Risk management policy and procedure

Our aim is to identify, analyse and appropriately manage potential threats and opportunities posed by risk.

Contents

Risk management policy
Introduction and objectives
Definitions: risks and risk management
Risk management procedure
Risk management process
Risk registers
Reporting framework
Risk management policy and procedures review
Risk governance assurance
Risk management training
Roles and responsibilities
Appendix 1: glossary
Appendix 2: how to use the Risk Management SharePoint

Risk management policy

The Council has a Corporate Plan ‘Investing in Reading’s Future 2022-2025’.
Strong risk management arrangements are essential to managing the risks associated with achieving our ambitions and delivering our Corporate Plan objectives. To achieve this, management of risk is integral to our culture.

We recognise that we live in an uncertain world and that risk is present in everything we do to improve outcomes and deliver services. We also appreciate that our communities and partners encounter a wide range of significant risks during their activities. These include cyber-attacks, adverse weather conditions and the impacts of national and international events.

Managing risk is the responsibility of everyone; it is at the heart of the Council’s culture and values and is reflected in the behaviours of staff and elected members.

This Policy Statement is supported by our risk management approach, providing systematic, effective, robust, consistent and proportionate management of risk.

The benefits gained through utilising risk management arrangements are considerable, as they allow:

  • improved strategic, operational, and financial management,
  • continuity of knowledge,
  • data based management decisions,
  • improved statutory compliance and
  • clear and transparent leadership.

Thereby improving the resilience and quality of the services we deliver and protecting the people of Reading.

Introduction and objectives

This document sets out how Reading Borough Council (‘the Council’) will effectively identify and manage potential threats and opportunities to achieving our Corporate Plan and associated activities. Our vision is ‘to help Reading realise its potential and to ensure that everyone who lives and works here can share in the benefits of its successes’. We can achieve better outcomes for the Council through a realistic assessment of the challenges faced, informed decision making and targeted risk mitigation and treatment.

Risk Management affects all parts of the Council’s business and the strategic and operational decisions made at all levels across the Council.

This document, along with the Risk Management SharePoint and Corporate Governance Framework, supports the effective and proportionate management of risk.

It should also be read in conjunction with supporting documentation including:

  • The Corporate Health and Safety Policy for managing health and safety at the Council in accordance with the Health and Safety at Work Act 1974.
  • The Resilience Policy and responsibilities to ensure we are able to respond effectively and deliver critical services in the event of an emergency, whilst ensuring compliance with the Civil Contingencies Act 2004.

The Policy and Procedure aim to provide staff, elected members and partners with guidance to help ensure there is an effective, robust, consistent, and communicated way of managing risk across the whole Council.

This will be achieved by:

  • Regularly reviewing the scope of risk management across the Council and its key partners.
  • Ensuring a consistent framework is in place for determining, analysing, and managing risk to ensure all reasonable steps are taken to mitigate risk and ensure the level of risk accepted is balanced against the expected reward.
  • Ensuring risk management remains integral to the Council’s culture, values, and behaviours, and is mandatory.
  • Raising awareness and reinforcing the importance of the Council’s risk management arrangements and the benefits to staff, elected members and stakeholders, and providing guidance and comprehensive training and sharing good practice. This will also develop awareness and a common understanding of the Council’s expectations.
  • Establishing clear responsibilities, accountabilities and reporting lines.
  • Incorporating risk management into business planning, procurement, project management, budget monitoring, decision making and operational processes.
  • Ensuring that high quality, non-biased information is used when making decisions. This will minimise failure and determine the level of acceptance of the potential positive and negative impacts of each major decision taken.
  • Undertaking regular monitoring and reporting of risk to identify the threats and opportunities facing the Council, as well as anticipating and responding to changing social and legislative requirements, minimising the impact and likelihood of risks occurring and to reduce the cost of risk.
  • Providing key performance risk management information for management.
  • Endorsement of this document from Members and the Corporate Management Team who are accountable for effective risk management within Reading Borough Council.

Definitions: risk and risk management

‘Risk’ can be defined as ‘The effect of uncertainty on objectives’.

