PAPER D

Purpose : For Decision

Committee : AUDIT AND PERFORMANCE COMMITTEE

Date : 21 SEPTEMBER 2006

Title : CPA INSPECTION ACTION PLAN IN RELATION TO RISK MANAGEMENT

REPORT OF THE DIRECTOR OF FINANCE

 


SUMMARY

 

1. This report identifies those issues which the recent CPA inspection highlighted with regard to the Council’s risk management arrangements. It also informs the Committee about the actions which the Council is proposing to take which will address those issues.

 

ACTION REQUIRED

 

2. The Committee is asked to note the proposed actions and to resolve to monitor their implementation. The Committee is also invited to consider whether the proposed actions are sufficiently robust.

 

CONFIDENTIAL ITEMS

 

3. There are no confidential items associated with this report.

 

BACKGROUND

 

4. The Committee has a key role to play in assessing the Council’s arrangements for risk management. This is acknowledged in its terms of reference, and much of the Committee’s focus over the last year or so has been ‘risk-orientated’. Perhaps one of the best examples of this is the process of the Council’s Statement on Internal Control (SIC) and the Committee’s involvement with it.

 

5. Risk Management is now universally accepted as being a critical business discipline. As such, it is not surprising that it features strongly in external assessments – most notably the Corporate Assessment (which the Council has just had) and the Use of Resources assessment which the Council is currently undergoing. The Key Lines of Enquiry (or KLOEs) for risk management appear under the heading of ‘Internal Control’ – again illustrating just how fundamental risk management is to the role of this Committee. The key lines of enquiry for risk are reproduced at Appendix A. The Council has only recently submitted its ‘self assessment’ for all Use of Resources KLOEs, including Internal Control, and the Audit Commission are in the process of evaluating it as a means of making its Use of Resources judgement.

 

6. The recently reported Corporate Assessment of the CPA did make comment about the Council’s risk management arrangements, as follows:

 

‘Operation and strategic risk management is underdeveloped.  Risk management is overseen by a cross-service officer group, and is based on a monthly ‘risk status report’, which records and evaluates risks and shows significant weaknesses in the management of strategic risks.  The Council has not identified or agreed a list of key strategic risks or taken active measures to manage these.  For example, the Council has not addressed the key risks and interdependencies arising from all the major projects that it is undertaking or developed a change management programme as a means of managing these risks.  In addition, the risk status report shows that the Council has not implemented full control measures for all recorded operational risks.  Weaknesses in strategic and operational risk management mean that the Council cannot be sure that it has the capacity to achieve all its key objectives.’

 

7. Clearly the view of the CPA inspectors was that the Council has some way to go in demonstrating that it does all that it should be doing to manage risk. This may be due to a number of reasons but fundamentally it can be attributed to a failure on the part of the Council to recognise the importance of risk management and to give it sufficient priority amongst all its other corporate initiatives.

 

8. In one sense, the Council was already aware of the need to improve its risk management arrangements before being told by the CPA inspectors. Consequently, planning for the required improvements is at an advanced stage. An improvement plan which is cross-referenced to the KLOEs was discussed by Directors and Members at the Aim High Strategy Group of 30 May 2006. It is reproduced for the Committee at Appendix B.

 

9. In a more recent (12 September) and equally significant development, Directors Group has considered and by now, I anticipate, will have agreed revisions to the Council’s risk management policy, strategy and process. When approved, the Committee will be afforded the opportunity to consider the revised process, and to make its views known about its quality. It is fair to say that whilst the revised process is mostly unchanged, what is different is that there is now a much greater will and determination to see that it is effectively implemented, as referred to in Paragraph 7 above. This is, in my view, absolutely critical to improving our performance as a Council on risk management.

 

STRATEGIC CONTEXT

 

10. From the above, it is clear that a better performance on managing risk is critical to the Council being assessed as better than ‘2 Star’. Improving our risk processes therefore must feature in the over-arching CPA Improvement Plan. Members and in particular senior management must ensure that sufficient focus and attention are paid to the subject. Risk management must be seen as making a crucial contribution to becoming a high performing, cost effective Council.

 

CONSULTATION

 

11. The Risk Management Action Plan, and Risk Policy, Strategy and Process have all been considered by Directors and senior members (ie Aim High Strategy Group). They have consequently had an opportunity to propose changes where necessary.

 

FINANCIAL/BUDGET IMPLICATIONS

 

12. The financial implications of implementing the improvement plans are minimal in that the Council simply needs to give risk management greater priority. The most likely pressure will arise as managers seek to contend with the increasing demands on their limited time, but this should be managed by them being able to decide what is, and what is not, a priority.

 

13. There will also be some minimal cost associated with the necessary training of Members, management and staff which is implied by the improvement plan.

