MBC Risk Appetite Statement

Introduction

The Council formally adopted the risk management framework in July 2015 via the Policy and Resources Committee. Since that time, we have been providing risk updates on a regular basis to Corporate Leadership Team and to Members of the Committee.

Definitions

There are three key terms that are introduced as part of this statement:

Risk Appetite

The amount of risk that an organisation [the Council] is willing to seek or accept in the pursuit of its long term objectives[1]

At the highest level, risk appetite reflects the culture and philosophy of the Council's approach to taking risks. The risk appetite takes into consideration risk tolerance and also capacity.

Risk Tolerance

Risk tolerance is the amount of risk that the Council is willing to tolerate. While it is often used as a synonym for risk appetite, it is quite different.

Tolerances are more commonly quantitative in nature. They are thresholds that should guide Officers when they are considering risks, so that they understand the levels that should not be exceeded, or those thresholds that if breached require further mitigation and monitoring.

Risk Capacity

Risk capacity is the level of impact that we can bear in the event of the risk occurring. We may have measures in place to manage and monitor risks, but there is always a degree of uncertainty, and the chance that our objectives may not be met. It is important to know the capacity so that we do not take risks that exceed our ability to absorb the impact.

For instance, if we set a high appetite to accept the risks in taking commercial opportunities, we should be able to absorb the financial losses in the event of them failing.

Benefits

Effective risk management is a key component for achieving and maintaining good governance. In order for a risk management process to be effective it is important that risks are identified, evaluated, and appropriately managed. A key part of this is to set the risk appetite level.

Without a clearly articulated and well defined appetite for risk there is limited guidance in place for the organisation when making key decisions to keep them from taking decisions that bear major consequences. In an integrated risk management framework, how much risk the Council is willing to take will play a large part in the certainty of achieving its objectives / outcomes.

A clear understanding of our risk appetite and tolerance will help us to:

a) Exploit the right opportunities and make well informed decisions;

b) Identify resources that are being deployed on other risks that we are prepared to tolerate, and re-focus them on risks that are more business critical;

c) Clarify the thresholds above which risks should be escalated and monitored more frequently;

d) Improve the risk culture of the organisation to be aware of and manage the risks more relevant to the achievement of objectives, both operationally and corporately;

e) Provide assurance to Members and the public that the Council is aware of and managing its risks.

What does the risk appetite say about us?

The Council has set its ambitions in the Strategic Plan and recognises that in order to achieve these objectives it will need to take risks. The risk appetite statement acknowledges this fact, and that there are situations where we may accept more risk than others in pursuit of these objectives.

However, any risks will be carefully evaluated and managed to ensure that they are taken in an informed way, and with a full understanding of consequences, and other options. It also recognises that risks are not just about threats, but also about seeking out opportunities.

The risk appetite statement includes an illustrative risk matrix. This shows the level of risk impact that the Council is not willing to accept. Under no circumstances, for instance, will we put at risk the safety of residents or uncontrolled financial loss in excess of £500,000.

Below is the draft risk appetite statement which we would like Members to agree and adopt into the risk management framework. In addition, the following pages also include a 'risk response' guide for officers, and the impact and likelihood definitions.


Risk Appetite Statement

Our risk appetite guides how much risk we are willing to seek or accept to achieve our objectives. We recognise we will need to take risks, both in our ordinary business and to achieve the priorities set out in our Strategic Plan 2015-20. Good risk management ensures we make well informed decisions and we understand the associated risks. By ensuring that we properly respond to risks we will be more likely to achieve our priorities. It also provides control and a high level of due diligence consistent with our responsibilities in managing public money.

We recognise effective risk management considers not just threats but also opportunities. So, our approach to risk is to seek the right opportunities and, where possible, minimise threats. By encouraging managed risk taking, and considering all of the available options we seek a balance between caution and innovation.

Our risk appetite reflects our current position; encouraging managed risk taking for minor to moderate level risks, but controlling more closely those risks that come further up the scale. Our appetite for risk will vary over time depending on our ambitions and priorities and the environment we work in.

