Risk Management Strategy 2023-26
Rushcliffe Borough Council Risk Management Strategy 2023 - 2026
Published: March 2023
Next Review due April 2026
Contents
4. Terms of Reference: Risk Management Group
Appendix A: Assurance Framework
Appendix B: Risk Tolerance Thresholds
1. Introduction
1.1 Overview
This strategy outlines Rushcliffe Borough Council’s approach to risk management. It has been developed to ensure that areas of risk are identified and appropriate remedial action is considered.
Rushcliffe Borough Council considers Risk Management to be a series of coordinated actions seeking to control and mitigate risks bringing the negative consequences of such risks within tolerable levels or maximising the potential of opportunity risks being realised. The Council recognises that only risks that are properly identified can be effectively addressed.
Failure to pay attention to the likelihood and impact of risks can have significant consequences. These can include endangering public health, reputational damage, financial costs, compensation claims and disruption to critical services. The effective management of risk is therefore a critical part of Rushcliffe Borough Council’s approach to delivering services and maintaining high levels of performance.
The Council operates three risk registers – one for Strategic Risks, a second for Operational Risks and a third for Opportunity Risks (specific project risks are maintained within the Project Management Framework). The Strategic Risk Register contains high level risks specifically related to the achievement of the organisation's corporate objectives including risks associated with future business plans and strategies. The Operational Risk Register contains service-based risks that effect an individual; business unit or those risks associated with inadequate or failed internal processes, people or systems. Opportunity Risks are those associated with the positive gains or benefits of a specific course of action.
The Council has embedded risk management into its cultures, processes and structures to ensure that opportunities are maximised and risk minimised. This Strategy will enable the Council to develop risk management further through its effective use in management and decision-making processes.
The Council recognises that there are risks involved in everything it does and that it has a duty to manage these risks efficiently and effectively. This duty is to staff, residents, service users, partners, contractors and funding agencies.
1.2 Statement of Commitment
The Leader and Cabinet are committed to:
- Adopting best practice in the identification, evaluation and cost-effective control of risks.
- Ensuring wherever possible that risks are either, reduced to a level within the Council’s risk tolerance or eliminated.
- Maximising opportunities to achieve the Council’s corporate objectives and deliver core service provisions.
1.3 Funding
The risk and insurance reserve provides senior managers with the encouragement to increase levels of risk awareness within their areas of responsibility by formally identifying risks and proposals for action.
The reserve provides the opportunity to apply for financial support and creates an incentive for loss control, without adversely affecting service area budgets. This investment in risk management measures should lead to a reduction of insured and uninsured losses and eventually to lower costs, including premiums.
Other reserves exist such as Planning Appeals and Investment Properties to help mitigate against other specific risks. A Climate Change Reserve has been created to help the Council address environmental risks. Service budget and the Capital Programme may also be utilised to mitigate risk.
The S151 Officer will ensure that appropriate insurance cover is in place for all identified risks. Managers, where necessary, will utilise budgets to help mitigate risk.
1.4 Sources of assurance
Sources of assurance are sought to provide evidence that the management of risk is carried out effectively. These exist at different levels to ensure that risks are identified and controlled appropriately. An assurance framework is included in appendix A.
Identification and articulation
Risks can be identified by all staff liaising with Lead Specialists (via team meetings or service planning exercises) with emerging risks brought to the attention of Service Managers and Directors either through the bi-monthly performance clinic process, at team meetings or at the more formal Risk Management Group. Those topics raised that are considered to be risks (an occurrence that may or may not happen in the future) as opposed to issues (something which is happening in the here and now that requires immediate action) are discussed and a risk identification template completed and submitted to the Performance Officer. The articulation of risks is an important part of the process, and the risk identification template encourages the identification of cause-risk-consequence reflecting best practice in this area.
Monitoring via performance clinics
Pentana is the Council’s chosen performance management tool – it also acts as a repository for identified risks. Lead Specialists are responsible for reviewing risk ratings (likelihood and impact) at a minimum of every other month in line with bi-monthly performance clinics. A written performance clinic is produced for each of the Council’s four service areas, presented at the clinic meeting by Service Managers and challenge is provided by other Service Managers present. Any changes to risk ratings since the last clinic are highlighted in the performance clinic document.