Risks are threats, incidents, or adverse events that, should they arise, would prevent, or disrupt the achievement of ambitions. In simple terms, risks are the tangible threats that we need to be concerned with.

It is important to be aware of what does not constitute a risk in order to avoid misunderstandings. Issues (problems that are happening right now or have already occurred); statements; certainties; sources; consequences and observations are not, in themselves, risks.

Risks can be classed as internal or external facing.

Internal risks

Internal risks are those faced by the Council from within the organisation, that arise from routine day to day activities such as managing staff, safeguarding, health and safety, financial challenges or operating IT systems etc.

External risks

External risks are those that arise from outside the Council but may still have an adverse impact on its activities, for example, a major cyber-attack or extreme weather conditions. External risks are harder to manage as we have less control over whether they occur.

Risks change with time, as the environment changes and as we treat and manage the risk.

Opportunity risks are those associated with decisions that aim to benefit Reading, for example from an investment. These are taken to support the targets of the Corporate Plan and are an important part of risk management, provided the risks are well thought out and properly managed.

The Council’s risk culture balances an acceptance that risks need to be taken to achieve our plans. The Council is fully committed to developing a culture where risk is appropriately, effectively, and proportionately managed. This culture flows throughout the whole organisation from employees to elected members who understand and comply with the Council’s Risk Management Policy and processes and are aware of their own roles and responsibilities.

The “Risk Management Process” is a series of co-ordinated activities, through which risks are regularly identified, evaluated, treated, reported, and monitored.

The risk management process helps us to:

  • Understand the nature of the risks faced and ‘what could go wrong’
  • Be aware of the extent of these risks
  • Identify the level of risk that the Council is willing to accept
  • Recognise the Council’s ability to manage and treat each risk, so appropriate decisions and action can be taken
  • Take action, where possible, to avoid something going wrong and to minimise the impact

The purpose of risk management is not to eliminate all risks, but to develop a better understanding of the nature, scale and potential effects posed by the Council’s risk exposure so that it can take effective action to reduce or mitigate downside threats and maximise upside opportunities.

A glossary of terms can be found in Appendix 1.

Risk management procedure

Risk management process

Diagram showing risk management process: 1. Establish objectives; 2. Identify risks; 3. Analyse and evaluate risks; 4. Manage risks (action plans); 5. Record and report; 6. Monitor and update.
Figure 1: Risk management process

The starting point for the management of risks and opportunities should be the Corporate Plan, Directorate and Service Plans and the objectives and strategies that underpin them.

Step 2: Identify the risks

The purpose is to generate a comprehensive, up to date, easy to understand list of risks that are relevant to Council, Directorate and Service Plan delivery, as well as associated projects.

To identify risks managers should:

  • Undertake a risk assessment exercise as a Corporate Management Team / Directorate Management Team / Service or project management team.
  • Horizon scan: Research and consider the risks or adverse incidents that have affected others. This can also involve keeping up to date with new local, national, and international policies, legislation, and events.
  • Measure current performance and identify weaknesses.
  • Review reports about Council services including those issued by internal and external auditors, agencies, and inspection results.
  • Consider the risk categories listed below. (Note: this is not a finite list.)

Risk category examples
  • Business continuity
  • Economic
  • Health and safety
  • Partnerships
  • Security
  • Climate change
  • Social
  • Contractual
  • Community
  • Environmental
  • Information management
  • Projects and programmes
  • Staffing
  • Safeguarding
  • Visions and values
  • Operational
  • Service delivery
  • Finance
  • Legal/regulatory
  • Reputational
  • Technology/IT
  • Political
  • Physical assets
  • Transformation/change

Describing a risk:
Risks need to be described in clear terms that can easily be understood and must specify what the tangible threat is. The description should help determine how the risk will be managed and treated.

Risk descriptors are often prefaced with:

‘Lack of…’ ‘Loss of…’ ‘Failure to…’ ‘Inability to…’ ‘Reduction of…’ ‘Disruption to…’ ‘Inappropriate…’

Risks should generally be described in a couple of sentences, explaining the risk, cause, and effect.

