasing | 12 (4 x 3) | 16 (4 x 4) | 16 (4 x 4) |
| IT Security Failure | 12 (4 x 3) | 12 (4 x 3) | 12 (4 x 3) |
| Not fulfilling residential property responsibilities | 12 (4 x 3) | 12 (4 x 3) | 12 (4 x 3) |
| Major contractor failure | 12 (4 x 3) | 12 (4 x 3) | 12 (4 x 3) |
| Ability to access / leverage new funding | | 9 (3 x 3) | 9 (3 x 3) |
| Reduce effectiveness of relationships with strategic partners | | 9 (3 x 3) | 9 (3 x 3) |
| Governance changes | | 12 (4 x 3) | 12 (4 x 3) |
| Resilience of the voluntary and community sector | | 9 (3 x 3) | 9 (3 x 3) |
| Loss of workforce cohesion & talent | | | 12 (3 x 4) |
| Sig. changes in contractor costs & possible contractor insolvency | | | 20 (4 x 5) |

 

Operational Risks

Operational risk registers are in place for each service (including shared services) and are reviewed and updated routinely depending on severity. Managers and Heads of Service are responsible for managing operational risks. In accordance with the Council’s risk tolerance, Wider and Corporate Leadership Teams receive risk updates throughout the year and will monitor and review risks through that process.

The overall number of operational risks has remained largely unchanged, although there have been changes within individual services, with some areas removing risks and others adding them. There has also been an overall decrease in the number of red/black risks from 31 in April 2021 to 22 in February 2022.

The black risks in April 2021 related to various impacts from Covid, namely on: tourism and visitor numbers, grant schemes and council tax / business rates collection. Over the course of the year all but one of these risks have reduced to within the Council’s appetite. The remaining black risk is:

Infrastructure Improvements

Service Area: Economic Development

Ownership: John Foster

Score: I4 x L5 (20)

Risk: Infrastructure improvement to road, rail, public transport, cycling, community & social infrastructure and broadband fail to take place due to lack of investment or change to government priorities.

Existing Controls:

· Work with KCC on Broadband

· Continue to work with KCC, Network Rail and Helen Grant MP to secure Thameslink services and further improvements

· KCC Transport Planner working for and assisting MBC

· Maidstone Strategic Infrastructure Working Group in place and includes delivery of improvements to Loose Road corridor

· Ongoing agenda item in RED

· Manager supervision and regular 121's

· The Integrated Transport Strategy and Infrastructure Delivery Plan are managed by the Strategic Policy Team

Risk Response:

· Continue to monitor what will replace the SE Rail franchise

· Making Maidstone More Active project to identify sports facility requirements across the Borough

· Future options for Mote Park Leisure centre to be considered by ERL during 2021 as the contract with MLT and Serco comes to an end in August 2024

Risk review: April 2022

Risk direction over time:

Score: I4 x L3 (12)

 

This risk continues to be monitored and action is ongoing to reduce the risk.

Implementation of JCAD will provide an opportunity to refresh all operational risk registers.  The outcome of this work will be reported in the usual way to Management and then on to Policy & Resources Committee.


 

Next Steps

Risk management is a continuous process, and we will continue to build on and improve the arrangements to further strengthen risk management processes and to develop a positive risk culture across the Council. 

As part of the wider Mid Kent Audit annual planning process, we consider the work needed to support the Council in maintaining effective risk management arrangements.  This involves reflecting on the work delivered during 2021-22 and balancing the work plan for the coming year with the needs of the Council and the resources available.

The following provides an overview of the risk work planned for 2022-23, and the key areas of focus for our work.  We appreciate that circumstances are changeable and so the plan will be kept under review and amended where necessary.    

 

Risk management is only as effective as the risks that are identified, and the action taken to address those risks. We continue to receive a positive level of engagement and support from Senior Officers and Managers across the Council which has enabled the risk management process to develop and embed.

We would like to take this opportunity to thank officers and Members for their continued work and support.


Appendix a

Impact & Likelihood Scales

Risk Impact

           

Risk Likelihood


 


Appendix b

One Page Process Summary