Introduction
Good corporate governance requires mechanisms to be in place for the identification and management of risk. There must be clear focus on risks that can prevent the Council from achieving its priorities as set out in the One Coventry Plan, delivering services as planned and fulfilling its statutory duties. This policy seeks to provide a mechanism for the management of these risks.
Good corporate governance requires that risk management is embedded into the culture of the Council with Members and Officers managing risk at all levels and recognising that this is part of their job. It is important that the nature of how the Council delivers services is acknowledged. In particular, the use of partnerships, projects, shared services, and business transformation programmes bring fresh risks to manage.
Definition of risk
The definition of risk applied to local circumstances is:
Any potential development or occurrence which, if it comes about, would jeopardise the Council’s ability to:
- Achieve its priorities
- Provide services as planned
- Fulfil its statutory duties
Definition of Risk Management
Risk Management is the process by which the Council continuously and methodically addresses the risks which could hinder the achievement of its priorities, the provision of services as planned and the fulfilment of its statutory duties. The focus of good risk management is the identification of risks, assessment of them, and mitigation where necessary, in order that success is achieved. Risk management increases the probability of success and reduces the probability of failure.
Risk Management Strategy
The aim of the policy is to facilitate effective risk management throughout the Council so that risks are identified, evaluated, mitigated, and monitored to enable the Council to achieve its One Coventry priorities, deliver services as planned and fulfil its statutory duties.
This will be done by:
- Keeping risks under regular, methodical, and recorded review
- Ensuring that the One Coventry priorities, delivering services as planned and fulfilling statutory duties are the focus of risk management
- Considering not just the present but also the medium and long term
- Managing risks at an appropriate level
- Monitoring key corporate risks at the highest levels including Strategic Leadership Team and by Members at the Audit and Procurement Committee
- Managing risk within the usual business processes of the Council
- Assessing risks against a common understanding of the Council’s risk appetite set by the Strategic Leadership Team
- Maintaining Directorate risk registers which are reviewed at appropriate intervals by Directorate leadership teams
- Understanding when risks should be escalated from Directorate risk registers to the Corporate Risk Register
- Maintaining service risk registers which are reviewed at appropriate intervals by the Head of Service
- Understanding when risks should be escalated from service risk registers to the Directorate risk register.
- Establishing mitigation measures to manage down risks to appropriate levels
- Establishing clear accountabilities and roles
- Ensuring that the risk assessment is considered and aligned with the budget setting process and the Medium Term Financial Strategy
- Working closely with partner organisations and other bodies such as the National Audit Office and external auditors
- Managing risk via a process that is compatible with any guidance provided by regulatory bodies.
- Ensuring that the Council has access to accurate, meaningful, and timely data
- Considering external factors affecting overall risk management strategy such as changes in Government legislation or the current state of the economy
Accountabilities and roles
Roles, responsibilities, and reporting lines within the Council are set out below.
Audit and Procurement Committee
The Audit and Procurement Committee will monitor the effective development and operation of risk management and corporate governance within the Council. The Committee will consider the report on the Corporate Risk Register annually.
Cabinet
Cabinet is responsible for maintaining and improving the corporate governance of the city, the preparation and implementation of the One Coventry Plan including its priorities and the effective implementation of the Council’s policies including the Risk Management Policy.
Cabinet Members
Cabinet members provide risk management oversight of service provision in the services aligned with their portfolio. They must be aware of the key risks within their portfolio of services and within any projects or partnerships related to these.
Chief Executive
The Chief Executive chairs and leads the Strategic Leadership Team and the wider corporate governance agenda of which risk management is part. The Chief Executive will review an annual governance statement and together with the Leader consider and sign it off as appropriate.
Colleagues
All colleagues have responsibility for identifying hazards and risks whilst performing their day-to-day duties and to agree with their manager how these should be controlled.
This may involve:
- Informing their manager if they identify a new risk, or an existing risk that has not been properly assessed
- Assisting in the development and implementation of processes and risk assessments to manage the risk
- Working in accordance with safe procedures and the findings of a risk assessment
- Informing their manager of changes in their personal circumstances that influence their ability to work safely and in line with a risk assessment.
Directorate and Service Management Teams
Management and management teams have responsibility for delivering services. For successful delivery, many factors such as objectives, people, budget etc. must be considered. Risk Management is just one aspect of the overall management task. Risks that threaten the successful delivery of services must be identified through the business planning process. Managers will put in place actions to reduce the risks and promote success. The risks will be monitored and reviewed at appropriate intervals by the service leadership team.
