Policy and Resources Committee Risk Update – October 2018
Corporate Risks
The Council’s corporate risks are those risks which could impede the achievement of our strategic objectives. The corporate risk register was last reported to Members in April 2018.
The matrices below provide a snapshot of the corporate risk profile, with the location on the matrix being dependent on the score of risk likelihood and impact. This is based on the inherent risk, i.e. the risk impact and likelihood (as defined in Appendix 1C) considering any existing controls in place to manage the risk, but before any further planned controls are introduced. For a base comparison we have included the profile from the previous risk update:
The following table illustrates the risk heading and summarises how the risk score has moved between April and October 2018:
There has been an increase in the partner relationship risk (f) as a result of the KCC judicial review. The management of this risk is outlined on the next page.
The reduction in the legal /compliance breaches risk (b) is due to the implementation of planned controls.
While there has been no change in the overall risk score of the remaining risks, action has been taken to implement some of the planned controls.
There are two BLACK corporate risks – i.e. risk that sit above the Council’s tolerance (Poor Partner Relationships and Housing Pressures). Controls have been identified to manage these risks down to a more acceptable level as required by the risk appetite guidance. Furthermore, these risks are being closely monitored by the Corporate Leadership Team through the following:
· Poor Partner Relationships: The relationship with partners, and KCC in particular, is something which senior officers keep under review as part of the different areas of work the Council participates in.
· Housing Pressures: Corporate Leadership Team receive monthly updates from the Housing Service which allows them to monitor progress and provide guidance, support and focus where needed.
Further detail on the corporate risks, including a description of the risk and details of existing and planned key controls can be found in Appendix 1A.
What’s on the Horizon?
The identification and management of potential risks is an essential task for any successful local authority. Anticipating trends not only helps to build resilience against harmful events, but also means we are in a good position to take advantage of valuable opportunities. While not a formal process, we maintain an awareness of issues on the horizon. Consideration can then be given to whether these issues are crystallising into risks that need to be recognised within our comprehensive risk register.
The following table outlines the key external factors we are facing and how we maintain our awareness of changes in these areas. The process for developing the new Strategic Plan has more broadly enabled consideration of external factors on the horizon.
Factor |
Maintaining Awareness |
Brexit |
Operational group to review available information and assess risks. |
Climate change |
Flood risk management and Emergency Planning processes. |
Population change |
Work with health and social care partners, understanding poverty impact of universal credit. |
Technological change |
IT Strategy development identified potential and risk. |
Utility failure |
Business continuity planning. |
Operational Risks
All Council services maintain an operational risk register. Operational risks are the responsibility of the services to manage, and so fall within the remit of our Managers and Heads of Service. The following matrix shows the operational risk profile for the Council. This is based on the inherent risk, i.e. the risk impact and likelihood (as defined in Appendix 1C) considering any existing controls in place to manage the risk, but before any further planned controls are introduced. The table shows the number of risks for each colour category.
These risks are managed in accordance with the Council’s Risk Appetite Statement, whereby services routinely monitor their risks based on the risk score (see Appendix 1B). Quarterly risk updates are presented to Corporate Leadership Team (CLT) on all risks above the Councils appetite – i.e. those risks which are RED or BLACK (24 in total).
The BLACK risk relates to political inter-organisational consensus on implementing Local Plan actions and has been impacted by the KCC judicial review. This is monitored by CLT through the same routes as for the corporate risk relating to partner relationships. Should the circumstances for an existing risk change such that the score is increased into BLACK this will be escalated to CLT and a decision made as to any further action needed and how the risk is best monitored. Monitoring of these high level risks enables more effective challenge on the effectiveness of controls, and also means that support can be put in place to help manage the impact of the risk.
Next Steps
Risk management is a continuous process, and to be valuable it must be updated and maintained. Moving forward into 2018/19, the following areas will be our focus in order to further strengthen the risk management process and develop a positive risk culture across the Council:
1. To undertake the first full review of the framework: The framework has been operating for nearly 3 years, and so it is the right time to review and where necessary update the framework to ensure that it remains fit for purpose.
2. Develop a training programme: We (Mid Kent Audit) have continued to facilitate workshops, and deliver risk sessions as and when requested. However, developing the overall knowledge and expertise for risk management across the Council requires a wider approach. We will be looking to develop a training session for managers and officers on the principles of risk management, and to tailor that to the framework and procedures.
3. Planning risks: The process for identifying planning risks and their associated mitigating actions will be reviewed.
4. Refresh of Corporate Risks: In light of the work to update the Council’s strategic plan a workshop will be run in the new year to refresh the Corporate Risks.
Risk management is adding real value and insight, this wouldn’t have been possible without the great deal of positive engagement and support from Senior Officers and Managers in the Council. So, we’d like to take this opportunity to thank officers for their continued work and support.
