3. The role of members

Responsibilities

35. Elected members are responsible for governing the delivery of services to the local community. Failure to deliver services efficiently and high-level incidents and scandals often result in the public questioning the competence of those in charge. It often transpires that such failures and scandals could have been avoided if proper governance procedures had been operating effectively. Such questions can impact on the public perception of individual members or the council as a whole. Members have a responsibility to understand the strategic risks that their council faces, and to decide how these risks should be managed. They should not seek to avoid or delegate this overall responsibility as it is key to their stewardship responsibilities. Members should:

  • seek implementation of a strategic risk management process as soon as is practical, as it is of critical importance now;
  • agree on the member and officer structures for planning and monitoring risk management across the authority;
  • correctly position risk management as a strategic and operational tool that can help officers and members to meet the new and existing challenges and demands facing them, rather than as a mere compliance exercise;
  • promote the desired mindset and attitude that is essential for successful implementation and robust, ongoing risk management processes;
  • view the process as a significant change management exercise: there is no ‘quick-fix’ solution and the right level of resources will need to be committed to implementation and training over the medium term;
  • take a top-down approach, focusing on issues of corporate significance rather than a ‘bottom-up’ exercise which would be too large for members themselves to manage – although members should require officers to summarise the main messages emerging from the operational level, and from best value and risk self-assessment workshops, for example; and
  • aim for continual improvement on a longer-term basis.

Key tasks for members

36. Members need to determine within existing and new leadership structures how they will plan and monitor the council’s risk management arrangements. They should:

  • decide on the structure through which risk management will be led and monitored;
  • consider appointing a particular group or committee, such as an audit committee, to oversee risk management and to provide a focus for the process;
  • agree an implementation strategy;
  • approve the council’s policy on risk (including the degree to which the council is willing to accept risk);
  • agree the list of most significant risks;
  • receive reports on risk management and internal control – officers should report at least annually, with possibly interim reporting on a quarterly basis;
  • commission and review an annual assessment of effectiveness; and
  • approve the public disclosure of the outcome of this annual assessment, including publishing it in an appropriate manner.

37. Members must support and monitor both the initial implementation and the ongoing risk management processes. This includes:

  • embracing risk management in a positive way to:
        – drive service and organisational improvement;
        – assist in the achievement of council objectives;
        – ensure that sensible management decisions are taken;
        – minimise the likelihood of things going wrong and their potential impact; and
        – provide a framework to meet new challenges; and
  • promoting the right management culture on an ongoing basis. Most problems that materialise are likely to be people-based and arise through lack of proper application of management processes rather than through weaknesses in systems.

Exactly how members approach these tasks from an organisational perspective is a matter for them to decide in the context of their own governance arrangements.

Developing an implementation strategy

38. Members will need to approve a strategy that covers all aspects of implementation, and includes a number of key features [BOX F].

BOX F The features of an implementation strategy
  1. Discussion about the need for better risk management.
  2. Identification and prioritisation of areas of change, business objectives, critical success factors and risks that may be significant.
  3. Identification of related significant risks that could undermine:
    • the quality of service provision;
    • the reputation of the council;
    • the reliability of internal and external reporting;
    • the safeguarding of assets from inappropriate use, loss and fraud; and
    • liabilities being identified and managed properly.
  4. Identification of key tasks to be completed in order to:
    • develop risk management strategies and a risk management policy document;
    • consult throughout the council;
    • develop the ‘risk culture’ at all levels of the council;
    • provide the senior management and council with early warning mechanisms; and
    • monitor and report on the system of internal control. 
  5. Setting out the role of members, officers and council committee(s).
  6. Allocation of:
    • resources (as necessary), including nominated champions;
    • responsibility for each stage of the plan; and
    • responsibility for the management of each significant risk.
  7. Timetable.
Source: Audit Commission

39. Implementing a risk management strategy poses a number of challenges as described below.

Committing the right level of resources

40. There is no ‘quick-fix’ solution that results in ongoing risk management systems. Members must commit sufficient resources to risk management both from an implementation perspective and to ensure that systems are sustainable. Nominated risk champions should be appointed with sufficient authority to bring about change, and their roles and responsibilities should be clearly defined within the strategy.