Example:

Failure to deliver a major change project on time and in budget due to lack of project management and appropriate resources and conflicting priorities, which will have a detrimental impact on delivery of the next stage of the programme and will increase temporary staffing costs.

Step 3: analyse and evaluate the risk

Once identified, risks need to be analysed, evaluated, and prioritised for treatment. Risks are rated through a combined assessment of:

  • Impact: The potential impact / consequences (both before and after mitigation)
  • Likelihood: How likely the risk is to occur

A 5 by 5 scoring matrix, set out in Figure 2 below, is used to carry out the assessment of ‘impact’ and ‘likelihood’ to ensure that the risks are rated in a consistent way.

This allows risks to be plotted on the risk chart, which is the visual tool used to illustrate and compare risks.

The greater the risk, the more effort will be required to manage it, where it is within our control and it would be the best use of resources.

During this process the risk rating will need to be determined for the risk appetite, inherent risk, residual risk, and target risk value.

Grid showing likelihood on the left-hand side and impact along the bottom. Likelihood is rated almost certain, highly likely, possible, unlikely and remote. Impact is rated negligible, slight, moderate, critical and catastrophic. Remote and negligible scores 1, almost certain and catastrophic scores 25, the other combinations score between them.
Figure 2: risk matrix

The Council has predetermined ‘likelihood’ and ‘impact’ criteria to ensure consistency as set out below.

Likelihood and impact criteria

Likelihood – measured over a one year period or life of the project

| Score | Description | Example detail |
|---|---|---|
| 5 | Almost certain | Almost certain occurrence / The event is expected to occur in most circumstances / There is a history of very frequent occurrence at the council or similar organisations. |
| 4 | Highly likely | There is a strong possibility that the event will occur / There is a history of frequent occurrence at the council or similar organisations |
| 3 | Possible | The event might occur / There is a history of occurrence at the council or similar organisations |
| 2 | Unlikely | Not expected / but there’s a moderate possibility it may occur. |
| 1 | Remote | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but is very unlikely. |

Impact

| Score | Description | Category | Example detail |
|---|---|---|---|
| 5 | Catastrophic | H&S | Death or life threatening |
| 5 | Catastrophic | Service delivery | Loss of service for more than 5 days / Impacts on vulnerable groups / Affects the whole Council |
| 5 | Catastrophic | Reputation | Negative sustained national publicity, resignation or removal of CE, Director, or elected member. |
| 5 | Catastrophic | Environmental | Major damage, long term contamination to local area |
| 5 | Catastrophic | Legal | Legal action almost certain and difficult to defend, Catastrophic breach of duty resulting in imprisonment |
| 5 | Catastrophic | Financial | Financial impact not manageable within existing funds & requiring Member approval for virement or additional funds i.e., in excess of £1,000,000 or >15% of monthly budget |
| 4 | Critical | H&S | Extensive, permanent/long term injury or long-term sick |
| 4 | Critical | Service delivery | Loss of service 3 to 5 days / Possible impact to small numbers of vulnerable people / definite impacts on property or non-vulnerable groups / Affects most Directorates |
| 4 | Critical | Reputation | Negative national publicity |
| 4 | Critical | Environmental | Serious damage, medium term contamination to local area |
| 4 | Critical | Legal | Legal action expected / Significant breach of duty resulting in fines/disciplinary action |
| 4 | Critical | Financial | Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds i.e., between £500,000 and £1,000,000 or >10% of monthly budget |
| 3 | Moderate | H&S | Injury, lost time, short term sick absence |
| 3 | Moderate | Service delivery | Loss of service 2 to 3 days / Impacts to non-vulnerable groups / Affects a single directorate |
| 3 | Moderate | Reputation | Negative sustained local publicity, High proportion of negative customer complaints |
| 3 | Moderate | Environmental | Moderate impact, to short term contamination to local area |
| 3 | Moderate | Legal | Legal action possible / Moderate breach of duty resulting in disciplinary action |
| 3 | Moderate | Financial | Financial impact manageable within existing Directorate budget but requiring Director and Head of Finance approval for virement or additional funds i.e., between £250,000 and £500,000 or >5% of monthly budget |
| 2 | Slight | H&S | Injury – no lost time |
| 2 | Slight | Service delivery | Loss of Service 1 to 2 days / Impacts to non-vulnerable groups / Affects 1 or a few services of the Council |
| 2 | Slight | Reputation | Negative local publicity |
| 2 | Slight | Environmental | Minor impact, short term contamination |
| 2 | Slight | Legal | Legal action unlikely / Minor breach of duty resulting in disciplinary action |
| 2 | Slight | Financial | Financial impact manageable within existing service budget but requiring service manager approval for virement or additional funds i.e., between £50,000 and £250,000 or >2% of monthly budget |
| 1 | Negligible | H&S | Incident – no lost time |
| 1 | Negligible | Service delivery | Brief disruption, less than 1 day / Impacts to non-vulnerable groups / Affects a project |
| 1 | Negligible | Reputation | Minor adverse local publicity |
| 1 | Negligible | Environmental | Local incident would be dealt with immediately with minimal impact |
| 1 | Negligible | Legal | Legal action unlikely / Localised service level deviation from duties |
| 1 | Negligible | Financial | Possible financial impact manageable within service budget i.e., less than £50,000 or >1% of monthly budget |