Appendix 1A
Corporate Risks
The table below sets out each of the corporate risks in detail. Risk owners have assessed the impact and likelihood of the risks and identified the key controls and planned actions necessary to further manage the risk to an acceptable level:
Risk (full description) |
Risk Owner |
Key Existing Controls |
Inherent rating I L ∑ |
Controls planned |
Residual rating I L ∑ |
||||
Breakdown of Governance
Controls |
Angela Woodhouse |
- Framework in
Constitution with processes for regular review |
4 |
2 |
8 |
- Democracy Committee
review of Committee System |
4 |
2 |
8 |
Legal / Compliance
Breaches |
Angela Woodhouse |
- Individual service
process designed to ensure compliance and supported by procedures |
4 |
2 |
8 |
- Share the Annual Governance Statement action plan more widely with staff through the Unit Managers |
4 |
2 |
8 |
Workforce Capacity &
Skills |
Alison Broom |
- Workforce Strategy monitoring and
reporting |
2 |
2 |
4 |
- Implementation of actions from
Investors in People assessment |
2 |
2 |
4 |
Project Failure |
Dawn Hudd |
- Use of external
specialist expertise such as Employers Agents on complex capital projects |
4 |
4 |
16 |
- Detailed and
consistent analysis of project risks at approval stage, through approval
Process required at Policy & Resources Committee |
4 |
3 |
12 |
ICT Systems Failure /
Security |
Chris Woodward |
- Regular backups of ICT
systems |
4 |
4 |
16 |
-
Procurement of additional security counter measures - Corporate Leadership Team monitoring of Performance Indicators around cybersecurity |
4 |
4 |
16 |
Poor Partner
Relationships |
Alison Broom |
- Regular meetings /
communication with partners |
4 |
5 |
20 |
- Increased joint work
with KCC highways and waste teams |
4 |
4 |
16 |
Housing Pressures
Continue to Increase |
John Littlemore |
- Homelessness
prevention team has been created and staff resources increased |
4 |
5 |
20 |
- The possibility of the
Council investing prudential borrowing monies into a JV with a housing
association partner to take ownership of more of the affordable housing being
delivered through the Local Plan is actively being explored |
3 |
4 |
12 |
Delivery of the Local
Plan Review by April 2022 |
Rob Jarman |
- Work plans in place |
3 |
3 |
9 |
- Learning lessons from
other LP examinations workshop planned for April 2019 |
3 |
3 |
9 |
Financial Restrictions |
Mark Green |
- Project management
processes |
4 |
4 |
16 |
- Plans developed to
close projected budget gap |
4 |
3 |
12 |
General Data Protection Regulations
(GDPR) |
Information Management Group |
- GDPR Action plan in
place and being worked on |
4 |
3 |
12 |
- Deliver actions from
the GDPR action plan |
3 |
3 |
9 |
Major contraction in Retail and
Leisure Sectors |
Dawn Hudd |
- Cross departmental approach |
4 |
3 |
12 |
- Work commissioned to promote
Maidstone as a business destination |
3 |
3 |
9 |
Appendix 1B
Maidstone Risk Management Process: One Page Summary
Risk Appetite – Monitoring Process
We illustrate our risk appetite and tolerance in the matrix below. The RED shaded area represents the outer limit of our risk appetite, and the BLACK area indicates the tolerance. As a Council we are not willing to take risks that have significant negative consequences on the achievement of our objectives.
The matrix also illustrates how we monitor risks. The Council’s highest level risks (those with a combined score of 12 and above) are reported to Corporate Leadership Team for consideration and guidance.
Risk Rating |
Guidance to Risk Owners |
|
20-25 |
Risks at this level sit above the tolerance of the Council and are of such magnitude that they form the Council’s biggest risks.
The Council is not willing to take risks at this level and action should be taken immediately to manage the risk.
|
Identify the actions and controls necessary to manage the risk down to an acceptable level. If still scored above 20, report the risk to the Audit Team and your Director.
Steps will be taken to collectively review the risk and identify any other possible mitigation (such as controls).
Risks that remain at this level will be escalated to CLT, who will actively monitor and provide guidance on the ongoing management of risks at this level. |
12-16 |
These risks are within the upper limit of risk appetite. While these risks can be tolerated, controls should be identified to bring the risk down to a more manageable level where possible.
|
Identify controls to treat the risk impact /likelihood and seek to bring the risk down to a more acceptable level.
These risks should be monitored and reviewed monthly. If unsure about ways to manage the risk, consult with the Internal Audit team.
Risks at this level will feature in a quarterly risk update to CLT who will provide oversight and support if needed. |
5-10 |
These risks sit on the borders of the Council’s risk appetite and so while they don’t pose an immediate threat, they are still risks that should remain under review. If the impact or likelihood increases then risk owners should seek to manage the increase.
|
Keep these risks on the radar and update as and when changes are made, or if controls are implemented.
Movement in risks should be monitored, for instance featuring as part of a standing management meeting agenda.
Responsibility for monitoring and managing these risks sits within the service. |
3-4 |
These are low level risks that could impede or hinder achievement of objectives. Due to the relative low level it is unlikely that additional controls will be identified to respond to the risk. |
Keep these risks on your register and formally review at least once a year to make sure that the impact and likelihood continues to pose a low level. |
1-2 |
Minor level risks with little consequence but not to be overlooked completely. They are enough of a risk to have been assessed through the process, but unlikely to prevent the achievement of objectives. |
No actions required but keep the risk on your risk register and review annually as part of the service planning process. |
Impact: 5 Likelihood: 1 |
Rare events that have a catastrophic impact form part of the Council’s Business Continuity Planning response. |
Record on your risk register and Internal Audit will co-ordinate with Business Continuity officers. |
Appendix 1C
Impact & Likelihood Scales
Risk Impact
Risk Likelihood