Building on existing processes

41. It is unlikely that councils will need to start from scratch, as many features of risk management will already be in place in most cases. Risk management implementation should, therefore, adapt, improve and codify existing processes. New systems should be introduced only where necessary. Rolling out a separate ‘risk management’ initiative should be avoided, particularly where a major change initiative is already underway, be it a national one such as best value, or a local one such as improving staff performance through annual appraisal based on personal objectives. Incorporating the principles of effective risk management into existing planning and management processes is likely to be the most efficient implementation approach.

42. To ensure that risk management delivers value it needs to be integrated into day-to-day management practice and to involve a degree of formality and consistency. This provides senior management with a ‘window’ on the entire organisation so that they can appreciate clearly the significant risks and how they are being managed. Achieving this in practical terms involves:

  • an analysis of how risks are currently identified and by whom;
  • reviewing how decisions are made on what risks to take and which exposures need to be controlled; and
  • deciding how and what risk data need to be reported to senior management and when.

43. One simple example of an improvement in day-to-day practice would be the inclusion in reports to committee of an explicit section on the risks associated with a decision and the steps to be taken to manage those risks.

Getting the process right

44. A well-established but flexible process for good risk management needs to be put in place to address the rapid changes with which local authorities are being asked to cope in the period ahead. However, risk management cannot, and should not, be ‘sold’ for its own sake. It should be linked to the top concerns and priorities of members and senior management, and should be positioned as a framework to help meet the council’s objectives and improvement targets and to deliver best value.

45. There may well be resistance to the process. Senior management is likely to challenge, for example, whether there will be a sufficiently independent-minded assessment of the risks identified by their employees; whether enough attention will be directed to the fraud risks or the risks around service delivery to the public; whether the extra resources needed to manage risks are warranted; and whether sufficient recognition is being given to what is being done already. Bruising experiences along the way and a high level of intellectual debate are to be expected.

Adopting a ‘top-down’ rather than ‘bottom-up’ approach

46. Members should be concerned with ‘significant’ risks – that is, those that could potentially have an effect on a council’s ability to achieve its objectives. Implementation of the high-level risk management strategy should, therefore, be on a ‘top-down’ basis, focusing on matters of key strategic and operational importance.

47. The ‘top-down’ approach will help to avoid the problem of risk overload that can result from a ‘bottom-up’ approach, where more detailed operational risks are identified. The results of this more detailed analysis, typically associated with risk self-assessment workshops, can be used to inform the wider top-down corporate risk analysis but should not dominate it. It can also help to ensure that proper systems of control are in place to manage risks that are not considered significant for the purpose of regular reporting to members. However, for the organisation as a whole, it is the high-level risks that really matter.

Formulating risk policy

48. Members will need to formally establish their attitudes to risk – namely the degree to which they are willing to accept it – at an early stage in the process, and have this documented within an overall policy statement on risk management. This is important because risk management is fundamentally about supporting employees within organisations in making informed decisions about risk taking and the degree of control required.

49. A council’s approach to risk sets the overall parameters within which operational managers should consider the acceptability of each risk. It also helps to determine the trigger points for reporting incidents and for escalation procedures.

50. If the approach to risk is not established and communicated effectively at the start of the process, it is likely that different managers will gauge potentially significant risk areas on an inconsistent basis. This can lead to either acceptable risks being ‘over controlled’, or worse, to unacceptable risks being taken and not being reported.

Regular monitoring and reporting

51. Members must satisfy themselves that the risk management system is functioning effectively and in a manner that they have approved. Members need to ask themselves a series of questions.

BOX G Questions that members should ask

  • Is the external environment regularly monitored?

  • Is risk and control monitored on an ongoing basis?

  • Is risk embedded within regular reporting routines?

  • How are risks in the council being reported?

  • How often are risks being reported?

  • Who is responsible for reporting risks?

  • Are early warning mechanisms focused on risk?

Source: Audit Commission

52. The two elements of effective monitoring are:

  1. An ongoing review process.
  2. An annual assessment.

Ongoing review process

53. An ongoing review process is itself split into two parts, the results of both of which act as inputs to the annual assessment.

