Risk Management Methodology
The risk management methodology describes the way in which risks are managed by the Council.
Part 1 – Setting the Council’s Risk Appetite
Risks must be assessed against the Council’s risk appetite. Risk appetite can be defined as the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to before it takes proactive action. Setting a risk appetite helps the Council to view risks in a consistent way across all services areas.
The Council’s risk appetite is demonstrated by reference to the matrix below. The colours of the matrix are a traffic light system. Those which exceed the Council’s risk appetite are in the red zone. Low risks within the appetite are in the amber and green zones.
Part 2 – Identifying Risk
Risk identification is concerned with identifying events and their consequences which could impact on the Council’s achievement of its One Coventry priorities, delivering services as planned and fulfilling its statutory duties. Consequently, the starting point is knowing what the One Coventry priorities are, as set out in the One Coventry Plan, the services that need to be delivered and the Council’s statutory duties. Risk identification is not a stand-alone activity but is part of strategic business planning processes of the Council.
How to identify risks
There is no one right way of identifying risks but it can help to use prompts which identify different sources of risk.
These include:
- Strategic: doing the wrong things as an organisation so that the goals of the One Coventry Plan are not prioritised
- Customers/citizens: Failure to deliver services of a required standard or misunderstanding their needs
- Finance: losing monetary resources, exceeding budgetary limits, or incurring unacceptable liabilities
- Reputation: The Council’s image, loss of public confidence
- Legal and regulatory: claims against the Council, non-compliance, not meeting statutory duties, new regulations resulting in new or severe risks
- Information: loss of or inaccuracy of data, systems or reported information
- Environmental: things that may be, but not always, outside of the Council’s control; environmental impact, loss of biodiversity or the impact of climate change
- Environmental Risk Assessment & Environmental Impact Assessments
- People: risks associated with employees, management, and Members
- Political: political embarrassment, not delivering local or national policies
- Partnerships: the risks the council is exposed to because of partnerships
- Considering the long-term projected impacts of a business as usual approach
- Considering how changes in one factor may contribute to or adversely impact upon other factors
- Policy Impact Assessments
These categories can be used to identify events that can prevent or hinder the Council from achieving its One Coventry priorities, delivering services, or fulfilling its statutory duties. There are different techniques that can be employed to facilitate risk identification.
These include but are not limited to:
- Brainstorming with colleagues
- Questionnaires
- Risk assessment workshops
- Incident investigation
- Auditing and inspection
- Dependency analysis
- SWOT analysis (Strengths, weaknesses, opportunities, and threats)
- PESTLE (Political, Economic, Social, Technical, Legal, Environmental)
Risk description
The information gained during the risk identification process needs to be gathered into common themes and developed into risk descriptions. The risk description should have an event which leads to a consequence which then has an impact:
- An event – this is the something that could go wrong and is where the uncertainty lies
- The consequence – this is the potential outcome of the event which may or may not happen
- The impact – this is the affect that the outcome will have if it does develop
A risk description would be framed as the event which leads to a consequence which then has an impact. E.g., A loss of xxxxx will lead to xxxx resulting in xxxx.
Examples are:
If the Council mismanages personal data (event) there may be data loss, misuse, or breach of privacy (consequence) resulting in breaches of legislation, fines, and reputational damage (impact).
There is a risk that an economic downturn (event) will mean that businesses struggle (consequence) resulting in an increase in unemployment (impact).
If the Council fails to develop its workforce (event) colleagues will be less able to offer good service (consequence) resulting in vulnerable members of the community suffering harm (impact).
When will risks be identified?
Risk identification should take place as part of managing and reviewing the business, decision making and managing performance.
Key opportunities to identify risk are when:
- The One Coventry priorities are agreed
- Strategic Leadership Team considers how One Coventry priorities will be delivered
- Service Strategic Leadership Teams consider what services will be delivered and how this will be done
- There are management team meetings
- Something significant changes
- The Council provides a new service or starts a new partnership
- Something nearly goes wrong
- After something has gone wrong
- Budgets are set
Part 3 - Assessing the inherent risk
When the risks that threaten the achievement of the Council’s One Coventry priorities, the delivery of services as planned or the fulfilment of statutory duties have been identified, they must be assessed in terms of the likelihood that they will occur now or in the future and the impact if they do. This information will then be used to inform professional judgements about the significance of the risks to the Council and how they relate to the Council’s risk appetite.
The Council has agreed criteria for the levels of likelihood and impact. These are shown in Tables 1 and 2 below. The definitions for the likelihood of occurrences are quite short. However, because the impact of the risk, should it occur, can be much wider, there is a more comprehensive set of definitions.
When first considering the likelihood and impact any existing controls that are in place should not be taken into consideration. The risk score you have will be an inherent or uncontrolled score.
When both the likelihood and impact have been considered, the likelihood is multiplied by the impact to get the overall inherent risk score. This should be mapped onto the matrix in Table 3. The colours of the matrix are a traffic light system. Those which exceed the Council’s risk appetite are in the red zone. Lower risks within the appetite are in the amber and green zones.
