Risk management policy and procedure

Our aim is to identify, analyse and appropriately manage potential threats and opportunities posed by risk.


Risk management policy

We recognise that we live in an uncertain world and that risk is present in everything we do to improve outcomes and deliver services. The Council and our partners encounter a wide range of risks during our activities and in delivering plans.

Strong risk management is therefore essential to achieving our ambitions and delivering our plans and projects.

Managing risk is the responsibility of everyone. To achieve this, the management of risk has to be integral to our culture.

This Policy Statement is supported by our risk management approach: a systematic, effective, robust, consistent and proportionate process for the management of risk.

The benefits gained through utilising risk management arrangements are considerable, as they allow:

  • improved strategic, operational, and financial management,
  • improved statutory compliance and
  • clear and transparent leadership,

thereby improving the resilience and quality of the services we deliver and protecting the people of Reading.

Introduction and objectives

This policy sets out how Reading Borough Council (‘the Council’) will effectively identify and manage potential threats and opportunities to delivering its services and plans. Chief amongst these plans is the Corporate Plan, but this policy also covers all other plans and delivery of services. Risk Management affects all parts of the Council’s business and the strategic and operational decisions made at all levels across the Council.

Our vision is ‘to help Reading realise its potential and to ensure that everyone who lives and works here can share in the benefits of its successes’. We can achieve better outcomes for the Council through a realistic assessment of the challenges faced, informed decision making and targeted risk mitigation and treatment.

This document, along with the Risk Management SharePoint, supports the effective and proportionate management of risk. It should also be read in conjunction with supporting documentation including:

  • The Corporate Health and Safety Policy for managing health and safety at the Council in accordance with Health and Safety at Work Act 1974.
  • The Resilience Policy and responsibilities to ensure we are able to respond effectively and deliver critical services during an emergency, whilst ensuring compliance with the Civil Contingencies Act 2004.
  • The Project Management Hub information: Project Management Knowledge Hub (sharepoint.com)
  • Public Contract Regulations and Local Authorities (Capital Finance and Accounting) (England) Regulations
  • The Constitution

The Policy and Procedure aim to provide staff, elected members and partners with guidance to help ensure there is an effective, robust, consistent, and communicated way of managing risk across the whole Council.

This will be achieved by:

  • Regularly reviewing the scope of risk management across the Council and its key partners.
  • Ensuring a consistent framework is in place for determining, analysing, and managing risk to ensure all reasonable steps are taken to mitigate risk and ensure the level of risk accepted is balanced against the expected reward.
  • Ensuring risk management remains integral to the Council’s culture, values, and behaviours, and is mandatory.
  • Raising awareness and reinforcing the importance of the Council’s risk management arrangements and the benefits to staff, elected members and stakeholders, and providing guidance and comprehensive training and sharing good practice. This will also develop awareness and a common understanding of the Council’s expectations.
  • Establishing clear responsibilities, accountabilities and reporting lines.
  • Incorporating risk management into business planning, procurement, project management, budget monitoring, decision making and operational processes.
  • Ensuring that high quality, non-biased information is used when making decisions. This will minimise failure and determine the level of acceptance of the potential positive and negative impacts of each major decision taken.
  • Undertaking regular monitoring and reporting of risk to identify the threats and opportunities facing the Council, as well as anticipating and responding to changing social and legislative requirements, minimising the impact and likelihood of risks occurring and reducing the cost of risk.

  • Providing key performance risk management information for management.

Endorsement of this document from Members and the Corporate Management Team who are accountable for effective risk management within Reading Borough Council.

Definitions: risk and risk management

‘Risk’ can be defined as ‘The effect of uncertainty on objectives’.

Risks are threats, adverse events or opportunities that, should they arise, could affect the achievement of ambitions. In simple terms, risks are real or tangible ‘things’ that we need to be aware of.

Risks can be classed as internal or external facing:

  • Internal risks are those faced by the Council from within the organisation, that arise from routine day to day activities such as managing staff, safeguarding, health and safety, financial challenges or operating IT systems etc.
  • External risks are those that arise from outside the Council but may still have an adverse impact on its activities, for example, a major cyber-attack or extreme weather conditions. External risks are harder to manage as we have less control over whether they occur.

Risks change with time, as the environment changes and as we manage the risk.

