PAPER B

Purpose: For Noting

REPORT TO THE EXECUTIVE

Date: 1 DECEMBER 2004

Title: RISK MANAGEMENT ANNUAL REPORT

REPORT OF THE DEPUTY LEADER

IMPLEMENTATION DATE: 13 December 2004

 

 

SUMMARY/PURPOSE

 

1.                  This report recommends that the Executive endorses the current strategic and corporate risk registers and that the Executive takes into account the Council’s current risk profile when recommending the Council’s budget for 2005-06 to Full Council in due course.

 

BACKGROUND

 

2. There has been a significant increase in the level of risk management activity within the Council over the last two years.  The focal point for much of this activity is the role played by the Risk Management Group.  The Group is chaired by the Chief Financial Officer and includes representation of many service areas together with some specialist advisors (eg Health and Safety, Emergency Planning).  It also includes input from both our insurers (Zurich Municipal) and risk consultants (Marsh UK).  As such it is a forum for discussing the risks and threats which the Council faces.  It decides which of the many risks represent a threat to the Council achieving its corporate objectives and, having done so, carries out an ongoing role of performance managing those risks.  The Group has met on a quarterly basis over the last two years, and has over that period continued to refine its role.  The main reference point for its role is the Corporate Risk Register (the current version of which is shown at Appendix A).

 

3. Sitting above the Risk Management Group organisationally is the Strategic Risk Group, which comprises the Council’s strategic directors and the Deputy Leader as the Council’s Risk Champion.  Again this Group meets on a quarterly basis and is responsible for managing those risks which have been deemed “strategic” or “key”.  By definition these are risks, nearly always (but not exclusively) corporate risks, which cannot be managed elsewhere (either by the Risk Management Group or at service level).  As potential threats to achieving strategic objectives they are likely to be of particular interest to the Executive.  The current version of the Strategic Risk Register is shown at Appendix B.

 

4. Apart from the performance management and co-ordinating roles carried out by these two groups, risk management activity in the Council has been characterised by the following:

 

(i) The publication and agreement in March 2004 of the Council’s Risk Management Framework.  By setting out the way in which risk management is to be conducted, including roles and responsibilities, this document brings greater clarity and focus to the subject;

 

(ii)               The formal introduction of risk as a consideration in service planning.  Heads of Service and their staff are now required to identify those risks which could affect their ability to deliver objectives.  The outputs from service planning (which include an assessment of each risk identified) provide the raw material for both the corporate and strategic risk register;

 

(iii)             Emerging risk can also be identified during interactive workshops. A number of such workshops have been held with both directorate and service management teams.

 

(iv)              There is now a better process for refreshing risk assessments in that between meetings of each Group, the latest position on each risk is ascertained from the risk owner.  This means updating the risk score, progress monitoring any control measures that have been proposed, and refreshing if appropriate the ‘manageable’ score;

 

(v)                There is also an agreed methodology for performance managing individual risks.  This involves the provision of formal and detailed reports to the respective Groups which allows an in-depth discussion.  These are requested on a cyclical basis and will, over time, result in all corporate and strategic risks being dealt with in this way.  As a result of this closer scrutiny, both the Strategic and Corporate Risk Groups can reinforce the action that is needed and can support any bid for resources which is required;

 

(vi)              The Council has invested in purpose-designed software which allows the collection, recording, analysis and reporting of risks.  At present this is maintained and accessed only by the Insurance and Risk Team but in the near future it is hoped that a ‘view only’ option will also be available to service departments via the Intranet;

 

(vii)            Apart from its co-ordinating role, the Insurance and Risk Team has played a significant and pro-active role in leading the Council’s drive towards better risk management.  This has involved both the challenging transition to new skills and knowledge and the bolstering of resources.  The team has grown by one FTE over the last two years.

 

(viii) In parallel to the Council’s developing risk management arrangements, the Internal Audit Team has also adopted a risk-based approach to auditing.  In effect this means that audits now focus on risk and how it might impact on services achieving objectives.  An interactive workshop is the usual methodology for assessing risk as part of an audit and a significant contribution has been made by the Internal Audit Team in spreading awareness of risk across the Council.  All Internal Audit staff have been trained in undertaking risk-based audit.