Monitoring via Risk Management Group
The Council has an active Risk Management Group which consists of the Chief Executive and three Directors (including the Council’s Section 151 Officer). The Monitoring Officer and Senior Information Risks Officer are consulted as necessary. The Risk Management Group meets twice a year to review the Corporate and Operational Risk Registers and challenge risk ratings and control measures where necessary.
Monitoring at Governance Scrutiny Group
Risk Management is scrutinised twice a year by the Governance Scrutiny Group. All three Risk Registers are presented and the Group’s attention is drawn to any changes officers have made to risk ratings since the last meeting. Controls and mitigating actions are made available for risks currently rated as ‘red’ risks to focus Councillors' attention on the Council’s most important risks.
Additional assurance is provided by the Council’s insurer, Zurich, who provide regular training to officers and Councillors as well as acting as a critical friend in all matters related to risk. The Council’s risk management process has also been recently audited by the internal auditors, BDO, and a ‘substantial’ rating in terms of Design and operational Effectiveness awarded.
2. Risk Management Process
2.1 Overview
Risk management entails identifying risks, evaluating their potential consequences and determining the most effective methods of controlling them. It is a means of minimising costs and disruption caused by undesirable events.
The aim of this process is to reduce the frequency of incidents and minimise the severity of their effects. Even when the likelihood of an event occurring cannot be controlled, steps can be taken to limit its consequences (for example, by developing effective emergency and business continuity plans).
Risk management involves the following processes (the risk management cycle):
- Risk identification
- Risk analysis and evaluation
- Risk control
- Monitoring and review.
2.2 Identification
A systematic assessment of risk needs to be undertaken when judging all policy and service delivery options available to the authority. By identifying areas of risk before an event occurs, steps can be taken to prevent an incident from arising.
2.3 Analysis
Having identified areas of potential concern, risks need to be systematically and accurately assessed. This process requires managers to evaluate:
- The probability of a particular incident occurring
- The potential consequences should such an incident occur
- The anticipated cost of future incidents.
The Council has a risk identification template which helps a manager to correctly and effectively define the risk (using the cause-risk-consequence model), rate the risk at identification (often called inherent risk) in terms of how likely the risk is and what the potential impact of that risk might be if it is realised, whether the risk should be tolerated, treated, terminated or transferred, what controlling and mitigating actions should be taken if the risk is retained to reach a target risk rating, and, finally, the residual risk rating once those actions have been put in place. This information is entered into Pentana, the Council’s performance management tool.
2.4 Control
A variety of options exist for controlling risk. These include:
- Terminate
- Treat
- Transfer
- Tolerate
Terminating risk involves the authority opting not to undertake a current or proposed activity because the risk is deemed too significant. By taking the decision not to pursue the project or activity the risk is effectively eliminated. Given the nature of the public sector this option is only available for discretionary services.
Treating (or controlling) risk involves taking action (such as implementing projects or developing procedures) to reduce the likelihood of an incident occurring and limit the severity of its impact. If the current risk score is higher than the target risk score, actions should be identified to mitigate the risk and reduce its potential likelihood and / or impact to the target level. These actions are noted on the risk identification template and recorded within Pentana. They are then monitored by Lead Specialists to ensure that the controls and mitigating actions taken are effective. Financial provision to implement risk reduction measures will be made available where appropriate, with funding for initiatives provided from the risk management reserve, specific earmarked reserves, the revenue budget or the capital programme. Where these additional mitigating actions cannot be justified or implemented, the review process will result in the target risk score being raised.
Transferring risk refers to allocating liability for the consequences of an event to another body. Legal liability may be transferred to an alternative provider under contractual arrangements for service delivery. Transferring some or all of the financial risk to external insurance companies may also reduce the costs associated with a damaging event.