1. Regular risk reports

Those members given a direct role in monitoring or scrutinising risk management and internal control within the council (for example, the audit committee) should receive regular reports that assess any significant risks, and the internal control system’s ability to manage them effectively. The reports should also identify any significant control failings or weaknesses, their potential or real impact, and the corrective actions being taken. These reports will enable members to understand and challenge:

  • the significant risks, and how they were identified, evaluated and managed;
  • whether the reports indicate any new significant risks;
  • whether risks previously identified as being significant remain so;
  • the effectiveness of the internal control system in managing the significant risks and whether changes need to be made to control systems;
  • whether any current or possible future failures or weaknesses exist in the system of internal control and the promptness of corrective actions in response to their identification;
  • whether control strategies need to be changed;
  • whether the findings require a more extensive monitoring process;
  • whether the risk management policy document needs to be updated;
  • how quickly the council can respond to any changes that are identified; and
  • the existing communication network and whether it is effective, or if changes are needed.

The reports should be made to relevant members on a regular basis (at least annually, with possibly interim reporting) to ensure that members have an up-to-date picture of the council’s current control situation. It is effectively a process of continuous assessment that needs to ensure that all significant aspects of the council’s business have been addressed. The results of these risk reports and the related reviews that have taken place during the year are the first source of information for the annual assessment.

2. Monitoring

In addition to regular risk reports, risk implications should be considered as a matter of routine within other reports that the council’s internal control framework generates. The risk assessment element of the ongoing review process is an important source of information for the annual assessment.

The annual assessment

54. The annual assessment should consider issues dealt with in reports reviewed during the year, together with any additional information necessary to ensure that members have taken account of all significant aspects of internal control for the year under review and up to the date of approval of the annual accounts. The annual assessment should, in particular, consider:

  • the changes since the last annual assessment in the nature and extent of significant risks, and the council’s ability to respond to changes in its business and the external environment;
  • the scope and quality of management’s ongoing monitoring of risks and of the system of internal control, and, where applicable, the work of its internal audit function and other providers of assurance;
  • the extent and frequency of the communication of the monitoring results to the council (or council committee(s)) which enables it to build up a cumulative assessment of the state of control in the council and the effectiveness of risk management;
  • the incidence of significant control failings or weaknesses that have been identified at any time during the period and the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the council’s financial performance or position; and
  • the effectiveness of the council’s public reporting processes.

55. Should the council become aware at any time of a significant failing or weakness in internal control, it should determine how the failing or weakness arose and reassess the effectiveness of management’s ongoing processes for designing, operating and monitoring the system of internal control.

Reporting on risk management and internal control

56. As a direct result of the annual assessment, councils should publish a statement, attached to the annual statement of accounts, summarising the main processes that have been in place for risk management and internal control, and the findings of the annual review of their effectiveness. This statement should be approved by both members and officers and may be reproduced or expanded in other published council material such as the best value performance plan. The statement should be designed to give assurance to the local community and other stakeholders on the risk management processes in place and to disclose where action is being taken to further improve those processes.

57. The CIPFA/SOLACE paper Corporate Governance in Local Government: A Keystone for Community Governance (Ref. 2), provides an example statement of assurance for local government that specifically refers to risk management.

4. What senior officers can do to implement better risk management

Introduction

58. The role of senior officers is to implement the risk management policy agreed by members. This section seeks to help officers to meet their responsibilities and directs them towards a high-level, risk management approach to establishing a sound system of internal control, covering all types of risk. Drawing on current best practice it is suggested that councils should focus on opportunities as well as seeking to deal with potential threats.

59. This section is not intended to be prescriptive in terms of the methodology or implementation approach adopted. It does, however, offer practical guidance to senior officers on implementation, drawing on lessons learnt elsewhere in both the private and public sectors. Chapter 5 sets out pitfalls to be aware of, while Appendix 2 includes an implementation checklist.

Who should lead the implementation?

60. It is important that the chief executive is the clear figurehead for implementing the risk management process by making a clear and public personal commitment to making it work. However, it is unlikely that the chief executive will have the time to lead in practice, and as part of the planning process, the person best placed to lead the risk management implementation and improvement process should be identified and appointed to carry out this task. Other people throughout the organisation should also be tasked with taking clear responsibility for appropriate aspects of risk management in their area of responsibility.

