Risk Management Policy
Reviewed March 2024. Next review: March 2025
1. The Purpose of the Policy
The purpose of the policy is to develop risk management beyond Health & Safety.
- integrate risk management into the culture of the organisation;
- embed risk management through the ownership and management of risk as part of all decision making processes;
- manage risk in accordance with best practice.
2. What is Risk Management?
Risk management is essential to good governance.
‘Risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives and to successfully execute its strategies. Risk management is the process by which risks are identified, evaluated and controlled. It is a key element of the framework of governance together with community focus, structures and processes, standards of conduct and service delivery arrangements.’ Audit Commission, Worth the Risk: Improving Risk Management in Local Government, (2001: 5)
Risk is not restricted to potential threats but can be connected with opportunities. Good risk management can facilitate proactive, rather than merely defensive responses. Measures to manage adverse risks are likely to help with managing positive ones.
The examples below are high profile but not exhaustive:
Health & Safety Risk - The Council will adhere to the requirements of the Health and Safety at Work Act 1974; the Regulatory Reform (Fire Safety) Order 2005; the Management of Health and Safety at Work Regulations 1999; and other relevant health and safety legislation and codes of practice.
Strategic Risk - long-term adverse impacts from poor decision-making or poor implementation. Risks damage to the reputation of the Council, loss of public confidence, and in a worst case scenario Government Intervention.
Compliance Risk - failure to comply with legislation, or laid down procedures or the lack of documentation to prove compliance. Risks exposure to prosecution, judicial review, employment tribunals, increased Best Value inspection, inability to enforce contracts.
Financial Risk - fraud and corruption, waste, excess demand for services, bad debts. Risk of additional audit investigation, objection to accounts, reduced service delivery, dramatically increased council precept levels/impact on council reserves.
Operating Risk - failure to deliver services effectively, malfunctioning equipment, hazards to service users, the general public or staff, damage to property. Risk of insurance claims, higher insurance premiums, lengthy recovery processes.
3. What is the Risk Management Process?
Implementing the Policy involves identifying, analysing/prioritising, managing and monitoring risks.
Risk Identification – Identifying and understanding the hazards and risks facing the Council is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions can then be effectively managed.
Risk Analysis – Once risks have been identified they need to be systematically and accurately assessed using proven techniques. Analysis should make full use of any available data on the potential frequency of events and their consequences. If a risk is seen to be unacceptable, then steps need to be taken to control it or respond to it.
Risk Prioritisation - An assessment should be undertaken of the impact and likelihood of risks occurring, with impact and likelihood being scored Low, Medium, or High. High scoring risks will be subject to detailed consideration and the preparation of a contingency/action plan to appropriately control the risk.
Risk Control – Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. Typically, risk control requires the identification and implementation of revised operating procedures, but in exceptional cases more drastic action may be required to reduce the risk to an acceptable level.
4. Options for control of Risks
Elimination – the circumstances from which the risk arises are ceased so that the risk no longer exists.
Reduction – loss control measures are implemented to reduce the impact/likelihood of the risk occurring.
Transfer – where the financial impact is passed to others e.g. by revising contractual terms.
Sharing – sharing the risk with another party or parties.
Insuring – insuring against some or all of the risk to mitigate financial impact.
Acceptance – documenting a conscious decision after assessment of areas where the Council accepts or tolerates a particular risk.
5. Risk Monitoring
- The risk management process does not finish with putting any risk control procedures in place. Their effectiveness in controlling risk must be monitored and reviewed. It is also important to assess whether the nature of any risk has changed over time.
- The Independent Internal Auditor provides an important financial and operational scrutiny role carrying out audits to provide independent assurance to the council and the public.