There may be occasions when the cost of implementing risk reduction measures will outweigh the anticipated benefits. This is often because the likelihood of a risk occurring is deemed to be very low or its impact negligible. In such instances, a decision may be taken to tolerate the risk and no additional control measures will be undertaken.
2.5 Monitoring and Review
The risk management process does not end once control measures are identified. Regular monitoring and reviews should take place of:
- The implementation of agreed control actions
- The effectiveness of these actions in controlling the risk
- How the likelihood and impact of the risk has changed over time
- Ongoing review of risks in totality along with the Risk Management Strategy.
Corporate and Operational Risks Registers are reviewed on a regular basis as described elsewhere in this Strategy. Risks that are tolerated still need to be reviewed as their likelihood and / or impact may increase over time.
This Risk Management Strategy is reviewed every three years by the Risk Management Group and approved by the Governance Scrutiny Group.
2.6 Risk Appetite
Our ‘risk appetite’ guides how much risk the Council is willing to seek or accept to achieve its objectives. Taking risks, both operationally and to achieve the priorities set out in our Corporate Strategy 2019-2023, is a necessary part of business. Good risk management ensures the Council makes well informed decisions where the associated risks are understood and managed. By ensuring that risks are properly managed, the Council is more likely to achieve its priorities. Effective risk management also provides a high level of due diligence consistent with the Council’s responsibility to manage public money prudently.
As a Council, we recognise effective risk management considers not just threats but also opportunities; namely, what is to be gained by taking a risk. Our approach to risk takes account of both opportunities and threats. By encouraging managed risk taking, and considering all of the available options, we seek a balance between caution and innovation. our risk appetite reflects our current position. We encourage managed risk taking for minor to moderate level risks, and control, more closely, those risks which register at a higher point on our risk matrix where the benefits to our residents or to the organisation are greatest. We accept that our appetite for risk will vary over time depending on our ambitions and corporate priorities as well as the external environment the Council is operating in. This position will be reviewed on a regular basis as part of the Council’s Risk Management Strategy.
Risk appetite goes ‘hand-in hand’ with how much the Council will tolerate risk, what is its risk threshold? Appendix B details the Council’s risk tolerance level for both risk threats and opportunities (see para 2.7 below) and what constitutes, low, medium or high risks.
2.7 Opportunity Risk
The Council has an entrepreneurial approach to seizing opportunities and has been able to successfully manage its finances throughout a challenging period of austerity. Successful organisations need a balance between risk taking and caution and this approach has ensured the delivery of major projects with lasting benefit to residents in the borough.
An opportunity risk matrix (Appendix B) has been developed to provide guidance and a scoring mechanism when making decisions about potential opportunities. By using the matrix to establish the greatest potential benefits, the Council is ensuring that its finances re used in the best possible way.
2.8 Project Risk
The Council has a formalised project management framework that provides the basis for officers managing projects within their team and jointly with other members of staff. The framework provides guidance on what risk assessments are required for projects based on a scale of 1-4 determined by the complexity and project costs. Projects that fall within levels 3 and 4 require a full risk register and with controls in place to mitigate against the risks. These projects also require a greater degree of monitoring to ensure the project remains on track and aligned with the budget.
3.0 Roles and Responsibilities
3.1 Overview
The following representatives have responsibilities for Risk Management.
Councillors:
- To oversee and scrutinise the effective management of risk by officers through the Governance Scrutiny Group.
Chief Executive:
- To ensure the risk management strategy is implemented
Director (Finance and Corporate Services):
- To ensure the corporate risk register is reviewed regularly
- To maintain an overview of the risk management strategy and its implementation
- To review the risk management strategy
- To provide updates on risk management to Councillors at Governance Scrutiny Group meetings
- To ensure that an effective strategy is in place for development of business continuity
S151 officer:
- To ensure a proper system of internal audit is carried out within the authority
- To ensure reserves and budgets are sufficient to manage and mitigate both upside and downside risks (in consultation with EMT and Cabinet)
- To ensure that appropriate insurance cover is in place and that a register of claims is
Director (Neighbourhoods)
- To ensure that an effective strategy is in place for development of emergency planning arrangements.