Step 4: manage (mitigate/treat) risks

Once the risk has been identified and its priority determined, the options for managing (mitigating) the risk, to either stop it from arising or to minimise the impact should it occur, should be considered. This involves:

  • Identifying the existing controls in place
  • Identifying what further controls are required. This will either involve improving existing controls or developing and implementing new ones
  • Accepting that it is not possible to eliminate all risk and there are not reasonable mitigations available

Mitigating actions should either minimise the likelihood of the risk event occurring, reduce the frequency, or limit the severity of the event should it occur.

Progress in implementing the identified mitigations will be monitored and reported on a quarterly basis.

The residual risk values need to be determined, and recorded, with the controls identified in place.

If the residual risk value (after mitigation) remains too high i.e., exceeding the risk appetite, further controls need to be identified to ensure that the risk is below the risk appetite. If this is not possible, a formal decision will need to occur about the risk and whether the activity can occur.

Responsibility and accountability for managing each risk needs to be assigned:

Risk owner: The person who is responsible and accountable for the risk.

This should be the person with the knowledge of the risk area and sufficient seniority to enable them to allocate resources to manage the risk and to ensure that actions required to treat it are completed. This is normally an Executive Director, Deputy or Assistant Director.

Delegated control owner: The risk owner may allocate someone else, of appropriate seniority and who is perhaps closer to the service/event/project to which the risk relates, to oversee the risk on their behalf. The delegated control owner reports progress in managing the risk to the ‘Risk Owner’.

Step 5: record and report

Risks need to be recorded and reported. This occurs through the Strategic and Directorate Risk Registers, based on SharePoint.

The risk registers are working documents that record the key details of the risks, such as title/description, risk owner, risk rating, the main controls in place to manage the risk, a summary of the actions and their progress, and comments providing further information and updates on the management of the risk.

Risk reporting should:

  • Provide relevant, concise but sufficient risk information in a timely manner that facilitates decision making and action
  • Ensure that the views of the leadership/management team/ Committee receiving the risk report are passed to the relevant risk owners
  • Focus on the most significant risks, ensuring adequate responses are put in place

Details on how to input data onto the Risk Registers can be found at Appendix 2.

Step 6: monitor and update

Few risks and risk registers remain static; they evolve over time. Risk characteristics, priorities and responsibilities change, and actions get completed. Therefore, risk monitoring is required. It includes:

  • Monitoring the changes in the risk characteristics and values
  • Monitoring the effectiveness of our response to the risk by considering the adequacy of controls and how the risk actions are progressing and changing. Controls dependent upon people may fail and should be avoided, or increased monitoring should occur.
  • Monitoring the risk profile; reviewing the risks facing the Council via the reporting of risk registers to relevant Boards, Committees, and leadership teams

Any changes identified during the monitoring meetings should be reflected against the relevant risk and risk register.

Risk escalation

Identifying when a risk should be escalated is an important part of the monitoring process. There may be instances where further action to mitigate a risk cannot be taken by the current owner meaning it needs to be escalated e.g., from the Directorate to the Strategic Risk Register or from the Project/Programme to Directorate Risk Register.

