
Mar 07, 2018


Doing more than we have ever done to make Essex safe

RISK MANAGEMENT

POLICY, STRATEGY & GUIDANCE

2013

Essex County Fire & Rescue Service


CONTENTS

1. Risk Management Policy Statement
2. Definition of Risk
3. Definition of Risk Management
5. Aim
6. Principles
7. Objectives
8. Framework
9. Context
Operational Risk (Risk of loss or gain, resulting from inadequate or failed internal processes, people or systems or from external events)
10. Roles and Responsibilities
11. Risk management tools
12. Risk Appetite
13. Risk Profile
14. Corporate Governance
15. Alignment to a Risk Standard
16. Alignment to other Risk Registers
17. Training
18. Implementation Process & Procedures
19. Where and when should Risk Management be applied?
20. Risk Identification
21. Risk Description
22. Risk Assessment & Analysis
23. Risk Assessment Methods – The Bow Tie Methodology
24. Risk Evaluation
Bow Tie Template – Working Example
25. Likelihood and Consequence
26. Risk matrix
27. Risk Based Action Plan
28. Risk Response
29. Control measures and decisions
30. Control Measure Plans
31. Reviewing and Reporting Risks
32. Monitoring
33. Audit and Review
34. Influences on Risk Management

ANNEX A – RECORDING RISK & JCAD RISK SOFTWARE
A.1 Introduction

ANNEX B – ECFRS/EFA Reports – “What are the risk management implications?” Guidance for authors
B.1 The “Science”
B.2 The Practical Explanation

ANNEX C – ESSEX FIRE AUTHORITY RISK MANAGEMENT
C.1 Introduction
C.2 Risk Management Committee – Membership and Constitution
C.3 Co-opting of Members
C.4 Committee attendance
C.5 Meetings and Reporting
C.6 Risk Management Committee Terms of Reference
D.1 Introduction
D.2 General
D.3 What is a partnership?
D.4 Assessing prospective partners
D.4.1 High and Medium Risk Partnerships
D.4.2 Low Risk Partnerships


D.5 Identifying risks associated with delivering objectives
Appendix 1 – How to manage low risk/opportunity partnerships – key questions
D.6 Partnership Auditing

Version Control

Title: Risk Management – Policy, Strategy & Guidance
Version: Version 8, November 2012

Version changes:
Version 1: August 2008
Version 2: December 2008
Version 3: April 2009
Version 4: July 2009
Version 5: April 2010
Version 6: October 2010
Version 7: August 2011
Version 8: November 2012

Document purpose: To provide the EFA/ECFRS with risk management policy, implementation and guidance in one source document
Author: Strategic Risk & Business Continuity Manager
Directorate: Prevention Protection & Resilience
Issue date: November 2012
Next formal review date: June 2013
Reviewed by: Strategic Risk & Business Continuity Manager


FOREWORD

Risk management is about managing threats and opportunities. By managing our threats effectively we will be in a stronger position to deliver our objectives. By managing our opportunities well, by gauging risk and reward, we will be in a better position to provide improved services, value for money, effective corporate governance, and optimise partnership arrangements.

This Risk Management Policy, Strategy and Guidance combines a number of sources on the subject of Risk into one unified source document. It replaces, although may not substantially alter, other individual documents.

The RMPSG reflects the revised risk management arrangements that exist in February 2012. The Compendium should be considered against the Strategic Risk Register and the Service Business Continuity arrangements, as well as the Business Excellence Systems Toolkit, some of which content will be superseded by this document.

Finally, risk management is everyone’s business, but particularly for risk owners, and their nominees.

Chief Executive and Chief Fire Officer
Kelvedon Park
February 2012


1. Risk Management Policy Statement

The risk management policy of Essex Fire Authority (EFA) and the Essex County Fire & Rescue Service (the Service) is to adopt best practice in the identification, evaluation and cost effective control of risks to ensure that they are eliminated or reduced to an acceptable level. Risk management is a process to assist in understanding and managing risk, not to design out risk.