The risk score should be used to inform the judgement, rather than dictate how risks compare and what the priorities should be. The scores help to identify the serious threats and to inform decisions about the significance of those risks to the Council, now or in the future and how, or whether, they should be treated.
Score | Description |
---|---|
5 | Highly likely to happen – More than an 80% chance |
4 | Likely to happen – 60% to 79% chance |
3 | Will possibly happen – 40% to 59% |
2 | Unlikely to happen – 20% to 39% |
1 | Highly unlikely to happen – Less than 20% |
Impact | Example |
---|---|
5 | Death or life changing injury to more than one person Long term loss of service capability Failure to deliver a One Coventry priority Long term negative perception of the Council Litigation is certain and impossible to defend Significant corporate budget realignment Breaches of law punishable by imprisonment Large scale irreversible environmental damage |
4 | Medium term loss of service capability Death or life changing injury to a person Adverse UK wide publicity Litigation almost certain and difficult to defend Some corporate budget realignment Breaches of law punishable by fines Persistent environmental damage |
3 | Short term loss of service capability Serious injury to a person causing 6-month recovery Adverse regional wide publicity Litigation to be expected Budget adjusted across service areas Breaches of major statutory duty Environmental impact on a small area or a wider area with limited damage |
2 | Short term disruption to service capability Less serious injury requiring one-month recovery Adverse local publicity High potential for complaint, litigation possible Financial implications contained within the Directorate Breaches of statutory regulations/standards Environmental impact that is contained and rectified easily |
1 | No significant disruption to service capability Minor injury Unlikely to cause any adverse publicity Unlikely to cause complaint or litigation Financial implications contained within the service area Breaches of local procedures or standards Environmental impact that disperses in a short time |
Now that the inherent risk score has been calculated, you can plot the risks on to the risk prioritisation matrix in Table 3. This is a guide of their relative significance to the Council, and how they will be managed.
Table 3.
Part 4 - Managing and mitigating risks
Having considered how corporate risks should be identified and assessed for likelihood and impact, it is necessary to consider how risks can be managed and mitigated. The risk score should not dictate the level of management required; however, it is a guide as it does point to matters that will require managing.
This involves:
Assessing the inherent risk against the Council’s risk appetite
The degree to which an inherent risk is tolerable should be considered against the Council’s risk appetite. Table 3 identifies which risks are high (red zone), medium (amber zone) or low (green zone). Those which are red exceed the Council’s risk appetite.
Assigning ownership to manage the inherent risk to specific officers or designated officers
The following is a guide to the correct levels of ownership:
Red risks – These are high risks that exceed the Council’s risk appetite. They require active management by senior officers at Director level. The risk owner will report to Strategic Leadership Team.
Amber risks – These are medium risks that are within the Council’s risk appetite, but which still need to be closely monitored. The risk owner will be a Director or a member of their service Strategic Leadership Team reporting to the Director.
Green risks – These risks are within the Council’s risk appetite and will be managed and monitored within the service.
Assessing the method of risk mitigation
There are four ways that the Council can choose to respond to any risk. The Council could tolerate the risk, treat it, terminate it, or transfer it in whole or in part to a third party.
The cost and effectiveness of mitigations is a key consideration and needs to be balanced against the short and long-term potential consequences if the event occurred. The cost of implementing the mitigation should not normally exceed the maximum potential benefit.
Depending on circumstances mitigations will fall under one of four basic approaches.
- Tolerate the risk. If the score is low, the correct response might be to recognise that the activity brings risk but continue with it. You would typically take this approach when it is not cost effective to act, because the likely impact of the risk, should it occur, is minimal. When a decision is made to tolerate a risk, the reason should be documented. In addition, you should continue to monitor the risk so that you can ensure that your decision remains the correct one.
- Treat the risk. This is the most widely used approach. The purpose of treating the risk is to continue with the activity, but at the same time take action to bring the risk score lower, to an acceptable level. This is done through either prevention actions, that remove the likelihood or consequences, containment actions that lessen the likelihood or consequences and are applied before the risk materialises or contingent actions which are pre-planned responses that will reduce the impact after the risk has happened.
- Terminate the risk. This involves stopping an activity altogether or doing things differently so that the risk is removed.
- Transfer in whole or in part the risk to a third party. The transfer of risk to another organisation can be used to reduce the financial exposure of the Council and/or pass the risk to another organisation which is more capable of effectively managing it. An example would be the transfer of a risk through the terms of a legal contract, such as an insurance policy.
All mitigation measures should, wherever possible, be SMARTER - specific, measurable, agreed, realistic, time bound, evaluated and reviewed. This will make it easier to assess whether they are being implemented to the full extent necessary.
The costs of managing risks should be understood and be proportionate to the risk being addressed. Resources should be prioritised to the higher-level risks that need active management.
