Risk Management Process Refresh

Policy & Resources Committee

24 June 2015

Is the final decision on the recommendations in this report to be made at this meeting?

Yes

 


 

Final Decision-Maker: Policy & Resources Committee

Lead Director or Head of Service: Director of Environment and Shared Services

Lead Officer and Report Author: Head of Audit Partnership

Classification: Non-Exempt

Wards affected: n/a

 

 

This report makes the following recommendations to the final decision-maker:

1.    Approve moving ahead with the process to build and maintain a comprehensive risk register as set out in section 4 and Appendix 1.

2.    Delegate to the Chief Executive (as the accountable officer) authority to take operational decisions necessary for the ongoing maintenance and review of the risk register.

3.    Agree to receive and consider biannual summary risk register reports for review, scheduled for January and July.

 

 

This report relates to the following corporate priorities:

·         Great People

·         Great Place

·         Great Opportunity

 

 

Timetable

Meeting | Date
Policy and Resources Committee | 24 June 2015
Council | n/a
Other Committee | n/a




 

 

1.                        PURPOSE OF REPORT AND EXECUTIVE SUMMARY

 

1.1      This report leads on from a review undertaken by Mid Kent Audit of risk management processes at another authority; several of the matters raised were also relevant to Maidstone BC.  While it is important to recognise that the Council’s current approach to risk management is adequate – in the sense that the external audit value for money conclusion and Head of Internal Audit opinion are both unqualified – there exists capacity to refresh the process in order to achieve efficiencies and better quality outcomes.  Specifically, the revisions to the process seek to achieve:

 

·         Increased clarity in roles and responsibilities for risk management, placing the process clearly within the scope of a named responsible director (the Director of Environment and Shared Services) and a service (internal audit).

·         A more uniform approach across the Council, allowing for a comprehensive overview of risk as it exists and evolves and consideration within the context of the Council’s operations as a whole, and

·         Clearly scheduled opportunities for review of risk by senior officers and members.

 

1.2      Based on the review of risk management approaches adopted elsewhere across the public and private sectors, and consultation and workshops with Council officers and Members, the Council has developed a refreshed approach to risk management summarised in appendix I.  This approach aims to realise the additional benefits of a revised process as described above within current resources (principally delivered administratively in year one by internal audit in line with the Audit Plan agreed by the Council’s Audit Committee on 30 March 2015).

 

1.3      This report outlines the approach, inviting comment from Members, and asks their approval that it be implemented to the timescale and with the intended outcomes described.

 

 

2.                        INTRODUCTION AND BACKGROUND

 

2.1      The formal definition of risk management, drawn from the HM Treasury Orange Book, is: “all the processes involved in identifying, assessing and judging risks, assigning ownership, taking action to mitigate or anticipate them as well as monitoring and reporting on what has been done”.  More succinctly, risk management is how the Council identifies, prioritises and deals with the risks it faces.

 

2.2      The Council’s current process was developed almost ten years ago in direct response to the challenge of the Audit Commission via the Comprehensive Performance Assessment regime.  The content has been refreshed over this period with the Cabinet and with the external support of Zurich Municipal.  Over time the formal ‘written’ approach has been largely superseded in practice by an informal approach to risk that, while practically functional as a management tool, is difficult to assess and review and does not clearly provide to Members or officers a comprehensive overview of the Council’s developing risks and their management.

 

2.3      Leading on principally from an in-depth review undertaken at another authority with similar (though not identical) informal practices, internal audit has been working with officers during 2014/15 in developing an approach that seeks to minimise those weaknesses and efficiently realise further benefits.

 

 

 

3.                        AVAILABLE OPTIONS

 

3.1         Maintaining the existing, largely informal process potentially leaves the Council vulnerable to having an incomplete or inconsistent understanding of risk, with consequent limitations in the quality of its decision making. 

 

3.2         The alternative approach being proposed is summarised at appendix 1 and is deliverable within existing resources as agreed within the Internal Audit Plan.

 

 

 

4.         PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS

 

4.1         The approach is summarised in appendix 1 and will be supported by a more detailed manual for use by officers.  It is anticipated the approach will realise the benefits noted in the introduction:

 

Increased clarity of roles

 

4.2         The process will be owned and managed by internal audit in the first instance.  It is important to note that it is the process that is owned and managed by internal audit; the substantive responses to risks will remain the domain of risk owners.  Ownership of the risks remains with the lead officers in the Council. This distinction maintains internal audit’s independent position and is consistent with guidance circulated by the Institute of Internal Auditors on the reasonable extent of audit’s role in risk management.  Having a clear process owner, and Corporate Leadership Team level sponsor, will ensure the process is kept updated and live, not least by being informed by the ongoing results of other audit work.