Sound risk management will support the intent to make Essex the best Fire & Rescue Service in the UK. Effective risk management will improve performance against objectives by contributing to:

Decision making at all levels

Better service delivery across all departments

Reduction in management time spent problem solving

Increased likelihood of change initiatives being achieved

More internal focus on doing the right things at the right time

Better basis for strategy setting

Fewer shocks or unwelcome surprises

Reduced waste, less room for fraud, and better value for money

Risk management will be conducted by establishing principles, creating a framework and processing risks. The diagram on page 7, taken from ISO 31000 (see 2 below), identifies the overall relationship of these components. These components are examined in more detail throughout this document.

Risk management also makes a significant contribution to the Fire Authority and Service Corporate Governance arrangements. Whilst this Policy is primarily aimed at Departmental managers and above, all Members and staff should understand the nature of risk and accept responsibility for risks associated with their area of authority.

2 Definition of Risk

ISO 31000 defines Risk as: The effect of uncertainty on objectives.

To put it another way, Risk is the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the combination of the likelihood of something happening, and the impact or consequences which arise if it does actually happen.

3. Definition of Risk Management

ISO 31000 defines Risk Management as: The coordinated activities to direct and control an organisation with regard to risk.

Risk Management can also be described as the culture, process and structures that are directed towards the effective management of potential opportunities and adverse effects. Risk Management protects and adds value to an organisation and its stakeholders by supporting the corporate objectives. If the risk can be linked to a corporate objective we can then identify whether the risk threatens or enables the achievement of those objectives.


4. Components for Risk Management

The components for risk management are the establishment of:

a risk management strategy

principles within which to work

a framework for managing risk

risk management processes within the framework

ISO 31000:2009 and BSI31100:2008 provide the foundations upon which the Service’s own Policy, Strategy and Implementation Guidance is constructed.

Unless otherwise stated, the term “operational risk” will refer to the day to day management and operation of the Service and not planned and mobilised response operational risk.

For the purposes of this policy, and the subsequent guidance, reference to the Service, which delivers business for the EFA, will include the EFA.


RISK MANAGEMENT STRATEGY

5. Aim

The aim of our risk management strategy is to improve our ability to deliver the corporate strategy by maximising opportunities, encouraging creativity and innovation, minimising threats, and creating an environment that adds value to operational activities.

6. Principles

Effective risk management needs solid principles upon which to build, as follows:

Risk management creates and protects value

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, quality of services, project management, efficiency in operations, governance and reputation.

Risk management should become an integral part of Service processes

Risk management is not a stand-alone activity that is separate from the main activities and processes of the Service. Risk management should become a part of every day management and thus become fully integrated with Service processes, including strategic planning, and all programme, project, partnership and change management processes. (This leads to Mandate and Commitment.)

Risk management is part of decision making

Risk management aids decision makers by informing choices, identifying priorities and distinguishing between alternative courses of action.

Risk management explicitly addresses uncertainty

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

Risk management is systematic, structured and timely

A systematic, structured and timely approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

Risk management is based on the best available information

Risk management inputs are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts, and expert judgement. Decision makers should, however, inform themselves of, and should take into account, any limitations of the data or modelling used, or the possibility of divergence amongst experts.

Risk management is tailored

Risk management is aligned with the Service’s external and internal context and risk profile.

Risk management takes human and cultural factors into account

Risk management recognises the capabilities, perceptions, and intentions of external and internal people that can facilitate or hinder achievement of the Service’s objectives.

Risk management is transparent and inclusive

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the Service ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented, and to have their views taken into account in determining risk criteria.


Risk management is dynamic, iterative, and responsive to change

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and reviewing of risks takes place, new risks emerge, some change and others disappear.

Risk management facilitates continual improvement

The Service should develop and implement strategies to improve its risk management maturity alongside all other aspects of itself.

7 Objectives

By determining the principles under which risk management will subsist, a number of objectives can be identified, as follows:

Acknowledge the roles of corporate (strategic) and operational risk management.

Integrate risk management into the culture, business planning and performance processes in all Service areas by raising awareness of risk management amongst all employees, making it an integral part of our thinking, behaviour and actions.

Manage risk cost effectively and in accordance with best practice and in the circumstances prevailing, including dynamic risk assessment, and the integration of corporate and operational risk where necessary, ensuring that risk control/mitigation measures are effective, appropriate, proportional, affordable and flexible. Controls may not be set up where the cost and effort is disproportionate to the expected benefits.