Opportunity risks are those risks associated with plans that aim to benefit Reading, for example from an investment. They can be unseen and unplanned. These risks are acceptable provided they are well thought out and properly managed.

The ‘Risk Management Process’ is a series of co-ordinated activities, through which risks are regularly identified, evaluated, treated, reported, and monitored.

The risk management process helps us to:

  • Understand the nature of the risks faced and ‘what could go wrong’
  • Be aware of the extent of these risks
  • Identify the level of risk that the Council is willing to accept; its risk appetite
  • Recognise the Council’s ability to manage and treat each risk, so appropriate decisions and action can be taken
  • Take action, where possible, to avoid something going wrong and to minimise the impact.

The purpose of risk management is not to eliminate all risks, but to develop a better understanding of the nature, scale and potential effects posed by the Council’s risk exposure so that it can take effective action to reduce or mitigate downside threats and maximise upside opportunities.

The Council’s risk culture balances an acceptance that risks need to be taken to achieve our plans. The Council is fully committed to developing a culture where risk is appropriately, effectively and proportionately managed. This culture flows throughout the whole organisation from employees to elected members who understand and comply with the Council’s Risk Management Policy and processes and are aware of their own roles and responsibilities in managing risk.

A glossary of terms can be found in Appendix 1.

Risk management procedure

Risk management process

Diagram with central circle with 'Risk management process' written on it, with six numbered small circles around it: 1. Establish objectives, 2. Identify risks, 3. Analyse and evaluate risks, 4. Manage risks, 5. Record and report, and 6. Monitor and update.
Figure 1: Risk management process

Step 1: Establish objectives

The starting point for the management of risks is the identification of objectives, including those held in plans, including the Corporate Plan, Service Plans, project plans and in service delivery policies and procedures.

Step 2: Identify the risks

Consideration should then be given to what threats and opportunities may be associated with the delivery of these objectives. The purpose is to generate a comprehensive, up to date, easy to understand list of risks.

To identify risks, managers should:

  • Undertake a risk management assessment exercise.
  • Research and consider the risks or incidents that have affected others in delivering similar objectives.
  • Review local, national, and international policies, legislation, and events that may affect the objectives.
  • Measure current performance and identify weaknesses.
  • Review reports about Council services including those issued by internal and external auditors, agencies, and inspection results.
  • Consider the risk categories listed below. (Note: this is not a finite list.)

Risk category examples

  • Business continuity
  • Health and safety
  • Climate change
  • Information management
  • Projects and programmes
  • Visions and values
  • Service delivery
  • Physical assets

Describing a risk

Risks need to be described in clear terms that can easily be understood and must specify the tangible threat or opportunity. The description should help determine how the risk will be managed and treated.

Risk descriptors are often prefaced with:

‘Lack of…’, ‘Loss of…’, ‘Failure to…’, ‘Inability to…’, ‘Reduction of…’, ‘Disruption to…’, ‘Inappropriate…’

Risks should generally be described in a couple of sentences, explaining the risk, cause, and effect.


Example: Failure to deliver a major change project on time and in budget (risk) due to lack of project management and appropriate resources and conflicting priorities (cause), which will have a detrimental impact on delivery of the next stage of the programme and will increase temporary staffing costs (effect).

Step 3: Analyse and evaluate the risk

Once identified, risks need to be analysed, evaluated, and prioritised for treatment. Risks are rated through a combined assessment of:

  • Impact: The potential impact / consequences (both before and after mitigation)
  • Likelihood: How likely the risk is to occur

A 5 by 5 scoring matrix, set out in Figure 2 below, is used to carry out the assessment of ‘impact’ and ‘likelihood’ to ensure that the risks are rated in a consistent way.

This allows risks to be plotted on the risk chart, which is the visual tool used to illustrate and compare risks.

The greater the risk, the more effort will be required to manage it, where it is within our control and it would be the best use of resources.

During this process the risk rating will need to be determined for the risk appetite, inherent risk, residual risk, and target risk value.

Diagram showing risk likelihood on the vertical axis and impact on the horizontal axis. From bottom to top: remote, unlikely, possible, highly likely and almost certain. From left to right: negligible, slight, moderate, critical and catastrophic. Blocks are numbered and colour-coded. Low likelihood and impact is green, high likelihood and impact is red.
Figure 2: risk matrix

The Council has predetermined ‘likelihood’ and ‘impact’ criteria to ensure consistency, as
set out below.