In these circumstances a report will be presented to either the Corporate Management Team, or Directorate Management Team by the Risk Owner for discussion. Where a Directorate risk increases in significance to the extent it may have a corporate impact, the risk may be escalated to the Strategic Risk Register.

Risk registers

There are four types of risk registers operated within Reading Borough Council.

Strategic risk register

Strategic risks are those of significant, strategic, and cross cutting importance that require attention from the Council’s most senior managers and elected members.

Directorate risk register

Directorate risks are those that require the attention of the respective Directorate Management Team, overseen by the individual Director. Directorate risks may be local versions of the corporate risks, e.g., directorate budget or information governance, specifying in more specific terms how the directorate will manage the risk as it relates to services.

Strategic project risk registers

There may be circumstances where specific strategic projects require risk registers, e.g., COVID, Ukraine refugees etc. These should only be set up when the project is complex and, if incorporated into the main Strategic Risk Register, it would dominate the portfolio, which could result in loss of focus on the core Strategic Risk Register. Strategic Project Risk Registers should only be generated with the approval of Corporate Management Team.

Project/local risk register

Project risks are set up for specific short-term projects.

Reporting framework

The reporting hierarchy for risk and the associated review bodies are included in the table below.

| Risk reporting | Review body |
|---|---|
| Annual assurance report on corporate risk management arrangements: Presents assurances to the Committee on the effectiveness of the Council’s corporate risk management arrangements | Audit and Governance Committee |
| Quarterly Strategic Risk Management Report: Updates Audit & Governance Committee on the Council’s most significant corporate risks and provides assurance on how they are being managed | Audit and Governance Committee; Corporate Management Team |
| Strategic Risk Report: Strategic cross cutting risks that could have a significant impact on the Council’s operations | Corporate Management Team |
| Directorate Risk Report: Risks that impact on the objectives of the directorate and its services. ‘RAG’ ratings for programmes & major projects also reported | Directorate Management Team |
| Service, operational and programme / project risks: Risks directly impacting on the service, operation, or programme / project delivery. Programmes & Projects: Each has its own risk register. Summary ‘RAG’ rating and supporting comments escalated to directorate management teams for review | Service/Operational Management Teams; Programme and Project Boards |

Risk management policy and procedures review

It is important that the Risk Management Policy and Framework remain up to date, fit for purpose, are embedded across the Council and that they work as intended.

The following actions help achieve this:

  • Keeping up to date with risk management best practice and guidance
  • Regular risk management reporting, including feedback from stakeholders
  • Obtaining feedback from risk management training sessions and workshops
  • Periodic reviews of the controls and governance arrangements behind the most significant corporate risks
  • Periodic comparison against arrangements of UK Core Cities and LAs and national standards
  • Ensuring consideration of Equality, Diversity and Cohesion matters.

Risk governance assurance

Risk Management is a key part of the Council’s governance arrangements, and the Risk Management Policy supports the authority’s compliance with its statutory requirements. Local authorities are required to conduct a review of the effectiveness of their systems of internal control, which include the arrangements for the management of risk, at least once a year.

Through the Annual Governance Statement, the Council is required to comment on the effectiveness of its arrangements in this regard. The Statement must also identify any significant governance issues that may have resulted from failures in governance and risk management.

Risk management training

It is important that elected members and staff develop their knowledge and understanding of risk management.

Organisational Development & Learning will annually set out a risk management training programme which will include a variety of training modules that must be completed. Employee training will be subject to their role and responsibilities for Risk Management issues.

The training programme will contain a mixture of both formal and informal training sessions and will remain adaptable to the changing risks within the organisation.

Managers will be responsible for ensuring employees within their Service/Team receive adequate Risk Management training and that records of training are retained.

Roles and responsibilities

This section details our responsibilities for risk management.