Chief Executive and Directors:
- To identify risks of loss, damage, injury or performance facing service areas
- To implement appropriate risk control measures (i.e. terminate, treat, transfer, tolerate)
- To seek assurance that risk management arrangements for service areas are implemented effectively and reviewed on a regular basis
- To ensure service areas have arrangements in place for updating the corporate risk management system
- To oversee the implementation of agreed recommendations from internal audits
- To promote good risk management practice throughout the authority by co-operation and liaison with employees and relevant external agencies.
Monitoring Officer
- To report on matters they believe are, or are likely to be, illegal or amount to maladministration
- To be responsible for matters relating to the conduct of Councillors.
Performance Officer:
- To support and assist technical use of the corporate risk management system (Pentana)
- To prepare risk management reports for the Risk Management Group and Governance Scrutiny Group
- To liaise with Internal Audit providing all information requested
- To arrange risk management training for officers and Councillors.
Emergency Planning Officer:
- To advise the Risk Management Group on emergency planning and business continuity arrangements
- To update the corporate emergency plan and corporate business continuity plan
- To ensure that business continuity plans for service areas are reviewed on a regular basis
- To co-ordinate training and exercising for staff, including participating in relevant activities undertaken by the Local Resilience Forum (LRF).
4. Terms of Reference: Risk Management Group
4.1 Overview
The corporate Risk Management Group oversees the management of risk across the organisation and has responsibility for ensuring that adequate sources of assurance are in place. The Risk Management Group will meet twice a year and instigate actions, allocate resources and communicate important messages to service areas as necessary.
4.2. Membership
The Risk Management Group is made up of the following officers:
- Chief Executive
- Director – Finance and Corporate Services
- Director – Neighbourhoods
- Director – Development and Economic Growth.
The Monitoring Officer and Chief Information Officer will be consulted as necessary. Other representatives (such as the Performance Officer and / or Emergency Planning Officer) will be invited to attend as required.
4.3 Objectives
Objectives of the Risk Management Group include:
- Coordinating risk management throughout the authority
- Keeping the corporate risk register and risk management strategy under review
- Identifying strategic and operational practices that present significant risk to the authority
- Identifying emerging risks by drawing on information from other organisations and external sources of information
- Making proposals for reducing the likelihood and / or impact of risks
- Coordinating and prioritising risk control measures
- Advising on the use of the risk management reserve to support funding necessary for initiatives that will reduce risk (e.g. vandalism, arson, theft, damage to property, personal injury to employees, visitors and persons under the care of the authority)
- Monitoring the number and type of insurance claims being received by the authority
- Coordinating the management of information security
- Evaluating new approaches on risk management and the extent to which they could assist the authority and its services
- Promoting good risk management practice by liaising with employees and identifying training needs
- Ensuring effective business continuity arrangements are in place, including those of critical suppliers
- Ensuring effective emergency planning arrangements are in place
- Participating in the work of the Local Resilience Forum (LRF) and working closely with other organisations as appropriate.
Appendix A - Assurance Framework
Oversight
Updates are provided to Elected members via Governance Scrutiny Group (GSG) meetings.
Corporate Risks
Corporate risk management issues are considered on a quarterly basis at Risk Management Group (RMG) within the Executive Management Team meetings. The risk management strategy and corporate risk register are reviewed annually by the RMG.
Operational Risks
Operational risks are reviewed as part of individual service performance clinics at Senior Management Team meetings. They are also reviewed during the development of annual service plans.
Sources of Assurance
First Line of Defence
- Operational delivery assurance (e.g. logging requests via the Customer Tracking System, escalation of potential risks through management).
Second Line of Defence
- Development of annual service plans
- programme and project assurance (e.g. business cases, project plans, project boards, highlight reports, decision logs, action logs)
- Data Quality Strategy
- Financial and budgetary control (e.g. meetings between accountants and service managers before performance clinics).
Third Line of Defence
- Government Scrutiny Group (GSG)
- Internal Audit
- External Audit
- Independent regulators.