Figure 3: Likelihood and impact criteria

Likelihood criteria (score, description, example detail):

  • 5, Almost certain: Almost certain occurrence / The event is expected to occur in most circumstances / There is a history of very frequent occurrence at the council or similar organisations.
  • 4, Highly likely: There is a strong possibility that the event will occur / There is a history of frequent occurrence at the council or similar organisations.
  • 3, Possible: The event might occur / There is a history of occurrence at the council or similar organisations.
  • 2, Unlikely: Not expected / but there’s a moderate possibility it may occur.
  • 1, Remote: Highly unlikely, but it may occur in exceptional circumstances. It could happen but is very unlikely.

Measured over a one-year period or life of the project

Impact criteria (impact type and impact level):

Level 5: Catastrophic

  • H&S: Death or life threatening.
  • Service delivery: Loss of service for more than 5 days / Impacts on vulnerable groups / Affects the whole Council.
  • Reputational: Negative sustained national publicity, resignation or removal of CE, Director, or elected member.
  • Environmental: Major damage, long term contamination to local area.
  • Legal: Legal action almost certain and difficult to defend, Catastrophic breach of duty resulting in imprisonment.
  • Financial: Financial impact not manageable within existing funds & requiring Member approval for virement or additional funds i.e., in excess of £1,000,000 or >15% of monthly budget.

Level 4: Critical

  • H&S: Extensive, permanent/long term injury or long-term sick.
  • Service delivery: Loss of service 3 to 5 days / Possible impact to small numbers of vulnerable people / definite impacts on property or non-vulnerable groups / Affects most Directorates.
  • Reputational: Negative national publicity.
  • Environmental: Serious damage, medium term contamination to local area.
  • Legal: Legal action expected / Significant breach of duty resulting in fines/disciplinary action.
  • Financial: Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds i.e., between £500,000 and £1,000,000 or >10% of monthly budget.

Level 3: Moderate

  • H&S: Injury, lost time, short term sick absence.
  • Service delivery: Loss of service 2 to 3 days / Impacts to non-vulnerable groups / Affects a single Directorate.
  • Reputational: Negative sustained local publicity, High proportion of negative customer complaints.
  • Environmental: Moderate impact, to short term contamination to local area.
  • Legal: Legal action possible / Moderate breach of duty resulting in disciplinary action.
  • Financial: Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds i.e., between £250,000 and £500,000 or >5% of monthly budget.

Level 2: Slight

  • H&S: Injury – no lost time.
  • Service delivery: Loss of service 1 to 2 days / Impacts to non-vulnerable groups / Affects 1 or a few services of the Council.
  • Reputational: Negative local publicity.
  • Environmental: Minor impact, short term contamination.
  • Legal: Legal action unlikely / Minor breach of duty resulting in disciplinary action.
  • Financial: Financial impact manageable within existing service budget but requiring service manager approval for virement or additional funds i.e., between £50,000 and £250,000 or >2% of monthly budget.

Level 1: Negligible

  • H&S: Incident – no lost time.
  • Service delivery: Brief disruption, less than 1 day / Impacts to non-vulnerable groups / Affects a project.
  • Reputational: Minor adverse local publicity.
  • Environmental: Local incident would be dealt with immediately with minimal impact.
  • Legal: Legal action unlikely / Localised service level deviation from duties.
  • Financial: Possible financial impact manageable within service budget i.e., less than £50,000 or >1% of monthly budget.

Step 4: Manage (mitigate/treat) risks

Controls and Actions. A key consideration in managing risk is the identification and
development of controls. These are activities (for example checks and review meetings
looking at specific Key Performance Indicators (KPIs)) which are carried out regularly to
review the risk or something associated with it. An action is a one-off activity often to bring
in a control or change a specific matter associated with the risk. Controls and actions are
identified separately in the risk score cards.

Once the risk has been identified and its priority determined, the options for managing
(mitigating) the risk, to either stop it from arising or to minimise the impact should it
occur, should be considered.
This involves:

  • Identifying the existing controls in place
  • Identifying what further controls and/or actions are required. This will either involve improving existing controls or developing and implementing new ones
  • Accepting that it is not possible to eliminate all risk and that there are no reasonable mitigations available.

