Adopted by Council: 3rd March 2020
Review Date: March 2022
This document sets out the framework on which risk management processes at Crewe Town Council are based. This framework should assist in ensuring that a consistent approach is taken across the Council for the identification, assessment and evaluation of risks, and for ensuring that actions are proportionate to identified risks, thereby efficiently and effectively utilising resources and maintaining a balance between risks and controls. Risk management will strengthen the ability of the Council to achieve its objectives and enhance the value of services provided.
Risk – ‘Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative’.
Risk Management - ‘Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.’ [Institute of Risk Management (IRM)]
Risk management is an essential feature of good management and applies to all aspects of the Council’s business.
There is an Audit requirement under the Accounts and Audit (England) Regulations 2015 s.3 to establish and maintain a systematic strategy, framework and process for managing risk. Risks and their control will be collated in a Risk Register. A statement about the system of internal control and the management of risk will be included as part of the Annual Statement of Accounts and summarised in the Council’s Business Plan.
Implementing the strategy involves identifying, analysing/prioritising, managing and monitoring risks.
Long-term adverse impacts from poor decision-making or poor implementation. Risks causing damage to the reputation of the Council, loss of public confidence, or in a worst case, statutory intervention.
Failure to comply with legislation or laid-down procedures, or the lack of documentation to prove compliance. Risk of exposure to prosecution, judicial review, employment tribunals, inability to enforce contracts etc.
Fraud and corruption, waste, excess demand for services, bad debts. Risk of additional audit investigation, objection to accounts, reduced service delivery, dramatically increased Council tax precept levels/impact on Council reserves.
Failure to deliver services effectively, malfunctioning equipment, hazards to service users, the general public or staff, damage to property. Risk of insurance claims, higher insurance premiums, lengthy recovery processes.
Not all these risks are insurable and for some the premiums may not be cost-effective. Even where insurance is available, money may not be an adequate recompense. The emphasis should always be on eliminating or minimising risk. Risk can be connected to opportunities as well as potential threats.
Identifying and understanding the hazards and risks facing the Council is crucial if informed decisions are to be made about policies or service delivery methods. The risks associated with these decisions can then be effectively managed.
Identified risks need to be systematically and accurately assessed using proven techniques. Analysis should make full use of any available data on the potential frequency of events and their consequences.
An assessment should be undertaken of the impact and likelihood of risks occurring, with impact and likelihood each scored Low (1), Medium (2) or High (3). Risks scoring 6 and above will be subject to detailed consideration and the preparation of a contingency/action plan to appropriately control the risk.
Risk control is the process of taking action to minimise the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. Typically, risk control requires the identification and implementation of revised operating procedures, but in exceptional cases more drastic action will be required to reduce the risk to an acceptable level.
Options for control include:-
- Tolerate - Documenting a conscious decision after assessment of areas where the Council accepts or tolerates risk;
- Treat - Loss control measures are implemented to reduce the impact/likelihood of the risk occurring;
- Transfer - The financial impact is passed to a third party or by way of insurance. This is good for mitigating financial risks or risks to assets;
- Terminate - The circumstances from which the risk arises are ceased so that the risk no longer exists.
Details on the impact and likelihood matrix are included below. A summary is carried forward into the annual Business Plan. Health and Safety risks are assessed in a similar manner but are assessed, recorded and managed separately.
The risk management process does not finish with putting any risk control procedures in place. Their effectiveness in controlling risk must be monitored and reviewed. It is also important to assess whether the nature of any risk has changed over time.
The information generated from applying the risk management process will help to ensure that risks can be avoided or minimised in the future. It will also inform judgements on the nature and extent of insurance cover and the balance to be reached between self-insurance and external protection.
Roles and Responsibilities
Risk management is seen as a key part of the councillors’ stewardship role and there is an expectation that Elected Members will lead and monitor the approach adopted. This will include:-
- Approval of the Risk Management Strategy;
- Consideration of the Annual Risk Assessment Matrix.
The Finance and Governance Committee have a responsibility to set and undertake a programme of annual Member audit checks on financial procedures, other governance and operational procedures in accordance with their terms of reference and to monitor that recommendations from internal and external audits are implemented.
Proper Officer and Responsible Financial Officer
Will ensure that Risk Management is an integral part of any service review process, ensure that recommendations for risk control are detailed in service review reports and will lead in developing and monitoring Performance Indicators for Risk Management.
Project Officers and Service Managers
When developing projects or recommending service changes will ensure that risks are identified and the measures to eliminate or control risks are documented in agenda reports/briefing papers to be considered by Council and committees.
Will undertake their job within risk management guidelines ensuring that the skills and knowledge passed to them are used effectively.
Role of Internal Audit
The Internal Auditor, appointed by the Council, provides an important scrutiny role carrying out audits to provide independent assurance to the Council.
Internal Audit assists the Council in identifying both its financial and operational risks and seeks to assist the Council in developing and implementing proper arrangements to manage them, including adequate and effective systems of internal control to reduce or eliminate the likelihood of errors or fraud.
Role of External Audit
External auditors are the “public watchdog”, responsible for checking that accounts comply with relevant enactments and proper practices, that the council’s annual statement is true and fair, and that the authority has proper arrangements for securing economy, efficiency and effectiveness in its use of resources. The external audit approach is based on completion of the annual return by the Council and relies heavily on the cooperation of the Council with the external auditor and a significant amount of self-certification by the Council. Crewe Town Council has determined to opt in to Smaller Authorities Audit Appointments Ltd (SAAA), an audit appointment body (sector led), to appoint its external auditor.
Risk Management training will be provided to Officers. Councillors will receive appropriate briefings.