Increase the likelihood of achieving corporate aims and objectives.

Anticipate and prevent or minimise the potential consequences of events which could have been reasonably foreseen instead of dealing with the consequences, notably around events or actions that could damage the Service’s reputation and public image, thereby undermining community confidence.

Consider the risks of not undertaking activities and not exploiting opportunities, thereby avoiding the development of a risk averse culture.

Maximise opportunities and encourage innovation, providing reassurance to stakeholders that due consideration has been given to the management of potential risks.

Improve decision making and planning, and assist in the allocation and prioritisation of resources.

Fully document major threats and opportunities

Clearly identify risk exposures

Ensure conscious and properly evaluated risk decisions are taken, and properly recorded

These objectives are achieved by:

The establishment of a risk management organisational structure to act in an advisory and guiding capacity that is accessible to all support and operational staff.

Including risk management as an item at all meetings, at whatever level.

Providing risk management awareness training

Embedding risk management principles into the various decision making processes

Maintaining appropriate incident reporting and recording systems with investigation procedures to establish cause and prevent recurrence

Maintaining effective communication both within the Service and with the Service’s external partners and stakeholders

Monitoring arrangements for the management of risk on an ongoing basis


FRAMEWORK DESIGN FOR MANAGING RISK

8 Framework

Given the risk management mandate through the Policy statement, with a commitment to undertake risk management, the risk management framework will consist of a number of iterative processes and interrelated components.

[Diagram: risk management framework. Components shown: Mandate & Commitment; Framework design for managing risk; Implementing risk management; Monitoring & review of the framework; Maintenance and improvement of the framework]

9 Context

Our risk management framework requires an understanding of the internal and external context the Service is operating in. An external context may consist of, but not be limited to:

The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environments,

Key drivers and trends having an impact on Service corporate objectives,

Relationships with, and perceptions and values of, stakeholders and partners.

The tables on pages 11 and 12 identify these aspects in more detail.

In addition, the manner in which Essex County Fire and Rescue Service (ECFRS) manages its response to various risks is part of a continuum of risk management that edges out from the National Security Strategy to the National Risk Register (NRR), to the Essex Resilience Forum Community Risk Register (CRR), and finally to organisational strategic and operational risk registers, represented in the diagram below.

The National Framework published in July 2012 makes it clear that an IRMP is an outcome and not a process. The Strategic Assessment of Risk (SAOR) will underpin the Service IRMP by identifying risks and their proposed mitigations in order to improve capabilities where capability and/or capacity are identified through gap analysis. (New risks, per se, are unlikely to emerge.) This will lead to “closing the loop” around prevention, protection and operational response.

Response is fundamentally about the optimum use of appropriately trained and led Firefighters, with the right equipment, in the right place, at the right time. Protection and Prevention work are key parts of ECFRS service delivery strategy. These activities seek to minimise those occasions on which an emergency response is required.


[Diagram: continuum of risk management. Levels shown, in order:]

National Security Strategy
National Risk Assessment
Essex Resilience Forum – Community Risk Register
ECFRS – Strategic Risk Register
ECFRS – Strategic Assessment of Risk
IRMP – Risk Assessment Management (diagram labels: Review, Identify, Assess, Controls, Consultation, Report)
Corporate & Business Plans
Command & Station Operational Risk Registers (cleansed through PORIS)
Outcomes – PTRIF, SSRIs TFPs

End to End Operational Risk Management by Stations and Community Commands (Operational Risk Information)

Stage I – Review site/premises data held. Enough? Go to Stage III. Not enough? Get additional data and/or invoke “fast track” action to ensure compliance
Stage II – Additional data gathering in order to conduct Stage III
Stage III – Determine level of risk; determine timescales and subsequent visits
Stage IV – Assess risk management control measures to apply
Stage V – Provide operational Information for incidents at Bronze and Silver levels

An internal context may consist of, but not be limited to:

Governance, organizational structure, roles and accountabilities;

Policies, objectives, and the strategies that are in place to achieve them;

Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);

Information systems, information flows and decision making processes (both formal and informal);

Relationships with, and perceptions and values of, internal stakeholders;

The Service culture;

Standards, guidelines and models adopted by the organization; and

The form and extent of contractual relationships.