Mitigating actions should either minimise the likelihood of the risk event occurring, reduce
the frequency or limit the severity of the event, should it occur. There are normally a
variety of choices available to manage risk. Sometimes no one control can totally remove
the risk. There may also be times where no amount of treatment can adequately control
the risk. Progress in implementing the identified mitigations will be monitored and reported
on a regular basis.

The residual risk values need to be determined, and recorded, with the controls identified
in place.

If the residual risk value (after mitigation) remains too high i.e., exceeding the risk
appetite, further controls need to be identified to ensure that the risk is below the risk
appetite. If this is not possible, a formal decision will need to occur about the risk and
whether the activity can occur.

Responsibility and accountability for managing each risk needs to be assigned:

A risk owner: The person who is responsible and accountable for the risk. This should be
the person with the knowledge of the risk area and sufficient seniority to enable them to
allocate resources to manage the risk and to ensure that actions required to treat it are
completed. This is normally an Executive Director, Deputy or Assistant Director.

A delegated control owner: The risk owner may allocate someone else, of appropriate
seniority and who is closer to the service/event/project to which the risk relates, to
oversee the risk on their behalf. The delegated control owner reports progress in managing
the risk to the ‘Risk Owner’.

Risk Position

Having identified the existing controls and actions, Risk Owners are required to categorise
the positioning of the risk within the organisation.

The options are split into:

  • Tolerating the risk – Agreeing to accept the risk at its current risk level. This will mean that no further risk mitigations will be implemented but the risk will be monitored.
  • Terminating the risk – Deciding not to take any further action and stopping the activity
  • Treating the risk – Agreeing to continue to implement further controls to change the nature of the risk
  • Transferring the risk – Agreeing to transfer the risk for example to a contractor or by purchasing specialist insurance to cover the risk.

The management of the risk can also change by: Escalating the risk – Moving the risk to the
Strategic Risk Register or De-escalating the risk – Moving the risk to a different Risk Register (Directorate or Service Risk Register).

When undertaking this process, careful consideration should be given to balancing the
benefits against the objectives, resources, effort and appetite, and the consequences or
disadvantages of implementing controls. Justification for controls, terminating the risk
or transferring the risk should be considered in broad context such as commitments,
obligations and stakeholder views. It should not solely be based on finances.

Step 5: Record and report

Risks need to be recorded and reported. This occurs through the Strategic, Directorate,
service, project and other risk registers.

The risk registers are working documents that record the key details of the risks, such
as title/description, risk owner, risk rating, the main controls in place to manage the
risk, a summary of the actions and their progress, and comments providing further
information and updates on the management of the risk.

Risk reporting should:

  • Provide relevant, concise but sufficient risk information in a timely manner that facilitates decision making and action
  • Ensure that the views of the leadership/management team/ Committee receiving the risk report are passed to the relevant risk owners
  • Focus on the most significant risks, ensuring adequate responses are put in place.

Details on how to input data onto the Risk Registers can be found at Appendix 2.

Step 6: Monitor and update

Few risks and risk registers remain static; they evolve over time. Risk characteristics,
priorities and responsibilities change, and actions get completed. Therefore, risk
monitoring is required. It includes:

  • Monitoring the changes in the risk characteristics and values
  • Monitoring the effectiveness of our response to the risk by considering the adequacy of controls and how the risk actions are progressing and changing. Controls dependent upon people may fail and should be avoided, or increased monitoring should occur.
  • Monitoring the risk profile; reviewing the risks facing the Council via the reporting of risk registers to relevant Boards, Committees, and leadership teams

Any changes identified during the monitoring meetings should be reflected against the
relevant risk and risk register.

Risk Escalation

Identifying when a risk should be escalated is an important part of the monitoring
process. There may be instances where further action to mitigate a risk cannot be taken
by the current owner meaning it needs to be escalated e.g., from the Directorate to the
Strategic Risk Register or from the Project/Programme to Directorate Risk Register.

In these circumstances a report will be presented to either the Corporate Management
Team, or Directorate Management Team by the Risk Owner for discussion. Where a
Directorate risk increases in significance to the extent it may have a corporate impact,
the risk may be escalated to the Strategic Risk Register.

Risk registers

There are five types of risk registers operated within Reading Borough Council.

Strategic risk register

Strategic risks are those of significant, strategic, and cross cutting importance that require attention from the Council’s most senior managers and elected members.

