Risk Management Policy and Strategy


Introduction
St Stephen in Brannel Parish Council recognises that it has a responsibility to manage risks effectively in order to protect its employees, assets, liabilities and the community against potential losses; to minimise uncertainty in achieving its goals and objectives and to maximise the opportunities to achieve its goals.

Responsibility for effective Risk Management rests with all Members of the Council, the Proper Officer (Clerk & Responsible Finance Officer), and employees.

Risk management is an integral part of the Council’s management processes. The Council is aware that some risks can never be eliminated fully and it has in place a strategy that provides a structured, systematic and focussed approach to managing risk.

This policy and strategy applies to all Councillors, employees, contractors or others who may be carrying out operations for and on behalf of the Council, and those who may be affected by their work.

Scope
This document outlines the Council’s Risk Management Strategy. It details:

  • What is risk management;
  • Why does the Council need a risk management strategy;
  • What is the risk management process and its links with existing processes;
  • Roles and responsibilities;
  • Future monitoring

The objectives of this strategy are to:

  • Continually develop the risk management profile across the Council;
  • Integrate risk management into the culture of the organisation;
  • Embed risk management as an integral part of all decision-making processes.
  • Manage risk in accordance with best practice.
  • Ensure any matters raised through Health & Safety Audits are acknowledged and actioned.

What is Risk Management?

The principle of risk management is “the identification, assessment, and prioritisation of risk by the coordinated and economical application of resources to minimise, monitor and control the probability and/or impact of unfortunate events or to maximise the realisation of opportunities.”

Risk management should:

  • Create and protect value
  • Be part of all processes
  • Be part of all decision making
  • Be used to handle uncertainty
  • Be systematic and timely
  • Be based on the best data
  • Be tailored to the organisation’s environment
  • Consider human factors
  • Be transparent and inclusive
  • Be responsive and iterative
  • Support continual improvement

In the context of Risk Management, Members must:

  • exercise leadership,
  • consider and adopt current and future risk management policies and strategies, and
  • support and monitor the risk management process.

Risk management is an essential feature of good governance. An organisation that manages risk well is more likely to achieve its objectives. Risk management applies to all aspects of the Council’s work, not just health and safety.

Risk is not restricted to potential threats but can be connected with opportunities.

Risk can be classified into various types but it is important to recognise that the direct financial losses may have less impact than the indirect costs such as disruption of normal working for all the categories described.

The following examples are not exhaustive:

Strategic Risk – long-term adverse impacts from poor decision-making or poor implementation. Risk of damage to the reputation of the Council, loss of public confidence and Government intervention.

Compliance Risk – failure to comply with legislation, laid down procedures or the lack of documentation to prove compliance. Risk of exposure to prosecution, judicial review, employment tribunals and the inability to enforce contracts.

Financial Risk – fraud and corruption, waste, excess demand for services, bad debts. Risk of additional audit investigation, objections to accounts, reduced service delivery, dramatically increased Precept levels/impact on Council reserves.

Operating Risk – failure to deliver services effectively, malfunctioning equipment, hazards to service users, the general public or staff, damage to property. Risk of insurance claims, higher insurance premiums, lengthy recovery processes. Risks to the relationship of mutual trust and confidence between the Council and its Staff.

Environmental Risk – failure to deliver events and activities that protect human health or the environment. Risk of illness and death of the public, damage to the local environment.

Information and Technology Risk – failure to protect information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Not all risks are insurable and even where insurance is available, premiums may not be cost effective and the monetary consideration might not be an adequate recompense. The emphasis by Council should always be on eliminating or reducing risk before costly steps to transfer risk to another party are considered.

Why does the Council need a Risk Management Strategy?
Council is fully committed to effective Risk Management, adopting best practices in the identification, evaluation and control of risks, in order to

  • integrate risk management into the culture of the Council,
  • eliminate or reduce risks to an acceptable level,
  • anticipate and respond to changing social, environmental and legislative requirements, for example pandemics,
  • prevent injury, sickness, damage and reduce the cost of risk, and
  • raise awareness of the need for Risk Management.

Risk management will strengthen the ability of the Council to achieve its objectives and enhance the value of services provided. The Risk Management Strategy will help to ensure that the Council understands risk and adopts a consistent approach to identifying and prioritising risks, enabling Council to choose the most appropriate method of dealing with each risk.

Risk management is an integral part of the Council audit process and is an important element in demonstrating good governance and continuous service improvement.

There is a requirement under the Accounts and Audit Regulations 2015 that the Council has a sound system of internal control which includes effective arrangements for the management of risk, financial control systems which ensure that risk is appropriately managed and an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes.

What is the Risk Management Process?
Implementing the Strategy
Risk management is an on-going activity which requires that all risks should be systematically identified and managed in the most cost-effective manner within overall resources available.

Risks and their controls are collated into a Risk Register. All projects, changes to services or any partnership agreements will include risk identification, and the measures to eliminate or control risks will be documented in agenda reports/briefing papers to be considered by the Council and its committees.

Risk Identification
Identifying and understanding the hazards and risks facing the Council is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions can then be effectively managed. Each risk identified by the Council is recorded in the Council Risk Register.

Risk Analysis
Once risks have been identified, the impact and likelihood of risks occurring are systematically assessed, together with their consequences, and appropriate control measures are put in place. If a risk is seen to be unacceptable, then steps need to be taken to control or respond to the risk. Action will be taken to address any risks where risk impact is judged to be major. Residual risks will be subject to monitoring. Action will be taken to minimise residual risk in all cases as resources permit.