 

4.3         The proposal also makes clear the distinct roles of Members, specifically the role of this Committee in periodic review of the substance of the risk register and progress on actions underway to mitigate specific risks. This compares with the role of the Audit, Governance and Standards Committee in taking an overview of the mechanics of the process and its effectiveness in providing assurance.

 

A more uniform and comprehensive approach

 

4.4         The proposed process includes greater detail on the definitions of both the impact and likelihood of risks (for example, by indicating what level of financial risk the Council could reasonably bear) to allow for a common scale across risks.  This will be so whether those risks arise from services, from projects, from audit review or from high level strategic discussions.

 

4.5         The process results in the construction of a comprehensive risk register, drawing together risks from all those sources to a common scale and keeping that register updated both through information provided by project boards/services/senior management and the results of audit work.

 

Clearly scheduled reviews

 

4.6         The comprehensive risk register will be kept updated and so, potentially, will be available for ad hoc review.  However, periodic reviews are proposed to ensure oversight is appropriate and maintained.  Review of a summary risk register is proposed, comprising all of the absolute highest scoring risks plus a selection of other major issues.  Informally this has been called a ‘top 10 risks’ listing but the actual number is likely to vary with circumstance and will be consulted on as part of agenda setting meetings ahead of the relevant Corporate Leadership Team or Committee meetings.

 

4.7         The process proposes quarterly review of the summary risk register by the Corporate Leadership Team (December, March, June, September) and biannual review by this Committee.  It is proposed that those reviews are in January (in part to inform the budget setting process in January/February each year) and July (in part to inform approval of the Council’s Annual Report and Accounts).

 

 

5.        CONSULTATION RESULTS AND PREVIOUS COMMITTEE FEEDBACK

 

5.1         The process has been developed in consultation with the Corporate Leadership Team and other workshops involving officers and Members.

 

6.        NEXT STEPS: COMMUNICATION AND IMPLEMENTATION OF THE DECISION

 

6.1         If agreed, the outline timetable leading up to the first review of the summary risk register is:

 

·         July-October 2015: Audit attendance at service management meetings and project boards across the Council to develop service/project risk registers.  Also continuing discussion with the Policy team on incorporation of the approach within simultaneously developing service planning and project management processes.

·         Autumn 2015: Based on the strategic plan, risk workshop with senior officers and Members looking to refresh and update the ‘strategic’ risks.

·         November 2015: First comprehensive risk register compiled by audit.

·         December 2015: First summary risk register review by Corporate Leadership Team.

·         January 2016: First summary risk register review by this Committee.

·         Spring 2016: Risks refreshed as part of revised service planning process.

·         Spring/Summer 2016: Audit, Governance and Standards Committee review of effectiveness of the risk management process.

 

6.2      As the comprehensive risk register is compiled the Council will continue to operate its existing risk management processes.  As noted in paragraph 1.1, the existing process is adequate to meet the Council’s regulatory and audit requirements and so there is no detriment to continuing this process in the short term (though the Council will only benefit from the refreshed approach once implemented).

 

 

7.        CROSS-CUTTING ISSUES AND IMPLICATIONS

 

 

Issue | Implications | Sign-off
Impact on Corporate Priorities | No significant impact. It is expected that once the register has been produced there will be a close alignment with the corporate priorities. | David Edwards
Risk Management | Risk management is the principal focus of the proposal. | Rich Clarke
Financial | The proposed process is to be delivered within existing resources as approved by the Audit Committee. | Suzan Jones
Staffing | The proposed process is to be delivered within existing resources as approved by the Audit Committee. | Rich Clarke
Legal | No significant impact in terms of the proposal; however, there may be legal implications arising from any risks identified and these can be addressed at that stage. | Donna Price
Equality Impact Needs Assessment | No significant impact. |
Environmental/Sustainable Development | No significant impact. |
Community Safety | No significant impact. |
Human Rights Act | No significant impact. |
Procurement | No significant impact. |
Asset Management | No significant impact. |

 




8.         REPORT APPENDICES

 

The following documents are to be published with this report and form part of the report:

·               Appendix I: Risk Management Process Summary Information

 

 

9.         BACKGROUND PAPERS

 

None applicable.