Purpose and scope

Purpose and scope of risk management.

Why do we need risk management?

Local Government is in a time of increased uncertainty and change. National political events, and wider societal and world events, all bring uncertainty which affects the planning for future public services.

Cumberland is a new Council with high expectations of improving outcomes for the public and at the same time reducing costs. Customers expect good quality services, and to deliver on our commitments the Council will need to do things differently and look for more innovative ways of working to provide these services, as well as collaborating increasingly with partners and outside organisations. The risks associated with change of this magnitude must not be underestimated.

The Council recognises the need to identify, understand and manage its key risks and is committed to ensuring that appropriate arrangements are in place to enable informed risk decision taking, recognising the need to optimise the balance between risks and reward.

When implemented and maintained, the effective management of risk enables the Council to:

  • Increase the likelihood of achieving its goals and delivering outcomes.
  • Improve the identification and prioritisation of opportunities and threats.
  • Improve governance, stakeholder confidence and trust.
  • Establish a reliable basis for decision making and planning.
  • Effectively prioritise the allocation of increasingly scarce resources to manage or reduce the likelihood of the risk occurring.
  • Improve organisational resilience.

What is risk management?

In carrying out its business Cumberland Council faces internal and external factors that make the successful achievement of its objectives uncertain. Risk arises because our objectives are pursued against this uncertain background.

Risk can be defined as ‘an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives’.

In practice, assessing a risk usually relies on qualitative and subjective judgments, but risks typically have two defining characteristics:

  • The Impact (or severity) that the risk will have if it occurs.
  • The Likelihood (or probability) that the risk will occur.

Since risks have to be considered in the context of the Council Plan and its outcomes, the management of risks is closely linked to the delivery of strategic, service, programme, project, contract or partnership objectives.

Risk management describes the continuous process that enables the Council to understand, evaluate and take action to manage its risks with a view to increasing the probability of successfully delivering its objectives and outcomes and reducing the likelihood of failure. It is therefore essential that the risk management process is fully integrated across all management processes within the Council.

The risk management process follows a series of distinct stages:

  • Identify risks
  • Assess risks
  • Risk response
  • Report risks
  • Review risks

What is the scope of the Risk Management Framework?

This framework is in place to ensure that risk management is applied effectively and consistently across all of the Council and that employees use the risk management process proportionately.

This framework applies to all activities and assets controlled or occupied by the Council. It applies to all employees within the Council, including elected members and to those employees within partnerships, commissioned or contracted services.

Decisions about a risk will vary depending on whether it relates to long, medium or short-term objectives and activities. There is a need to identify, register and understand the impact of all risks facing the Council across a number of different levels:

  • Strategic Level. Risks at this level relate to longer term Corporate outcomes and strategies contained within the Council Plan and are managed by Directors and Statutory Officers. These risks will be collated within the Strategic Risk Register, overseen by Senior Leadership Team and managed within the relevant Directorate.

  • Programme/Project/Partnership Level. Risks at this level will often relate to medium term outcomes and are usually addressed through programmes, projects or partnerships to bring about business change or new ways of working. These risks will be collated within relevant programme, project or partnership risk registers and overseen by the relevant programme, project or partnership board or within Directorates. These risks will be collated by the Programme Management Office, with regular reporting to Senior Management and relevant programme oversight boards in line with the agreed governance structure, alongside regular liaison with Internal Audit and Risk Management.

  • Operational or Service Level. These risks will relate to the day-to-day operational or management activities and will provide assurance that the key operational risks arising from service operations are identified and managed. At this level the emphasis is on shorter term goals to ensure ongoing continuity of business services. Decisions about risks at this level may also support the achievement of medium to long term goals. These risks will be identified and managed by each service and overseen by the relevant Assistant Director through their service management team meetings. Operational risks with risk exposure higher than the Council’s risk appetite will be classified as Significant Operational Risks (15-25 score – Amber to Red), which will be referred to and monitored by the Director, or where risks have a wider implication on the Council, the Senior Leadership Team, until sufficient mitigating controls have been introduced to limit exposure to the risk (see risk escalation procedures).

Who needs to use risk management and when should it be used?

Risk management is part of the day-to-day work of the Council, and its elected members and Council employees have collective and individual responsibilities in the management of risk.

Each of the Council's Directorates will have its own framework of plans, strategies, programmes of work, partnerships and contracts in place to deliver its services, and risk management must be considered across all of these activities in a proportionate manner.

The minimum risk management requirements for these delivery mechanisms are as follows:

| Risk Management Process | Minimum Risk Management Requirements |
|---|---|
| Risk Context | Identified objectives and outcomes: how it is aligned to the Council Plan; who is responsible for these objectives and outcomes; measures of success with targets and timelines. |
| Risk Identification | Risk descriptions for each risk with identified risk owners. |
| Risk Evaluation | Risk ratings evaluated, both initial risk score and target risk score. |
| Risk Response | Clarity of the internal controls in place and other mitigating actions needed to manage or reduce the risk exposure. |