Appendix B - Risk Tolerance Thresholds
The Council has set its risk tolerance level for risk threats at the threshold between medium and high rated risks. A matching but reverse tolerance level has been set for positive risk but the ambition is to move all opportunity risks to their highest impact and likelihood but as with risk threats, only above tolerance risks will be reported by exception.
Risk Matrix – Threats
Low risk (green)
- Impact = 1, Likelihood = 1: Risk score = 1
- Impact = 1, Likelihood = 2: Risk score = 2
- Impact = 2, Likelihood = 1: Risk score = 2
- Impact = 1, Likelihood = 3: Risk score = 3
- Impact = 3, Likelihood = 1: Risk score = 3
- Impact = 1, Likelihood = 4: Risk score = 4
- Impact = 2, Likelihood = 2: Risk score = 4
- Impact = 4, Likelihood = 1: Risk score = 4
Medium risk (amber)
- Impact = 2, Likelihood = 3: Risk score = 6
- Impact = 3, Likelihood = 2: Risk score = 6
- Impact = 2, Likelihood = 4: Risk score = 8
- Impact = 4, Likelihood = 2: Risk score = 8
High risk (red)
- Impact = 3, Likelihood = 3: Risk score = 9
- Impact = 3, Likelihood = 4: Risk score = 12
- Impact = 4, Likelihood = 3: Risk score = 12
- Impact = 4, Likelihood = 4: Risk score = 16
Risk Matrix – Opportunity
Low gain/benefit (red)
- Impact = 1, Likelihood = 1: Risk score = 1
- Impact = 1, Likelihood = 2: Risk score = 2
- Impact = 2, Likelihood = 1: Risk score = 2
- Impact = 1, Likelihood = 3: Risk score = 3
- Impact = 3, Likelihood = 1: Risk score = 3
- Impact = 1, Likelihood = 4: Risk score = 4
- Impact = 2, Likelihood = 2: Risk score = 4
- Impact = 4, Likelihood = 1: Risk score = 4
Medium gain/benefit (amber)
- Impact = 2, Likelihood = 3: Risk score = 6
- Impact = 3, Likelihood = 2: Risk score = 6
- Impact = 2, Likelihood = 4: Risk score = 8
- Impact = 4, Likelihood = 2: Risk score = 8
High gain/benefit (green)
- Impact = 3, Likelihood = 3: Risk score = 9
- Impact = 3, Likelihood = 4: Risk score = 12
- Impact = 4, Likelihood = 3: Risk score = 12
- Impact = 4, Likelihood = 4: Risk score = 16
Table 1 Consequence / Impact
This is a measure of the consequences of the identified threat risk.
Impact | Thresholds and Description |
---|---|
1 – Insignificant |
Financial Impact = less than £10k No adverse impact on reputation No impact on partners |
2 – Minor |
Financial Impact = between £10k - £50k Negative internal/ within sector impact on reputation Negative partner impact |
3 – Moderate |
Financial Impact = greater than £100k Negative Regional/Local impact on reputation Negative impact on key partnerships |
4 – Major |
Financial Impact = greater than £250k Negative National reputation Key partners withdraw |
This is a measure of the consequences of the opportunity risk.
Impact | Thresholds and Description |
---|---|
1 – Insignificant |
Little or no improvement to service Little or no improvement to welfare of staff / public Little or no financial income / efficiency savings (less than £10k) Little or no improvement to environment or assets Little or no feedback from service users |
2 – Minor |
Minor improvement to service Minor improvement to welfare of staff / public Improvement that produces £10k - £50K of income / efficiency savings Minor improvement to environment or assets Positive user feedback |
3 – Moderate |
Moderate improvement to service Moderate improvement to welfare of staff / public Improvement that produces £50k+ - £100k of income / efficiency savings Moderate improvement to environment or assets Positive local media contact |
4 – Significant |
Significant improvement to service Significant improvement to welfare of staff / public Improvement that produces £100k+ of income / efficiency savings Significant improvement to environment or assets Positive local media coverage |
Table 2 Likelihood / Probability of Occurrence
This measures the chance of the risk occurring.