Heads of Service and strategic leads
Implement plans within their services to deliver agreed objectives. They should ensure that risks and the management of those risks have been explicitly considered in the framing of these plans. The risks that could cause them to fail to meet their objectives must be identified, assessed, mitigated, recorded and reviewed in order that their objectives are successfully achieved.
Internal Audit
Internal Audit is an assurance function that provides an independent opinion on the control environment, including risk management, by evaluating its effectiveness in achieving the Council’s One Coventry priorities. Annually, Internal Audit examines, evaluates, and reports on the adequacy of the risk control environment giving the Council assurance concerning the management of risk and the proper economic and effective use of resources.
Leader of the Council
To lead the Council and the Cabinet in the governance of the city. The Leader of the Council will review an annual governance statement and together with the Chief Executive consider and sign it off as appropriate.
Members
Members collectively are the ultimate policymakers. They will represent their communities and bring their views into the Council decision-making process being advocates of and for their communities. They contribute to the continual improvement of Council services and directly to risk management via membership of the Audit and Procurement Committee.
Insurance Manager
The Insurance Manager will coordinate work on the Corporate Risk Register, collate the Directorate Risk Registers and act as a point of reference and support, including attending service leadership meetings when required.
Monitoring Officer
The Monitoring Officer is appointed under section 5 of the Local Government and Housing Act 1989 and is required to report to the council where it appears to them the authority has done, or is about to do, anything which would contravene the law, or which would constitute maladministration.
Section 151 Officer
The Section 151 Officer is responsible for the proper administration of the Council’s financial affairs and oversees the production of the Corporate Risk Register prior to its consideration by the Strategic Leadership Team. They must ensure that risks are fully considered and aligned with the Council’s Medium Term Financial Strategy.
Service Directors
Together with the Chief Executive they are integral to the leadership of the risk management process. They lead on the management of risks arising from corporate initiatives, business transformation, major projects, external environment, and partnership working and assessing the wider implications of risk assessments associated with service provision.
They also embed risk management within their service, to provide assurance to the Chief Executive and Strategic Leadership Team. They have responsibility for the delivery of relevant One Coventry priorities, including service improvements and efficiencies.
They shall ensure that appropriate risk registers are in place and are kept under regular review, including a service risk register and project risk registers, and that risks are managed at the appropriate level, with escalation of risks to Strategic Leadership Team for consideration to be added to the Corporate Risk Register if necessary.
Strategic Leadership Team
The Strategic Leadership Team will set the Council’s risk appetite. They will also scan the horizon for new risks to the Council, provide a view of the medium to long term impacts of Government policy, financing, business transformation and partnership working.
Strategic Leadership Team will oversee an annual Corporate Risk Register and keep it under review throughout the year. They will review risks that are escalated to them by Directors and the effectiveness of actions put in place to mitigate risk at other meetings throughout the year.
Risk Management Methodology
The risk management methodology describes the way in which risks are managed by the Council.
Part 1 – Setting the Council’s Risk Appetite
Risks must be assessed against the Council’s risk appetite. Risk appetite can be defined as the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to before it takes proactive action. Setting a risk appetite helps the Council to view risks in a consistent way across all service areas.
The Council’s risk appetite is demonstrated by reference to the matrix below. The colours of the matrix are a traffic light system. Those which exceed the Council’s risk appetite are in the red zone. Low risks within the appetite are in the amber and green zones.
Part 2 – Identifying Risk
Risk identification is concerned with identifying events and their consequences which could impact on the Council’s achievement of its One Coventry priorities, delivering services as planned and fulfilling its statutory duties. Consequently, the starting point is knowing what the One Coventry priorities are, as set out in the One Coventry Plan, the services that need to be delivered and the Council’s statutory duties. Risk identification is not a stand-alone activity but is part of strategic business planning processes of the Council.
How to identify risks
There is no one right way of identifying risks but it can help to use prompts which identify different sources of risk.
