
Must know guide: Risk management

Identifying and managing risk – and gaining assurance that this is being done effectively – are key roles for senior political and managerial leaders. This guide aims to help those in leadership roles to understand what good risk management looks like and to undertake their roles successfully.

Introduction

To state the obvious, we are surrounded by risks, threats, concerns, issues and indeed opportunities in everything we do, personally, professionally, and organisationally.

Senior political and managerial leaders have a key personal and collective role in the identification and management of these things. It is also critical that they have assurance that they are being identified, acted upon, and managed.

Such assurance of risk (or broader governance) is a must. It should be continuous, not just an annual activity or one prompted by an unwanted event. Embedding a risk culture (see A good risk culture) means that it is understood across the organisation that risk management is important, enabled and everyone’s responsibility. This is fundamental to good governance and effective risk and opportunity management.

Allied to that responsibility is accountability. It is therefore important to build and maintain simple processes that clearly identify accountabilities for risk management (and broader governance) that are as easy to understand and comply with as possible.

Creating the right risk culture is key. Almost every ‘failure’ or major issue in organisations, once dissected, identifies culture and poor governance at their core.

Increased pressure on councils itself presents greater risk, and opportunity. Whilst that pressure can push councils into new territories, such as to embrace technology advances, there remains the need and duty to ‘stay safe,’ and to ensure the basics, the boring stuff, is done properly. Risks of non-compliance should not emerge because of meeting current and future challenges. The risk of ‘taking one’s eye off the ball’ is important to acknowledge.

This guide aims to help senior political and managerial leaders understand:

  • the key ingredients of effective risk management as part of the organisation’s broader governance assurance arrangements
  • their role in ensuring that they are carried out appropriately
  • what good risk management looks like
  • the questions to ask to receive the vital assurance that the risk management arrangements are effective and facilitating the successful achievement of objectives and keeping the council safe, compliant and accountable.

Whilst reference is made to some risk management processes and techniques, this is not a technical guide (Annexe 1 includes an overview of the typical elements of a council’s risk management processes and structures). This guide focuses not on the ‘how’ of risk management but rather the ‘so what’ and the assurances you can get as a leader about risk management. The focus is therefore more on ensuring the right behaviours and the organisational culture to reap the benefits of effective risk management. When you break it down, risk management is just common sense and good management.


General terms and references

This guide uses a common language regarding council structures. It would be unwieldy to refer throughout to the myriad of ways that have developed over the years in how individual councils structure and organise themselves.

When referring to the political leadership, this includes the leader or elected mayor, portfolio holders and/or committee chairs.

When referring to the senior management team (SMT) this includes the most senior officers of the council along with the chief executive as the highest-level officer group. These are sometimes called executive directors.

The term senior manager refers to those officers below that SMT level, to include those often referred to as service directors, assistant directors, or heads of service.

The term audit committee covers the member body performing the role of an audit committee as recommended by the Chartered Institute of Public Finance and Accountancy (CIPFA) in CIPFA Audit committees: Practical guidance for local authorities and police (2022 edition). In many councils the audit committee is called something different, such as audit and governance, audit, risk and assurance, or other combinations.

Scrutiny committee refers to the member body that performs the overview and scrutiny role, usually in a leader or mayor and cabinet governance system. Again, these have developed to take on various names and structures.


Risk in the local government context

We all have a good idea of what is meant by risk and risk management but is this different in a local government context?

Naturally, the constitutional, strategic, and operational uniqueness of local government and individual councils present different risks, but the ‘risk process’ is fundamentally the same as anywhere.

What is the most marked difference is that we are dealing with public money and delivering essential services. With that goes a responsibility to be publicly accountable and to be able to obtain and provide assurance that we have the right arrangements in place to meet those responsibilities.

With regard to risk management as political and managerial leaders, your focus needs to be on the information and assurances you get from the ‘risk process’ rather than the mechanics of it. That said, the risk mechanics need to be effective, clear, understood, used, and embedded. Most importantly they must have an impact, make a difference and inform decision-making and day to day operational delivery.


The case for good risk management

In successful organisations, risk management enhances strategic planning and prioritisation, assists in achieving objectives and strengthens the ability to be agile to respond to the challenges faced. For an authority to meet objectives successfully, improve service delivery and achieve value for money, risk management must be an essential and integral part of planning and decision making from policy or project inception through implementation to the everyday delivery of services. While risk practices have inevitably developed over time in local government, the volatility, complexity, and ambiguity of the operating environment has increased, as have demands for greater transparency, accountability, and assurance. Effective risk management is therefore an essential element of strategic and political leadership.

Risk management is also a key management tool and forms part of the wider governance system of every public sector organisation. It helps managers to demonstrate good governance, be accountable, better understand their risk profile and better mitigate risks (particularly uninsurable risks). Externally it can help the organisation to enhance political and community support and satisfy stakeholders’ expectations about the council’s management of public money.

There are many benefits of having an effective risk management approach. Below are some of them, which will be touched upon in this guide:

  • enabling risk taking in chosen areas
  • reputation protection
  • improved operational efficiency
  • better mitigation of key risks
  • increased ability to secure funding
  • maximised opportunities
  • enhanced cross-party political and community support
  • reduced losses from workplace accidents and illnesses
  • knowing now, rather than later and therefore having more time to respond or react
  • demonstration of good governance
  • achievement of the organisation’s objectives
  • better delivery of intended outcomes
  • protection of budgets from unexpected financial losses
  • increased effectiveness of change projects and programmes
  • protection of assets.

Given these benefits, why wouldn’t you want to ensure you had that assurance and confidence by leading and supporting the right risk and governance culture?


What good looks like: The characteristics of effective risk management

Risk management is not about adding new processes; indeed, creating complicated, jargon-heavy processes is counter-productive. Instead, effective risk management is about ensuring that risk management is integrated in the way we lead, direct, manage and operate. As an integrated part of the council's governance, assurance, and management systems, and through the normal flow of information, the risk management framework should harness the activities that identify and manage the uncertainties faced and systematically anticipate and prepare successful responses.

While there are some important principles to bear in mind, effective risk management stems from an organisation’s culture and leadership: what matters is what works. Every council has its own context, challenges, and resource issues, and therefore needs a way of delivering its responsibilities through good systems of governance, with risk management being a key ingredient.

Below are words and phrases that describe the characteristics of an effective risk management approach.

Table 1: Characteristics that describe an effective risk management approach
  • impactful
  • influential
  • permissive
  • simple
  • logical
  • accessible
  • practical
  • flexible
  • useful
  • focusses attention
  • provides assurance
  • disciplined
  • consistent
  • accurate
  • specific
  • has management buy-in
  • integrated
  • enabling
  • dependencies
  • highlights controls
  • strategic
  • operational
  • projects / programmes
  • identifies hazards
  • strategies / objectives
  • is complied with
  • transparent
  • embedded
  • linked to audits
  • action driven
  • accountable
  • timely
  • visible
  • engaging
  • scrutinised
  • member input
  • supported
  • resourced
  • reviewed
  • whole organisation.


Question: How many of these apply to your council’s risk management arrangements?


Barriers to effective risk management

Conversely, these words and phrases are common features where risk management is not effective:

Table 2: Characteristics that describe an ineffective risk management approach
  • mechanistic
  • bureaucratic
  • inconsistent
  • controlled by Corporate Risk Manager
  • hard to report
  • never a priority to discuss
  • poor timeliness
  • no buy-in from management
  • subjective scoring
  • no risk management system
  • not communicated
  • lack of information / data
  • no training
  • poor guidance
  • stand alone
  • no member input
  • narrow focus
  • in silos
  • limiting
  • complicated
  • general aversion
  • not utilised.


Question: If any of these resonate, how will you ensure that improvements will be made?


Risk management strategy

It is important that the approach to and the process of risk management is articulated in a guiding strategy and framework. A risk management policy statement should also be considered as part of the overall strategy as a ‘one page’ statement signed by the Leader and Chief Executive that provides a clear message of the culture needed and the reason this is important. An example of a risk management policy statement is provided in Annexe 2.

The council’s Corporate Risk Manager, or an officer with responsibility for the risk management process (see The respective roles of elected members and officers in risk management), is usually technically trained in risk management and will be able to draft this document for senior management consideration and wider consultation.

Internal consultation amongst key senior and operational managers is important to ensure the strategy is presented in language that is understandable, with as little jargon as possible, and written with the risk owners in mind. Given most councils have numerous stakeholders who will all need to contribute to the effective identification and management of risk, their views of how they can engage with the strategy and risk management process are very important.


A good risk culture

A risk culture is a phrase often bandied about as being critical in ensuring the appropriate and effective approach to risk management. As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. The risk culture must embrace openness, support transparency, welcome constructive challenge and promote collaboration, consultation, and co-operation. There should be an openness to scrutiny, embracing expertise to inform decision-making. Risk management, and good governance generally, must be invested in to ensure the necessary capabilities and to continually learn from experience.

What does that mean in a local government context? In simple terms, creating and sustaining an effective risk culture should encompass the following:

  • Leadership commitment: Leaders at all levels setting the tone and personally demonstrating the importance of the management and assurance of risk with clear accountability, to give greater confidence in decision-making.
  • Clear communication: Creating channels that enable and encourage conversations and challenge about risks throughout the organisation as well as communicating corporate messages of success and learning from both positive and negative experiences.
  • Employee empowerment: Encouraging employees to own and therefore manage risks at an operational level, and for all employees to feel able and empowered to speak up where there is a concern that threatens success, delivery, achievement, and good performance.
  • Training, awareness and responsibility: An embedded and accessible source of information, practical examples and scenarios, and easy to understand guidance to make the ‘risk process’ real and relatable to everyone’s working life – making the consideration of risk a part of the ‘day job’ at every level in the organisation and making it a responsibility through job descriptions and performance and development appraisals.

Question: As a leader in the organisation, can you see and feel that these cultural elements of effective risk management are in place and are providing assurance and confidence? And even though risks and concerns will remain, are you comfortable that the organisation is aware and is/has taken all reasonable measures to manage them?


Risk assurance

Simply put, risk assurance refers to the processes of evaluating and verifying that an organisation’s risk management strategies are not only in place but are functioning effectively to mitigate existing and emerging risks.

It provides a structured approach to ensuring that all identified risks are adequately managed and aligned with the organisation’s overall objectives. This process typically involves regular risk and control assessments, monitoring, and reporting, which collectively help maintain an organisation’s resilience in the face of uncertainties and doing so through the right risk culture.

The internal audit function (see Must know guide: Working with auditors), operates to provide management with independent and objective assurance about the organisation’s arrangements for risk management (and internal controls and governance). This is a valuable resource to contribute to your confidence. They will in various ways review the corporate arrangements for risk management as well as the compliance with and effectiveness of risk management practice across the organisation. This assurance (or otherwise) is usually provided through the audit committee but must be shared and communicated to all members and senior managers.

As organisational leaders you need assurance; assurance regarding the mechanics of processes and that they are effective and efficient and importantly consistently complied with. Ensuring this is a management responsibility of course, supported by internal audit and the audit committee. Ultimately it is the responsibility of ‘those charged with governance’ – that is, all the elected members of the authority.

Annexe 4 provides a range of questions to pose to get assurances regarding the effectiveness of risk management. These questions may assist in assessing the effectiveness of the council’s risk management arrangements. They are equally applicable to be asked from the perspective of the audit committee, the executive or senior management, although for the latter, it may be more about having the answers.


Risk and assurance considerations

You need to have the mechanisms to create the formal opportunities for conversations about risks and their management directly: in Cabinet or the relevant policy committee, between portfolio holders / committee chairs and their respective directors, but also in the senior management team and throughout the organisation. The culture of openness significantly supports the right risk culture.

Risk management and how risks are usually articulated are steeped in negative language – the risk of failure, suffering a loss, some element of being inadequate or an inability. Many ‘risks’ are not really risks at all; they are inevitabilities or matters that will prevail for the long-term if not in perpetuity. There will be the ‘normal’ event and hazard risks of course, but at the corporate level certainly these are unlikely to feature greatly.

Whilst thinking in those negative terms is common and traditional, at the leadership level the focus should be on seeking more positive outcomes. Seeking assurance should ideally be focused on what do we have in place that ensures success, delivery, performance, and achievement. Although this could be viewed as semantics in flipping the focus of risk / governance assurance in a more positive way, it can provide a powerful approach that engages better, promotes accountability, and drives a focus on broader organisational governance.

When using traditional risk registers it can be useful to think about obtaining positive assurances about how risks have been identified and how the mitigating actions will have the desired and positive impact.

As leaders it is important to understand and see how assurances are triangulated. First-hand experience – being involved in risk conversations – is key, as is seeing the risk registers where risk owners should be demonstrating their effective management of the risks. Effective management of risks and particularly the impact of any mitigating actions should be supported by information and data that clearly shows the impact and influence of an action. To complete the triangulation, seek independent assurance from internal audit and the audit committee who should consider the effectiveness of risk management arrangements. External audit will also take a view of the council’s risk management arrangements within their annual work to assess value for money.

A useful approach to think about risks and the assurance needed is to consider them in three ways. Each focuses on seeking positive assurance, with less negative language, such as how we succeed, deliver, perform, and achieve:

  1. A concern: Something to address, avoid, or prepare for in the future. This could be how to deliver a particular objective, meet a future requirement like a change in legislation, or a focus on maintaining or achieving specific service levels. So, what do we need to have in place to ensure we deal with the concern?
  2. An issue: Something that has gone wrong, a live problem that needs a specific response. This could have arisen from a complaint, enforcement action against the council, a failure of a contractor or hazard that has occurred, hence understanding what aspect of the council’s governance arrangements failed. So, what wasn’t in place or what wasn’t complied with that led to the issue arising so we can minimise the chance of it happening again?
  3. Area of focus: Those matters of inevitability, or of a long-term nature, that need oversight so that management at the appropriate level maintain a focus on them and therefore receive continuous assurance. These can be at any level in the council. At the highest level, this is maintaining a focus / continuous assurance on matters like health and safety, safeguarding, organisational resilience, business continuity, cyber resilience, financial sustainability, meeting environmental responsibilities or sustaining community cohesion. At a more operational level, such a focus might be on a long-term project or a change in a regulatory framework. So, what is in place that provides this assurance?

Highlighting this way of thinking about the matters (risks) that you need assurance on is not necessarily to suggest or recommend moving away from the traditional approach to risk management. However, re-framing the language and approach has been proven to significantly help with ownership and accountability and indeed in the general appreciation of why managing ‘risks’ is so important.

A good example of re-framing a common strategic risk is when considering the risk of having insufficient or reduced resources to deliver strategic objectives. Although somewhat simplified, this is an inevitability and one that is likely to prevail for the long-term if not forever. There is little a council can do in a practical sense to mitigate against this. Re-framing this risk and looking at it in a different way can focus attention more effectively.

The actual area of strategic focus and assurance would be on whether the council has an effective financial management framework in place that enables it to manage with the resources it has. This approach would seek positive assurances on such things as:

  • the robustness of the Medium-Term Financial Strategy
  • the budget setting process
  • the budget monitoring process
  • the financial acumen of budget holders
  • the quality of performance and activity measures to assess the impact of reduced resources
  • the quality of contract management, or partnerships and collaborations where council funds are ‘spent’ by others, and so on.

In other words, ensuring a focus on the governance arrangements that should be in place, and that they are efficient, effective, and complied with.

Question: Are the risks on your council’s strategic risk register really risks or are they inevitabilities? Does the register identify the governance and assurance mechanisms that enable you to be confident that the risks are being managed effectively?


Cumulative risk assessment

Cumulative risk refers to the combined risks from multiple sources that can impact such things as public health, safety, or the environment. The process involves assessing the total potential impact of various factors rather than looking at them individually. This approach helps in understanding the broader implications and to make informed decisions for risk management and policy making.

Here are a few examples of cumulative risk assessment in local government:

  1. Emergency planning: Cumulative risk assessments are used to prepare for potential emergencies involving identifying multiple hazards (for example, natural disasters, industrial accidents) and evaluating their combined impact on the community. The goal is to mitigate risks by implementing measures to reduce the likelihood and severity of these hazards.
  2. Financial resilience and capacity: This requires consideration of the financial resilience of the council in meeting multiple initiatives, projects, and general financial pressures as well as the cumulative impact of any initiatives, projects and transformations on the overall financial sustainability of the council and the organisational capacity required to support and deliver them. Each project should have its own risk register, but there should be an overarching perspective to consider the impact of any failed delivery or significant delays.
  3. Public health initiatives: Cumulative risk assessments are used in public health initiatives to address multiple health risks in a community. For example, assessing the combined impact of poor housing conditions, lack of access to healthcare, and environmental pollution can help in designing comprehensive interventions to improve overall health outcomes.

These examples illustrate how cumulative risk assessments help local authorities make informed decisions and develop effective strategies to protect their communities. Again, you need to be assured that such risk assessments are undertaken and that they are demonstrated in risk registers, risk reporting and critically in decision-making.

Question: Do members in your authority have a view of the cumulative risk that the council is exposed to?


The respective roles of elected members and officers in risk management

A good risk management strategy / framework, the constitution and job descriptions should set these out, supported by induction and regular training.

Fundamentally, it is management’s responsibility to design, implement and maintain an effective risk management process: the ‘what.’ And it is members’ role through the executive or committee arrangements to approve that process and for the audit committee to receive assurance: the ‘so what?’. It is good practice and recommended that there is an appropriate and regular interface (formally and informally) between members and officers to exchange risk information, give and receive assurances and contribute to the identification of risks.

How these roles and responsibilities are practically discharged should be reviewed regularly. Only when there is deep-rooted accountability can effective risk management be truly part of ‘business as usual.’

In broad terms the role of members in the council can be described as follows:

All members

  • commit to understand, use, and actively engage with the risk management policy, strategy, and process
  • maintain that understanding through attendance at or completion of relevant training
  • be proactive in considering risks (and opportunities) to the council and ensure any matters are referred to the appropriate officer for investigation
  • assist in embedding and demonstrating the risk culture through behaviours and actions.

Executive / Cabinet collectively, or the ‘Policy’ or ‘Resources’ committee where these roles are discharged

  • approve and actively support the risk management strategy and framework
  • demonstrate the risk culture of the council in behaviours and actions by having an open and transparent approach to risk management and risk challenge
  • consider the strategic risk register (and major project or partnership risk registers), ideally quarterly
  • receive supporting reports and presentations from the relevant member of SMT regarding the status of the strategic risks
  • ensure that the risks identified in the risk register reflect the current position and risk profile of the council
  • ensure any emerging trends are considered and captured on risk registers
  • ensure that cumulative risk assessments have been undertaken
  • ensure that barriers to achieving the organisation’s strategic goals are reflected in the content of the strategic and other risk registers
  • be satisfied through questioning and challenge, that risks associated with a decision have been appropriately identified, assessed and that there are effective actions in place (detailed risk registers associated with the decisions are attached to the report or are available). Make decisions informed by the risk analysis
  • receive assurances from the audit committee on their consideration of the effectiveness of the risk management process
  • receive assurances from the scrutiny committees in their challenge of decisions and corporate performance that risks have been properly identified, assessed, and managed
  • individually, assume the role of risk owner for particular strategic risks.

Portfolio holders (separately from the role on the Executive)

  • engage regularly with the relevant member of SMT and other senior managers to discuss risks and the management of them
  • contribute to the identification of risks
  • assist in the horizon-scanning to identify any emerging risks
  • discuss the risks associated with forthcoming decisions or policy areas.

Scrutiny committee

The Centre for Governance and Scrutiny provide a useful description of the role of scrutiny in risk management. Their publication, Audit, scrutiny and risk, offers the following guidance:

In general terms the scrutiny committee will ask: Are the outcomes that we are trying to deliver, deliverable? Are they, therefore, the right outcomes?

Scrutiny looks at questions like:

  • How does our culture of risk management influence and inform our overall priorities – how are we using our appetite for risk to determine what we should, and should not, be doing?
  • Where, and how, do different politicians’, and different officers’, approach to and understanding of risk diverge? What is the implication of that divergence, where it exists?
  • How do members, and officers, in decision-making roles account publicly for their decisions? How does scrutiny know where political, and operational, choices have been made in a way that is informed by an understanding of risk? Have decisions been made with appropriate consideration of current and future risks?
  • What lessons have we learned from specific events, or series of events, that have had adverse consequences? How have these lessons informed our approach in the future?

Scrutiny may also look at the policy implications of specific risks should they materialise, and the policy implications of putting certain mitigations in place.

Scrutiny’s own work programme should be informed by risk – by exploring policy options and priorities in service areas where the council may be particularly exposed to risks. This may be particularly important where the council is exposed to external risks, such as high demand – or internal risks, such as a fragile financial position.

The scrutiny committee should look at the council’s forward plan and consider which areas may have the greatest risk and ensure their questioning and challenge provides assurance that those risks have been adequately identified.

Audit committee

This committee plays a significant role in the council’s risk management and risk assurance arrangements. The Chartered Institute of Public Finance and Accountancy (CIPFA) has issued practical guidance regarding the role of audit committees in local government and police. The following extract is taken from their 2022 guidance:

The role of the audit committee in relation to risk management covers three major areas.

1. Assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the ownership of and accountability for risks. Specifically, this includes:

  • overseeing the authority’s risk management policy and strategy and their implementation in practice
  • overseeing the integration of risk management into the governance and decision-making processes of the organisation
  • ensuring that the Annual Governance Statement (AGS) is an adequate reflection of the risk environment.

2. Keeping up to date with the risk profile and the effectiveness of risk management actions by:

  • reviewing arrangements to co-ordinate and lead risk management (an example of such an arrangement is the existence of a group to examine, challenge and support the risk assessment process to ensure consistency across the organisation)
  • reviewing the risk profile and keeping up to date with significant areas of strategic risks, major operational risks or major project risks and seeking assurance that these are managed effectively and owned appropriately (the committee should avoid duplication of risk monitoring and scrutiny undertaken by other committees)
  • seeking assurance that strategies and policies are supported by adequate risk assessments and that risks are being actively managed and monitored
  • following up risks identified by auditors and inspectors to ensure they are integrated into the risk management process.

3. Monitoring the effectiveness of risk management arrangements and supporting the development and embedding of good practice in risk management by:

  • overseeing any evaluation or assessment of the body’s arrangements, such as a risk maturity assessment or risk benchmarking
  • reviewing evaluation, assurance and audit reports on risk management and monitoring progress on improvement plans.

Acting as a risk committee: Local government bodies do not usually establish a dedicated committee with responsibility for risk management. Instead, committees such as policy and resources, cabinet or scrutiny are likely to play a role in the oversight of individual risks and the adequacy of the risk response. The leadership team, including the executive member body, will take the lead in establishing the risk appetite of the authority. The audit committee should understand the roles played by other committees to avoid duplication and confusion with its own role.

Where other member bodies do not actively review key risks, the audit committee could take on additional functions involving more in-depth reviews of risks. In doing so, the committee should be mindful of when it is acting as a risk committee rather than just as an audit committee.

These functions could include:

  • regular reviews of risk registers, particularly strategic risks, and significant operational risks to consider their adequacy and effectiveness in capturing and assessing risks
  • risk challenge to evaluate whether planned mitigations are appropriate and effective, making recommendations to the responsible risk owner where appropriate
  • identifying dependencies or links between risks and considering if the planned mitigations recognise this
  • considering if risks have been escalated appropriately and in a timely manner
  • supporting the leadership team in their review of risk appetite, though the final decision should remain with the leadership team.

The audit committee’s terms of reference should make it clear whether risk committee roles are included.

It can be seen how influential the audit committee is in a council’s risk management arrangements. It is equally important that the audit committee has the organisational status, respect, and ability to operate truly independently and objectively to discharge its role and have the necessary impact and influence.

Whilst the roles of the scrutiny committee and the audit committee are separate and different, there is scope for them to interface with each other. In general terms, aside from the specifics of risk management, there should be a formal protocol for how both audit and scrutiny can utilise each other’s work and for the respective Chairs (and Vice-Chairs) to meet periodically to inform respective work planning.

In broad terms the role of officers at various levels in the council can be described as:

All staff

  • commit to understand, use, and actively engage with the risk management policy, strategy, and process
  • maintain that understanding through attendance at or completion of relevant training, both general and role specific
  • maintain awareness of risks, speak up about them and take steps to manage them as part of day to day operations
  • understand their accountability for their part in the risk management process
  • demonstrate the risk culture of the council in behaviours and actions.

Chief Executive and the Senior Management Team (SMT)

  • the Chief Executive signing the risk management policy statement and therefore being able to ‘walk the talk’
  • providing overall collective leadership for the effective delivery of the risk management policy and strategy
  • setting and personally demonstrating the right organisational and risk culture, leading by example
  • identifying and owning the strategic risks of the council
  • prioritising risk discussions in SMT meetings to ensure the risk profile of the council is understood and reflected in strategic and financial planning
  • ensuring cumulative risk assessments are undertaken and their implications understood and taken into account
  • constantly considering and reviewing the council’s risk appetite in relation to current and emerging risks and opportunities
  • creating and maintaining an accountability framework – holding management to account for managing risks within their leadership portfolios
  • creating and maintaining a broader governance assurance framework of which risk management is part
  • ensuring arrangements are in place and understood for the appropriate escalation and de-escalation of risks
  • ensuring clear and meaningful action is identified to mitigate risks, and that it has the desired impact and influence
  • ensuring there is consistency in the identification and treatment of risks across the council
  • ensuring risk considerations are woven into the decision-making process at all levels
  • ensuring adequate resources are deployed to support risk management
  • reporting regularly to, and engaging with, the Executive / relevant committees on progress in the management of risks and the general risk profile of the council.

Senior and middle management

  • leading by example in supporting and personally demonstrating the organisational risk culture
  • understanding their risk responsibilities and being accountable for them
  • demonstrating the consideration of risks in reports to senior management or the Executive / committees
  • escalating risks to SMT in a timely manner
  • maintaining appropriate risk information and data to support decision-making in the treatment of risks
  • facilitating and prioritising risk discussions in management, team, and individual meetings
  • maintaining accurate, up-to-date risk registers for the service, any projects, and partnership or collaboration working
  • creating self-sufficiency and ownership in the management of risk within their services.

Project / Partnership Managers

  • ensure that the appropriate risk management arrangements are created and maintained relevant to the project or partnership arrangements
  • promote conversations about risks and their management within the project or partnership governance arrangements
  • ensure regular reporting to the relevant senior management / project board / partnership board
  • communicate risk issues to all staff within the project or partnership
  • lead by example in embedding risk management within the project or partnership.

Whilst it would not be feasible to articulate the detail of all these roles and responsibilities in individual job descriptions, job descriptions do need to include a clear link or reference to them. This reference should be well-defined, making clear that every member of staff has a duty to consider risks and to be an active participant in their identification and management. Without this explicit link, enforcing accountability is harder.

There are two other employee roles which are key to an effective risk management process.

Most councils will have a post called (something like) Corporate Risk Manager. In larger councils this position may well be supported by a small team. Ideally, this role is not to ‘do risk’ on behalf of risk owners. To develop self-sufficiency in managers and risk owners so that they manage risk on a day-to-day basis, it is important that the corporate risk manager does not write risk registers for managers, nor present them at audit committee or cabinet. The role’s focus is to manage and advise on the right risk management processes to use. The corporate risk manager will draft the risk management strategy and framework and develop training and guidance materials.

The Head of Internal Audit (HoIA) is independent of management and therefore, other than their own service risks as a risk owner, should not play any role in the direct management of risks. A fundamental role of internal audit and therefore the HoIA is to establish and maintain a risk-based audit plan. To do this, assurance is needed regarding the risk management arrangements in place. The HoIA will therefore undertake audits and reviews of how well the risk management process is working such that (at least some) reliance can be placed on it to then inform which risks should be reviewed as part of the annual plan. Every piece of audit work will have regard to the risks of the area being reviewed, and so the HoIA, through their reports to management and the audit committee, will provide a continuous view of the effectiveness and efficiency of the risk management arrangements.

Question: Do members and officers in your council receive adequate training to support them to carry out their roles in relation to risk?


Making effective risk management normal business

This is best achieved when driven from the top and as part of an enabling culture in which risk management is understood and actively engaged with. This should mean that all strategic, operational, project and partnership activities and decisions have risk management hard-wired into them.

Effective financial and performance management needs to be supported by good risk management. This is primarily driven by data and information – the money, statistics, metrics and key performance indicators that would provide the early warnings or triggers for intervention.

Processes such as budget monitoring, case management, wellbeing reviews, complaints handling, grievances and disciplinaries and the like are about risk management. They are seeking to manage activity so that performance standards and financial targets are met and processes and compliance improved. The conversations, the analysis of what the information is saying and getting people’s views enrich the consideration of risk management.

Performance management frameworks set targets and report regularly on whether they are being achieved. Naturally, anything outside of the expected parameters exposes a potential risk, such as any material over or under spend linked to performance activity. This is not complicated, but it does require work to establish the roles and responsibilities and the integrated processes (and systems) that join everything together. Good risk management is easier where there is an integrated approach across services, systems, and information, looking at finance risk and performance together for example.

The Corporate Risk Manager (and internal audit) will support senior management to design and implement an integrated approach to risk management.


Risk appetite and risk tolerance

Risk appetite is defined as the amount and type of risk that the council is prepared to pursue, retain or take, or the level of risk that the council aims to operate within.

This should not be confused with or interchanged with risk tolerance, which is the absolute level of risk within which the council will operate.

A good way to think about risk appetite and tolerance is a speedometer as shown in the diagram below.

Diagram 1: Organisational risk appetite versus risk tolerance

The green area (risk appetite) is how fast it is ok to go, up to the speed limit. Then there’s an amber element (risk tolerance) where you are exceeding the speed limit, but the speed remains within an acceptable tolerance. The red part (intolerable risk) is where the excessive speed is beyond tolerance and the brake (and intervention) needs to be applied!

The management element of risk management is focussed on taking actions to reduce either or both of the likelihood of an adverse event happening and its impact. In considering a risk at any particular moment, the task is to either accept it and monitor it or take further action or contingency action which may involve seeking insurance cover or making a provision (see Financing risk).

Typical levels of risk appetite, from high to low risk appetite, are defined below:

Table 3: Spectrum of risk appetite (listed from highest to lowest risk appetite)

Eager / high: A willingness to be innovative and to choose options offering potentially higher rewards despite greater risk.
Open / high / moderate: A willingness to consider all potential delivery options and choose the one that is most likely to result in successful delivery while also providing an acceptable level of reward, value for money (VFM) and moderate to high risk.
Cautious / moderate: A preference for safe delivery options that have a lower degree of risk and only a limited potential for reward.
Minimal / moderate / low: A preference for very safe business delivery options that have a low degree of risk and a potential for limited reward.
Averse / low: The avoidance of virtually any risk and uncertainty is a key organisational objective.


Although there may be a tendency to divert management focus to the areas of low-risk appetite, all appetites need management attention to be assured that the risks are being managed and, at the higher risk appetite level in particular, the rewards are being achieved.

Defining risk appetite is a way of setting boundaries in terms of how much risk is acceptable and which risks the council aims to manage if it is to realise its objectives. The benefits of adopting a risk appetite include:

  • more informed decision-making
  • reduced uncertainty
  • improved consistency across governance mechanisms and decision-making
  • support for performance improvement
  • focus on priority areas
  • better-informed spending review and resource prioritisation processes.

The following table expresses an example of a council’s risk appetite for each category of risk, which would be agreed and continually reviewed by the SMT and the political leadership together. These assessments will be unique to each council and therefore those below are not recommendations.

Table 4: An example of a council’s risk appetite for each category of risk (risk category: risk appetite)

Objectives: Eager
Service delivery: Open
Financial: Cautious
Reputation: Open
People (health and safety / safeguarding): Minimal / averse
Regulation: Cautious
Environmental: Open


Whilst it is senior management’s responsibility to set the risk appetite, this should be consulted upon, involving managers, staff, and stakeholders. Engaging widely throughout the ‘risk process’ is essential to demonstrate the risk culture and secure wide buy-in. And whilst setting the risk appetite can be useful, it is equally important to recognise that the appetite can and will change – it is not necessarily fixed. As a minimum, a review of the various risk appetites across the council should be part of the overall annual review of the risk management arrangements. They should also be reconsidered as and when there is an event or change in circumstances that needs to be taken into account, such as a change in legislation.

The term risk tolerance is typically used as a specific benchmark for the acceptability of a given operational risk exposure or metrics, such as a risk or control effectiveness indicator. Tolerance is therefore informed by information and data, those early warning signs, or triggers to prompt intervention, as shown in the speedometer diagram above.

Risk tolerance is typically expressed simply using the traditional red / amber / green (RAG) approach:

Table 5: Risk tolerance expressed using the RAG approach

Green: acceptable risk with no immediate action required except for routine monitoring.
Amber: tolerable risk with the need to investigate to verify and understand the underlying causes, and to consider ways to mitigate or avoid within a specified period.
Red: unacceptable risk with the need to take immediate steps to mitigate or avoid.


Through the continual review of data relating to strategic, operational, project or partnership deliverables, risk tolerance is being considered: in other words, at what point do certain metrics go beyond tolerance such that intervention is necessary? This is not inherently complicated, but it does rely on a consistent approach and the availability of reliable and timely information.

The council’s Corporate Risk Manager will be able to provide greater detail and assist the SMT in determining both the risk appetite and the parameters for tolerance. As leaders you need assurance that these have been defined and approved and processes exist to ensure their continual review.

Context is everything, and it is therefore essential that the SMT continually reviews the council’s risk appetite and tolerance. As shown in the risk appetite table above, there is likely to be a different risk appetite for each risk category which can change. In the case of projects, major procurements, or transformation initiatives for example, each will have its own appetite.

Good risk management is based on quality data and information that can alert management when intervention is needed. This includes ‘pulling the plug’: the ‘terminate’ option of the 4Ts (see Annexe 1). Problems such as delays, overspends, contractor issues and IT system issues are all events that could trigger consideration of action to mitigate or avoid the risk, and all are capable of early warning through effective risk management.

In many ways the management of risks will be happening instinctively through good general management, it’s just not always recognised as risk management! This is when it is truly embedded.

Question: How would you describe your council’s risk appetite? Would other members agree with you? Would officers describe it in the same way?


Risk factors

Whatever the risks that have been identified, they are all subject to internal and external factors that can have both negative and positive implications. The tables below highlight a number of internal and external risk factors that can undermine the delivery of objectives and effective management.

Many are related, but the distinction between the two lists is the ability to control and influence them, therefore directing management attention, and the type of action needed. They are risks in their own right of course, but they can also be major factors in other risk areas, particularly impacting on the ability to respond or mitigate.

Table 6: The impact of internal risk factors (internal pressure: impact / implications)

Resource pressures: Leading to short-cuts being taken, short-termism / firefighting, inability to maintain assets or plan or fund investments.
Capacity: Staff shortages creating workload pressures, compliance challenges, use of interims / agency staff and reduced accountability, reduced supervision and management, performance monitoring and training.
Capability: Erosion of skills and/or reduced capacity to keep pace with technology changes, for example – missed opportunities.
Supplier availability and viability: Commercial pressures forcing suppliers / contractors to fail or provide poor service.
Fraud: Personal financial pressures pushing employees into committing fraud, or opportunistic fraud due to reduced supervision and control.
Pace of and demand for transformation and change: Failure to adequately resource change / project management.
IT systems: Capacity, resilience, age, and lack of integration.
Data quality: Data sources and timeliness compromised.
Employee wellbeing: Increased absence, poor performance, increased grievances, retention problems, reduced goodwill.


Table 7: The impact of external risk factors (external pressure: impact / implications)

Funding reductions: General squeeze on public funds, short-term funding.
Interest rates / inflation: Implications for existing commitments – contracts, supplies, and debt.
Cyber-attacks: Growth of organised crime and hackers, digital disruption.
Organised crime / fraud: Public sector seen as a softer target with potentially weaker controls.
Cartels, price-fixing in tendering: Commercial pressures leading to dishonest contractors / suppliers.
Supply chain issues: Impact of national and international factors.
Public / clients / customers: Heightened demand and expectation adding pressure to deliver.
Environmental events and responsibilities: Emergency events, like flooding, storms or extreme heat, and longer-term issues and the expectation of reducing climate impacts.
Demographic changes: Added pressure, demand, and expectations beyond current capacity.
Societal changes and pressures: For example, housing, immigration, and community cohesion issues that increase demand.
Regulatory changes: Creating the need to change processes, skills, systems, and so on.


Few risks stand in isolation. There is a complex web of relationships, dependencies and influences that can combine to expose a council to risk. Taking a holistic approach to organisation-wide risk is essential to highlight, and be aware of, how intertwined areas of the council are and how serious risks can manifest from often small issues.

In cases of corporate failure or tragic safeguarding incidents, there are always opportunities identified in the ensuing inquiry that could have prevented the risk arising. Having a strategic focus and commitment to create and maintain an effective governance framework is probably the single most important risk mitigation.


Risk scenarios and categories

Whilst far from a comprehensive list of risk scenarios a council will face, below are a few of the most significant. The types of risk issues within each scenario are not intended to be a complete list: each council’s context and way of working will have a bearing on what the risks are.

Partnerships, collaborations, and shared services risks

These present a different risk profile and exposure where the council is not necessarily in complete control and is therefore reliant upon others to engage and share in the objectives. Such arrangements need clarity, openness, and good information. How mutual risks are identified and managed should be a key element of the guiding governance arrangements of the partnership. At the outset, there needs to be a risk-based approach in building the right governance structures and shared ownership. Creating an initial risk register for the establishment of a partnership arrangement could be useful.

The key risks or threats to effective partnership working are:

  • poor or waning partner engagement and commitment
  • scope or goal creep
  • one dominant partner taking over
  • poor information sharing and openness
  • disputes arising from poor performance
  • expectations of external funder not being met
  • lack of agility to change course or respond to changed circumstances
  • not knowing when it might be best to end the partnership
  • poor communication within and outside the partnership.

Partnership working therefore warrants inclusion on the strategic risk register as an area of strategic focus requiring continuous assurance.

Projects and programmes risks

These can range significantly in overall size, complexity, cost, timeframe, and methods of delivery and so there is ‘no one size fits all’ approach to managing risks in projects and programmes. However, there are some standard areas of risk that are worth considering:

Scope creep: A type of project risk that occurs when tasks are added to the project scope without the proper approval of the project management team, causing the scope to grow without control, which has a direct impact on the project schedule and budget.

Performance risk: This occurs whenever work is not progressing as expected, and deliverables and milestones are not accomplished. This can compromise project completion as more resources are potentially needed to complete the project plan.

Financial or cost risk: This occurs when the project goes over the budget initially set. Cost risk can occur because of an unrealistic budget or lack of detailed budgeting in the project planning phase and then subsequent poor financial control, procurement, and supply chain management.

Schedule risk: This is the risk of individual tasks in the project taking longer than expected. Delayed task timelines often impact other things like the budget, completion date or overall performance. This is probably the most common risk in projects, particularly where there are many participants, and understanding the dependencies and scheduling carefully is critical. Project timescales are also often over-optimistic, or are set unrealistically by senior management or external funders, for example.

Resource risk: This occurs if insufficient resources have been allocated to complete the project. Resources may include time, skills, money, or tools. Again, along with the project timeline, the resources needed are often underestimated.

Operational changes: This involves unplanned changes such as in project staffing, changes in senior management, structure changes, savings requirements, or new processes. Such changes can create distractions, require significant adjustments in workflows, and ultimately impact on project timelines.

Lack of clarity: This may come in the form of miscommunication from stakeholders, vague project scopes, or unclear deadlines. The result can be a lack of visibility due to siloed work, going over budget, falling behind project deadlines, changing project requirements, having to change project direction, or disappointing project outcomes.

Often there is great expectation from a project or programme and therefore there is even more pressure for it to be successful in all respects – to deliver its intended benefits, to time and to budget. The biggest single risk to projects and programmes is to underestimate and under-resource the oversight needed.

Project and programme risks – and any major projects or programmes – should also be considered for inclusion on the strategic risk register, regardless of the inherent risk, as an area requiring continuous assurance.

Procurement and contract management risks

A large and increasing proportion of council spend is through contracts in some shape or form. This highlights the importance of ensuring procurement and contract management are efficient and effective, to deliver value for money, maximise added social value and consider environmental factors (to name three critical areas). This is another category of risk that needs careful consideration and assurance.

The council will have specialist procurement staff and contract managers to advise and deal with the strategic and operational aspects, but it is also critical that leaders have an awareness that the key risk areas are being identified and managed appropriately.

The key procurement risks include:

  • inaccurate internal needs analysis and specification writing
  • poor vendor sourcing – not ‘casting the net’ wide enough
  • cartels and price-fixing and other fraud
  • ineffective supplier and vendor onboarding
  • inadequate vendor management
  • price instability
  • resistance to digitalisation leading to poor e-procurement adoption
  • supply chain disruptions
  • manual procurement processes
  • inaccurate forecasting and contract planning
  • weak compliance management and poor compliance
  • budget overspends (and underspends)
  • talent shortage
  • inefficient contract management.

Internal audit and the audit committee should be reviewing the overall arrangements to manage these risks to provide senior management with the necessary assurances. There should also be specific assurances provided for individual and major procurements which are often associated with new IT systems, long-term maintenance, or outsourcing contracts. These carry a higher risk should they fail to deliver the intended outcomes.

Fraud risks

Fraud risk, unfortunately, is an ever-present issue. The profile of fraud is now significantly technology driven or e-enabled with organised crime groups targeting councils as perceived soft targets. Attempts at bank mandate and impersonation fraud are common and so particular attention is needed to have robust vendor checking and layered controls in the ‘procure to pay’ process. There have been cases of significant frauds against councils and other public sector organisations. The increasing use of AI to commit fraud presents a particular threat.

The insider threat has not disappeared of course, and fraud opportunities can emerge particularly where layers of supervision and management have been removed. The financial pressure that individuals and families are under can also give rise to fraud risks. Effective supervision and management may perhaps be harder when staff are working remotely. A new area of fraud risk emerging from the agile approach to work is duplicate employment. This is when someone is employed in two or more places and does not disclose the fact to the other employer(s); because they are not required to go into the place of work at all, or only infrequently, they effectively get paid twice for the same time. Again, there are cases of this occurring in councils.

Most councils will have an anti-fraud team, perhaps linked to internal audit. They should be prompting fraud risk / vulnerability assessments periodically (and as part of the process to prepare the annual governance statement) to raise awareness amongst management of where, in particular, the fraud risks lie.

A suite of easy-to-understand anti-fraud policies, procedures and training is the basic risk mitigation. These should be reviewed regularly, and awareness tested. Having an accessible whistleblowing / confidential reporting process is another key element of tackling fraud and other irregularities. This policy should be well communicated, and its use reported to the audit committee at least annually to give assurance of its effectiveness. The overall risk culture should support openness and an empowered workforce who are able and encouraged to speak up.

This is another wide-ranging area of risk and can touch any part of the council. What is important from a leadership assurance perspective is that the audit committee are looking at the corporate arrangements for preventing fraud, and that if a suspected fraud occurs, an investigation has been undertaken and any lessons from the incident communicated widely. The anti-fraud team should also be proactive in ensuring there is accessible training for general fraud awareness and developing role-specific fraud training in areas like procurement, contracting, payments, cash handling, benefits and other claims, grants, and physical assets.

There is an obvious public expectation and a duty on councils to protect public funds and resources. Ensuring there is a continuous senior management oversight of fraud risk by its inclusion on the strategic risk register would be an effective way to keep this important area visible.

Cyber and IT risk

This area of risk has links and an overlap with fraud. However, what poses an equally significant threat to councils is the risk of disruption to systems, denial of service, viruses, hacking, and ransomware. There have been several incidents where councils have been rendered inoperable for weeks and even months because of a cyber-attack with the costs of recovery rising to millions of pounds: unfortunately, it is probably a matter of ‘when’ rather than ‘if’ an attack is successful.

This requires a strategic approach, and councils need to invest in cyber protection and resilience. This adds an additional element to risk management, a focus on business continuity and resilience, with consideration of how best to respond and deal with an incident occurring. One risk mitigation is cyber-attack simulations, an effective way to test a council’s arrangements and generate better awareness of the threat.

A range of technical risk mitigations will inevitably be in place. To obtain assurance about the effectiveness of these mitigations, senior management, the audit committee and the executive should all receive regular briefings on the council’s cyber resilience measures and particularly its response to any attacks. There should be a designated Senior Information Risk Officer (SIRO) and a Chief Information Security Officer (CISO) as well as the Data Protection Officer (DPO), who together should provide the necessary assurances about cyber, IT and information risk management.

This is another area of council threat that will never go away, and so should feature on the strategic risk register as another area requiring continual oversight and assurance.

It is sometimes helpful to consider potential risks in terms of their general category. Annexe 3 provides a list of risk categories typically used in the identification of risks.


Risk registers

Risk registers are the main vehicle to present the risks and how they are being managed. The detail of them varies significantly between councils but there should be certain elements to enable them to be used for assurance and oversight purposes as well as for the risk owners and action managers to record details of actions. It is important however to recognise that the risk register is not an end in itself, but merely a tool to present risk information.

A good guide for the degree of detail required is that someone unfamiliar with the risk should be able to read from ‘left to right’ and understand:

  • what the risk is, why it is a risk (fully explained) and who owns it
  • the logic to the scoring (if scoring is used)
  • the assessment of current control / governance measures and their effectiveness
  • the rationale and reasons for further actions, the intended impact, any links or dependencies and any resource implications
  • who is responsible for the action and when it will be completed / reviewed
  • the logic to the revised score / assessment
  • a narrative to reflect the status of actions and any problems
  • some degree of assurance / confidence about the ultimate treatment of the risk
  • a reference to the risk appetite for that particular risk
  • date of review / update.

Without that detail it is difficult to see how risk owners and action managers can be held accountable, how progress can be tracked, where management intervention may be needed or how the risk should ultimately be treated.

It is of course not always possible to gain (positive) assurance - but there should be sufficient information in the risk register to be able to come to a conclusion and where necessary instigate further action or information.

A key point is to avoid the term ‘on-going’! Whilst many risk mitigations are indeed ‘on-going’, for the purposes of assurance, there should be a review date included in the risk register to prompt an action to report that the intended impact of the action is indeed still occurring.

Strategic risk registers can also become too high-level and include things that are expressed as risks but are really inevitabilities or matters that require a long-term focus. Using the example highlighted earlier, a common ‘risk’ in strategic risk registers is along the lines of:

'There is a risk of not having sufficient resources.’

This is not a risk; it is an inevitability. The real strategic risk or concern relating to this area would be better articulated in a more positive tone as:

‘Ensuring the council has the appropriate financial management framework in place that enables the council to deal with the resources it has.’

This better focuses management attention on ensuring the financial governance framework is effective, efficient, and complied with. A comprehensive, high-quality governance framework that is consistently complied with remains the key risk mitigation, and the effectiveness of that framework is essential to having assurance about risk management. Such an approach would also apply in relation to safeguarding or health and safety risks.

Question: Is the risk register in your council an end in itself or a prompt to take action where needed?


Reporting risks

The public reporting of risks can be a delicate matter and one of balance.

On the one hand councils are publicly accountable. They are required to publish an annual governance statement (AGS), giving an assessment of the effectiveness of the authority’s governance arrangements, and highlighting where improvements need to be made. As a minimum, the strategic risks should be explained, including how they may have changed during the year and what actions have been taken to mitigate them. On the other hand, however, exposing certain risks the council faces or has been exposed to could be reputationally damaging.

Unless disclosure of risk mitigations, for example cyber resilience measures, would expose the council to even greater risk, then the default position should be to make risk registers public. That said, it is reasonable for the ‘public’ version of the strategic risk register to be in a summary form.

In reports prepared for decision-makers, there should be reference to how any risks associated with the various options have been identified and managed. Unless covered by a legitimate exemption from publication, the reports are publicly available and the risk information also. In councils with the executive system, scrutiny will need to be able to understand the assessment of risks which has informed recommendations.

In essence therefore there should be a presupposition that risk information will be made available to the public. In any event, requests can be made through the Freedom of Information Act that would require disclosure at least in part, subject to legitimate exemptions. Advice about disclosure of information should be obtained from the council’s Monitoring Officer.


Financing risk

There is an inherent cost of risk management in deploying resources to mitigating actions, particularly in the areas of cyber resilience for example. Other direct risk management costs are in the form of insurance premiums.

Not all risks can be insured against, and even where something is technically insurable, the premiums may be prohibitive. Many, if not most councils, will have their own insurance fund or reserve to self-insure. This is usually to minimise external insurance costs and to cover exceptional losses. In simple terms services are ‘charged’ an internal annual premium to maintain the internal insurance fund. Claims are made to the council’s insurance team and, where certain criteria are met, the claiming service will receive recompense. The mechanics and conditions for self-insurance and claims will be more complex than that described, but it is a common and useful vehicle to minimise external costs.

The insurance fund can, as an earmarked reserve, be used to fund risk mitigations. Some councils will have a process to allow services to ‘bid’ for money on the basis that such an investment will reduce risk exposure.

Provisions can also be made where a claim against the council is likely but has not yet been received or paid out. These are earmarked for specific purposes and events. Where there may be a claim against the council but it is less certain in terms of timing or value, a contingent liability is disclosed in the accounts, recognising the possibility. The potential for equal pay claims is a good example where a contingent liability would appear in the financial statements. Once there is greater certainty regarding the claim, a specific provision would need to be made.

In terms of assurance, the Section 151 Officer should make it clear in the budget report as to the level and basis for any provision, contingent liabilities, or reserves. Whilst not necessarily referred to in risk management terms, these are a key part of the strategic approach to managing risk and its implications.


Summary

Effective risk management is an essential part of a local authority’s governance arrangements. The role of those in leading positions is to seek assurance that risks are being identified, acted upon and managed.

Those leaders also have a vital role in ensuring a good risk culture across the organisation, so that everyone understands the contribution that they make to owning and managing risks and all employees and members feel able to speak up where there is a concern that threatens success, delivery, achievement, and good performance.


About the author

Rob Winter FCPFA was a Head of Internal Audit for 25 years in a local authority before retiring from full-time work in April 2024, after a 40-year public sector career. Rob is now an associate with the LGA, delivering training to councillors on the Leadership Academy and Leadership Essentials programmes and has authored the Must know guide: Working with auditors. Rob is also a CIPFA and freelance audit, risk, and governance consultant.


Annexe 1: Some basics of risk management

The risk management process is inherently simple and none of this should be new. It is helpful however to have an awareness and appreciation of what is going on behind the risk registers and reports that ultimately give you the information necessary for good decision-making and assurance.

The risk process is traditionally shown in these broad stages:

  • identify the risks
  • assess the risks (scoring)
  • mitigate the risks
  • re-assess (score) the risks
  • monitor the risks
  • report.

Risk identification

There are a variety of starting points to this. Thinking about what could go wrong, fail, what is the bad event and so on, is the obvious one, but it is also helpful to consider the key objectives of the council and the risk to their achievement. These two basic approaches are likely to overlap somewhat of course, but what matters is what works.

The thinking process is usually in three parts:

  1. The cause, or an event (the risk) which alone or in combination with other events has the potential to give rise to the unwanted situation. This is usually (traditionally) articulated as a possible failure, a loss, a reduction, an inability, or inadequacy, that threatens the achievement of a desired objective, responsibility, or outcome.
  2. The impact is the result of an event or a change in a set of circumstances, either something expected that does not happen or something that is not expected that does happen.
  3. The consequences should the event occur – the results of the impact of an event occurring that affect the objectives.

Risk assessment / scoring

Traditionally, risks are considered in terms of the likelihood / probability of them occurring and the impact if they do.

There are numerous ways that councils describe these factors, and some go into some detail to help the ‘assessor’ determine the most appropriate ‘score.’

These likelihood and impact scores are usually simply multiplied together to determine the risk score. A 4 x 4 or 5 x 5 grid is typically used to grade the risk in terms of red / amber / green. A simple 5 x 5 example is shown below:

Table 8: Colour version of risk assessment / scoring grid (image not reproduced in text)

There may also be a table that provides guidance as to the criteria to score the likelihood and impact scores.

Table 9: Risk assessment and scoring grid criteria (table not reproduced in text)

Risk registers / reporting

Risks are usually captured in a risk register. These can vary from simple Word or Excel formats to quite complicated ones, or may be generated through a specific risk management system. They are important documents / reports and the ones that will provide the best insight, and assurance, into the detail of the key risks. A Chief Executive once said about getting assurance, “if it’s not written down, it didn’t happen”, so risk registers and their supporting information must be an accurate and timely account of the actions undertaken.

Risk registers are not necessarily everyone’s favourite document, so getting the format and detail right is important. They are / need to be:

  • a key management tool
  • a key assurance mechanism
  • a means by which responsible individuals can be held accountable
  • a record of decision-making and positive action
  • a way to demonstrate links to other risks and any resource implications
  • a tool to drive strategic, operational and project meetings (not be the last item on an agenda)
  • owned and managed by the lead responsible officer, and corporately by senior management.

A good guide for the degree of detail required in a risk register is that someone unfamiliar with the risk should be able to read from left to right or top down, and understand clearly:

  • what the risk is, why it is a risk (fully explained) and who owns it
  • the logic to any risk assessment score
  • the existing control / governance measures and their effectiveness
  • the logic to any revised risk assessment score
  • the rationale and reasons for further measures to be taken
  • the risk category (degree of assurance / confidence about the ultimate treatment of the risk)
  • date of review / update.

Many risk registers end up being lists of things – instead, they should really tell the ‘story’ of the risk.
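As an added example (not the guide's or the LGA's own code), the scoring described under Risk assessment / scoring and the 'read from left to right' register checks above, in Python: a 5 x 5 likelihood x impact score graded red / amber / green, and an assurance check that each entry names an owner, carries a revised score, an action manager and date, a risk appetite reference and a review date, and does not hide behind an 'on-going' status. The RAG thresholds, the 12-word description heuristic and the two sample entries are assumptions.

```python
"""Risk register scoring and assurance checks (added example, not the guide's own code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed RAG banding for a 5 x 5 grid (score = likelihood x impact, 1..25);
# the guide's own grid is an image, so these thresholds are illustrative.
RAG_BANDS = ((15, "red"), (8, "amber"), (1, "green"))

def risk_score(likelihood: int, impact: int) -> int:
    """Multiply the two 1..5 scores, as Annexe 1 describes."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return likelihood * impact

def rag_rating(score: int) -> str:
    """Grade a score red / amber / green using RAG_BANDS."""
    return next(colour for threshold, colour in RAG_BANDS if score >= threshold)

@dataclass
class Action:
    description: str
    manager: Optional[str] = None    # who is responsible for the action
    due_date: Optional[date] = None  # when it will be completed / reviewed

@dataclass
class RiskEntry:
    ref: str
    description: str                 # what the risk is and why it is a risk
    owner: Optional[str]
    likelihood: int
    impact: int
    controls: str                    # current control / governance measures
    actions: List[Action] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    status: str = ""                 # narrative on the status of actions
    appetite: Optional[str] = None   # reference to the risk appetite
    review_date: Optional[date] = None

def assurance_findings(entry: RiskEntry, today: date) -> List[str]:
    """List the gaps that would stop a reader tracking progress or holding anyone to account."""
    findings = []
    current = risk_score(entry.likelihood, entry.impact)
    if not entry.owner:
        findings.append("no risk owner named")
    if len(entry.description.split()) < 12:  # assumed heuristic for 'fully explained'
        findings.append("risk not fully explained (description too short)")
    if not entry.controls.strip():
        findings.append("no current controls / governance measures recorded")
    for action in entry.actions:
        if not action.manager:
            findings.append(f"action '{action.description}' has no action manager")
        if action.due_date is None:
            findings.append(f"action '{action.description}' has no completion / review date")
    if entry.residual_likelihood is None or entry.residual_impact is None:
        findings.append("no revised (residual) score")
    elif risk_score(entry.residual_likelihood, entry.residual_impact) > current:
        findings.append("residual score exceeds current score without explanation")
    if entry.appetite is None:
        findings.append("no reference to risk appetite")
    ongoing = "on-going" in entry.status.lower() or "ongoing" in entry.status.lower()
    if entry.review_date is None:
        # 'on-going' is only acceptable alongside a review date that prompts a report.
        findings.append("no review / update date" + (" (status is 'on-going')" if ongoing else ""))
    elif entry.review_date < today:
        findings.append(f"review date {entry.review_date} has passed")
    return findings

def register_summary(entries: List[RiskEntry], today: date):
    """Count entries by current RAG rating and collect the assurance gaps per risk."""
    counts = {"red": 0, "amber": 0, "green": 0}
    gaps = {}
    for entry in entries:
        counts[rag_rating(risk_score(entry.likelihood, entry.impact))] += 1
        findings = assurance_findings(entry, today)
        if findings:
            gaps[entry.ref] = findings
    return counts, gaps

# Constructed sample entries, not taken from any council's register.
SAMPLE_REGISTER = [
    RiskEntry("SR01", "Failure to maintain cyber resilience leaves key systems open to "
              "ransomware, disrupting services for weeks and costing millions to recover.",
              "Chief Information Security Officer", 4, 5,
              "Patching regime, offline backups, awareness training, annual attack simulation.",
              [Action("Run attack simulation with senior leadership", "CISO", date(2025, 3, 31))],
              residual_likelihood=2, residual_impact=5, appetite="Averse",
              status="Simulation scheduled; backup restore tested in January.",
              review_date=date(2025, 6, 30)),
    RiskEntry("SR02", "Not having sufficient resources.", None, 5, 4, "Budget monitoring.",
              [Action("Monitor budgets")], status="On-going"),
]
```

Running `register_summary(SAMPLE_REGISTER, today)` reports both sample risks as red on current score, no gaps for SR01, and seven gaps for SR02, the 'inevitability' style of entry the guide warns against.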

The 4Ts of risk management

So, after the assessment, what are we going to do with the risks? Again, there are four approaches that are considered:

  1. Treat: Basically manage the risk, taking actions to reduce the risk score.
  2. Tolerate: Accepting the risk, perhaps after treatment, or accepting that the cost of further actions outweighs the benefits.
  3. Transfer: Insurance is one way of transferring a risk but also through contracts or collaborations, although that may be a partial transfer with some residual treatment / tolerance needed.
  4. Terminate: Could be that an intended activity just does not start, or an existing activity is going wrong such that it needs to stop, or a change of direction is needed.

Whilst it is useful to think about the 4Ts, in practical terms these are normally considered instinctively through the risk management process.

Risk structure

Risks are often considered in structural layers and presented in risk registers, commonly described as:

  • Strategic or corporate: Those organisation-wide matters that are likely to be of a long-term nature, ones that require continual assurance, or the big-ticket events or changes that need high-level strategic oversight. Also included could be a major project or programme that because of its significance needs to have the highest-level of oversight.
  • Directorate: Those risks that affect a range of services, often related within a directorate. Such risks may include a major service restructure, the implementation of a new system, a major contract or an out- or in-sourcing process.
  • Service: Risks relating to a particular service. Again, such risks could be in relation to a restructure, major contract, staffing issues – capacity and retention, a response to an unforeseen event or complaint.
  • Operational: More likely to be around hazard and event risks, those that threaten the continuity or delivery of a service or function. These can relate to complaints, contracts or restructures, but are more likely to be time limited. Having a focus on operational risks can be a way for service managers to get assurance about day-to-day matters and to keep staff focussed on delivery and performance.
  • Projects / programmes: The risks associated with the delivery of a project or programme covering its initiation, delivery, and post project review. Such risk registers may take a different format if working with a third party or use a format prescribed by a funding body. Regardless of format, it is essential that all the critical information is captured and maintained and that individual risks are properly assigned.
  • Partnership / collaboration: More and more council services are delivered by or through collaborations in some shape or form. Such delivery arrangements create a different type of risk which need careful management and often shared management. Ensuring there is a strong council input or oversight is critical. Such partnership risks can naturally range from the strategic to operational delivery.

It is clearly up to individual councils and their particular contexts to determine and manage their risks and identify the areas requiring assurance.


Annexe 2: An example of a risk management policy statement

The council recognises that it has a responsibility to manage the risks it faces effectively in order to:

  • ensure that statutory obligations and policy objectives are met
  • prioritise areas for improvement in service provision and encourage meeting or exceeding customer and stakeholder expectations
  • safeguard its employees, clients and service users, members, and all other stakeholders to whom the council has a duty of care
  • protect its property and assets including buildings, equipment, vehicles, information and all other assets and resources
  • identify and manage potential liabilities
  • maintain effective control of public funds and the efficient deployment and use of resources to achieve ‘value for money’
  • preserve and promote the reputation of the council
  • support the quality of the environment
  • engage effectively with its partner organisations and wider community
  • learn from previous threats, opportunities, successes, and failures to inform the future management of risks.

Risk management is an integral part of the council’s corporate governance arrangements and has been built into the management processes as part of the Authority’s overall framework to deliver continuous improvement. All members and officers have a responsibility and a role to play in managing risk.

The council will seek to achieve effective risk management by:

  • implementing a Risk Management Framework that is fit for purpose and which complements the other governance processes of the council
  • equipping all employees and elected members with the skills required to identify and assess risk and communicate this appropriately and effectively
  • acknowledging that increasingly risks are shared across partner organisations, which can increase the complexity of analysis and reporting, and that assurances regarding the level of risk may need to be sought from third parties as well as internal sources
  • annually reviewing the effectiveness of risk management and reporting the results as part of the Annual Governance Statement
  • considering on a continuous basis that the council’s approach remains in line with good practice, whilst reviewing the Policy and Framework formally every two years.

Signed:

Leader of the Council

Chief Executive


Annexe 3: Example of risk categories

These can be useful prompts to consider the exposure to certain types of risk.

In using such prompts, it may be beneficial to ‘flip’ the focus to determine how we get positive assurance that the governance and control arrangements in place are effective and efficient and will therefore help to ensure delivery, success, achievement, and performance.

Strategy: Risks arising from identifying and pursuing a strategy, which is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans, or objectives due to a changing environment (for example, political, economic, social, technological, environment and legislative change).

Governance: Risks arising from unclear plans, priorities, authorities, and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.

Operations: Risks arising from inadequate, poorly designed, or ineffective / inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.

Legal: Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets.

Property: Risks arising from property deficiencies or poorly designed or ineffective/ inefficient safety management resulting in non-compliance and / or harm and suffering to employees, contractors, service users or the public.

Financial: Risks arising from not managing finances in accordance with requirements and financial constraints resulting in poor service delivery, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.

Procurement, partnership, or commercial: Risks arising from weaknesses in the management of commercial or other partnerships, supply chains and contractual requirements, that can result in poor performance, inefficiency, poor value for money, fraud, and/or a failure to meet business requirements/objectives.

People: Risks arising from ineffective leadership and engagement, a suboptimal culture, inappropriate behaviours, insufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies resulting in a negative impact on performance.

Fraud: Risks arise where controls are weak and can occur in many aspects of council activity. Fraud against the council is predominantly financially driven, to obtain money from the council in some way, but there are internal fraud risks that can emerge from conflicts of interest, abuse of position, misuse of time. Basic opportunistic fraud threats also exist where an individual just acts impulsively.

Safeguarding: Risks arising from poor practices and awareness, poor management of agency workers or third parties, inadequate record taking and keeping, workload pressures inhibiting case discussions and interventions.

Health and safety: Risks arising from poor operational practices and awareness, failure to undertake risk assessments or report near misses.

Technology: Risks arising from technology not delivering the expected services due to inadequate or deficient systems / processes, a lack of investment and development, poor performance or inadequate resilience.

Information: Risks arising from a failure to produce robust, suitable, and appropriate data / information and to exploit data / information to its full potential.

Security: Risks arising from a failure to prevent unauthorised and/or inappropriate access to buildings and information, including cyber security and non-compliance with UK General Data Protection Regulation requirements.

Project/Programme: Risks associated with transformation and change programmes, projects that are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost, and quality.

Reputational: Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures or poor quality or a lack of innovation, leading to damage to reputation and/or destruction of trust and relations.

Failure to manage risks in any of these categories may lead to financial, reputational, legal, regulatory, safety, security, environmental, employee, customer, and operational consequences.


Annexe 4: Questions to ask to obtain risk management assurance

These questions may assist in assessing the effectiveness of the council’s risk management arrangements. They can equally be asked from the perspective of the audit committee, scrutiny, the executive or senior management, although for the latter it may be more about ensuring the right answers.

The questions are not intended to be exhaustive and not all will be applicable in all circumstances. If the answers to the questions raise concerns, consideration should be given to whether action is needed to address possible areas for improvement.

These questions can be used to look at the overall risk management arrangements, specific strategic or operational risk as well as consideration of risk associated with decision making.

Risk governance and leadership

  1. How is the desired risk culture defined, communicated, and promoted? How is this periodically assessed?
  2. How do human resource policies and performance systems encourage and support desired risk behaviours and discourage inappropriate risk behaviours?
  3. How has the council’s risk appetite been determined and communicated, and how is it reviewed?
  4. How are the audit committee and scrutiny committee supported to consider the management of risks?
  5. How effective are risk information and insights in supporting decision-making, in terms of the focus and quality of information, its source, its format and its frequency?
  6. How are authority, responsibility and accountability for risk management and internal control defined, co-ordinated and documented throughout the organisation?
  7. How well is the risk management process resourced to ensure it can support decision-making and strategic and operational success?
  8. How are the necessary skills, knowledge, and experience of those involved in risk management assessed and supported?
  9. How has the necessary commitment to risk management been demonstrated?
  10. How does internal audit utilise and review the council’s risk management arrangements in their annual planning and audit work?

Integration

  1. How are risks considered when setting and changing strategy and priorities?
  2. How are risks transparently assessed within the appraisal of options and business cases for policies, programmes and projects or other significant commitments?
  3. How are emerging risks identified and considered?
  4. How are risks to the public assessed and reflected within policy development and implementation?
  5. How are risks contained in the National Risk Register considered and recognised in risk assessments and discussions?

Collaboration and best information

  1. How is an aggregated view of the risk profile informed across the organisation, arm’s length bodies and partner organisations supporting the delivery of services?
  2. How are the views of external stakeholders gathered and included within risk considerations?
  3. How does communication and consultation assist stakeholders to understand the risks faced and the organisation’s response?
  4. How is functional and professional expertise used to inform strategies, plans, programmes, projects, and policies?
  5. How do expert functions and professions inform the identification, assessment and management of risks and the design and implementation of controls?

Risk management processes

  1. How are risk categories used to facilitate the identification of risks within the overall risk profile?
  2. How are risk criteria set to support consistent interpretation and application in assessing the level of risk? How effective are these in supporting the understanding and consideration of the likelihood and consequences of risks?
  3. How are limitations and influences associated with the information and evidence used with risk assessments highlighted?
  4. How are interdependencies between risks or possible combinations of events (‘domino’ risks) identified and assessed?
  5. How dynamic is the assessment of risks and the consideration of mitigating actions to reflect new or changing risks or operational efficiencies?
  6. How are exposures to each principal risk assessed against the nature and extent of risks that the organisation is willing to take in achieving its objectives – its risk appetite – to inform options for the selection and development of internal controls?
  7. How are decisions made in balancing the potential benefits of the design and implementation of new or additional controls with the costs, efforts, and any disadvantages of different control options?
  8. How are contingency arrangements for high impact risks designed and tested to support continuity, incident and crisis management and resilience?
  9. How is the nature, source, format, and frequency of the information required to support monitoring of risk management and internal control defined and communicated?
  10. How are new and changing principal risks highlighted and escalated clearly, easily, and more rapidly when required?
  11. How comprehensive, informative, and coordinated are assurance activities in helping achieve objectives and in supporting the effective management of risks?

Continual improvement

  1. How are policies, programmes and projects evaluated to inform learning from experience? How are lessons systematically learned from past events?
  2. How is risk management maturity periodically assessed to identify areas for improvement? Is the view consistent across differing parts or levels of the organisation?
  3. How are improvement opportunities identified, prioritised, implemented and monitored?

Questions for Scrutiny to ask regarding risk management

The Centre for Governance and Scrutiny provides an extensive list of questions about risk management from a scrutiny perspective. These can be accessed in their publication Audit, scrutiny, and risk.