 

LEGAL IMPLICATIONS

 

14. There are limited legal implications of improving our risk processes. Whilst there is no statutory requirement to manage risk, it is widely accepted that in doing so, organisations are less likely to act illegally. The Committee is reminded of its responsibilities arising from the Accounts and Audit Regulations:-

The Council’s responsible financial officer (in our case the Director of Finance) shall:

‘determine on behalf of the body, its:

(a) accounting records, including the form of accounts and supporting accounting records; and

(b) accounting control systems’

(Regulation 5(1))

and further:

‘the accounting control systems determined by the responsible financial officer shall include:

(d) measures to ensure that risk is appropriately managed’

(Regulation 5(4))

 

OPTIONS

 

15. This report simply requires the Committee to note the proposed actions to improve the Council’s risk management performance. The Committee is invited to make any suggestions with a view to making the Action Plans more robust. The Committee clearly has a role to play in monitoring the Plan’s implementation and it is recommended that it seeks assurance on a regular basis (not less frequently than quarterly) that sufficient progress is being made.

 

EVALUATION/RISK MANAGEMENT

 

16. The Council’s risk register and the issues arising from the Statement on Internal Control both identify the risk of ‘failing to embed risk management’. The proposed Action Plan is designed to address that risk by managing it from its current score of ‘12’ to its perceived ‘controlled score’ of ‘4’. Actions proposed to achieve a better ‘Use of Resources’ score will also make a critical contribution to the ultimate aim of ‘embedding’ risk management. Failure to do so will result in the Council continuing to be assessed as ‘2 Star’ which is unacceptable for all concerned, not least of all the public we serve.

 

RECOMMENDATIONS

 

17. There are no recommendations other than those set out in the ‘Options’ above.

 

BACKGROUND PAPERS

 

CPA Corporate Assessment Inspection Report (August 2006)

Statement on Internal Control 2005-06

The Council’s draft Risk Management Policy, Strategy and Process (September 2006)

The Council’s Use of Resources Self Assessment (August 2006)

 

APPENDICES

 

Appendix A - Key Lines of Enquiry for Use of Resources - Internal Control

Appendix B - Risk Management Improvement Plan

 

ADDITIONAL INFORMATION

 

None.

 

Contact Point: Bob Streets - Programme Lead for Compliance, Tel: 823622, email [email protected]

 

 

PAUL WILKINSON
Director of Finance

COUNCILLOR JILLY WOOD
Cabinet Member for Resources & Town / Parish Council Empowerment


APPENDIX A

 

CPA USE OF RESOURCES – INTERNAL CONTROL - RISK MANAGEMENT

 


4. INTERNAL CONTROL

How well does the council’s internal control environment enable it to manage its significant business risks?

Key line of enquiry

4.1 The council manages its significant business risks

Audit Focus

Evidence that:

  • the council has a risk management process in place
  • the risk management system covers partnership working

Criteria for Judgement

Level 2

* The council has adopted a risk management strategy/policy that has been approved by members.

* The risk management strategy/policy requires the council to:

  • identify corporate and operational risks
  • assess the risks for likelihood and impact
  • identify mitigating controls
  • allocate responsibility for the mitigating controls.

* The council maintains and reviews a register of its corporate business risks linking them to strategic business objectives and assigning ownership for each risk.

* There is a member committee with specific responsibility included in its terms of reference to consider corporate risk management.

* Reports to support strategic policy decisions, and project initiation documents, include a risk assessment.

Level 3

* The risk management process is reviewed and updated at least annually.

* The risk management process specifically identifies risks in relation to partnerships and provides for assurances to be obtained about the management of those risks.

All staff have been given appropriate training and guidance to enable them to take responsibility for managing risk within their own working environment.

* The members with specific responsibility for risk management have received risk management awareness training.

* The member committee with responsibility for risk management receives reports at least quarterly and takes appropriate action to ensure that corporate business risks are being actively managed, including reporting to full council at least annually.

Level 4

A senior officer and member jointly champion and take overall responsibility for embedding risk management throughout the council.

The council can demonstrate that it has embedded risk management in its corporate business processes, including:

  • strategic planning
  • financial planning
  • policy making and review
  • performance management

All members have received risk management awareness training.

The council considers positive risks (opportunities) as well as negative risks (threats).

 

 

 


APPENDIX B

 

 
 

 


4. INTERNAL CONTROL

How well does the council’s internal control environment enable it to manage its significant business risks?

Key Line of Enquiry

4.1 The council manages its significant business risks

Audit Focus

Evidence that:

  • The council has a risk management process in place
  • The risk management system covers partnership working

Level 2

Criterion: The Council has adopted a risk management strategy/policy that has been approved by members

Actions:

Review and update current Strategy/Policy and Guidance including Roles and Responsibilities. To be approved by Cabinet or Full Council. (to be confirmed)

By whom: Risk Management and Insurance Manager

By when: June 2006

Criterion: The risk management strategy/policy requires the council to:

  • Identify corporate and operational risks
  • Assess the risks for likelihood and impact
  • Identify mitigating controls
  • Allocate responsibility for the mitigating controls

Actions:

Further develop the Corporate Risk Register, agreed at AHSG 25 April 06, to include action plans. Service (operational) risk to continue to be managed via the council’s risk database.

Risk Champions are nominated in all areas to meet service level requirements.

Ensure that named responsible officers are aware of their role and with the support of the relevant risk champion ensure action points are managed in a timely manner.

