
Risk Assessment Criteria

Information about risk assessment criteria.

Risk Appetite

Local authorities have had to venture into new initiatives, which can include commercial enterprises to increase revenue streams and deliver balanced budgets, innovative ways to recruit and retain staff, and restructured and re-designed services to deliver more for less.

The Council’s approach to risk management is guided by its Risk Appetite, which, according to the ISO 31000 standard, refers to the “amount and type of risk that an organisation is prepared to seek, accept and tolerate”. While risk appetite is about the propensity to take risk, risk tolerance is about the propensity to exercise control.

To ensure the on-going effectiveness of risk management, there is a need for strong and sustained leadership and commitment by senior officers and members alike, and it is this tone from the top towards risk management that has one of the greatest impacts on the Council's risk appetite.

A key priority for the Council is to ensure that it protects the public purse in accordance with audit and governance provisions. As a large and diverse organisation, the Council recognises that there is risk in all that we do, and that while some risks pose a threat, others may provide an opportunity. Risk appetite is an important tool in guiding what the council is willing to seek or accept in pursuit of its strategic objectives as set out in its corporate plan. As an organisation, we must sometimes take risks to deliver beneficial outcomes to stakeholders and a risk appetite allows for risk-taking to be a controlled process.

Good risk management allows for informed decision making and understanding of associated risks in undertaking certain tasks and activities. The ability to properly manage and understand risks means that the council is more likely to be able to achieve its goals, as well as allowing for control and a high level of due diligence consistent with the responsibilities of a public sector organisation.

The Senior Leadership Team considers the risk appetite of the Council in the context of the regulatory environment, its culture, the sectors in which it operates and its strategic values. They recognise that it is not practical or desirable to avoid all risk, and in a rapidly changing public sector environment they will employ sound organisation-wide risk management principles, transparent decision-making, and effective communication to prioritise our risk.

Overall responsibility for overseeing the management of risks, compliance with our risk management framework and the agreed risk appetite lies with the Senior Leadership Team. The corporate risk management process continues to be effectively embedded, and discussion on risk, mitigations and risk appetite also occurs at both the Directorate and Service management team levels.

Risk management also incorporates opportunities as well as threats. The council’s approach to risk is to seek the right opportunities where possible and minimise risk as effectively as possible. By encouraging managed risk-taking and considering options, the council can take a balanced approach of both caution and innovation.

As an organisation, we are not willing to take risks that will cause significant negative consequences to our objectives. In some cases, the council may have to accept higher risks due to the cost and/or resources available to control them or statutory obligations. The council’s risk appetite reflects its current position - seeking to encourage managed risk taking for minor to moderate level risks but controlling or seeking to actively influence those risks further up the scale. The council’s risk appetite will vary over time due to both internal and external factors such as ambition, priorities, and the landscape of local government both regionally and nationally.

Risk Tolerance, Risk Assessment and Risk Response

Risk Tolerance and Assessment

The Council’s current risk appetite is defined by setting maximum risk limits and tolerances within the 5x5 impact and likelihood matrices and risk assessment criteria.

Each risk is evaluated using the approved risk assessment criteria for both impact and likelihood; these scores are then multiplied together to provide a final risk score.

A 5x5 risk matrix is used to evaluate risks and to rank those risks that have the highest level of exposure for the Council.

Risk Response

Directorates and Assistant Directors are responsible for developing appropriate operational risk registers for their area of service delivery, and these should be reviewed quarterly at Service Management Team meetings to monitor the risk environment and the progress on the implementation and effectiveness of the risk controls. Formal reviews of each operational risk by the Risk Lead should be appropriate to the level of risk exposure identified by the risk score.

Risk tolerances are defined in terms of Severe (Red), Significant (Amber), Mitigable (Yellow) and Manageable (Green) risk exposure and are treated proportionately. 

This approach guides staff on the level of risk permitted and encourages consistency of approach across the Council.

In the main, Intolerable risks are those that:

  • Negatively affect the safety of customers/clients and staff.
  • Have a direct impact on the Council’s reputation.
  • Lead to a breach of laws or regulations.
  • Endanger the sustainability of Council services.
  • Have a significant financial impact.

Risk Escalation and De-escalation

Risk escalation is the process whereby a manager’s limit of authority has been reached or is likely to be reached. The Council’s escalation process enables managers to understand who to consult when escalation is required in the event that a risk has been identified that will significantly impact the delivery of predefined objectives.

The risk owner will be responsible for deciding on the course of action or for escalating the risk to the next level of management. Similarly, it should also be clear where a risk can be delegated to a lower level of management control.

A risk may be escalated to a higher level of control if:

  • The risk will impact more than one service/project or functional area should the risk materialise.
  • The risk extends outside the appetite boundary/comfort zone.
  • The risk cannot be managed at its current level within the organisation.
  • The risk remains very high even after all mitigations and internal controls are implemented.

A risk may be moved to a lower level of control if:

  • The risk will only affect one service/functional area and the impact is limited.
  • The risk rating decreases.
  • The risk can be managed at a lower level.

Escalating Programme Management Office risks:

Formal governance arrangements are in place for the monitoring and reporting of Corporate and Service transformation programme risks. As projects are developed, key risks are considered by the Strategic Programme Panel before determining whether to allocate resources to deliver the projects. Once in delivery, the Transition and Transformation Board and Capital Programme Board(s) report the escalation of risks to the Senior Leadership Team (see Roles and Responsibilities). If there are significant changes required to project scope, time or cost, project adjustment requests are considered by the Strategic Programme Panel.

Escalating operational level risks:

Directorates and Assistant Directors are responsible for developing appropriate operational risk registers for their area of service delivery, and these should be reviewed quarterly at Service Management Team meetings to monitor the risk environment and the progress on the implementation and effectiveness of the risk controls.

Any identified areas of concern, where risks exceed the significant risk threshold (15-25 score – Amber to Red), are to be escalated as a Significant Operational Risk by the relevant Assistant Director to their Director for monitoring; and, where risks have a wider implication on the Council, the Director can escalate the risk to the Senior Leadership Team for review, until sufficient mitigating controls have been introduced to limit the level of risk exposure. The escalation process allows service areas to highlight areas of concern with senior management to enable assistance and support in resolving the issues.

A Significant Operational Risk Register template should be completed to record the details of these risks, the future actions which are being taken to reduce the risk to target and the contingency actions which are in place should the risk occur. The Head of Internal Audit and Risk Management should be informed of all escalated risks so that they can be monitored and the adequacy of control actions assessed.