Temporary risk registers

There may be circumstances where strategic specific initiatives require risk registers i.e., COVID, Ukraine refugees etc. These should only be set up when the initiative is complex. It is likely that the Strategic Risk Register would have a single, overarching risk for the initiative.

Strategic Project Risk Registers should only be generated with the approval of Corporate Management Team.

Directorate risk register

Directorate risks are those that require the attention of the respective Directorate Management Team, overseen by the individual Director.

Directorate risks may be local versions of the corporate risks i.e., directorate budget or information governance specifying in more specific terms how the directorate will manage the risk as it relates to services.

Service risk register

Service risks are those that require the attention of the respective Service Team, overseen by the individual Assistant Director.

Service risks may be local versions of the corporate, directorate or project risks i.e., budget or information governance specifying in more specific terms how the service and teams will manage the risk as it relates to services.

Project/programme/specific risk registers

Project and programme risks will be identified by the Senior Responsible Officer supported by the Performance Management Office (PMO). The ‘Risk Management for Projects and Programmes Guidance’ should be consulted for management of these risks.

Specific risks such as health and safety risks, building risks, policy risks etc. may be identified separately and should be fed into service, project or directorate risk registers.

Reporting framework

The reporting hierarchy for risk and the associated review bodies are included in the table below:

Risk reporting: Annual assurance report on corporate risk management arrangements. Presents assurances to the Committee on the effectiveness of the Council’s corporate risk management arrangements.
Review body: Audit & Governance Committee; All Committees via standard report template.

Risk reporting: Quarterly Strategic Risk Management Report. Updates and provides assurance to the Audit & Governance Committee on the Council’s strategic risk register.
Review body: Audit & Governance Committee; Corporate Management Team.

Risk reporting: Strategic Risk Register & Reports. Strategic risk register – cross cutting risks that could have a significant impact on the Council’s operations. Central H&S Committee Report.
Review body: Corporate Management Team.

Risk reporting: Directorate Risk Register & Reports. Risks that impact on the objectives of the directorate and its services. Risk associated with project and programmes within the Directorate. Corporate Boards / Committee reports.
Review body: Directorate Management Teams; Corporate Boards, for example LPD Board.

Risk reporting: Service, operational and programme / project risks. Risks directly impacting on the service, operation, or programme / project delivery. Identified by Service Plans.
Review body: Service/Operational Management Teams; Programme & Project Boards; H&S Committees.

Boards and Committees receive risk information relevant to their specialism. An example includes the Directorate and Central Health & Safety Committees that receive health and safety specific risk information. Boards and Committees are chaired by Senior Management and accountability structures are in place to escalate risks that cannot be managed to the relevant meeting outlined above, i.e., DMT or CMT.

Risk management policy and procedures review

It is important that the Risk Management Policy and Framework remain up to date, fit for purpose, are embedded across the Council and that they work as intended.

The following actions help achieve this:

  • Keeping up to date with risk management best practice and guidance
  • Obtaining feedback from risk management training sessions and workshops
  • Periodic comparison against arrangements of UK Core Cities and LA’s and national standards
  • Ensuring consideration of Equality, Diversity and Cohesion matters.

Risk governance assurance

Risk Management is a key part of the Council’s governance arrangements, and the Risk Management Policy supports the authority’s compliance with its statutory requirements. Local authorities are required to conduct a review of the effectiveness of their systems of internal control, which include the arrangements for the management of risk, at least once a year.

Through the Annual Governance Statement, the Council is required to comment on the effectiveness of its arrangements in this regard. The Statement must also identify any significant governance issues that may have resulted from failures in governance and risk management.

Risk management training

It is important that elected members and staff develop their knowledge and understanding of risk management.

Organisational Development & Learning will annually set out a risk management training programme which will include a variety of training modules that must be completed. Employee training will be subject to their role and responsibilities for Risk Management issues.

The training programme will contain a mixture of both formal and informal training sessions and will remain adaptable to the changing risks within the organisation.

Managers will be responsible for ensuring employees within their Service /Team receive adequate Risk Management training.

Roles and responsibilities

This section details our responsibilities for risk management.

Elected Members

The Leader of the Council will

  • Ensure the work of Committees and Full Council is conducted in accordance with Council policy and procedures for management of risk and with due regard for any statutory provisions set out in legislation.