These include:
- Strategic: doing the wrong things as an organisation so that the goals of the One Coventry Plan are not prioritised
- Customers/citizens: Failure to deliver services of a required standard or misunderstanding their needs
- Finance: losing monetary resources, exceeding budgetary limits, or incurring unacceptable liabilities
- Reputation: The Council’s image, loss of public confidence
- Legal and regulatory: claims against the Council, non-compliance, not meeting statutory duties, new regulations resulting in new or severe risks
- Information: loss of or inaccuracy of data, systems or reported information
- Environmental: things that may be, but not always, outside of the Council’s control; environmental impact, loss of biodiversity or the impact of climate change
- Environmental Risk Assessment & Environmental Impact Assessments
- People: risks associated with employees, management, and Members
- Political: political embarrassment, not delivering local or national policies
- Partnerships: the risks the council is exposed to because of partnerships
- Considering the long-term projected impacts of a business as usual approach
- Considering how changes in one factor may contribute to or adversely impact upon other factors
- Policy Impact Assessments
These categories can be used to identify events that can prevent or hinder the Council from achieving its One Coventry priorities, delivering services, or fulfilling its statutory duties. There are different techniques that can be employed to facilitate risk identification.
These include but are not limited to:
- Brainstorming with colleagues
- Questionnaires
- Risk assessment workshops
- Incident investigation
- Auditing and inspection
- Dependency analysis
- SWOT analysis (Strengths, weaknesses, opportunities, and threats)
- PESTLE (Political, Economic, Social, Technical, Legal, Environmental)
Risk description
The information gained during the risk identification process needs to be gathered into common themes and developed into risk descriptions. The risk description should have an event which leads to a consequence which then has an impact:
- An event – this is the something that could go wrong and is where the uncertainty lies
- The consequence – this is the potential outcome of the event which may or may not happen
- The impact – this is the effect that the outcome will have if it does develop
A risk description would be framed as the event which leads to a consequence which then has an impact. E.g., A loss of xxxxx will lead to xxxx resulting in xxxx.
Examples are:
If the Council mismanages personal data (event) there may be data loss, misuse, or breach of privacy (consequence) resulting in breaches of legislation, fines, and reputational damage (impact).
There is a risk that an economic downturn (event) will mean that businesses struggle (consequence) resulting in an increase in unemployment (impact).
If the Council fails to develop its workforce (event) colleagues will be less able to offer good service (consequence) resulting in vulnerable members of the community suffering harm (impact).
When will risks be identified?
Risk identification should take place as part of managing and reviewing the business, decision making and managing performance.
Key opportunities to identify risk are when:
- The One Coventry priorities are agreed
- Strategic Leadership Team considers how One Coventry priorities will be delivered
- Service Strategic Leadership Teams consider what services will be delivered and how this will be done
- There are management team meetings
- Something significant changes
- The Council provides a new service or starts a new partnership
- Something nearly goes wrong
- After something has gone wrong
- Budgets are set
Part 3 - Assessing the inherent risk
When the risks that threaten the achievement of the Council’s One Coventry priorities, the delivery of services as planned or the fulfilment of statutory duties have been identified, they must be assessed in terms of the likelihood that they will occur now or in the future and the impact if they do. This information will then be used to inform professional judgements about the significance of the risks to the Council and how they relate to the Council’s risk appetite.
The Council has agreed criteria for the levels of likelihood and impact. These are shown in Tables 1 and 2 below. The definitions for the likelihood of occurrences are quite short. However, because the impact of the risk, should it occur, can be much wider, there is a more comprehensive set of definitions.
When first considering the likelihood and impact any existing controls that are in place should not be taken into consideration. The risk score you have will be an inherent or uncontrolled score.
When both the likelihood and impact have been considered, the likelihood is multiplied by the impact to get the overall inherent risk score. This should be mapped onto the matrix in Table 3. The colours of the matrix are a traffic light system. Those which exceed the Council’s risk appetite are in the red zone. Lower risks within the appetite are in the amber and green zones.
The risk score should be used to inform the judgement, rather than dictate how risks compare and what the priorities should be. The scores help to identify the serious threats and to inform decisions about the significance of those risks to the Council, now or in the future and how, or whether, they should be treated.
Table 1.
Score | Description |
---|---|
5 | Highly likely to happen – More than an 80% chance |
4 | Likely to happen – 60% to 79% chance |
3 | Will possibly happen – 40% to 59% |
2 | Unlikely to happen – 20% to 39% |
1 | Highly unlikely to happen – Less than 20% |
Table 2.