Internal audit’s role

61. Internal audit has a vital role to play in challenging established risk management processes, challenging risk identification and evaluation, and more fundamentally, in providing assurance to officers and members on the effectiveness of controls. This important role should, however, be separated from the activity of establishing and operating risk management processes and control structures. This should remain the responsibility of line management.

What could the process look like?

62. Risk management should be viewed as an ongoing process with the focus on continual improvement. Councils should consider following a number of key steps, taken from Implementing Turnbull: A Boardroom Briefing (Ref. 9), published by the Institute of Chartered Accountants in England and Wales, for putting risk management into effect [EXHIBIT 4, overleaf].

EXHIBIT 4 Key steps to putting risk management into effect
Councils should consider following a number of key steps to implement risk management.

Source: Implementing Turnbull: A Boardroom Briefing (Ref. 9)

63. When implementing more formalised risk management systems councils should take account of the following:

  • Be pragmatic: Authorities should recognise that the process is not intended to eliminate risk and that not all identified risks can be managed all of the time. Furthermore, risks will still exist that have not been identified. What is important is that the culture is one of continuous learning, with risk management processes being adapted based on lessons learned.

  • Do not make the processes over complex: In particular, councils should avoid risk overload. The risks that are identified should make common sense and should be linked to senior management’s top concerns. Risks should be prioritised and the focus should be on those that are significant in the context of the council’s objectives.

  • Ensure that the process to be followed fits in with their individual circumstances and culture: Elected members and officers may, therefore, decide that only some of the suggested practices are appropriate to their circumstances.

Keeping things simple

64. Risk management procedures should be kept as simple and straightforward as possible. Local authorities are, of course, governed by wide-ranging statutes that may require particular control procedures, and specific grants from bodies such as central government may require specific conditions to be met. However, beyond such considerations, there is no business sense in maintaining procedures in areas where costs outweigh the benefits to the council [EXHIBIT 5, overleaf].

Linking risks to objectives

65. Risk management and internal control are firmly linked with the ability of the council to fulfil clear corporate objectives, objectives that are examined on an ongoing basis through the rigours of the best value review process, and in particular, the challenge and consultation aspects. Risk management can be used to reinforce what senior management and the council are seeking to achieve. By embracing risk management in this way councils will focus on opportunities for the council as well as on dealing with possible threats. If risk management is to be effective there must be a clear link between objectives and risks. It is, therefore, essential that risk management is embedded in the planning processes.

Identifying risks

66. Whatever techniques are employed to identify risks, the risks must relate back to the objectives of government, the local authority and the function or specific project in question. If the objectives are not already explicit, they will need to be made so. It is important to think about the types of risk that may be identified and to organise them into broad categories. This will help to ensure that issues are not overlooked and will aid in the documentation of the process. Examples of typical risk categories were illustrated in Box E.

EXHIBIT 5 Risk management procedures should be kept simple and straightforward
Authorities should avoid unnecessary complexity and cost in their risk management procedures.

Source: Audit Commission

67. Risks can be identified in a number of ways, for example, by considering:

  • critical success factors in the context of objectives;
  • the services that the council provides;
  • the business process risks;
  • how people might behave in different situations;
  • the quality of the management team;
  • the changing internal and external environment; and
  • the reactions of the public, the local community or relevant service users.

68. Useful questions to ask include the following:

  • What are the major opportunities for the council?
  • How is change affecting the risks faced and the risks that the council has chosen to take? (Areas subject to change are often the biggest areas of risk.)
  • What are the ‘killer risks’ from which the organisation would be unable to recover?
  • What damaging press headlines need to be avoided?
  • What problems have happened in the past at the authority or elsewhere?
  • What are the types of fraud and business probity issues to which the council could be particularly susceptible?
  • What are the major regulatory and legal risks to which the council is exposed?
  • What risks arise from the business processes?