Impact | Thresholds and Description |
---|---|
1 – Insignificant |
Unlikely |
2 – Minor |
Possible |
3 – Moderate |
Probable within 2 years |
4 – Major |
Probable within 12 months |
This measures the chance of the opportunity occurring.
Impact | Thresholds and Description |
---|---|
1 – Insignificant |
Opportunity has not been fully investigated but considered extremely unlikely to materialise |
2 – Minor |
Opportunity has not been fully investigated; achievability is unproven / in doubt |
3 – Moderate |
Opportunity may be achievable, but requires significant management, planning and resources |
4 – Significant |
Opportunity is achievable with careful management |
Accessible Documents
- Air Quality Action Plan 2021
- Air Quality Annual Status Report 2023
- Air Quality Annual Status Report 2022
- Air Quality Annual Status Report 2021
- Air Quality Strategy for Nottingham and Notts
- Auditor's Annual Report 2021
- Internal Audit Annual Report 2021/22
- Auditor's Annual Report 2021-22
- Annual Governance Statement 2021-22
- Annual Governance Statement 2020-21
- Asset Management Strategy
- Become a Councillor 2022
- Budget and Financial Strategy 2021-22
- Budget and Financial Strategy 2022-23
- Budget and Financial Strategy 2023-24
- Budget and Financial Strategy 2024-25
- Capital and Investment Strategy
- Climate Change Strategy 2021-2030
- Complaints Policy
- Compulsory Purchase Order Procedure Protocol
- Confidential Reporting Code
- Contaminated Land
- Corporate Enforcement Policy
- Corporate Strategy 2024-2027
- Council Constitution
- Council Tax Recovery and Enforcement Policy 2023
- Customer Access Strategy
- Discretionary Housing Payments Policy 2023-2024
- Disabled Facilities Grant Policy 2022
- Equalities Scheme 2021-25
- Empty Homes Strategy
- Environment Policy 2023
- External and Internal Communications Strategy
- Freedom Of Information Policy
- HB Recovery and Enforcement Policy
- Homelessness and Rough Sleeping Strategy
- Housing Allocations Policy
- Housing Enforcement Policy
- ICT Strategy 2022 -25
- Information Management and Governance Strategy 2022-25
- Rushcliffe Borough Council Information Retention Schedule
- Internal Audit Annual Report 2023/24
- Leisure Strategy 2021-2027 review
- Local Code of Corporate Governance 2021/22
- Local Plan Part 1: Core Strategy
- Local Plan Part 2: Land and Planning Policies
- Local Plan Monitoring Report
- Local Scheme of Validation
- Off-street Car Parking Strategy
- Pay Policy Statement
- People Strategy 2021-26
- Planning Enforcement Policy
- Procurement Strategy
- Playing Pitch Strategy 2022
- 2021-22 Public Inspection Notice
- RIPA Policy and Guidance
- Risk Management Strategy 2023-26
- Statement of Gambling Licensing Principles
- Statement of Accounts 2019-20
- Statement of Accounts 2020-21
- Statement of Accounts 2021-22
- Statement of Accounts 2021-22 (unaudited)
- Statement of Accounts 2022-23 (unaudited)
- Statement of Accounts 2022-23 (audited)
- Statement of Accounts 2023-24 (unaudited)
- Statement of Licensing Policy
- Street Trading Policy
- Supplementary Planning Documents
- Tenancy Strategy 2019
- Transformation Strategy and Efficiency Plan
- Tree Management and Protection Policy 2023
- WISE Agreement
- Conservation Areas
- Neighbourhood Plans
- The Nature of Rushcliffe 2021
- The Nature of Rushcliffe 2019
- Design Code Baseline Appraisal
- Air Quality Annual Status Report 2024
- Hackney Carriage and Private Hire Licensing Policy 2020 - 2025
- External Audit Completion Report 2024
- External Audit Completion Report 2023
- Rushcliffe Nature Conservation Strategy
- Solar Farm Landscape Sensitivity and Capacity Study