5. Pitfalls to be aware of and conclusions

83. Based on the experiences of risk management across the sectors, there are a number of important lessons to be learned by those seeking to strengthen their existing risk management arrangements. The most common pitfalls are summarised in Box H.

BOX H Pitfalls to avoid
  • Lack of member involvement.
  • No clearly-defined risk management policy.
  • Lack of planning and buy-in – no clear implementation strategy.
  • Failure to identify clear objectives.
  • Viewing risk management as a compliance exercise.
  • Failure to consider risk in the broadest context.
  • Establishing risk management as a separate initiative.
  • Failure to link risks with corporate objectives.
  • Risk management systems that are too complex.
  • Failure to prioritise and focus only on significant risks.
  • Lack of clearly identified roles and responsibilities.
  • Inadequate focus on control strategies and risk exposure.
  • Inappropriate or no risk champions identified.
  • Lack of consultation throughout the process.
  • ‘Bottom-up’ rather than ‘top-down’ approach.
  • Lack of regular monitoring and reporting.
  • Poor communication.
  • Not addressing the change management issues from a human resource and cultural perspective.
  • Inadequate resourcing and training.
 Source: Audit Commission

Conclusions

84. Every organisation faces risks and threats to its success. Local government faces a particularly wide-ranging set of risks because of the diverse range of its activities and the extensive changes taking place under the Government’s modernisation agenda. The need for effective risk management in local government has probably never been greater as public expectations increase and tolerance of failure by public service organisations reduces by the day.

85. This management paper has been prepared to serve as a practical guide to local authority members and officers as they grapple with the need to manage risk ever more effectively, but with limited resources. The paper has been designed to help with the implementation and monitoring of risk management throughout the organisation, and has set out the pitfalls to avoid as well as good practice guidance. No councillor or senior officer wants to be taken to task by the local or national press for failing to address identified risks satisfactorily. Application of the guidance in this paper should help to avoid the possibility of this happening.

Appendix 1

Private sector developments in governance and risk management

Why is there a need for better governance and risk management?

Over the years there have been a number of major incidents in the private sector that have given rise to adverse publicity and adverse financial effects for companies. These have driven the need for change in the governance arena and formed the backdrop to the Cadbury Report (Ref. 10) on governance and subsequent reports. In addition, recent initiatives have been necessary to:

  • reduce the likelihood of poor performance;

  • improve transparency, disclosure and accountability; and

  • address problems that have their roots at the top of the organisation.

Summary of initiatives

There have been significant advances in governance and risk management practices throughout the private sector in recent years. The publication of the Cadbury Report in 1992 (Ref. 10) firmly established corporate governance on the agenda of UK companies. The Cadbury Report was restricted to those aspects of corporate governance specifically related to financial reporting and accountability, namely the control and reporting functions of PLC boards, and the role of auditors.

The Cadbury Report led to an increased focus on risk management and control by recommending that directors should make a statement in the report and accounts on the effectiveness of their system of internal control and that auditors should report thereon. This recommendation was taken up by the Rutteman Committee which developed a framework for reporting on internal financial control.

Since then, the governance debate has been moved on by Greenbury (1995) (Ref. 11), who looked at wider aspects of corporate governance, and the Hampel Committee (Ref. 12), which recommended in January 1998 that the original Cadbury recommendation for a public statement on the effectiveness of the entire system of internal control be re-affirmed. Subsequently, the Turnbull Committee was charged with putting such a framework for reporting on the broader aspects of control into place to meet the London Stock Exchange’s requirements for companies who were, or who sought to be, listed on the Exchange.

These requirements are set out in the Combined Code of the Committee on Corporate Governance (Ref. 13). These initiatives are not only UK focused. Other countries have been establishing risk and control guidelines in parallel. For example, the Australian and New Zealand standard on risk and control underpins much of the current guidance issued by the NHS Executive for implementation in the health sector.

The Turnbull guidance

‘Turnbull’ (Ref. 3) refers to the guidance for directors on the Combined Code and Internal Control (Ref. 13) produced by a working party, chaired by Nigel Turnbull, which provides a framework for reporting on the broader aspects of control. Although the guidance was not intended originally for the public sector, many in the sector are seeing that it is of considerable relevance to them as a source of what can be done to bring about improvement.