Impact | Example |
---|---|
5 | Death or life changing injury to more than one person; Long term loss of service capability; Failure to deliver a One Coventry priority; Long term negative perception of the Council; Litigation is certain and impossible to defend; Significant corporate budget realignment; Breaches of law punishable by imprisonment; Large scale irreversible environmental damage |
4 | Medium term loss of service capability; Death or life changing injury to a person; Adverse UK wide publicity; Litigation almost certain and difficult to defend; Some corporate budget realignment; Breaches of law punishable by fines; Persistent environmental damage |
3 | Short term loss of service capability; Serious injury to a person causing 6-month recovery; Adverse regional wide publicity; Litigation to be expected; Budget adjusted across service areas; Breaches of major statutory duty; Environmental impact on a small area or a wider area with limited damage |
2 | Short term disruption to service capability; Less serious injury requiring one-month recovery; Adverse local publicity; High potential for complaint, litigation possible; Financial implications contained within the Directorate; Breaches of statutory regulations/standards; Environmental impact that is contained and rectified easily |
1 | No significant disruption to service capability; Minor injury; Unlikely to cause any adverse publicity; Unlikely to cause complaint or litigation; Financial implications contained within the service area; Breaches of local procedures or standards; Environmental impact that disperses in a short time |
Now that the inherent risk score has been calculated, you can plot the risks on to the risk prioritisation matrix in Table 3. This is a guide of their relative significance to the Council, and how they will be managed.
Table 3.
Part 4 - Managing and mitigating risks
Having considered how corporate risks should be identified and assessed for likelihood and impact, it is necessary to consider how risks can be managed and mitigated. The risk score should not dictate the level of management required; however, it is a guide as it does point to matters that will require managing.
This involves:
Assessing the inherent risk against the Council’s risk appetite
The degree to which an inherent risk is tolerable should be considered against the Council’s risk appetite. Table 3 identifies which risks are high (red zone), medium (amber zone) or low (green zone). Those which are red exceed the Council’s risk appetite.
Assigning ownership to manage the inherent risk to specific officers or designated officers
The following is a guide to the correct levels of ownership:
Red risks – These are high risks that exceed the Council’s risk appetite. They require active management by senior officers at Director level. The risk owner will report to Strategic Leadership Team.
Amber risks – These are medium risks that are within the Council’s risk appetite, but which still need to be closely monitored. The risk owner will be a Director or a member of their service Strategic Leadership Team reporting to the Director.
Green risks – These risks are within the Council’s risk appetite and will be managed and monitored within the service.
Assessing the method of risk mitigation
There are four ways that the Council can choose to respond to any risk. The Council could tolerate the risk, treat it, terminate it, or transfer it in whole or in part to a third party.
The cost and effectiveness of mitigations is a key consideration and needs to be balanced against the short and long-term potential consequences if the event occurred. The cost of implementing the mitigation should not normally exceed the maximum potential benefit.
Depending on circumstances mitigations will fall under one of four basic approaches.
- Tolerate the risk. If the score is low, the correct response might be to recognise that the activity brings risk but continue with it. You would typically take this approach when it is not cost effective to act, because the likely impact of the risk, should it occur, is minimal. When a decision is made to tolerate a risk, the reason should be documented. In addition, you should continue to monitor the risk so that you can ensure that your decision remains the correct one.
- Treat the risk. This is the most widely used approach. The purpose of treating the risk is to continue with the activity, but at the same time take action to bring the risk score lower, to an acceptable level. This is done through prevention actions, which remove the likelihood or consequences; containment actions, which lessen the likelihood or consequences and are applied before the risk materialises; or contingent actions, which are pre-planned responses that will reduce the impact after the risk has happened.
- Terminate the risk. This involves stopping an activity altogether or doing things differently so that the risk is removed.
- Transfer in whole or in part the risk to a third party. The transfer of risk to another organisation can be used to reduce the financial exposure of the Council and/or pass the risk to another organisation which is more capable of effectively managing it. An example would be the transfer of a risk through the terms of a legal contract, such as an insurance policy.
All mitigation measures should, wherever possible, be SMARTER - specific, measurable, agreed, realistic, time bound, evaluated and reviewed. This will make it easier to assess whether they are being implemented to the full extent necessary.
The costs of managing risks should be understood and be proportionate to the risk being addressed. Resources should be prioritised to the higher-level risks that need active management.
The reasons why a course of action has been taken should be documented and the decision implemented by the risk owner.