Policy Committee will

  • Approve and review the Council’s Risk Management Policy.
  • Require officers to develop and implement an effective framework for risk management.
  • Understand the risks facing the Council and the Borough of Reading.

Members will

  • Ensure that they understand the Council’s risk management arrangements and the strategic risks facing the Council.
  • Take reasonable steps to properly consider all the risk implications during the decision making and policy approval undertaken by them.
  • Understand the risks facing the Council and the Borough.
  • Take an active and supporting role to Council Officers and communities of Reading in times of emergency.
  • Ensure that all the decisions they make are in line with Council policy and procedures for health and safety and any statutory provisions set out in legislation.

Risk Management Champion (Chair of Audit and Governance Committee) / Lead Member will

  • Raise the portfolio of risk management, promoting the benefits to Members, ensuring that everyone is aware of their responsibilities and accountabilities.
  • Ensure that the risk management process is applied to all key and major decisions made by elected members through the use of quality risk assessments with all reports requiring decisions.
  • Promote risk management and related training to elected members.

Audit & Governance Committee will

  • Agree and endorse the Corporate Risk Management Policy
  • Review and scrutinise the implementation and effectiveness of the Corporate Risk Management Policy.
  • Monitor the Council’s Strategic Risk Register.
  • When appropriate, undertake ‘deep dives’ into high level risks.
  • Receive an annual review of the Council’s approach to Corporate Governance, including risk management.

Council Staff

Chief Executive

The Chief Executive takes overall responsibility for the Council’s risk management performance and in particular will ensure that:

  • The Council has effective and efficient risk management arrangements in place.
  • All decision-making is in line with Council policy and procedures for management of risk and any statutory provisions set out in legislation.
  • Adequate resources are made available for the management of risk.
  • Management of risk performance is continually reviewed.
  • The risks facing the Council and the Borough are understood.
  • Raise the portfolio of risk management by supporting and promoting a risk management culture and ensuring that everyone is aware of their responsibilities and accountabilities.

Corporate Management Team will:

  • Promote and oversee the implementation of the Corporate Risk Management Policy and Procedures.
  • Take a lead in identifying and analysing significant corporate and crosscutting risks and opportunities facing the authority in the achievement of its key objectives; determine RBC’s approach to each risk and set priorities for action to ensure they are effectively managed and reviewed and updated on a quarterly basis.
  • Identify, develop, manage, and update the Strategic Risk Register when things change, or on a quarterly basis as a minimum.
  • Ensure that “decision book” reports and ‘delegated decision reports’ incorporate a section on risk management information.
  • Understand the risks facing the Council and the Borough of Reading.
  • Review and challenge the Directorate Risk Registers as appropriate.
  • Support and promote a risk management culture throughout the Council.

Executive Directors will:

  • Develop a Directorate Risk Register and review and update it on a quarterly basis.
  • Monitor the Directorate Risk Register and ensure that mitigating actions are allocated to nominated staff and completed.
  • Ensure that the risk management process is an explicit part of all major projects, partnerships and change management initiatives within their Directorates.
  • Ensure that Risk Management roles and responsibilities and performance management targets are included within appropriate job descriptions.
  • Understand the risks facing their Directorate, the Council, and the Borough.
  • Be accountable for escalating/deescalating risks between the different Risk Registers.

Deputy/Assistant Directors / Managers will:

  • Take primary responsibility for identifying and managing significant strategic and operational directorate risks arising from their service activities. These will be recorded, monitored, and reviewed via the Directorate Risk Register on a quarterly basis.
  • Ensure that identified mitigating actions are nominated to specific personnel and are completed.
  • Ensure that reports for decision include comprehensive risk management information to allow effective decisions to be made.
  • Promote Risk Management and ensure that the Risk Management Policy is implemented effectively across their Service and that they and their staff undertake training as required.
  • Share risk information with other risk owners as appropriate.
  • Ensure that their teams carry out risk assessments where appropriate as a routine part of service planning and management activities.
  • Ensure that all employees are aware of the risk assessments appropriate to their activity.
  • Produce Service Risk Registers if required.
  • Provide support and resources in order to effectively respond to an emergency situation or business disruption.

Managers will:

  • Support Senior Management in the identification of risks and the completion of actions to mitigate the risk.

