Our aim is to identify, analyse and appropriately manage potential threats and opportunities posed by risk.
We recognise that we live in an uncertain world and that risk is present in everything we do to improve outcomes and deliver services. The Council and our partners encounter a wide range of risks during our activities and in delivering plans.
Strong risk management is therefore essential to achieving our ambitions and delivering our plans and projects.
Managing risk is the responsibility of everyone. To achieve this, the management of risk has to be integral to our culture.
This Policy Statement is supported by our risk management approach: a systematic, effective, robust, consistent and proportionate risk management process.
The benefits gained through utilising risk management arrangements are considerable, as they allow:
thereby improving the resilience and quality of the services we deliver and protecting the people of Reading.
This policy sets out how Reading Borough Council (‘the Council’) will effectively identify and manage potential threats and opportunities to delivering its services and plans. Chief amongst these plans is the Corporate Plan, but this policy also covers all other plans and delivery of services. Risk Management affects all parts of the Council’s business and the strategic and operational decisions made at all levels across the Council.
Our vision is ‘to help Reading realise its potential and to ensure that everyone who lives and works here can share in the benefits of its successes’. We can achieve better outcomes for the Council through a realistic assessment of the challenges faced, informed decision making and targeted risk mitigation and treatment.
This document, along with the Risk Management SharePoint, supports the effective and proportionate management of risk. It should also be read in conjunction with supporting documentation, including:
The Policy and Procedure aim to provide staff, elected members and partners with guidance to help ensure there is an effective, robust, consistent, and communicated way of managing risk across the whole Council.
This will be achieved by:
social and legislative requirements, minimising the impact and likelihood of risks occurring and to reduce the cost of risk.
Endorsement of this document from Members and the Corporate Management Team who are accountable for effective risk management within Reading Borough Council.
‘Risk’ is defined as ‘the effect of uncertainty on objectives’.
Risks are threats, adverse events or opportunities that, should they arise, could affect the achievement of ambitions. In simple terms, risks are real or tangible ‘things’ that we need to be aware of.
Risks can be classed as internal or external facing.
Risks change with time, as the environment changes and as we manage the risk.
Opportunity risks are those associated with plans that aim to benefit Reading, for example an investment. They can be unseen and unplanned. These risks are acceptable provided they are well thought out and properly managed.
The ‘Risk Management Process’ is a series of co-ordinated activities, through which risks are regularly identified, evaluated, treated, reported, and monitored.
The risk management process helps us to:
The purpose of risk management is not to eliminate all risks, but to develop a better understanding of the nature, scale and potential effects posed by the Council’s risk exposure so that it can take effective action to reduce or mitigate downside threats and maximise upside opportunities.
The Council’s risk culture accepts that risks need to be taken to achieve our plans, balanced against the need to manage those risks well. The Council is fully committed to developing a culture where risk is appropriately, effectively and proportionately managed. This culture flows throughout the whole organisation, from employees to elected members, all of whom understand and comply with the Council’s Risk Management Policy and processes and are aware of their own roles and responsibilities in managing risk.
A glossary of terms can be found in Appendix 1.
The starting point for the management of risks is the identification of objectives, including those held in plans (the Corporate Plan, Service Plans and project plans) and in service delivery policies and procedures.
Consideration should then be given to what threats and opportunities may be associated with the delivery of these objectives. The purpose is to generate a comprehensive, up to date, easy to understand list of risks.
To identify risks, managers should:
The risk categories to consider include:
- Business continuity
- Economic
- Health and safety
- Partnerships
- Security
- Climate change
- Social
- Contractual
- Community
- Environmental
- Information management
- Projects and programmes
- Staffing
- Safeguarding
- Visions and values
- Operational
- Service delivery
- Finance
- Legal/regulatory
- Reputational
- Technology/IT
- Political
- Physical assets
- Transformation/change
Risks need to be described in clear terms that can easily be understood and must specify the tangible threat or opportunity. The description should help determine how the risk will be managed and treated.
Risk descriptors are often prefaced with:
‘Lack of…’ ‘Loss of…’ ‘Failure to…’ ‘Inability to….’ ‘Reduction of…’ ‘Disruption to’ ‘Inappropriate…’
Risks should generally be described in a couple of sentences, explaining the risk, cause, and effect.
Example:
Failure to deliver a major change project on time and in budget (risk) due to a lack of project management and appropriate resources and conflicting priorities (cause), which will result in a detrimental impact on delivery of the next stage of the programme and will increase temporary staffing costs (effect).
Once identified, risks need to be analysed, evaluated, and prioritised for treatment. Risks are rated through a combined assessment of:
A 5 by 5 scoring matrix, set out in Figure 2 below, is used to carry out the assessment of ‘impact’ and ‘likelihood’ to ensure that risks are rated in a consistent way.
This allows risks to be plotted on the risk chart, which is the visual tool used to illustrate and compare risks.
The greater the risk, the more effort will be required to manage it, where it is within our control and doing so is the best use of resources.
During this process the risk rating will need to be determined for the risk appetite, inherent risk, residual risk, and target risk value.
The Council has predetermined ‘likelihood’ and ‘impact’ criteria to ensure consistency, as set out below: first the likelihood scores, then the impact criteria for each impact score from 5 (highest) down to 1 (lowest).
Score | Description | Example detail |
---|---|---|
5 | Almost certain | Almost certain occurrence / The event is expected to occur in most circumstances / There is a history of very frequent occurrence at the council or similar organisations. |
4 | Highly likely | There is a strong possibility that the event will occur / There is a history of frequent occurrence at the council or similar organisations. |
3 | Possible | The event might occur / There is a history of occurrence at the council or similar organisations. |
2 | Unlikely | Not expected, but there is a moderate possibility it may occur. |
1 | Remote | Highly unlikely, but it may occur in exceptional circumstances. It could happen but is very unlikely. |
Impact type | Impact level (score 5) |
---|---|
H&S | Death or life threatening. |
Service delivery | Loss of service for more than 5 days / Impacts on vulnerable groups /Affects the whole Council. |
Reputational | Negative sustained national publicity, resignation or removal of CE, Director, or elected member. |
Environmental | Major damage, long term contamination to local area. |
Legal | Legal action almost certain and difficult to defend, Catastrophic breach of duty resulting in imprisonment. |
Financial | Financial impact not manageable within existing funds & requiring Member approval for virement or additional funds i.e., in excess of £1,000,000 or >15% of monthly budget. |
Impact type | Impact level (score 4) |
---|---|
H&S | Extensive, permanent/long term injury or long-term sick. |
Service delivery | Loss of service 3 to 5 days / Possible impact to small numbers of vulnerable people/definite impacts on property or non-vulnerable groups /Affects most Directorates. |
Reputational | Negative national publicity. |
Environmental | Serious damage, medium term contamination to local area. |
Legal | Legal action expected / Significant breach of duty resulting in fines/disciplinary action. |
Financial | Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds, i.e., between £500,000 and £1,000,000 or >10% of monthly budget. |
Impact type | Impact level (score 3) |
---|---|
H&S | Injury, lost time, short term sick absence. |
Service delivery | Loss of service 2 to 3 days / Impacts to non-vulnerable groups / Affects a single Directorate. |
Reputational | Negative sustained local publicity, High proportion of negative customer complaints. |
Environmental | Moderate impact, short term contamination to local area. |
Legal | Legal action possible / Moderate breach of duty resulting in disciplinary action. |
Financial | Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds, i.e., between £250,000 and £500,000 or >5% of monthly budget. |
Impact type | Impact level (score 2) |
---|---|
H&S | Injury – no lost time. |
Service delivery | Loss of Service 1 to 2 days / Impacts to non-vulnerable groups / Affects 1 or a few services of the Council. |
Reputational | Negative local publicity. |
Environmental | Minor impact, short term contamination. |
Legal | Legal action unlikely / Minor breach of duty resulting in disciplinary action. |
Financial | Financial impact manageable within existing service budget but requiring service manager approval for virement or additional funds, i.e., between £50,000 and £250,000 or >2% of monthly budget. |
Impact type | Impact level (score 1) |
---|---|
H&S | Incident – no lost time. |
Service delivery | Brief disruption, less than 1 day / Impacts to non-vulnerable groups /Affects a project. |
Reputational | Minor adverse local publicity. |
Environmental | Local incident would be dealt with immediately with minimal impact. |
Legal | Legal action unlikely / Localised service level deviation from duties. |
Financial | Possible financial impact manageable within service budget, i.e., less than £50,000 or >1% of monthly budget. |
Controls and Actions. A key consideration in managing risk is the identification and development of controls. These are activities (for example checks and review meetings looking at specific Key Performance Indicators (KPIs)) which are carried out regularly to review the risk or something associated with it. An action is a one-off activity, often to bring in a control or change a specific matter associated with the risk. Controls and actions are identified separately in the risk score cards.
Once the risk has been identified and its priority determined, the options for managing (mitigating) the risk, either to stop it from arising or to minimise its impact, should be considered. This involves:
Mitigating actions should minimise the likelihood of the risk event occurring, reduce its frequency, or limit the severity of the event should it occur. There is normally a variety of choices available to manage a risk. Sometimes no single control can totally remove the risk, and there may be times where no amount of treatment can adequately control it. Progress in implementing the identified mitigations will be monitored and reported on a regular basis.
The residual risk values need to be determined, and recorded, with the identified controls in place.
If the residual risk value (after mitigation) remains too high, i.e., exceeds the risk appetite, further controls need to be identified to bring the risk below the risk appetite. If this is not possible, a formal decision is needed about the risk and whether the activity can go ahead.
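As a worked illustration of the scoring described above (the 5 by 5 likelihood and impact criteria) and of the residual-versus-appetite check in the preceding paragraph, the following is an added example written for this page; it is not a Council tool or part of the policy. The financial thresholds are taken from the impact tables above. The combination rule (likelihood multiplied by impact, giving 1 to 25), the per-risk appetite value and the sample register are assumptions, since Figure 2 is not reproduced on this page.

```python
# Added worked example: scoring risks with the policy's 5x5 likelihood/impact
# criteria and checking residual ratings against a risk appetite.  This is
# illustrative code written for this page, not a Council tool.  The financial
# thresholds are the ones in the impact tables above; the combination rule
# (likelihood x impact), the 'appetite' value per risk and the sample register
# are assumptions, because Figure 2 is not reproduced on this page.
from dataclasses import dataclass

# Absolute financial thresholds from the impact tables (upper bound exclusive).
FINANCIAL_BANDS = ((50_000, 1), (250_000, 2), (500_000, 3), (1_000_000, 4))
# Percentage-of-monthly-budget thresholds from the same tables (">1%" ... ">15%").
PERCENT_BANDS = ((1, 1), (2, 2), (5, 3), (10, 4), (15, 5))
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Possible",
              4: "Highly likely", 5: "Almost certain"}


def financial_impact_score(amount_gbp, monthly_budget_gbp=None):
    """Map a financial exposure to an impact score 1..5.

    The absolute bands always apply.  If a monthly budget is given, the
    percentage bands are applied as well and the higher score wins, which
    is how the 'or' in the criteria is read here (assumption).
    """
    score = 5  # anything at or above £1,000,000
    for upper, s in FINANCIAL_BANDS:
        if amount_gbp < upper:
            score = s
            break
    if monthly_budget_gbp:
        pct = amount_gbp / monthly_budget_gbp * 100
        pct_score = 1
        for threshold, s in PERCENT_BANDS:
            if pct > threshold:
                pct_score = s
        score = max(score, pct_score)
    return score


def rate(likelihood, impact):
    """Combine the two scores into a rating of 1..25 (assumed product rule)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be scored 1..5")
    return likelihood * impact


@dataclass
class Risk:
    title: str
    owner: str
    inherent: tuple   # (likelihood, impact) before any controls
    residual: tuple   # (likelihood, impact) with existing controls in place
    target: tuple     # (likelihood, impact) the planned actions aim for
    appetite: int     # highest residual rating the owner may tolerate (assumed)


def assess(risk):
    """Apply the treatment rule: residual within appetite is acceptable;
    otherwise further controls are needed if the target gets there, and a
    formal decision is needed if even the target rating exceeds appetite."""
    inherent = rate(*risk.inherent)
    residual = rate(*risk.residual)
    target = rate(*risk.target)
    if residual <= risk.appetite:
        status = "within appetite"
    elif target <= risk.appetite:
        status = "further controls required"
    else:
        status = "formal decision required"
    return {"title": risk.title, "owner": risk.owner, "inherent": inherent,
            "residual": residual, "target": target, "status": status}


def treatment_report(register):
    """Assess every risk, worst residual rating first (prioritisation)."""
    return sorted((assess(r) for r in register),
                  key=lambda row: row["residual"], reverse=True)


# Constructed sample register (hypothetical names and scores).
SAMPLE_REGISTER = [
    Risk("Failure to deliver major change project on time and in budget",
         "Director of Transformation", inherent=(4, 4), residual=(3, 3),
         target=(2, 3), appetite=8),
    Risk("Loss of the main case-management system for more than 5 days",
         "Director of Resources", inherent=(5, 5), residual=(4, 5),
         target=(3, 5), appetite=12),
    Risk("Minor breach of duty in a single service", "Assistant Director",
         inherent=(3, 2), residual=(2, 2), target=(1, 2), appetite=6),
]

if __name__ == "__main__":
    for row in treatment_report(SAMPLE_REGISTER):
        print(f"{row['residual']:>2}  {row['status']:<28} {row['title']}")
```

Running the script lists the three constructed risks worst first: the system-loss risk is flagged for a formal decision because even its target rating (15) exceeds the assumed appetite (12), the change-project risk needs further controls because its residual (9) exceeds appetite (8) but its target (6) does not, and the minor breach sits within appetite. A financial exposure of £600,000 scores 4 on the absolute band but 5 once it is also 20% of a £3,000,000 monthly budget, which is the point of reading the criteria's ‘or’ as taking the higher score.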
Responsibility and accountability for managing each risk needs to be assigned:
A risk owner: the person who is responsible and accountable for the risk. This should be the person with knowledge of the risk area and sufficient seniority to allocate resources to manage the risk and to ensure that the actions required to treat it are completed. This is normally an Executive Director, Deputy or Assistant Director.
A delegated control owner: the risk owner may allocate someone else, of appropriate seniority and closer to the service, event or project to which the risk relates, to oversee the risk on their behalf. The delegated control owner reports progress in managing the risk to the Risk Owner.
Having identified the existing controls and actions, Risk Owners are required to categorise the positioning of the risk within the organisation. The options are split into:
The management of the risk can also change by escalating the risk (moving it to the Strategic Risk Register) or de-escalating the risk (moving it to a different Risk Register, i.e., a Directorate or Service Risk Register).
When undertaking this process, careful consideration should be given to balancing the benefits against the objectives, resources, effort and appetite, and the consequences or disadvantages of implementing controls. Justification for controls, for terminating the risk or for transferring the risk should be considered in a broad context, such as commitments, obligations and stakeholder views. It should not be based solely on finances.
Risks need to be recorded and reported. This occurs through the Strategic, Directorate, service, project and other risk registers.
The risk registers are working documents that record the key details of the risks, such as title/description, risk owner, risk rating, the main controls in place to manage the risk, a summary of the actions and their progress, and comments providing further information and updates on the management of the risk.
Risk reporting should:
Details on how to input data onto the Risk Registers can be found at Appendix 2.
Few risks and risk registers remain static; they evolve over time. Risk characteristics, priorities and responsibilities change, and actions get completed. Therefore, risk monitoring is required. It includes:
Any changes identified during the monitoring meetings should be reflected against the relevant risk and risk register.
Identifying when a risk should be escalated is an important part of the monitoring process. There may be instances where further action to mitigate a risk cannot be taken by the current owner, meaning it needs to be escalated, e.g., from the Directorate to the Strategic Risk Register or from the Project/Programme to the Directorate Risk Register.
In these circumstances a report will be presented to either the Corporate Management Team or the Directorate Management Team by the Risk Owner for discussion. Where a Directorate risk increases in significance to the extent that it may have a corporate impact, the risk may be escalated to the Strategic Risk Register.
There are five types of risk registers operated within Reading Borough Council.
Strategic risks are those of significant, strategic and cross-cutting importance that require attention from the Council’s most senior managers and elected members.
There may be circumstances where specific strategic initiatives require their own risk registers, e.g., COVID or Ukraine refugees. These should only be set up when the initiative is complex; it is likely that the Strategic Risk Register would hold a single, overarching risk for the initiative.
Strategic Project Risk Registers should only be generated with the approval of Corporate Management Team.
Directorate risks are those that require the attention of the respective Directorate Management Team, overseen by the individual Director.
Directorate risks may be local versions of the corporate risks i.e., directorate budget or information governance specifying in more specific terms how the directorate will manage the risk as it relates to services.
Service risks are those that require the attention of the respective Service Team, overseen by the individual Assistant Director.
Service risks may be local versions of the corporate, directorate or project risks i.e., budget or information governance specifying in more specific terms how the service and teams will manage the risk as it relates to services.
Project and programme risks will be identified by the Senior Responsible Officer, supported by the Performance Management Office (PMO). The ‘Risk Management for Projects and Programmes Guidance’ should be consulted for the management of these risks.
Specific risks such as health and safety risks, building risks, policy risk etc may be identified separately and should be fed into service, project or directorate risk registers.
The reporting hierarchy for risk and the associated review bodies are included in the table below:
Risk reporting | Review body |
---|---|
Annual assurance report on corporate risk management arrangements: presents assurances to the Committee on the effectiveness of the Council’s corporate risk management arrangements. | Audit & Governance Committee; all Committees via the standard report template |
Quarterly Strategic Risk Management Report: updates and provides assurance to the Audit & Governance Committee on the Council’s Strategic Risk Register. | Audit & Governance Committee; Corporate Management Team |
Strategic Risk Register & Reports: cross-cutting risks that could have a significant impact on the Council’s operations; Central H&S Committee Report. | Corporate Management Team |
Directorate Risk Register & Reports: risks that impact on the objectives of the Directorate and its services; risks associated with projects and programmes within the Directorate; Corporate Board / Committee reports. | Directorate Management Teams; Corporate Boards, for example the LPD Board |
Service, operational and programme / project risks: risks directly impacting on the service, operation or programme / project delivery; identified by Service Plans. | Service/Operational Management Teams; Programme & Project Boards; H&S Committees |
Boards and Committees receive risk information relevant to their specialism. For example, the Directorate and Central Health & Safety Committees receive health and safety specific risk information. Boards and Committees are chaired by Senior Management, and accountability structures are in place to escalate risks that cannot be managed to the relevant meeting outlined above, i.e., DMT or CMT.
It is important that the Risk Management Policy and Framework remain up to date, fit for purpose, are embedded across the Council and that they work as intended.
The following actions help achieve this:
Risk Management is a key part of the Council’s governance arrangements, and the Risk Management Policy supports the authority’s compliance with its statutory requirements. Local authorities are required to conduct a review of the effectiveness of their systems of internal control, which include the arrangements for the management of risk, at least once a year.
Through the Annual Governance Statement, the Council is required to comment on the effectiveness of its arrangements in this regard. The Statement must also identify any significant governance issues that may have resulted from failures in governance and risk management.
It is important that elected members, and staff develop their knowledge and understanding of risk management.
Organisational Development & Learning will annually set out a risk management training programme which will include a variety of training modules that must be completed. Employee training will depend on their role and responsibilities for risk management.
The training programme will contain a mixture of both formal and informal training sessions and will remain adaptable to the changing risks within the organisation.
Managers will be responsible for ensuring employees within their Service /Team receive adequate Risk Management training.
This section details our responsibilities for risk management.
The Chief Executive takes overall responsibility for the Council’s risk management performance and in particular will ensure that:
The Council expects third parties upon which it relies (including contractors, partners, associates, and commissioned independents) to:
Risk Management is an integral part of the Corporate Governance Framework. The following service leads/teams bring together the disciplines of Risk Management.
The Emergency Planning Team will aim to ensure that Reading Borough Council is prepared and able to respond to an emergency situation or business disruption, in compliance with the Civil Contingencies Act 2004 through:
Term | Definition |
---|---|
Accept | A risk response that means RBC takes the chance that the risk will occur, usually after all viable options to treat the risk have been exhausted. |
Consequence | The impact and implications for the organisation should the risk materialise. |
Delegated Control Owner | The person chosen by the risk owner to oversee the implementation of controls on their behalf. The delegated control owner reports progress in managing the risk to the owner. |
Inherent Risk | The level of risk before any actions have been taken to change the probability or impact. |
Issue | An event that has already occurred i.e., not a risk. |
Key risk indicator (KRI) | An early warning indicator that can be used to monitor a change in the likelihood or impact of a risk. It signals that the risk event may be about to materialise. |
Likelihood | How likely the risk is to occur = the probability of the risk actually materialising. |
Mitigate | The application of controls and actions to a risk to reduce its probability and/or impact to acceptable levels. The industry uses the word ‘treat’ to describe managing risks. |
Opportunity Risk | Opportunity risks are those which are taken deliberately in line with RBC’s risk appetite in order to gain a positive return. |
Probability | See likelihood (above) |
Residual risk | The remaining level of risk after mitigation and control measures have been taken. |
Risk | The effect of uncertainty on objectives. |
Risk Action | Additional/further work required to mitigate the risk. |
Risk Analysis | Systematic use of available information to determine how often specific events may occur and the magnitude of their impact. |
Risk Appetite | Amount and type of risk that RBC is prepared to accept or tolerate. |
Risk Assessment | The process by which the significance of a risk is determined. |
Risk Category | The general areas, categories or types of risk that may face the Council. |
Risk Culture | Risk culture is ‘the ways we do risk management within RBC’. The values, behaviours, and attitudes towards risk management. |
Risk Matrix | The table used for scoring the probability and impact of a risk to determine its overall rating. |
Risk Management | The term used to describe the process and activities operated to manage risk within RBC. |
Risk Chart | The pictorial model that displays the relationship between the likelihood and impact of specific risks. |
Risk Owner | The person responsible and accountable for the risk. They have the knowledge and seniority to allocate resources to manage the risk and ensure actions are completed. |
Risk Management Policy | The document that sets out the principles of action regarding Risk Management and how it will be achieved. |
Risk Management Process | A series of regular steps, carried out in sequence, by which risks are identified, evaluated, responded to, reported, and monitored. |
Risk Rating | The result of the probability and impact calculation for a risk. |
Risk Register | The working document that records the risks identified and their key details such as title/description, risk owner, risk rating and the main controls in place to manage the risk. This is located on SharePoint. |
Source | The things that could give rise to the risk or cause it to occur. |
Stakeholder | Any individual, group or organisation that can affect, be affected by, or perceive itself to be affected by a risk. |
Standing Risks | Risks that will always face the Council, no matter how well they are managed. |
Strategy | The processes and systems designed to achieve the long-term overall aim. |
Target Rating | The rating based on the lowest probability and impact scores deemed viable to manage the risk to an acceptable level given the number of resources available. |
Treat | The industry uses the word ‘treat’ to describe managing risks. See ‘Mitigate’ above. |
Reading Borough Council uses SharePoint to record its risk registers and the background information associated with these risks.
Access to Risk Registers and individual risks is restricted to individual Risk Owners, Directors, and the Risk Management Team.
The Risk Registers operate on a rolling two-year basis as it is recognised that risks do not suddenly ‘appear and disappear’ each financial year.
Once a new risk has been identified the Risk Management Team will set up a new ‘Risk Card’ for use. This will either be within the Master Strategic, Directorate, Service or Project Specific Risk Register.
The allocated Risk Owner will be responsible for researching the risk, best practice, and mitigations from a number of sources and incorporating the decisions made regarding the risk within the register.
The Risk Owner is required to complete a series of questions within the risk card. This includes:
The information detailed above must be updated by the Risk Owner as and when things change, and on a quarterly basis the risk ratings must be recalculated. A forward look is also required to explain the actions that will take place.
NB: The Risk Owner does not need to manipulate the charts or change the formatting of the form. The system is set up to automatically display the relevant data.