Elected members

The Leader of the Council will:

  • Ensure the work of Policy Committee and Full Council is conducted in accordance with Council policy and procedures for management of risk and with due regard for any statutory provisions set out in legislation

Policy Committee will:

  • Approve and review the Council’s Risk Management Policy
  • Require officers to develop and implement an effective framework for risk management
  • Understand the risks facing the Council and the Borough of Reading

Members will:

  • Ensure that they understand the Council’s risk management arrangements and the strategic risks facing the Council
  • Take reasonable steps to properly consider all the risk implications during the decision making and policy approval undertaken by them
  • Understand the risks facing the Council and the Borough
  • Take an active and supporting role to Council Officers and communities of Reading in times of emergency
  • Ensure that all the decisions they make are in line with Council policy and procedures for health and safety and any statutory provisions set out in legislation

Risk Management Champion (Chair of Audit and Governance Committee) / Lead Member will:

  • Raise the portfolio of risk management, promoting the benefits to Members and staff, ensuring that everyone is aware of their responsibilities and accountabilities
  • Ensure that the risk management process is applied to all key and major decisions made by elected members through the use of quality risk assessments with all reports requiring decisions
  • Promote risk management and related training to elected members

Audit & Governance Committee will:

  • Agree and endorse the Corporate Risk Management Policy
  • Review and scrutinise the implementation and effectiveness of the Corporate Risk Management Policy
  • Monitor the Council’s Strategic Risk Register
  • When appropriate, undertake ‘deep dives’ into high level risks
  • Receive an annual review of the Council’s approach to Corporate Governance, including risk management

Council staff

Chief Executive will:

The Chief Executive takes overall responsibility for the Council’s risk management performance and in particular will ensure that:

  • The Council has effective and efficient risk management arrangements in place
  • All decision-making is in line with Council policy and procedures for management of risk and any statutory provisions set out in legislation
  • Adequate resources are made available for the management of risk
  • Management of risk performance is continually reviewed
  • The risks facing the Council and the Borough are understood

Corporate Management Team will:

  • Promote and oversee the implementation of the Corporate Risk Management Policy and Procedures
  • Take a lead in identifying and analysing significant corporate and crosscutting risks and opportunities facing the authority in the achievement of its key objectives; determine RBC’s approach to each risk and set priorities for action to ensure they are effectively managed, and reviewed and updated on a quarterly basis
  • Identify, develop, manage, and update the Strategic Risk Register on a quarterly basis
  • Ensure that “decision book” reports and ‘delegated decision reports’ incorporate a section on risk management information
  • Understand the risks facing the Council and the Borough of Reading
  • Review and challenge the Directorate Risk Registers as appropriate
  • Support and promote a risk management Culture throughout the Council

Executive Directors will:

  • Develop a Directorate Risk Register and review and update it on a quarterly basis
  • Monitor the Directorate Risk Register and ensure that mitigating actions are allocated to nominated staff and completed
  • Ensure that the risk management process is an explicit part of all major projects, partnerships and change management initiatives within their Directorates
  • Ensure that Risk Management roles and responsibilities and performance management targets are included within appropriate job descriptions
  • Understand the risks facing their Directorate, the Council, and the Borough
  • Be accountable for escalating/deescalating risks between the different Risk Registers

Deputy/Assistant Directors / Managers will:

  • Take primary responsibility for identifying and managing significant strategic and operational directorate risks arising from their service activities. These will be recorded, monitored, and reviewed via the Directorate Risk Register on a quarterly basis
  • Ensure that identified mitigating actions are nominated to specific personnel and are completed
  • Ensure that reports for decision include comprehensive risk management information to allow effective decisions to be made
  • Promote Risk Management and ensure that the Risk Management Policy is implemented effectively across their Service and that they and their staff undertake training as required
  • Ensure that their teams carry out risk assessments where appropriate as a routine part of service planning and management activities
  • Ensure that all employees are aware of the risk assessments appropriate to their activity
  • Produce Service Risk Registers if required.
  • Provide support and resources in order to effectively respond to an emergency situation or business disruption

Managers will:

  • Support Senior Management in the identification of risks and the completion of actions to mitigate the risk

Project Managers:

  • Are responsible for ensuring that adequate risk management arrangements are in place throughout the project lifecycle
  • Will report the risk status of the project for inclusion in the relevant Strategic / Directorate risk register.