The reasons why a course of action has been taken should be documented and the decision implemented by the risk owner.
Part 5 – Assessing the residual risk
Risks will have been identified and assessed and have an inherent risk score. In addition, mitigations will have been considered and decisions made about which are appropriate and been put in place. These controls will either make the likelihood that the risk will occur less, or they will reduce the impact of the risk should it take place
As the likelihood or impact of the risk has changed, it is now necessary to re-score the risk, taking these changes into consideration. The resulting score is the residual risk score.
The mapping of the score onto the matrix in Table 3 should be repeated to record the residual risk. This will show what influence the mitigations have had. The residual risk score should be lower than the inherent risk score. If it isn’t, the mitigation measures are just having the effect of stopping the risk from deteriorating. The residual risk score needs to be at an acceptable level when considered against the Council’s risk appetite. If the score does not reduce the risk to an acceptable level, the effectiveness and adequacy of the mitigation should be considered.
Part 6 – Recording and reviewing risks
It is necessary to monitor risk mitigation action plans to regularly report on the progress being made in managing risk. Alternative action will be needed if the mitigations taken prove ineffective.
All the information relating to the identified risks should be recorded in a risk register. This information should, as a minimum, include: a description of the risk; its impact; the inherent risk score, the mitigations in place or being put in place; the residual risk score and the risk owner. A template for a risk register is shown at Appendix C.
The risk register needs to be reviewed and approved at the right level of management. This will include the Corporate Risk Register being reviewed and approved by Strategic Leadership Team, Directorate risk registers by the Directorate Strategic Leadership Team and the service risk register by the Head of Service.
Corporate Risk Register
The corporate risk register will be reviewed quarterly by the Strategic Leadership Team.
This is required because:
- Previously identified risks will change over time
- New risks arising will need to be added
- It might be appropriate to take risks off the register. However, when this is done a record of the reasons for this should be kept.
Prior to review at Strategic Leadership Team, the Insurance Manager will liaise with risk owners and ascertain what changes to the risk assessment are proposed, including risks they wish to escalate. These proposals will be included within the report to Strategic Leadership Team for their consideration.
Strategic Leadership Team will consider:
- Are the risks still relevant?
- Have circumstances surrounding the risks changed?
- What progress has been made in managing the risk?
- Given the progress made, do the risk scores need revising?
- Are any further controls needed? If so, what should these be?
- Have any new risks arisen?
The Corporate Risk Register should then be updated to reflect these changes.
Directorate Risk Register
Directors should review their Directorate risk register at appropriate intervals with their leadership team.
This can be done as follows:
- Agree how often risk is an agenda item
- Allocate a member of the leadership team to lead on risk review
- Circulate the Directorate risk register to the members of the leadership team before the meeting
- The lead will guide the review of the service risk register highlighting areas for consideration
- Have the previously identified risks changed?
- Are risk mitigations acting as expected?
- Are the risk scores for likelihood and impact still correct?
- Have new risks arisen that need to be added?
- Can risks come off the Directorate risk register?
- Does the leadership team believe that a risk should be escalated to the Council’s Strategic Leadership Team so that this group can consider if it should be added to the Corporate Risk Register?
Risks can be considered for escalation to the Council’s Strategic Leadership Team if there is a combination of several of the following factors:
- The risk is a red risk. This means that it exceeds the Council’s risk appetite
- The risk could result in the Council being unable to deliver a One Coventry priority, deliver vital services as planned or fulfil a statutory duty
- The risk cannot be addressed at a Directorate level
- The risk is likely to require considerable additional resource to manage
- The risk could result in considerable reputational damage
- The risk will impact areas of the Council other than the Directorate
- The Service Director believes that it is a risk that should be drawn to the attention of the Council’s Strategic Leadership Team
- The risk will not be managed down into the amber category within the next quarter.
If a risk requires escalation to Council’s Strategic Leadership Team, this will be communicated to the Insurance Manager who will contact the Section 151 Officer and Monitoring Officer.
Service Risk Registers
The Head of Service should review their service risk register at appropriate intervals with colleagues and consider:
- Have the previously identified risks changed?
- Are risk mitigations acting as expected?
- Are the risk scores for likelihood and impact still correct?
- Have new risks arisen that need to be added?
- Can risks come off the service risk register?
- If the risk should be escalated to the Directorate risk register?
Risks can be considered for escalation to the Directorate risk register if there is a combination of several of the following factors:
- The risk is an amber or red risk.
- The risk could result in the Council being unable to deliver a One Coventry priority, deliver vital services as planned or fulfil a statutory duty
- The risk cannot be addressed at a service level
- The risk is likely to require additional resource, beyond the service budget to manage
- The risk could result in reputational damage
- The risk will impact areas of the Directorate other than the service
- The Head of Service believes that it is a risk that should be drawn to the attention of the Directorate leadership team
- The risk will not be managed down into the green category within the next quarter.