 

(ix) Members have been engaged in the risk management process; firstly by training which took place in 2003 but more recently, by way of an interactive workshop as part of an Informal Executive meeting.  This has enabled elected members to provide their own perspective on (especially) strategic risk.  It is intended to repeat this activity annually to coincide with service planning.

 

(x) Other risk management activities include the Deputy Leader’s involvement as part of the Strategic Risk Group.  This year the Deputy Leader attended the annual conference of ALARM (Association of Local Authority Risk Managers), where a wide range of topics was debated.  Clearly, the Isle of Wight is very much like many other Councils across the UK in the risks and issues it faces.  It was, though, a useful way of picking up on issues which we may not have experienced (or in some cases recognised).  We also gained some useful ideas about how to deal with existing and known risks.  It is apparent that the Council is as well placed as many of those which were represented at the Conference to manage its risks effectively.  It was also clear, however, that whilst the Council is very good at assessing risk, it needs to improve its management of the outcomes of risk management such that it impacts more directly on the prioritisation of resources and leads to changes in practices.

 

OTHERS’ ASSESSMENTS

 

5. At the last CPA, risk management was considered a critical issue for any local authority, and it features in its own right amongst the “auditor judgements” made by the Audit Commission on an annual basis.  At the time of the CPA in 2002, the auditor scored risk management arrangements as a “2” (= adequate overall, but some weaknesses that need to be addressed).  By 2003 the score had been raised to “3” (= adequate).  This shows that, in the view of the Audit Commission, our arrangements were improving.  We await the latest judgement, in which we anticipate the score being at least maintained at “3”.

 

6.                 The Council’s arrangements were also measured by a recent Internal Audit report (which in fact was based on arrangements as they were during the financial year 2003/04).  The report which included an assessment using the HM Treasury “maturity model” indicated that whilst a good start had been made, there was still some scope for improvement.  Perhaps of particular interest was that the Council had made very limited progress with managing the risks associated with partnerships, and this is an area where more attention needs to be focussed over the coming weeks as partnership working in particular will feature in the next round of CPA.

 

OUTSTANDING ISSUES

 

7.                 The level of risk management activity over the last two years has been significant. There are however, as highlighted elsewhere in this report, some areas for improvement.  These include:

 

(i) The need to move the Council from a position of assessing risk to one where it is actively managing the risk.  This is already beginning to happen.  Success in this would include evidence that resource prioritisation is influenced by risk management and also proof that the Council has been able to manage risk to its lowest level;

 

(ii)                The processes which are used to deliver risk management continue to be “work-in-progress”.  This is inevitable in view of the significant change in culture and practice which it requires.  Further developments include a planned synchronisation with the QPMR timetable and some rationalisation of risk information displayed in the QPMR.  This will provide a regular reporting mechanism to the Executive.

 

(iii)              Access to information (and in particular the Risk 2003 Database) will be available in the near future.  This will give service departments a better opportunity to manage their own risks and risk registers.

 

(iv)              Whilst some member engagement has been achieved (for example the workshop with the Informal Executive in August this year), there is scope for increasing their involvement.

 

(v)                There is also a need to develop and/or engage with others to benchmark risk management.  This should provide reassurance that the Council is amongst the leading authorities in risk management, or otherwise highlight scope for improvement.  Benchmarking is the subject of ongoing debate with peer groups of similar authorities.

 

(vi)              There is clear evidence now that risk is an issue which features in service planning.  It also features in the Council’s developing methodologies for managing both projects and procurements.  These improved practices need to be disseminated across the Council so that they are applied consistently.  This requires that risk is considered in training and in the Council’s developing policies.

 

(vii)            The Council needs to refocus its attention on the risk associated with partnerships, since by their very nature, they can present greater risk than those services that are more “routine”.

 

(viii) Finally, although the Council has over the last two years turned its attention to corporate and strategic risk management, this has led in some areas to us neglecting some very practical and basic operational risk management.  We need therefore to consider how best to create an environment where risk management is part of “business as usual” thinking, which can in large part be achieved by applying a consistent service planning approach.

 

OUTCOME OF CONSULTATIONS

 

8.                  Both the Strategic Risk Group and Corporate Risk Group are forums where risk is debated and risk management processes are both developed and agreed.  They include comprehensive representation of all Council directorates.

 

9.                  Consultation is also conducted via networking groups of both ALARM and SEIOG (South East Insurance Officers Group).  Both groups provide an opportunity to share useful information and practices.