All Staff will:

  • Comply with the Risk Management Policy for their operational activities and processes
  • Comply with mitigating actions identified to reduce risk
  • Report potential hazards and risks they cannot manage to line managers
  • Support continuous service delivery and any emergency response
  • Work in a safe manner not putting themselves, others, or the organisation at risk

Internal Audit will:

  • Provide assurance on the implementation of the Risk Management Policy
  • Ensure that internal audit coverage is risk based, considering the risks identified within the Strategic and Directorate Risk Registers
  • Provide assurance on the robustness of the Council’s management of risks
  • Provide assurance on Resilience

The Health, Safety and Risk Management Lead will:

  • Develop, promote, support, and oversee the implementation of the Risk Management Policy and systems
  • Monitor and review the effectiveness of Risk Management Policy, framework, procedure, and Registers
  • Support, identify and communicate risk management issues to services, project managers, contractors, and partner organisations.
  • Assist services in their risk management activity through training and/or direct support
  • Ensure compliance with all risk-based legislation through monitoring systems including Health & Safety, Risk Management, and the Civil Contingencies Act 2004
  • Support the preparation of risk registers for services, projects, and partnerships

Other partners

Schools

  • All maintained schools should be aware of the risk management systems in place at the Council including the Corporate Health and Safety Policy and have a local school policy in place
  • Schools should be aware of the risk in the Schools Emergency Response Plan (Rainbow Plan) and have local arrangements in place

Partners and Contractors

The Council expects third parties upon which it relies (including contractors, partners, associates, and commissioned independents) to:

  • Comply with the Risk Management and H&S Policies and procedures and demonstrate exemplary standards
  • Work safely, comply with all relevant legislation and best practice, and have in place appropriate sources of expert advice
  • Provide and evidence all Business Continuity procedures that relate to services provided and additional support that has been agreed
  • Establish training requirements with regard to strategy implementation

Specific duties

Risk Management is an integral part of the Corporate Governance Framework. The following service leads/teams bring together the disciplines of Risk Management.

The Insurance Manager will

  • Provide advice on operational risk, risk retention and transfer, by placing transferred risk with a reputable insurer.
  • Provide operational risk management advice and guidance
  • Working with the Council’s insurers, provide claims management and investigation services for claims made by and against the Council under its insurance policies
  • Provide advice and guidance with regard to insurance requirements, indemnities, and legal liabilities
  • Manage the day to day use of the internal Insurance Fund for payment of self-insured losses
  • Provide a buy-back insurance service for schools

The Health, Safety and Risk Management Lead and Health & Safety Advisers will

  • Act as the Council’s competent persons as required by the Management of Health and Safety at Work Regulations.
  • Provide expert health and safety advice and support to all levels within the organisation
  • Develop and maintain the Council’s Health and Safety Policy and Procedures
  • Support the Health and Safety training programme
  • Carry out Health and Safety audits and inspections of Council establishments
  • Evaluate accident/incident/near miss reports and carry out investigations of serious accidents

Resilience

The Emergency Planning Team will aim to ensure that Reading Borough Council is prepared and able to respond to an emergency situation or business disruption, in compliance with the Civil Contingencies Act 2004 through:

  • Liaison with enforcing authorities
  • Provision of expert advice, assistance and support to Members, Officers and Service Areas in the event of an emergency and/or business disruption
  • Provision of advice and assistance in establishing the Council’s Critical Services and functions
  • Provision of expert advice and support on preparedness and response to all Council services and teams
  • The production and validation of plans and procedures, including training and awareness
  • 24hr/365 day integrated Local Authority on-call service
  • Facilitation of Resilience implementation, awareness, training and exercising
  • Regular monitoring, review and refresh of Resilience Plans, procedures, and reports