69. In particular, senior officers need to carefully analyse and address the risks associated with major change programmes. In some parts of the public sector, given the scale and pace of change, change programme risks need to be given as much attention as ongoing risks. Senior officers must also consider strategic risks as these are becoming increasingly important. Risk management makes sense when making strategic decisions not only at the time but also in hindsight, to justify or explain the decisions taken.

Prioritising the risks

70. A problem often encountered in both public and private sector risk management, already alluded to in this paper, is the identification of too many risks. Local authorities are no exception. The identification of too many risks is unwieldy, impractical and frightening even if the risk assessments seem to be comprehensive and thorough. It could result in the risks being poorly assessed and may lead to disillusionment with the process. Best practice suggests that the number of risks must be kept to a manageable level. Officers and members will need to consider formally which risks are significant. Experience from other sectors shows that even in the biggest authority there are unlikely to be more than 30 significant risks, in the context of the council as a whole, and that any more than 30 may cause risk overload.

71. The following diagram for risk prioritisation is widely used. Officers need first to undertake an initial prioritisation which is an assessment of the likelihood and impact assuming that the controls are weak or non-existent [EXHIBIT 6].

EXHIBIT 6 Risk prioritisation
An assessment should be undertaken of the impact and likelihood of risks occurring.

Key:
  A – immediate action is needed
  B – consider action and have a contingency plan
  C – consider action
  D – keep under periodic review
Source: Audit Commission

72. In order for the scales to be understood by everyone taking part in the assessment, they need to be made meaningful. This will require some thought, and is best done after the risks have been identified. All types of potential impact need to be considered when making the initial prioritisation including, most importantly, the potential impact on the achievement of the council’s objectives. Rating likelihood tends to be more straightforward – for example, likelihood may be never, once a year, four times a year, once a month, all the time. Whatever scales are used, it is important that they are relevant to the organisation, easily understood and provide a common formula for those taking part in the process to undertake the initial prioritisation effectively.

Assessing exposure and establishing appropriate control strategies

73. Having identified and prioritised the significant risks in gross terms, it is helpful to determine for each significant risk:

  • whether the members wish to accept the risk;
  • the control strategy, namely the measures needed to avoid or mitigate the gross risk (that is, the level of risk before the application of control processes);
  • who is accountable for managing the risk and maintaining and monitoring the controls;
  • the residual risk (that is, the risk remaining after the application of the control processes); and
  • early warning mechanisms.

74. Taking each of these points in turn we can see the following:

  • Each risk should be considered in the context of the council’s objectives. Members should decide whether the identified risks exceed the benefits that will be obtained by achieving the objectives – that is, is it worthwhile to continue with a particular objective if the risks outweigh the reward? If the decision is to carry on, members must decide how to respond to the risk by adopting specific control strategies.
  • Control strategies include:
        – accepting or tolerating the risk;
        – transferring the risk (for example, by passing it on to another party by changing contractual terms);
        – elimination of the risk;
        – planning to deal with service interruption without disturbing business continuity to a material extent;
        – control (by building control into the operational process, additional quality control, involving the best people in managing it);
        – sharing the risk with another party;
        – insuring against some or all of the risk to mitigate financial impact; and
  • Delegation of responsibility for managing risk in totality should not be allocated to a single individual. Ideally, it will be spread across those responsible for managing different business activities. Risks cannot be effectively managed unless they are owned. A written record should be maintained of who is responsible for managing each key risk, and the allocation of responsibilities should be kept under review as both the risks and the people in the council will frequently change. Responsibility should be assigned for correcting control weaknesses and for general action plans so that progress can be effectively monitored.
  • Consideration should be given to determining the level of risk remaining after the application of the control strategy. A key point to note is that it is not possible to eliminate risk entirely. Risk management policies need to be aligned with the council’s objectives. Some risks will result from the pursuit of objectives, and other risks may simply be unaffordable to control. For example, the risk of snow-blocked roads twice every five years is unlikely to justify expenditure on permanently owned snowploughs. Officers need to know their own risk profile and how to manage it. Where there are risks, they must be identified and they need to be well thought through.
  • Early warning mechanisms are reporting processes that enable the council and senior management to be alerted before a problem becomes a disaster, and at a stage when action can be taken to mitigate or overcome the situation. The idea behind ‘key risk indicators’ as a form of early warning mechanism is to give early indication of potential problems so that corrective action can be taken promptly. Broad staff awareness of these key risk indicators and genuine encouragement of discussion and the disclosure of potential problems are paramount to ensuring risk prevention or prompt reporting of risk incidents to the right people within the council. The creation of a culture of openness and the early warning of problems will stand organisations in good stead, regardless of the other risk management processes in place.