 

10.             Our proposals to introduce risk management practice into corporate processes such as service planning and the QPMR have been discussed with the Policy Team.

 

FINANCIAL IMPLICATIONS

 

11.             The recommendations in this report include the need for the Executive to recognise risk when recommending a budget for 2005-06.  For a significant proportion of risks, failure to manage them properly will result in financial loss.

 

LEGAL IMPLICATIONS

 

12.             There is no statutory requirement to manage risk.  It is, however, a critical part of the Council’s governance arrangements and clearly has a direct and positive impact on our ability to comply with legislative and statutory requirements.  These include, for example, action against the Council for corporate manslaughter, Health and Safety issues and negligence.

 

 

RECOMMENDATIONS

 

13.             That the Executive :

 

(i) Receive this report and endorse the Strategic and Corporate Risk Registers as representing the current assessment of the Council’s risk profile;

 

(ii)               Determine to take into account the current risk profile in recommending a budget for 2005-06 to Full Council in due course.

 

BACKGROUND PAPERS

 

Reports to the Strategic Risk Group May 2003 – October 2004.

Reports to the Risk Management Group January 2003 – September 2004

Minutes of both Groups

Risk Management of the Isle of Wight Council – March 2004

Code of Audit Practice Assessment (Audit Commission) 2002/03

Internal Audit Report on Risk Management (August 2004)

 

Contact Point: Bob Streets, Compliance and Risk Manager, tel. 823622, e-mail [email protected] and Chris Bentley, Insurance and Risk Manager, tel. 823624, e-mail [email protected]

 

 

PAUL WILKINSON

Chief Financial Officer

PETER HARRIS

Deputy Leader


| Risk Ref. | Description | Risk Score | | | | Controlled Score | Control Measure Status | | | | | | Current Control |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | | Sept. 02 | Jan. 04 | May. 04 | Aug. 04 | | Proposed | Approved | In Progress | Implemented | Withdrawn | Total | % Implemented |
| CS100005 | Lack of Project Management Skills | 6 | n/a | 6 | 6 | 3 | 1 | | 4 | | | 5 | 0 |
| CS200001 | Lack of / Inadequate Succession Planning in Key Directorates | 3 | 3 | 9 | 9 | 2 | | 4 | | 1 | 4 | 9 | 20 |
| CS200006 | Risk of Industrial Action by IOWC Employees | 8 | 8 | w/d | 4 | 2 | | | | | 1 | 1 | 0 |
| CS200003 | Adequacy of Human Resources Function | 6 | 6 | 4 | 2 | 2 | | | 1 | 3 | | 4 | 75 |
| CS200008 | Health & Safety Training | n/i | 12 | 1 | 1 | 1 | | | 1 | | 1 | 2 | 0 |
| CS300001 | Inadequate Corporate Approach to Information / Knowledge Management (formerly Lack of Key Document Management Policy) | 4 | 6 | 9 | 12 | 4 | 1 | | 3 | 3 | 6 | 12 | 43 |
| CS400014 | Regional Government | n/i | 12 | 12 | 12 | 12 | | 6 | 1 | | | 7 | 0 |
| CS400008 | Loss of Government Funding via Revenue Support Grant (formerly Loss of Area Cost Adjustment) | 12 | 8 | 9 | 9 | 9 | | | 3 | 2 | 1 | 6 | 40 |
| CS400010 | Failure to Protect the Council's Assets & Interests | n/i | 8 | 8 | 6 | 4 | | | 4 | 4 | | 8 | 50 |
| CS400015 | Partnerships | n/i | 6 | 6 | | 4 | | | 6 | | | 6 | 0 |
| CS400001 | Failure to Embed Risk Management | 6 | 4 | 9 | 9 | 4 | | 2 | 5 | 3 | 1 | 11 | 30 |
| CS400009 | Adequacy of Employee Pension Funds Ongoing | 6 | 6 | 9 | 9 | 6 | 1 | | 1 | | 2 | 4 | 0 |
| CS400004 | Failure to Manage Procurement Including Contracts (formerly Inadequate / Weak Contract Management) | 3 | 6 | 6 | 6 | 4 | 2 | | 6 | 2 | 4 | 14 | 20 |
| CS400005 | Risk of Internal Fraud Within IOWC | 3 | 9 | 9 | 9 | 6 | 2 | | 4 | 13 | 2 | 21 | 68 |
| CS600027 | Adequacy of Building Security | n/i | n/i | 16 | | 8 | | 3 | | 1 | | 4 | 25 |
| CS600030 | Adequacy of ICT Systems Security | n/i | n/i | 16 | | 8 | | 4 | | 1 | | 5 | 20 |
| CS600031 | Failure to meet e-authority targets | n/i | n/i | 12 | 12 | 6 | | | | 12 | 7 | 19 | 100 |
| CS600015 | SQL Database Inadequately Maintained | n/i | n/i | 9 | 9 | 4 | | 1 | | | | 1 | 0 |
| CS600002 | Adequacy & Efficiency of ICT Function | 9 | n/a | 6 | 6 | 2 | | 2 | 2 | 1 | 6 | 11 | 20 |
| EN100001 | Vandalism | n/i | 12 | 12 | 12 | 9 | 1 | | 3 | 1 | | 5 | 20 |
| EN300002 | Failure to Rehabilitate the Highways Infrastructure to Sustainable Levels (formerly Inadequate Highways Maintenance Budget) | 16 | 16 | 16 | 16 | 9 | 1 | 2 | | 1 | 2 | 6 | 25 |
| EN300003 | Major Coastal Erosion Risks | 9 | 12 | 12 | 12 | 9 | 1 | | 1 | 4 | 1 | 7 | 67 |
| EN400007 | Failure to Manage Tree Safety | n/i | 9 | 8 | 12 | 6 | | | 1 | 2 | | 3 | 67 |
| EN400002 | Litigation Risk of Injury / Fatality to IOWC Staff | 4 | 9 | 9 | 9 | 6 | | | 2 | | | 2 | 0 |
| EN400001 | Lack of Legionella Assessment Policy / Testing | 2 | 3 | 6 | 8 | 4 | | | 2 | 1 | | 3 | 33 |
| SS200001 | Failure to Meet Corporate Parenting Responsibility to Safeguard Children | 2 | 3 | 3 | 8 | 4 | | | 3 | 3 | 1 | 7 | 50 |
| SS400001 | Risk of Poor Performance in Relation to Strategic Targets | n/i | n/i | 6 | 6 | 6 | | | 1 | 1 | | 2 | 50 |