Appendix 1: glossary

Accept – A risk response that means RBC takes the chance that the risk will occur, usually after all viable options to treat the risk have been exhausted.
Consequences – The impact and implications for the organisation should the risk materialise.
Delegated control owner – The person chosen by the risk owner to oversee the implementation of controls on their behalf. The delegated control owner reports progress in managing the risk to the owner.
Inherent risk – The level of risk before any actions have been taken to change the probability or impact.
Issue – An event that has already occurred i.e., not a risk.
Key Risk Indicator (KRI) – An early warning indicator that can be used to monitor a change in the likelihood or impact of a risk. Indicates that the risk event is about to materialise.
Likelihood – How likely the risk is to occur, i.e. the probability of the risk actually materialising.
Mitigate – The application of controls and actions to a risk to reduce its probability and/or impact down to acceptable levels. The industry uses the word ‘treat’ to describe managing risks.
Opportunity risk – Opportunity risks are those which are taken deliberately in line with RBC’s risk appetite in order to gain a positive return.
Probability – See likelihood (above)
Residual risk – The remaining level of risk after mitigation and control measures have been taken.
Risk – The effect of uncertainty on objectives.
Risk action – Additional/further work required to mitigate the risk.
Risk analysis – Systematic use of available information to determine how often specific events may occur and the magnitude of the impact.
Risk appetite – Amount and type of risk that RBC is prepared to accept or tolerate.
Risk assessment – The process by which the significance of a risk is determined.
Risk category – The general areas, categories or types of risk that may face the Council.
Risk culture – Risk culture is ‘the ways we do risk management within RBC’. The values, behaviours, and attitudes towards risk management.
Risk matrix – The table used for scoring the probability and impact of a risk to determine its overall rating.
Risk management – The term used to describe the process and activities operated to manage risk within RBC.
Risk chart – The pictorial model that displays the relationship between the likelihood and impact of specific risks.
Risk owner – The person responsible and accountable for the risk. They have the knowledge and seniority to allocate resources to manage the risk and ensure actions are completed.
Risk Management Policy – The document that sets out the principles of action regarding Risk Management and how it will be achieved.
Risk Management Process – A series of regular steps, carried out in sequence, by which risks are identified, evaluated, responded to, reported, and monitored.
Risk rating – The result of the probability and impact calculation for a risk.
Risk register – The working document that records the risks identified and their key details such as title/description, risk owner, risk rating and the main controls in place to manage the risk. This is located on SharePoint.
Source – The things that could give rise to the risk / cause it to occur.
Stakeholder – Any individual, group or organisation that can affect, be affected by, or perceive itself to be affected by a risk.
Standing risks – Risks that will always face the Council, no matter how well they are managed.
Strategy – The processes and systems designed to achieve the long-term overall aim.
Target rating – The rating based on the lowest probability and impact scores deemed viable to manage the risk to an acceptable level given the number of resources available.
Treat – The industry uses the word ‘treat’ to describe managing risks. See ‘Mitigate’ above.

Appendix 2: how to use the Risk Management SharePoint

Reading Borough Council uses SharePoint to record its risk registers and the background information associated with these risks.

Access to Risk Registers and individual risks is restricted to individual Risk Owners, Directors, and the Risk Management Team.

The Risk Registers operate on a rolling two-year basis as it is recognised that risks do not suddenly ‘appear and disappear’ each financial year.

Incorporating a new risk

Once a new risk has been identified the Risk Management Team will set up a new ‘Risk Card’ for use. This will either be within the Master Strategic, Directorate, Service or Project Specific Risk Register.

The allocated Risk Owner will be responsible for researching the risk, best practice, and mitigations from a number of sources and incorporating the decisions made regarding the risk within the register.

The Risk Owner is required to complete a series of questions within the risk card. This includes:

  • Details of the risk
  • The potential impact
  • Details of the current actions being taken to mitigate and treat the risk
  • The initial Risk Appetite and the Target Risk Level (note these only need to be recorded on the initial entry)
  • Inherent Impact and Likelihood and Residual Impact and Likelihood for the relevant quarter
  • Specify what actions will be occurring within the next quarter and who will be responsible for them
  • Add attachments that support the decisions or demonstrate completion of the mitigating action

Updating the risk

Each quarter, the information detailed above must be updated by the Risk Owner and the relevant quarter’s risk ratings must be calculated. A forward look is also required, as above, to explain the actions which will take place in the next quarter.

NB: The Risk Owner does not need to manipulate the charts or change the formatting of the form. The system is set up to automatically display the relevant data.