The guidance was developed in response to pressure within and on the corporate sector to report on the review of effectiveness of not only internal financial control but also the wider aspects of control. There was also a general feeling that there was a need to go beyond the mere annual box-ticking approach which was frequently associated with statements of internal financial control within the corporate sector. The Turnbull working party was particularly keen to move away from risk management and control as an exercise purely for the sake of compliance. An opportunity was seen, therefore, to link risk management and control to the achievement of the organisation’s objectives. The working party also positioned risk management and control as something that does not overlay, but is integral to, operational activities and which does not need to create bureaucracy, added costs and delay.

Key elements of the Turnbull recommendations

The Turnbull recommendations (Ref. 3) are tough and include the following:

  • A need for directors to be publicly accountable for internal control, which helps to ensure the quality and reliability of internal and external reporting and facilitates the effectiveness and efficiency of operations, helping to ensure compliance with laws and regulations.

  • A requirement for directors not only to perform an annual assessment of internal control, but also to consider reports relating to risk and internal control regularly during the year.

  • Specific reference that the system of internal control should:
      – be embedded in the operations of the company and form part of its culture;
      – be capable of responding quickly to evolving risks to the business arising from factors within the company and changes in the business environment; and
      – include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified along with details of corrective action being undertaken.

  • Guidance about the respective roles of the board, management and employees. The guidance states that reviewing the effectiveness of internal control is an essential part of the board’s responsibilities, and that the board will need to form its own view on the effectiveness after due and careful enquiry based on the information and assurances provided to it. It also states that management is accountable to the board for monitoring control and for providing assurance that it has done so.

  • Guidance on what is expected from reports to the board and on the matters to be considered regularly during the year.

Under Turnbull (Ref. 3), listed companies are required, for accounting periods on or after 23 December 1999, to make disclosures regarding the maintenance of a sound system of internal control, although transitional disclosure options were available in the first year. The key Turnbull disclosures are as follows:

  • Acknowledgement by the board of its responsibility for internal control.

  • That there is an on-going process for identifying, evaluating and managing the organisation’s significant risks, and that it is regularly reviewed and accords with the guidance.

  • A summary of the process that the organisation has applied in reviewing the effectiveness of the system of internal control.

  • The process that the organisation has applied to deal with the material internal control aspects of any significant problems that have arisen in the annual report and accounts.

Appendix 2

Implementation checklist
Question        Yes/No Priority/Lead Person
MEMBERS
1. Is there sufficient member involvement in, and support for, risk management?    
2. Has the structure by which members plan and monitor risk management been agreed?    
3. Have members approved a risk management policy?    
4. Has a strategy been approved by members, summarising the key elements of implementation?
5. Has the commitment of senior management been secured?    
6. Have sufficient resources been deployed?    
7. Have members agreed a list of the most significant risks?    
8. Do members regularly receive reports on risk management and:
  • is risk embedded within regular reporting routines?
  • has responsibility been assigned for reporting risks?
9. Are there ongoing monitoring procedures for risk and control?    
10. Have procedures been agreed for the annual assessment of effectiveness?
Does the annual assessment consider:
  • the changes since the last annual assessment in the nature and extent of significant risks?
  • the scope and quality of management’s ongoing monitoring of risks and of the system of internal control?
  • the extent and frequency of the communication of the results of the monitoring to the council?
  • the incidence of significant control failings or weaknesses identified at any time during the period and the extent to which they could have impacted on the council’s financial performance or condition?
  • the effectiveness of the council’s public reporting process?
   
11. Has an approval process been agreed for public disclosures on effectiveness?    
12. Have roles and responsibilities been clearly identified?    
OFFICERS/IMPLEMENTATION
13. Have the officers who will serve as risk assessment champions been identified and briefed?
14. Has the role of internal audit in the process been defined?    
15. Is the proposed system reasonably simple?    
16. Does the process fit with your authority’s circumstances and culture?    
17. Is the process ‘top-down’ rather than ‘bottom-up’?    
18. Are officers focusing on performance improvement rather than on compliance?    
19. Does the formalised risk management system build on existing processes rather than on introducing new ones?     
RISK IDENTIFICATION    
20. Has proper emphasis been given to the identification of objectives?
21. Has a clear link been made between objectives and risks?    
22. Has an attempt been made to consider risk in the broadest context giving consideration to factors such as:
  • the services that the council provides?
  • partnerships?
  • the business process risks?
  • how people might behave in different situations?
  • the quality of the management team?
  • the changing external environment?
  • the changing internal environment?
  • likely reactions of the public, the local community or relevant service users?
   