Risk Control
Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. Typically, risk control requires the identification and implementation of revised operating procedures, but in exceptional cases more drastic action will be required to reduce the risk to an acceptable level.

Options for control include:

  • Elimination – the circumstances from which the risk arises are removed so that the risk no longer exists.
  • Reduction – loss control measures are implemented to reduce the impact/likelihood of the risk occurring.
  • Transfer – the financial impact is passed to others e.g. by revising contractual terms.
  • Sharing – the risk is shared with another party.
  • Insuring – insure against some or all of the risk to mitigate financial impact.
  • Acceptance – documenting a conscious decision after assessment of areas where the Council accepts or tolerates risk.

Risk Monitoring
The risk management process does not finish with putting any risk control procedures in place. The effectiveness in controlling risk must be monitored and reviewed. It is also important to assess whether the nature of any risk has changed over time.

The information generated from applying the risk management process will help to ensure that risks can be avoided or minimised in the future. It will also inform judgements on the nature and extent of insurance cover and the balance to be reached between self-insurance and external protection.

The identification of risks will be carried out by the Clerk who will compile a list of the risks to form the Risk Register. A panel from the Finance and Policy committee will review the Risk Register for the Council. The Council will build risk management procedures into the way that it operates as part of a commitment to quality and continuous service improvement.

As part of any review process the strategic and operational risks associated with the review will be assessed.

Projects and Service Changes – projects or changes to services will include risk identification and the measures to eliminate or control risks will be documented in reports or briefing papers to be considered by the Council and its committees.

Partnership Working – the Council will continue to enter into a number of partnerships with organisations from the public, private, voluntary and community sectors where appropriate. Part of the process of setting up future partnerships will be to ensure that all relevant risks are identified and that appropriate control mechanisms are built into the management arrangements for the partnership.

Roles and Responsibilities

Risk management must be embedded into the everyday culture and performance management process of the Council. The roles and responsibilities below are designed to ensure that risk is managed effectively across the Council and its operations, and responsibility for risk is located in the right place.

Elected Members
Responsibility for effective Risk Management rests with all Members of the Council who have ultimate responsibility for Risk Management. Members will lead and monitor the approach to risk management adopted by the Council, including

  • Approval of the Risk Management Strategy.
  • Analysis of key risks in reports on major projects or national events, ensuring that all future projects and services undertaken are adequately risk assessed and managed.
  • Consideration and endorsement of the Annual Statement of Internal Control.
  • Assessment of risks whilst setting the budget.

Finance & Policy Committee
This committee will ensure continuous review and improvements to the Risk Management Policy and Strategy and will oversee regular reviews of the Risk Register with reports to Council.

The committee also has delegated powers to act as Data Controller with regards to the Data Protection Act 2018.

Clerk and Responsible Finance Officer (RFO)
Responsible for overseeing the implementation of the detail of the Risk Management Strategy. The Clerk/RFO will:

  • provide advice as to the legality of policy and service delivery choices;
  • provide advice on the implications for service areas of the Council’s aims and objectives;
  • update the Council on the implications of new or revised legislation;
  • provide and/or seek advice on human resource matters;
  • advise on any health and safety implications;
  • assist in handling any litigation claims;
  • report progress to Council or the relevant committee;
  • assess and implement the Council’s insurance requirements;
  • assess the financial implications of strategic policy options;
  • provide assistance and advice on budgetary planning and control;
  • ensure that the financial information system allows effective budgetary control;
  • effectively manage the Council’s cash holdings and loan portfolio.

Internal Auditor
Internal Audit provides an important scrutiny role as the auditor carries out an independent audit with written reports detailing recommendations as appropriate. This contributes to good governance arrangements with the Council having the necessary risk management systems in place to effectively manage all significant business risks.

Internal Audit helps the Council to improve and implement proper arrangements to manage both its financial and operational risk, including adequate and effective systems of internal control to reduce or eliminate the likelihood of errors or fraud.

The Council will ensure appointment of independent and competent internal auditors.

Training
The Council will aim to ensure that both Members and staff have the skills necessary to identify, evaluate and control the risks associated with the services they provide and receive risk management training as appropriate.

Relationship between the Clerk/RFO and the Council
The Council will ensure that it maintains a relationship of mutual trust and confidence with the Clerk/RFO.

Review and Monitoring
This Strategy will be reviewed by Council on an annual basis as part of the Council’s continuing review of its policy documents, Standing Orders and Financial Regulations.

It is crucial that the Risk Register is reviewed and updated annually. New risks will emerge and need to be controlled. Feedback from Internal and External Audit can identify areas for improvement, as can the sharing of best practice via professional bodies, the National Association of Local Councils and relevant local Council forums.

The adoption of a sound risk management approach has a number of benefits. Most importantly, it assists in demonstrating that the Council has in place policies and processes to effectively manage its resources. In addition, it indicates a commitment to continuous service improvement and effective corporate governance.

In accordance with the Freedom of Information Act 2000, the Risk Management Strategy and Risk Register will be posted on the Council’s website www.ststephenininbrannel-pc.gov.uk and be available for inspection at the Council Offices.

Adopted by Full Council at the meeting held on Wednesday 10th July 2024 under minute number FPC155/24. Due for review in September 2025.