Senior Responsible Officer and Project Managers:

  • Are responsible for ensuring that adequate risk management arrangements are in place throughout the project lifecycle.
  • Will report the risk status of the project for inclusion in the relevant Strategic/Directorate/Service Plan risk register.

All Staff will:

  • Comply with the Risk Management Policy for their operational activities and processes.
  • Comply with mitigating actions identified to reduce risk.
  • Report potential hazards and risks they cannot manage to line managers.
  • Support continuous service delivery and any emergency response.
  • Work in a safe manner not putting themselves, others, or the organisation at risk.

Internal Audit will:

  • Provide assurance on the implementation of the Risk Management Policy.
  • Ensure that internal audit coverage is risk based, considering the risks identified within the Strategic and Directorate Risk Registers.
  • Provide assurance on the robustness of the Council’s management of risks.
  • Provide assurance on Resilience.
  • Communicate risks identified during the auditing process with relevant parties.

The Health, Safety and Risk Management Lead will:

  • Develop, promote, support, and oversee the implementation of the Risk Management Policy and systems.
  • Monitor and review the effectiveness of the Risk Management Policy, framework, procedure, and Register. Support, identify and communicate risk management issues to services, project managers, contractors, and partner organisations.
  • Assist services in their risk management activity through training and/or direct support.
  • Ensure compliance with all risk-based legislation through monitoring systems including Health & Safety, Risk Management, and the Civil Contingencies Act 2004.
  • Support the preparation of risk registers for services, projects, and partnerships.

Other Partners


  • All maintained schools should be aware of the risk management systems in place at the Council including the Corporate Health and Safety Policy and have a local school policy.
  • Schools should be aware of the risk in the Schools Emergency Response Plan (Rainbow Plan) and have local arrangements in place.

Partners and Contractors

The Council expects third parties upon which it relies (including contractors, partners, associates, and commissioned independents) to:

  • Comply with the Risk Management and H&S Policies and procedures and demonstrate exemplary standards.
  • Work safely, comply with all relevant legislation, and best practice and have in place appropriate sources of expert advice. Provide and evidence all Business Continuity procedures that relate to services provided and additional support that has been agreed.
  • Establish training requirements with regard to strategy implementation.

Specific Duties

Risk Management is an integral part of the Corporate Governance Framework. The following service leads/teams bring together the disciplines of Risk Management.

The Insurance Manager will:

  • Provide advice on operational risk, risk retention and transfer, by placing transferred risk with a reputable insurer.
  • Provide operational risk management advice and guidance.
  • Working with the Council’s insurers, provide claims management and investigation services for claims made by and against the Council under its insurance policies.
  • Provide advice and guidance with regard to insurance requirements, indemnities, and legal liabilities.
  • Manage the day-to-day use of the internal Insurance Fund for payment of self-insured losses.
  • Provide a buy-back insurance service for schools.

The Health, Safety and Risk Management Lead and Health & Safety Advisers will:

  • Act as the Council’s competent persons as required by the Management of Health and Safety at Work regulations.
  • Provide expert health and safety advice and support to all levels within the organisation.
  • Develop and maintain the Council’s Health and Safety Policy and Procedures
  • Support the Health and Safety training programme.
  • Carry out Health and Safety audits and inspections of Council establishments.
  • Evaluate accident/incident near miss reports and carry out accident investigations of serious accidents.


The Emergency Planning Team will aim to ensure that Reading Borough Council is prepared and able to respond to an emergency situation or business disruption, in compliance with the Civil Contingencies Act 2004 through:

  • Liaison with enforcing authorities
  • Provision of expert advice, assistance and support to Members, Officers and Service Areas in the event of an emergency and/or business disruption
  • Provision of advice and assistance in establishing the Council’s Critical Services and functions
  • Provision of expert advice and support on preparedness and response to all Council services and teams
  • The production and validation of plans and procedures, including training and awareness.
  • 24hr/365 day integrated Local Authority on-call service.
  • Facilitation of Resilience implementation, awareness, training and exercising
  • Regular monitoring, review and refresh of Resilience Plans, procedures, and reports

