Policy & Resources Committee

17 February 2016


Comprehensive Risk Register Update


Final Decision-Maker

Corporate Leadership Team

Lead Head of Service

Rich Clarke: Head of Audit Partnership

Lead Officer and Report Author

Rich Clarke: Head of Audit Partnership



Wards affected




This report makes the following recommendations to the final decision-maker:

1.    To note the key risks facing the Council and the measures in place for their management.

2.    To agree to receive updates on the risk position at approximately 6 monthly intervals.

3.    To agree to receive a report back on a formal statement of the Council’s risk appetite for approval by September 2016.



This report relates to the following corporate priorities:

·         Keeping Maidstone Borough an attractive place for all –

·         Securing a successful economy for Maidstone Borough –


The risk register spans all issues facing the Council that may impede or delay achievement of its corporate priorities.











1.1      In July 2015 the Policy and Resources Committee approved the outline of a refreshed way to achieve a comprehensive risk management approach at Maidstone Borough Council.  The full strategy emanating from that decision is included at appendix II and has been used over the past few months as a basis for compiling a comprehensive risk register.


1.2      The comprehensive risk register aimed to collate in one place and on a common structure all of the risks currently being faced by the Council itself, its service departments and key projects to provide a picture of the major threats to the authority.  That exercise is now complete and this report presents the first output to Leadership Team and Members.  However, the risks faced by the Council are under continual change as circumstances and our controls develop.  Therefore the final part of the report gives an indication of the next steps for risk management and where Members can obtain further information.





2.1      Following the July decision, Mid Kent Audit began working with services across the Council to identify and evaluate the risks they face in seeking to achieve their objectives.  This included undertaking around 20 individual risk workshops with service managers explaining the new framework and helping them identify and shape their risks.  For some services, especially shared services, this built on existing work undertaken as part of planning to create collaboration agreements.


2.2      A second thread of compiling the register examined the Council’s major projects.  Under the Project Management Handbook projects are expected to compile and monitor their own risk registers and we incorporated those details within the overall risk register to reflect the impact of project risks on the Council as a whole.


2.3      The final major thread sought to examine corporate level risks, meaning those which affect the Council’s strategic objectives. While in some instances these will be service issues writ large (e.g. difficulty in recruiting and retaining staff) others will be ‘macro’ issues that transcend their impact on individual services (e.g. failure to develop a coherent vision for MKIP). To assist with the identification and evaluation of these risks the Council commissioned Grant Thornton to facilitate a risk workshop attended by senior officers and Members.


2.4      The Grant Thornton risk workshop in December 2015 began with a presentation on the firm’s 20/20 Vision research piece, aiming to set the scene for the discussion by considering the Council’s current position relative to its neighbours and what challenges Maidstone, and the local government sector generally, will face over the next five years.


2.5      The workshop identified a range of corporate risks which have been incorporated within the register outturn reported here.  However, since the workshop the Council has received further information on the Finance Settlement and initial results from the Residents’ Survey, both of which have been taken into consideration when scoring the risks identified.  This also illustrates the broader point that the risks facing the authority are dynamic and supports the need to have a risk approach which allows for updating and flexibility to keep information useful and current. 


2.6      This also means that the risk scores are necessarily a point in time measurement and subject to change as circumstances and the Council’s risk appetite develop.  Currently, the chief component of any scoring has been the views of the risk owner, guided by the risk framework at appendix II, subject to some challenge and review by relevant Heads of Service and CLT.  As the risk approach continues to progress – noted under ‘next steps’ in Appendix I – we expect a more formal moderation and review process to develop.




3.1      There is no legal requirement on the authority to formally monitor its risks, still less is there a defined framework to do so.  Although failing to monitor and record risks will leave the Council vulnerable to external criticism – for example by its external auditors who are required to assess the effectiveness of risk management when considering their annual Value For Money conclusion – the Council could decide that is a price worth paying against using some of its resources to identify and monitor risk.


3.2      Even accepting the utility in gathering systematic monitoring information on the risks it faces, there is a wide range of different approaches the Council might adopt.  Even if one looks solely at the local government sector, there are myriad formats, structures and arrangements adopted to record and present information to senior officers and Members.






4.1      The approach taken by this report is a development of the approach approved by Members in July 2015 and has been reported through the Council’s Corporate Governance Group and Corporate Leadership Team.  Consequently it reflects the present belief on how information on risks and their management is most usefully held and displayed.  However, like the risks themselves, this approach must be kept under review to ensure that information is retained and presented in a way that supports good decision making. 


4.2      As set out in July 2015, the role of Members in the process is principally to satisfy themselves that key risks – as a group – are being effectively controlled and monitored by management.  While that will involve enquiry into individual risks as examples, responsibility for management of individual risks rests with the risk owners.  Consequently, this paper recommends that Members note and comment as appropriate on the highlighted risks (which are those rated as most acute at present) but does not propose any specific decisions on any individual risks.


4.3      The paper also invites the Committee to consider further evolution of the Council’s risk strategy, specifically the formulation and documentation of the Council’s risk appetite.  This is a key statement in risk-mature organisations which defines the amount and type of risk an organisation is willing to take in order to meet its strategic objectives.


4.4      An organisation cannot create a risk appetite statement in an information vacuum.  In order to formulate a risk appetite statement that will reflect the reality of the organisation’s outlook it will need to be road-tested against specific risks.  Now that the Council has collated comprehensive information on its risks, it is in a position to look across the risk picture as a whole and consider which risks it will tolerate, thus codifying its risk appetite. Since this is a key statement that specifically falls outwith the scope of audit to dictate to an organisation, this paper proposes that Members invite Corporate Leadership Team to begin consideration of how such a statement would be formulated and give initial comment on the role of Members in setting and then monitoring the overall risk appetite.





5.1      This report follows discussion at the Corporate Governance Group and Corporate Leadership Team.  The risks and responses detailed within were compiled after extensive consultation across the Council’s service management teams.





6.1      Subject to comments, further reports will be made to Policy & Resources Committee at six monthly intervals.


6.2      The timescale of creating a risk appetite statement will be the subject of further discussion, but the starting intention is for a report back to this Committee within the next six months.










Impact on Corporate Priorities

The report’s recommendations will help develop risk management at the Council which will, in turn, assist with being able to identify and address those issues which threaten achievement of corporate priorities.

Rich Clarke, Head of Audit Partnership

Risk Management

Risk management is the focus of the paper.

As above


There are no direct financial implications of the recommendations.

As above


There are no staffing implications associated with the recommendations.

As above


There are no legal implications for this report.

As above

Equality Impact Needs Assessment

This report does not describe circumstances which require an Equality Impact Needs Assessment.

As above

Environmental/ Sustainable Development

There are no environmental or sustainable development implications for this report.

As above

Community Safety

There are no community safety implications for this report.

As above

Human Rights Act

There are no implications for the Council’s responsibilities under the Human Rights Act in this report.

As above


There are no procurement implications for this report.

As above

Asset Management

There are no asset management implications for this report.

As above





The following documents are to be published with this report and form part of the report:

·         Appendix I: Maidstone Borough Council Risk Register

·         Appendix II: Risk Management Framework