Beyond our risk appetite is our risk tolerance. This sets the level of risk that is unacceptable, whatever opportunities might follow. In such instances we will aim to reduce the risk to a level that is within our appetite.

We illustrate our risk appetite and tolerance in the matrix below. The RED shaded area represents the outer limit of our risk appetite, and the BLACK area indicates the tolerance. As a Council we are not willing to take risks that have significant negative consequences on the achievement of our objectives.

The matrix also illustrates how we monitor risks. The Council's highest level risks (those with a combined score of 12 and above) are reported to Corporate Leadership Team for consideration and guidance.

| Likelihood \ Impact | 1 Minimal | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
| --- | --- | --- | --- | --- | --- |
| 5 Almost Certain | Monitor Quarterly | Monitor Quarterly | Monitor Monthly | Monitor Monthly to CLT | Monitor Monthly to CLT |
| 4 Likely | Monitor 6-Monthly / Annually | Monitor Quarterly | Monitor Monthly | Monitor Monthly | Monitor Monthly to CLT |
| 3 Possible | Monitor 6-Monthly / Annually | Monitor Quarterly | Monitor Quarterly | Monitor Monthly | Monitor Monthly |
| 2 Unlikely | No Action Required | Monitor 6-Monthly / Annually | Monitor Quarterly | Monitor Quarterly | Monitor Quarterly |
| 1 Rare | No Action Required | No Action Required | Monitor 6-Monthly / Annually | Monitor 6-Monthly / Annually | Business Continuity Plan |



Risk Response

Risk Rating

Guidance to Risk Owners

20-25

Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Council's biggest risks.

The Council is not willing to take risks at this level and action should be taken immediately to manage the risk.

Identify the actions and controls necessary to manage the risk down to an acceptable level.

If still scored above 20, report the risk to the Audit Team and your Director.

Steps will be taken to collectively review the risk and identify any other possible mitigation (such as controls).

Risks that remain at this level will be escalated to CLT, who will actively monitor and provide guidance on the ongoing management of risks at this level.

12-16

These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.

Identify controls to treat the risk impact / likelihood and seek to bring the risk down to a more acceptable level.

These risks should be monitored and reviewed monthly.

If unsure about ways to manage the risk, consult with the Internal Audit team.

Risks at this level will feature in a quarterly risk update to CLT who will provide oversight and support if needed.

5-10

These risks sit on the borders of the Council's risk appetite and so while they do not pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.

Keep these risks on the radar and update as and when changes are made, or if controls are implemented.

Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.

Responsibility for monitoring and managing these risks sits within the service.

3-4

These are low level risks that could impede or hinder achievement of objectives. Due to the relatively low level it is unlikely that additional controls will be identified to respond to the risk.

Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continue to pose a low level of risk.

1-2

Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives.

No actions required but keep the risk on your risk register and review annually as part of the service planning process.

Impact: 5

Likelihood: 1

Rare events that have a catastrophic impact form part of the Council's Business Continuity Planning response.

Record on your risk register and Internal Audit will co-ordinate with Business Continuity officers.

Impact & Likelihood Scales

The Risk Management Framework provides guidance on the Council's risk management processes. The framework sets out the definitions of the Impact and Likelihood scales and these are repeated below for ease of reference:

Next steps

Agreeing and adopting the risk appetite finalises the work on the risk management framework. From this point forward all risks will have regard for the tolerance levels and this will help to further strengthen and inform decision making for the Council.

We have already updated report templates to include a specific reference to risk management; this section will be used to help highlight associated risks and to provide assurance to Members on how those risks have been evaluated and if mitigations are necessary to bring the risk to an acceptable level.

Further to this, additional guidance has been created for Officers to ensure that high level risks are appropriately escalated, and that new emerging risks are captured and added to the risk register.

In the future, this will mean that we can provide more insightful risk updates to Members, which will include the effectiveness of risk actions and key risk themes. This is something that we have already started to put into practice when looking at our corporate risks (Appendix 2).



[1] Institute of Risk Management: Risk Appetite and Tolerance Guidance Paper