Levels of consultation

Involve a wide range of stakeholders

75. Throughout the risk management process it is essential to gain the input of a wide range of stakeholders including, for example:

  • employees at all levels, including trade union representatives;
  • other departments with whom there is a strong interface;
  • other internal experts; and
  • external stakeholders.

76. It will also be useful to read what is being said about the council in the media. Other people’s perceptions are vitally important because the council’s reputation is at stake.

Actively involve only those employees who can influence significant risk

77. In an ideal world it would be good to involve ‘all employees’ in the risk management process, but, in practice, this often delivers little extra value for a very significant level of resource input. Councils should only actively involve relevant employees, which means those who are directly responsible for, or who can influence the management of, a ‘significant’ risk. However, merely making changes at the management level is not enough. In order to make the risk management system embedded and ongoing, it is essential that employees understand their role in the process and can see why they should be concerned with risk. Operational staff have direct contact with the public and so can have a huge impact on the external reputation of an organisation.

78. All employees need to be aware of the importance of risk management and the role that they can play in promoting better risk management within the council. This distinction should be reflected in training programmes and the approach that is adopted. Examples of practical issues to consider include the following:

  • Changes to practice and systems: Councils should actively involve all those that the proposed changes affect and the extent of involvement will vary for each risk. For example, health and safety changes may require widespread consultation, whereas the risk of changes to the overall funding mechanisms may be managed by only one or two people. It is important to keep the focus on significance and to ensure the correct balance between time invested and value achieved.
  • Awareness of objectives, responsibilities, key risks and how individuals’ actions can affect the council: This awareness needs to be achieved on a widespread basis throughout the council’s operations and may include specially targeted publications, videos and other staff communications.

Listen carefully to what the stakeholders say

79. It is not enough to identify what the risks are. It is important to prioritise them and to determine what the root causes are. Senior officers need to listen carefully to operational staff and to study the environment within which they are having to work. Frequently, this is the area where the public interfaces with the council and where the reputational consequences of the quality of risk management are won or lost. A good example of listening to stakeholders is benefit fraud. From a departmental perspective this may be viewed as a financial risk but it is also a publicity/stakeholder risk since the public ask why fraudulent claims are not being rejected and why scarce resources are being misapplied.

Communication throughout the process

80. Effective communication is critical to the implementation and the ongoing success of risk management. This requires consultation on the reasons driving the change, the benefits that will result and the interventions that will facilitate the change. The objective must be to provide timely, accurate and straightforward communication in order that all stakeholders understand the implications of the change.

Addressing change management issues

81. Risk management implementation will require good understanding and anticipation of the human resource and cultural issues to identify ways to break down the barriers. There are several key steps that senior officers should take to reduce resistance to change and to increase the effectiveness of the process:

  • provide a clear explanation of why, and over what period of time, risk management is being implemented;
  • identify change champions, as to be successful the change must have a driving force;
  • communicate, as it is critical that people are fully informed about how they will be affected by the change and what the overall strategy and objectives are; and
  • create visible successes, as early successes show that positive returns are attainable and this helps to generate and maintain momentum for the change process.

82. There are a number of potential hurdles to be overcome:

  • misconception of change: if change is viewed as an event then it will be just that, a single event and not a process;
  • tunnel vision: focus must be on the desired changed state, with careful attention to each of the required steps to reach it;
  • inappropriate goals: milestones must be set that will create early success and a sense of progress. These should be meaningful and realistic;
  • forgetting the ‘people issues’: providing assurance to staff on the effect of change on existing human resource processes, for example, reward systems, is important but can be forgotten in the desire to deliver change efficiently; and
  • underestimating the level of resources needed: it is critical that appropriate resources are provided to enable the change to take place.