Risk workshops to be undertaken by Services where to date these have not been done so as to identify corporate and service risks.

By whom:

  • DG, Cabinet, Corporate and Service Risk owners.
  • Heads of Service
  • Risk Champions and Risk Management and Insurance Section
  • Heads of Service, Managers as required

By when:

  • Sep 2006
  • June 2006
  • Sep 2006
  • October 2006

Criterion: The council maintains and reviews a register of its corporate risks linking them to strategic business objectives and assigning ownership for each risk.

Actions:

Risk Champions Group to meet quarterly to provide a forum on the management of risks, to share good practice and identify areas for improvement, emerging risks and cross cutting risks. In particular to use Service Risk Registers (from service planning) bringing issues requiring attention at corporate level to Director’s Group

The continued use of the council’s risk management database including the rollout of the interactive browser system across all services to enable users to review, update and provide reports at specified levels (ie Head of Service, Risk Owner, Control Measure Owner, View only)

Director’s Group to receive exception risk reports relating to corporate risks.

Service Boards receive exception risk reports relating to operational risks.

By whom:

  • Chair Risk Champions Group – Programme Lead for Compliance
  • Risk Management and Insurance Manager and Officer/Risk Champions

By when:

  • Aug 2006
  • Interactive browser pilot – Aug 06 to Oct 06. Rollout by March 2007
  • September 2006
  • September 2006

Criterion: There is a member committee with specific responsibility included in its terms of reference to consider corporate risk management.

Actions:

Directors Group and Cabinet to review corporate risks on a regular basis and provide support where required in progressing actions. To be advised of escalating service risks (by RCG) and of any emerging risk issues.

The Audit Committee to receive, on at least an annual basis, reports relating to the arrangements for the management of risk.

By whom:

  • DG/Cabinet/RCG
  • Audit Committee/Chief Internal Auditor

By when:

  • Quarterly
  • July 2006

Criterion: Reports to support strategic policy decisions, and project initiation documents, include a risk assessment.

Actions:

Develop guidance and a framework, in line with revised Strategy and Policy, for the appropriate use of risk assessments to be undertaken as part of decision making reports for Cabinet, and Commission reports.

By whom: Programme Lead for Compliance/Internal Governance Lead/Risk Management and Insurance Manager

By when: Aug 2006 review Dec 06

Level 3

Criterion: The risk management process is reviewed and updated at least annually.

Actions:

Review of Strategy/Policy and Guidance.

By whom: Programme lead for Compliance/Risk Management and Insurance Manager

By when: April 2007

Criterion: The risk management process specifically identifies risks in relation to partnerships and provides assurances to be obtained about the management of risks.

Actions:

The Partnership Governance Working Group to produce

  • partnership register which maps the council’s partnership activity
  • a best practice guide.

By whom: External Governance Lead

By when: July 2006

Criterion: All appropriate staff have been given relevant training and guidance to enable them to take responsibility for managing risk within their own working environment.

Actions:

To develop a programme of appropriate risk management awareness and training sessions for the following groups:

  • Members, including Audit Committee and Scrutiny Committee
  • Directors and Heads of Service
  • Managers with responsibility for risks
  • Risk Champions

To provide suitable risk awareness sessions via the Learning Centre on an ongoing regular basis.

By whom: Programme lead for Compliance, Risk Management and Insurance Manager

By when:

  • First sessions to start Oct 2006
  • Dec 2006

Criterion: The members with specific responsibility for risk management have received risk management awareness training.

Actions:

See above action point.

Criterion: The member committee with responsibility for risk management receives reports on a regular basis and takes appropriate action to ensure that corporate business risks are actively managed, including reports to full council as appropriate.

Actions:

See actions for Cabinet and Audit Committee

Level 4

Criterion: A senior officer and member jointly champion and take overall responsibility for embedding risk management throughout the council.

Actions:

Paul Wilkinson, Assistant CX (Finance) and Councillor Wood, Cabinet Member for Auditing, Efficiency and Customer Champion to be confirmed as senior officer and member with responsibility for embedding risk management throughout the council.

By whom: DG and Cabinet

By when: 30 May 2006

Criterion: The council can demonstrate that it has embedded risk management in its corporate business processes, including:

  • Strategic planning
  • Financial planning
  • Policy making and review
  • Performance management

Actions:

Consideration has been given to how the management of risk features in:

  • Draft Corporate Plan
  • MTFP
  • Decision making reports
  • Service Plan

Further development is required to fully achieve the required standard.

By whom: Director of Finance

By when: March 2007

Criterion: All members have received risk management awareness training.

Actions:

See reference above on the risk awareness sessions.

By whom: Risk Management and Insurance Manager/Senior Development Learning Centre

By when: March 2007

Criterion: The council considers positive risks (opportunities) as well as negative risks (threats).

Actions:

When developing the guidance and framework in line with the revised Strategy and Policy for the appropriate use of risk assessments to support strategic policy decisions, equal emphasis should be given to positive (opportunities) risk.

Achievement of this standard is dependent upon embedding risk management into council processes.

By whom: Compliance Lead/Risk Management and Insurance Manager

By when: Progress between July 2006 – March 2007