ASSESSING THE SIGNIFICANCE OF RISKS
23. Has an attempt been made to prioritise risks according to impact and likelihood?     
24. During the risk identification process has an attempt been made to make the likelihood and impact scales comprehensible to all users?    
25. Are lower-priority risks regularly reviewed?    
 

Appendix 3

Members of the advisory group

This paper has been prepared by the Audit Commission with contributions from and special thanks to: Richard Flatman at Deloitte & Touche, the principal author of this paper.

Members of the advisory group:

  • Martin Scicluna, Deloitte & Touche – Chairman
  • Mike Barnes, Audit Commission
  • Keith Beaumont, Local Government Association
  • Peter Bounds, Audit Commission
  • Sheila Boyce, ALARM
  • Tony Crawley, Audit Commission
  • Richard Cummins, Wycombe District Council
  • Stuart Emslie, NHS Executive
  • Ian Fifield, Chartered Institute of Public Finance and Accountancy
  • Richard Footitt, Department of Transport, Local Government and the Regions
  • Nigel Johnson, Deloitte & Touche
  • David Richards, The National Assembly for Wales
  • Liz Taylor, Marsh (previously ALARM)
  • Shelley Thornton, Zurich Municipal Management Services

Other contributors:

  • Brighton & Hove City Council
  • Cardiff County Council
  • Carrie Schroter and Zahra Alexander (Kingston Hospital NHS Trust)
  • East Sussex County Council
  • Eric Northcote and James Howell (Deloitte & Touche)
  • Liverpool City Council

References

  1. The Society of Local Authority Chief Executives & Senior Managers, and Zurich Municipal (2000) Chance or Choice: Risk Management and Internal Control – Guidance for Local Government
  2. CIPFA and The Society of Local Authority Chief Executives & Senior Managers (2001) Corporate Governance in Local Government: A Keystone for Community Governance: The Framework
  3. Institute for Chartered Accountants in England & Wales (ICAEW) (1999) Internal Control, Guidance for Directors on the Combined Code
  4. HM Treasury (2000) Management of Risk: A Strategic Overview ‘The Orange Book’
  5. NHS Executive (1999) Guidelines for Implementing Controls Assurance in the NHS
  6. Local Government Act 1999
  7. Local Government Act 2000
  8. The Accounts Commission for Scotland (1999) Shorten the Odds: A Guide to Understanding and Managing Risk
  9. Institute for Chartered Accountants in England & Wales (ICAEW) (1999) Implementing Turnbull: A Boardroom Briefing
  10. Cadbury Committee (1992) Report of the Committee on the Financial Aspects of Corporate Governance, London: Gee and Co.
  11. Greenbury Committee (1995) Directors’ Remuneration: Report of the Study Group Chaired by Sir Richard Greenbury, London: Gee Publishing
  12. Hampel Committee (1998) Committee on Corporate Governance Final Report, London: Gee Publishing
  13. Committee on Corporate Governance (1998) The Combined Code, London: Gee Publishing

Bibliography

  • The Accounts Commission for Scotland (1999) Shorten the Odds: A Guide to Understanding and Managing Risk, The Accounts Commission for Scotland.
  • The Association of Insurance and Risk Managers, AIRMIC (1999) A Guide to Integrated Risk Management, AIRMIC.
  • ALARM (2001) Risk Management – A key to success.
  • Audit Commission (1995) Taken On Board: Corporate Governance in the NHS: Developing the Role of Non-Executive Directors, London: HMSO.
  • Cadbury Committee (1992) Report of the Committee on the Financial Aspects of Corporate Governance, London: Gee and Co.
  • Canadian Institute of Chartered Accountants (1995) Guidance on Control (CoCo).
  • CIPFA (1998) Accountability: A Framework for Public Services, London: CIPFA.
  • CIPFA (1999) Central Government Panel Bulletin: An Introduction to Risk Management in Central Government, London: CIPFA.
  • CIPFA and The Society of Local Authority Chief Executives & Senior Managers, (2001) Corporate Governance in Local Government: A Keystone for Community Governance: The Framework.
  • Committee of Sponsoring Organisations of the Treadway Commission (COSO) (1992) Internal Control: Integrated Framework, CoSo.
  • Department of Education and Employment (DFEE) (1996) Guidance on Good Governance, London: DfEE Publications.
  • Department of Health (DoH) (1994) Code of Conduct and Code of Accountability, London: DoH.
  • Greenbury Committee (1995) Directors’ Remuneration: Report of the Study Group Chaired by Sir Richard Greenbury, London: Gee Publishing.
  • Hampel Committee (1998) Committee on Corporate Governance Final Report, London: Gee Publishing.
  • HM Treasury (1994) Code of Best Practice for Board Members of Public Bodies, HM Treasury.
  • HM Treasury (1997 and 1999) Guidance on Corporate Governance: Statements on the System of Internal Financial Control, HM Treasury.
  • HM Treasury (2000) Management of Risk: A Strategic Overview ‘The Orange Book’, HM Treasury.
  • Institute for Chartered Accountants in England & Wales (ICAEW) (1999) Internal Control, Guidance for Directors on the Combined Code, ICAEW.
  • Institute for Chartered Accountants in England & Wales (ICAEW) (1999) Implementing Turnbull: A Boardroom Briefing, ICAEW.
  • National Audit Office (2000) Supporting innovation: Managing Risk in Government Departments, The Stationery Office.
  • NHS Executive (1999) Guidelines for Implementing Controls Assurance in the NHS.
  • Society of County Treasurers (1995) Statement on the Proper Conduct of Public Business, Society of County Treasurers.
  • The Society of Local Authority Chief Executives & Senior Managers, and Zurich Municipal (2000) Chance or Choice: Risk Management and Internal Control – Guidance for Local Government, The Society of Local Authority Chief Executives & Senior Managers, and Zurich Municipal.
  • Treasury Board of Canada (1999) Review of Canadian Best Practices in Risk Management, Treasury Board of Canada.