 


 

| Risk Ref. | Description | Risk Score | | | | Controlled Score | Control Measure Status | | | | | | Current Control |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | | Sept. 02 | Jan. 04 | May. 04 | Aug. 04 | | Proposed | Approved | In Progress | Implemented | Withdrawn | Total | % Implemented |
| CS100001 | Perceived Lack of Clear Corporate & Community Leadership | 9 | n/a | 9 | 6 | 4 | | | 4 | | | 4 | 0 |
| CS100002 | Need to Improve Strategic Planning | 4 | n/a | 4 | 6 | 3 | | | 2 | 3 | 2 | 7 | 60 |
| CS200002 | Stress Related Sickness / Absence Risks | 16 | 16 | 16 | n/a | 6 | 1 | | 1 | 3 | | 5 | 60 |
| CS200004 | Risk Resulting From Poor Staff Morale | 4 | 4 | 8 | n/a | 3 | | 1 | | 2 | | 3 | 67 |
| CS600001 | Lack of / Failure to Develop Business Continuity / Disaster Recovery Solution | 16 | n/a | 16 | n/a | 8 | 2 | | 3 | | | 5 | 0 |
| CS600025 | Loss of Corporate Server Farm | n/i | n/i | 16 | n/a | 8 | 3 | | 2 | 1 | | 6 | 17 |
| CS600020 | Requirement to Make all Suitable Services Available Electronically by the End of 2005 | n/i | n/i | 9 | n/a | 4 | 5 | | | 2 | | 7 | 29 |
| ED100001 | Supplier / Partner Failure That Impacts on Our Ability to Discharge Our Obligations | n/i | n/i | 16 | n/a | 2 | | | 6 | 1 | 2 | 9 | 14 |
| ED100002 | Impact of Service Reorganisation | n/i | n/i | 16 | n/a | 2 | | | 2 | 3 | | 5 | 60 |
| ED100003 | Impact on CPA & on Consequent Council Freedoms | n/i | n/i | 12 | n/a | 2 | | | 2 | | | 2 | 0 |

 


 

 
