Agenda Item No. 9
The Vale of Glamorgan Council
Audit Committee: 1st May 2018
Report of the Managing Director
Review of the Corporate Risk Management Strategy
Purpose of the Report
- To present the revised Risk Management Strategy to Audit Committee for consideration and approval.
Recommendations
- That Audit Committee considers and approves the revised Risk Management Strategy.
- That Audit Committee refer this report to Cabinet for their consideration and approval.
Reasons for the Recommendations
- To make Members aware of the changes to the Risk Management Strategy and ensure there are robust mechanisms in place to effectively identify, manage and monitor risks.
- To ensure that Cabinet are aware of and approve the changes made to the Council's Risk Management Strategy.
- As part of the Council's work to improve the internal business planning processes and the ongoing implementation of the Well-being of Future Generations Act, the Insight Board undertook a review of the approach to Corporate Risk Management.
- As a result of this review, a new approach to Corporate Risk Management was developed and has been documented through the creation of a new risk methodology and the development of a revised Risk Register template. The new Corporate Risk Register and its associated Reporting tool were endorsed by Audit Committee on 31st January 2018.
- As a result of making changes to the way in which risks are evaluated and documented, a review and update of the accompanying strategy has been undertaken. This report outlines the process undertaken and changes made to the Risk Management Strategy and seeks consideration and approval for the strategy by the Audit Committee.
Relevant Issues and Options
- The Council's Risk Management Strategy was last reviewed in February 2016. It is considered good practice to regularly review and update the Risk Management Strategy to ensure it strengthens the Council's approach to Risk Management. As described above, a number of changes to the methodology for corporate risk management have been made and as such, the revised strategy reflects these changes. Members will note, however, that the fundamental approaches to managing risk have remained the same.
- The revised Corporate Risk Management Strategy is attached as Appendix 1 to this report. There are a number of annexes to the Strategy as follows:
- A - Risk Register Template
- B - Risk Management Guidance Note (Worked Example)
- C - Service Risk Template
- D - Project Risk Matrix
- E - Project Risk and Issue Log
- The revised Corporate Risk Management Strategy outlines our approach to risk management and focuses on three main stages:
- Identification of a risk and its definition
- Evaluation of the inherent risk, the effectiveness of controls and the residual risk
- Management of risk.
- Risk Identification and Definition - This involves scanning the horizon to identify new and emerging risks. Once identified, risks need to be clearly defined and understood. This stage considers risk in the context of influencing factors associated with political and legislative, resource, service delivery and well-being and reputational drivers.
- Risk Evaluation - To effectively assess the scale of a risk we have developed a three-step evaluation process as part of this stage. This involves:
- Assessing the inherent risk - The risk is scored in terms of both likelihood and impact assuming an environment where there are no risk controls in place (a pre-control environment). This enables us to fully understand the gravity and severity of risks in terms of the likelihood and impact of them occurring, if there were no control mechanisms in place.
- Assessing the effectiveness of controls - This considers the effectiveness of our existing controls at managing the risk. It explores the controls which are in place and how effective they are at regulating the likelihood and impact of the inherent risk occurring. The scoring is based on how effective the controls are at reducing the likelihood and the impact of the risk occurring.
- Evaluating the residual risk - This involves assessing the risk score as a result of applying controls to mitigate the risk.
- Managing Risk - This stage involves identifying the actions that are already in place that control the risk as well as identifying the actions we need to take to further mitigate/manage the risk.
- The new approach to risk is outlined in the Strategy and applies to all types of risk. How we apply this approach in relation to managing Corporate Risks, Service Risks and Project Risks is also described in the Strategy as these types of risk require a different application of the approach.
- Appendix 2 provides Members with a summary of the key sections of the new Risk Strategy, the purpose of the section and a summary of the changes/revisions and the reasons for these changes.
Resource Implications (Financial and Employment)
- Managing and reducing risks effectively helps prevent unnecessary expenditure for the Council, reduces insurance claims and premiums and provides better protection for the Council and its staff and members.
Sustainability and Climate Change Implications
- Corporate Risks are considered in the context of the Well-being of Future Generations Act in terms of the impact they could potentially have on our contribution to the Well-being Goals. The five ways of working are also a key consideration in relation to our Corporate Risks to show how these ways of working can have a mitigating effect through actions taken as part of the risk management plans within the Risk Register.
Legal Implications (to Include Human Rights Implications)
- Identifying, managing and reducing risk effectively mitigates against potential legal challenge.
Crime and Disorder Implications
- None directly.
Equal Opportunities Implications (to include Welsh Language issues)
- Mitigating actions and controls to counteract any equalities related risks are outlined in each risk template in the Risk Register and monitored by the Insight Board, CMT, Audit Committee and Cabinet.
- Risk management is an intrinsic part of corporate governance and integrated business planning which underpins the delivery of the Council's Corporate Plan and Well-being outcomes.
Policy Framework and Budget
- The proposals are within the Council's Policy Framework. The approval of the Strategy is the responsibility of the Council's Cabinet.
Consultation (including Ward Member Consultation)
- Consultation has taken place with nominated risk owners and members of the Insight Board.
Relevant Scrutiny Committee
- Corporate Performance and Resources
Corporate Risk Management Strategy
Corporate Risk Register
Huw Isaac, Head of Performance and Development.
Corporate Management Team
Head of Performance and Development
Operational Manager, Performance and Policy
Operational Manager, Internal Audit
Rob Thomas, Managing Director