Health Circulars

  • HSC1999/123 (1999) Governance in the New NHS: Controls Assurance Statements 1999/2000: Risk Management and Organisational Controls, DoH.

  • HSC1998/070 (1998) Controls Assurance Statements 1998/99 and 1999/2000 (April 1998), DoH.

  • HSC1998/230 (1998) Governing Arrangements for Primary Care Groups, DoH.


The Audit Commission has produced a number of studies covering related issues. The following may be of interest to readers of this paper:

Protecting the Public Purse: Ensuring Probity in Local Government – Update 2000

The latest findings of the Commission’s annual survey of fraud and corruption in local government highlight the key risk areas, new trends and increasing areas of risk. In particular, this year’s survey examined councils’ progress in response to the DSS’ Verification Framework and the fresh challenges created by legislation like the Local Government Act 2000. The publication also includes a checklist of good practice measures councils should adopt.

Update, 2001, ISBN 1862402655, £10, stock code LUP1494

A Perfect Match: Report of the 1998 National Fraud Initiative

The National Fraud Initiative is a computerised data matching exercise to detect, primarily, housing benefit fraud perpetrated upon local councils. It involved matching data supplied by over 400 local councils as well as a number of police and fire authorities. A Perfect Match looks at the types and values of frauds detected and other benefits derived from the NFI 1998 and at what more needs to be done to enable councils to get the maximum benefit from participating in future data matching exercises.

National Report, 2000, ISBN 186240223X, £10, stock code LNR1394

An Inside Job? Internal Audit & Best Value

This management paper sets out the expected and potential roles of internal audit in best value. It provides guidance on audit in relation to best value. The paper includes a checklist to assess whether organisations have considered the options for providing assurance for authorities’ best value frameworks. It provides examples of current work by internal audit using case studies on how they might contribute to their authorities’ approach to best value. It also aims to enable authorities to assess how they use internal audit to obtain assurance.

Management Paper, 2000, ISBN 1862402116, £15, stock code LMP1381

To order Audit Commission Publications or a copy of our latest catalogue, please telephone 0800 502030, or write to Audit Commission Publications, PO Box 99, Wetherby LS23 7JA

Managing risk is a difficult task. Local authorities must manage the significant risks that could hamper the delivery of the diverse range of services that the public looks to them to provide. To do this successfully, local authorities must identify and cope with the risks that threaten the achievement of their key strategic aims, and recognise that the process is not a one-off exercise, but an ongoing task. This paper aims to raise awareness about the need for local authorities to identify and address their key strategic business risks as a vital element of good corporate governance. It outlines the benefits of getting the processes right, and provides practical advice on how to manage those risks in a more effective and formal way while avoiding risk overload, or being too prescriptive about structures or methodology. It sets out the key tasks for members and chief officers, and challenges local authorities to keep pace with the advances made by other sectors, such as the NHS and central government, in recognising the importance of effective risk management. The paper is essential reading for anyone charged with governance responsibilities in local authorities.

Further copies are available from: Audit Commission Publications, PO Box 99, Wetherby LS23 7JA. Telephone: 0800 502030, stating stock code LMP1775. £15.00 net.
