The key document and process used in Risk Management is the maintenance of a Risk Register. It is considered to be so fundamental to an organisation's management that the Corporate Governance Questionnaire issued by the Internal Auditors includes a specific question of the Chairman: "Has the Council reviewed an updated version of the financial risk assessment and formally approved its re-adoption (Governance and Accountability Manual – 2014 refers)". Failure to undertake the review, to agree the Risk Register or to Minute that you have done so will result in its inclusion in the Auditor's Annual report!
The Parish Council has a basic Risk Register (linked to its Aims and Objectives - Sept 2016). This comprehensive Risk Register is supported by two further more specific 'risk assessments' that are closely aligned to more specific (and constantly changing) aspects of risk ie Highways Matters and Village Green. All three of the latest versions of the Risk Register and the 'risk assessments' are available below.
In constructing a robust and resilient Risk Register the following steps must be followed:-
STEP ONE: Identify and characterise risks
Identification of risks was first undertaken by the Parish Council in 2012. Some risks will be ‘industry’ specific, eg problems affecting residents when they are snowed in for prolonged periods; however, general areas of risk can be divided into two categories: Strategic Risks and Operational Risks. In 2016, the Council decided that the process would be improved and be more relevant if the risks identified were actually aligned with the Council's Aims and Objectives. This action was undertaken by the Council in September 2016 when it formally agreed its Aims and Objectives.
Strategic Risks will affect the achievement of the Council’s key objectives and in general are relatively static in nature. They are usually sub-divided into four categories, but not all will be appropriate for every organisation:
Political – relating to political policy which may affect the marketplace in which the Council is operating;
Economic – relating to economic changes, such as central government cutbacks in local government funding, or the consequences of investment decisions;
Competitive – relating to the ability to deliver a competitive product or service;
Environmental – relating to the environmental consequences of progressing the objectives of the organisation (eg energy efficiency, carbon emissions, pollution, recycling, climate change).
Operational Risks are risks likely to be faced on a day to day basis by the Clerk/Responsible Finance Officer. They are usually sub-divided into five categories, but not all will be appropriate for every organisation:
Financial – relating to financial planning and control, such as the performance of investments and adequacy of insurances;
Contractual – relating to contractors delivering services or products to the agreed cost and specification;
Technological – relating to the reliance on operational equipment, such as IT systems or machinery;
Human Resources – relating to staffing issues, health and safety, skill needs, management structures and disputes;
Environmental – including adverse weather that might impact service delivery or the health and safety of its residents.
STEP TWO: Assess risks
Once identified, risks need to be assessed as to their Severity. Severity is identified by way of combining the Likelihood of an occurrence with the Impact of that occurrence. For instance, there may be a high likelihood of a risk occurring, but its impact is considered to be small. Or the likelihood of an event could be considered small but its effect could be catastrophic ie the Titanic effect. Consideration should be given to more than just the financial impact on the Council and its objectives. Legal, environmental, social and moral aspects of the risks are also factors. For example, one risk can result in only a minor financial loss but also a very big reputational loss (from any negative media coverage that might follow).
STEP THREE: Evaluate risks
Risk evaluation is used to decide what the significance of risks to the organisation is and whether each risk should be accepted or managed. The estimation of the impact can be in qualitative or quantitative terms. The key issue for the Council to understand is which risks are ‘unacceptable’ to them, and to decide how they are to manage those risks. The key question is "How severe is the risk?"
A relatively simple and the most commonly used method of assessing Severity, and hence the potential seriousness of a risk to an organisation, is to allocate a score of 1 to 3 to each of Likelihood and Impact, with a score of 1 being low and a score of 3 being high, and to multiply these two scores together to arrive at a combined score for Severity. The Severity score will therefore be 1, 2, 3, 4, 6 or 9. Generally, a combined score, ie Severity, of 1 or 2 will be considered ‘acceptable’ and the Council will probably be satisfied that no action is required. A score of 3 or 4 may also be considered to be 'acceptable' but further action may/may not be thought appropriate. However, a score of 6 or 9 is generally considered to be ‘unacceptable’ and remedial action MUST be taken.
If the Council has considered that an initial assessment of Severity is unacceptable, ie 6 or 9, it may consider that action already taken to reduce the potential Severity will, once implemented, be adequate, and that a review would reduce the Severity score to, say, 3 or 4. The fundamental question for the Council is ‘is the latest score (after actions/countermeasures) considered to be ‘acceptable’, and if not then what further action (see STEP FOUR below) is necessary?’ This iterative process should continue until a reassessment of the Severity of the risk has concluded that the Severity is now ‘acceptable’. It is advised that a score of 3 or 4 may still require ‘further consideration’.
STEP FOUR: Manage risks
In order to determine how to manage risks, the acceptable level of exposure to risk, or 'risk appetite' needs to be determined. This risk appetite is subjective according to each organisation – factors which can be taken into account in deciding this are:
Cost effectiveness – what is the cost relationship between implementing the change and the expected risk reduction benefits?
Compliance – any controls in place must comply with the law
Stakeholders – what risk reduction measures would residents or Basingstoke and Deane BC, who fund the PC, expect?
The approach to managing the various risks identified will be dictated by the severity of the risk by reference to its likelihood and the potential impact of the risk, in conjunction with the risk appetite of the organisation.
The strategies to manage the identified negative risk include:
Transferring (eg: insurance cover - paying a third party to take the impact of the risk if it occurs)
Avoiding the risk (eg: in extremis this could be ceasing an activity in a certain area)
Reducing the negative effect of the risk (eg: through internal controls, such as introducing a new procedure to reduce errors)
Accepting some or all of the negative impact of the risk (eg: if the cost of reducing risk is too high, then the Council may decide to accept the risk and its possible impact)
Where the risks identified are beneficial, there are strategies to manage these too:
Exploit – removing the uncertainty by seeking to make the opportunity definitely happen
Share – passing ownership to a third party best able to manage the opportunity and maximise the chance of it happening
Enhance – increasing its probability and/or impact to maximise the benefit to the project
Accept – adopting a reactive approach without taking explicit actions
STEP FIVE: Reporting and Monitoring
As stated in the opening paragraphs, the importance of 'Reporting and Monitoring' has been heightened recently with the requirement (Governance and Accountability Manual – 2014) that the Council MUST review an updated version of the financial risk assessment and formally approve its re-adoption... each year! As Agendas, Reports and Minutes, including those relating to Risk Management/Risk Registers, are circulated to residents and are publicly available, there is a transparency to the Parish Council's approach to Risk Management.
Conclusion
An effective risk management system will tread the middle ground between:-
(a) being so insufficiently thorough in identifying potential risks that the Council is vulnerable to volatility through disruption, and
(b) being so overly burdensome that the Council is prevented from operating effectively, and from seizing new opportunities.