Part 5 – Assessing the residual risk
Risks will have been identified and assessed and have an inherent risk score. In addition, mitigations will have been considered, decisions made about which are appropriate, and those chosen put in place. These controls will either reduce the likelihood that the risk will occur or reduce the impact of the risk should it take place.
As the likelihood or impact of the risk has changed, it is now necessary to re-score the risk, taking these changes into consideration. The resulting score is the residual risk score.
The mapping of the score onto the matrix in Table 3 should be repeated to record the residual risk. This will show what influence the mitigations have had. The residual risk score should be lower than the inherent risk score. If it isn’t, the mitigation measures are just having the effect of stopping the risk from deteriorating. The residual risk score needs to be at an acceptable level when considered against the Council’s risk appetite. If the score does not reduce the risk to an acceptable level, the effectiveness and adequacy of the mitigation should be considered.
Part 6 – Recording and reviewing risks
It is necessary to monitor risk mitigation action plans to regularly report on the progress being made in managing risk. Alternative action will be needed if the mitigations taken prove ineffective.
All the information relating to the identified risks should be recorded in a risk register. This information should, as a minimum, include: a description of the risk; its impact; the inherent risk score, the mitigations in place or being put in place; the residual risk score and the risk owner. A template for a risk register is shown at Appendix C.
The risk register needs to be reviewed and approved at the right level of management. This will include the Corporate Risk Register being reviewed and approved by Strategic Leadership Team, Directorate risk registers by the Directorate Strategic Leadership Team and the service risk register by the Head of Service.
Corporate Risk Register
The corporate risk register will be reviewed quarterly by the Strategic Leadership Team.
This is required because:
- Previously identified risks will change over time
- New risks arising will need to be added
- It might be appropriate to take risks off the register. However, when this is done a record of the reasons for this should be kept.
Prior to review at Strategic Leadership Team, the Insurance Manager will liaise with risk owners and ascertain what changes to the risk assessment are proposed, including risks they wish to escalate. These proposals will be included within the report to Strategic Leadership Team for their consideration.
Strategic Leadership Team will consider:
- Are the risks still relevant?
- Have circumstances surrounding the risks changed?
- What progress has been made in managing the risk?
- Given the progress made, do the risk scores need revising?
- Are any further controls needed? If so, what should these be?
- Have any new risks arisen?
The Corporate Risk Register should then be updated to reflect these changes.
Directorate Risk Register
Directors should review their Directorate risk register at appropriate intervals with their leadership team.
This can be done as follows:
- Agree how often risk is an agenda item
- Allocate a member of the leadership team to lead on risk review
- Circulate the Directorate risk register to the members of the leadership team before the meeting
- The lead will guide the review of the service risk register highlighting areas for consideration
- Have the previously identified risks changed?
- Are risk mitigations acting as expected?
- Are the risk scores for likelihood and impact still correct?
- Have new risks arisen that need to be added?
- Can risks come off the Directorate risk register?
- Does the leadership team believe that a risk should be escalated to the Council’s Strategic Leadership Team so that this group can consider if it should be added to the Corporate Risk Register?
Risks can be considered for escalation to the Council’s Strategic Leadership Team if there is a combination of several of the following factors:
- The risk is a red risk. This means that it exceeds the Council’s risk appetite
- The risk could result in the Council being unable to deliver a One Coventry priority, deliver vital services as planned or fulfil a statutory duty
- The risk cannot be addressed at a Directorate level
- The risk is likely to require considerable additional resource to manage
- The risk could result in considerable reputational damage
- The risk will impact areas of the Council other than the Directorate
- The Service Director believes that it is a risk that should be drawn to the attention of the Council’s Strategic Leadership Team
- The risk will not be managed down into the amber category within the next quarter.
If a risk requires escalation to Council’s Strategic Leadership Team, this will be communicated to the Insurance Manager who will contact the Section 151 Officer and Monitoring Officer.
Service Risk Registers
The Head of Service should review their service risk register at appropriate intervals with colleagues and consider:
- Have the previously identified risks changed?
- Are risk mitigations acting as expected?
- Are the risk scores for likelihood and impact still correct?
- Have new risks arisen that need to be added?
- Can risks come off the service risk register?
- Should the risk be escalated to the Directorate risk register?
Risks can be considered for escalation to the Directorate risk register if there is a combination of several of the following factors:
- The risk is an amber or red risk.