Appendix 1: glossary

  • Accept: A risk response that means RBC takes the chance that the risk will occur, usually after all viable options to treat the risk have been exhausted.
  • Consequence: The impact and implications for the organisation should the risk materialise.
  • Delegated Control Owner: The person chosen by the risk owner to oversee the implementation of controls on their behalf. The delegated risk owner reports progress in managing the risk to the owner.
  • Inherent Risk: The level of risk before any actions have been taken to change the probability or impact.
  • Issue: An event that has already occurred, i.e. not a risk.
  • Key risk indicator (KRI): An early warning indicator that can be used to monitor a change in the likelihood or impact of a risk. Indicates that the risk event is about to materialise.
  • Likelihood: How likely the risk is to occur, i.e. the probability of the risk actually materialising.
  • Mitigate: The application of controls and actions to a risk to reduce its probability and/or impact down to acceptable levels. The industry uses the word ‘treat’ to describe managing risks.
  • Opportunity Risk: Opportunity risks are those which are taken deliberately in line with RBC’s risk appetite in order to gain a positive return.
  • Probability: See ‘Likelihood’ (above).
  • Residual risk: The remaining level of risk after mitigation and control measures have been taken.
  • Risk: The effect of uncertainty on objectives.
  • Risk Action: Additional/further work required to mitigate the risk.
  • Risk Analysis: Systematic use of available information to determine how often specific events may occur and the magnitude of the impact.
  • Risk Appetite: Amount and type of risk that RBC is prepared to accept or tolerate.
  • Risk Assessment: The process by which the significance of a risk is determined.
  • Risk Category: The general areas, categories or types of risk that may face the Council.
  • Risk Culture: Risk culture is ‘the ways we do risk management within RBC’. The values, behaviours, and attitudes towards risk management.
  • Risk Matrix: The table used for scoring the probability and impact of a risk to determine its overall rating.
  • Risk Management: The term used to describe the process and activities operated to manage risk within RBC.
  • Risk Chart: The pictorial model that displays the relationship between the likelihood and impact of specific risks.
  • Risk Owner: The person responsible and accountable for the risk. They have the knowledge and seniority to allocate resources to manage the risk and ensure actions are completed.
  • Risk Management Policy: The document that sets out the principles of action regarding Risk Management and how it will be achieved.
  • Risk Management Process: A series of regular steps, carried out in sequence, by which risks are identified, evaluated, responded to, reported, and monitored.
  • Risk Rating: The result of the probability and impact calculation for a risk.
  • Risk Register: The working document that records the risks identified and their key details such as title/description, risk owner, risk rating and the main controls in place to manage the risk. This is located on SharePoint.
  • Source: The things that could give rise to the risk or cause it to occur.
  • Stakeholder: Any individual, group or organisation that can affect, be affected by, or perceive itself to be affected by a risk.
  • Standing Risks: Risks that will always face the Council, no matter how well they are managed.
  • Strategy: The processes and systems designed to achieve the long-term overall aim.
  • Target Rating: The rating based on the lowest probability and impact scores deemed viable to manage the risk to an acceptable level given the number of resources available.
  • Treat: The industry uses the word ‘treat’ to describe managing risks. See ‘Mitigate’ above.

Appendix 2: how to use the risk management SharePoint

Reading Borough Council uses SharePoint to record its risk registers and the background information associated with these risks.

Access to Risk Registers and individual risks is restricted to individual Risk Owners, Directors, and the Risk Management Team.

The Risk Registers operate on a rolling two-year basis as it is recognised that risks do not suddenly ‘appear and disappear’ each financial year.

Incorporating a new risk

Once a new risk has been identified the Risk Management Team will set up a new ‘Risk Card’ for use. This will either be within the Master Strategic, Directorate, Service or Project Specific Risk Register.

The allocated Risk Owner will be responsible for researching the risk, best practice, and mitigations from a number of sources and incorporating the decisions made regarding the risk within the register.

The Risk Owner is required to complete a series of questions within the risk card. This includes:

  • Details of the risk
  • The potential impact
  • Details of the existing controls in place to mitigate and treat the risk
  • Inherent Impact and Likelihood and Residual Impact and Likelihood for the next quarter
  • Details of further actions that will occur and who will be responsible for them
  • Attachments that support the decisions or demonstrate completion of the mitigating action.

Updating the risk

The information detailed above must be updated by the Risk Owner as and when things change, and the risk ratings must be calculated on a quarterly basis. A forward look is also required to explain the actions that will take place.

NB: The Risk Owner does not need to manipulate the charts or change the formatting of the form. The system is set up to automatically display the relevant data.

Last updated on 20/05/2024