- The risk could result in the Council being unable to deliver a One Coventry priority, deliver vital services as planned or fulfil a statutory duty
- The risk cannot be addressed at a service level
- The risk is likely to require additional resource, beyond the service budget to manage
- The risk could result in reputational damage
- The risk will impact areas of the Directorate other than the service
- The Head of Service believes that it is a risk that should be drawn to the attention of the Directorate leadership team
- The risk will not be managed down into the green category within the next quarter.
Appendix A - Glossary
Corporate Risk
The Council identifies its corporate priorities within the One Coventry Plan. Corporate risks are those which can result in the Council not achieving its stated priorities, as well as those that prevent it from providing services as planned and fulfilling its statutory duties.
Corporate Governance
Corporate Governance comprises the arrangements that the Council has in place to make sure that its aims are defined and achieved. The Council must make sure that its resources are directed in accordance with agreed policy and according to One Coventry priorities, that there is sound and inclusive decision making and that there is clear accountability for the use of those resources to achieve the desired outcomes for service users and communities.
Corporate Risk Register
A document that contains information about the most significant risks that the Council faces. It will describe them, list the impacts of the risk if it materialises, the inherent and residual risk scores, the risk mitigation measures and who is responsible for the management of the risk. It is kept under review by the Strategic Leadership Team.
Inherent Risk
The level of risk that is in place before actions are taken to either reduce the impact of the risk or the likelihood of it materialising or both.
One Coventry Priorities
These are the priorities which are identified in the One Coventry Plan.
Residual Risk
The level of risk that is in place after risk mitigation actions have been taken to either reduce the impact of the risk or the likelihood of it materialising or both.
Risk
Any potential development or occurrence which, if it comes about, would jeopardise the Council’s ability to:
- Achieve its One Coventry priorities
- Provide services as planned
- Fulfil its statutory duties
Risk Appetite
The Council’s risk appetite is the amount of risk that the organisation is prepared to accept, tolerate, or be exposed to.
Risk Management
Risk Management is the process by which the Council continuously and methodically addresses the risks which could hinder the achievement of its One Coventry priorities, the provision of services as planned and the fulfilment of its statutory duties.
Risk Mitigation
The planned actions that the Council will take to either reduce the likelihood of the risk occurring or its impact if it does.
Risk Register
A risk register is a document that contains information about the risks. It will describe them, list the impacts of the risk if it materialises, the inherent and residual risk scores, the risk mitigation measures and who is responsible for the management of the risk.
Strategic Leadership Team
Led by the Chief Executive it is the most senior Officer group within the Council and is held to account for its strategic and management responsibilities by the Cabinet.
Statutory Duties
Local Authorities are bound by statute or law. The functions that they must undertake, or statutory duties, are set out in Acts of Parliament.
Appendix B – Risk Management Flow Chart
- Identify Risks - Identify and describe risks that threaten achievement of priorities, the delivery of services as planned and meeting statutory duties
- Assess the inherent risk - Assess the risk against the descriptions of likelihood and impact, arriving at a score
- Assign ownership - Assign ownership according to risk score
- Risk Mitigation - Assess how the risk will be mitigated to reduce likelihood and impact
- Assess the residual risk after application of risk mitigations - After the application of risk mitigation measures assess the risk against the descriptions of likelihood and impact, arriving at a score. Decide if the risk is now at an acceptable level.
- Record and review - Record the risk in an appropriate risk register and keep under periodic review
Appendix C - Risk Template
Risk Register
Risk Scores
Likelihood is scored on a scale of 1 to 5 with 5 being high. (See a description of likelihood scores [https://www.coventry.gov.uk/strategies-plans-policies/risk-management-policy/4]).
Impact is scored on a scale of 1 to 5 with 5 being high. (See a description of impact scores [https://www.coventry.gov.uk/strategies-plans-policies/risk-management-policy/4]).
To calculate the total score, multiply the likelihood score by the impact score and arrive at a total score. This is done twice, firstly to calculate an inherent risk score and secondly a residual risk score, after risk mitigations are applied.
A risk scoring above 15 is red, those between 6 to 14 are amber and those between 1 to 5 are green.
No | Risk description | Impact | Inherent risk score | Measures to mitigate risk | Residual risk score | Risk owner | Escalated to Corporate Risk Register Y/N |
---|---|---|---|---|---|---|---|
 | | | Likelihood score X Impact score = Total score | | Likelihood score X Impact score = Total score | | |