The tables on pages 13 and 14 identify these aspects in more detail.


External (Strategic) Risks (Risks concerned with where the organisation wants to go, how it plans to get there, and how it can ensure survival)

Political: The overall political situation

Change of Central Government policy leading to funding problems

Failure to deliver central government policy

Change of local policy or priorities

Unfulfilled promises to communities

Political make-up (construction of Local/District Authorities)

Stability of political situation (hung Parliament)

Impact of Election cycle

Failure in the decision making structure leading to bad decisions.

Meddling/abuse (fraud, corruption, lack of strategic focus)

Poor and/or slow response to innovate or adapt to modernisation

Leadership issues

Reputation management (damage to organisational credibility, adverse corporate media attention, etc)

Terrorism/New Dimensions

Regulatory Inspection (audit process)

Requirement to train new Elected Members

Economic: The overall national, local and Service specific economic situation

Comprehensive Spending Review and degree of uncertainty 2013 – 2016 and beyond

Inflation (or Deflation)

Interest Rate fluctuations (Increase)

Treasury Management – investments and reforms, internal budgetary pressures

Borrowing, lending, investments and investment rates

Budgetary position as a consequence of poor central government grant reductions / reduced Council tax base

Demand predictions (e.g. as a consequence of IRMP)

Competition between suppliers and the effect on procurement

General economic climate, external macro level economic changes

Unrecorded liabilities

Value/cost of capital or assets

Missed opportunities

Immediate impact of civil emergency

Government changes to Welfare funding and Council Tax benefit

Social / Cultural: County demographics and socio-economic trends that could impact on Service delivery; Cultural considerations

Societal changes – needs expectations, attitudes, growing and more diverse population – failing to take account

Failure to be recognised as an employer of choice

Failure to understand/track demographic profiles

Residential patterns and profile (e.g. Commuter, HMO, elderly (care), public/private mix, state of, and increase of, housing stock)

General community health (including cultural diversity health issues)

Crime statistics / Fire related crime

Disadvantaged, vulnerable, or hard to reach groups or communities

Cultural diversity and our ability to cater for that

Increase in “at risk” groups due to the economic climate

(Un)Employment

Missed or minimal Third Sector involvement

Partnerships – Failure to spot opportunities, or failing arrangements (shared services)

Rural/Domestic fire risks

Inter-operability/Major incident response

Non-domestic fire risks

Transportation risks


Technological: Service capacity to adapt to change of pace/scale of technological change

Technological strategy inadequate/obsolete

Technological change/advance and capacity to process

Current / future use/reliance on technology – Mobile data

Current or proposed technological partners

Current performance and reliability (delivering objectives)

Condition of architecture/infrastructure/staffing

Life span/obsolescence date identified

Security and standards e.g. back-up, recovery (sites), confidentiality, compatible equivalent security systems allowing data transfer etc.

Recovery plans/ Business Continuity planning

Technological demands – customer needs and expectations

Support to innovation/adaptation & change management

Procurement of best technology to deliver objectives, with sustainability

Failure to communicate (at all/effectively)

Achieving passive fire safety advances

Technical advances in service delivery equipment/support functions

Impact of security requirements on BAU

Legislative: Failing to respond to current or potential changes in national or European Law or Regulations

New primary & secondary legislation – National/European Law/Regulations

Exposure to Regulators – e.g. auditors/inspectors, intervention – Fireground safety

Annual Assessment – Use of Resources; Direction of Travel; Governing the business; Managing finances; Current climate; Corporate Killing; CLG/CFOA guidance

Statutory duty to cooperate, targets, performance and annual report

Responsiveness to criticism

European Directive – Procurement

F&RSA 2004 – How we conduct our business /Maritime response?

CCA 2004 – Preparedness & Response, Business Continuity, Resilience

Crime & Disorder Act 1998 – Section 17

Equality Act 2010 - Compliance.

National Framework 2012

Judicial Review

National guidance such as GRA or operational bulletins/improvement notices

Environmental: Consequences of the Service’s strategic objectives (energy efficiency, pollution, etc).

Nature of environment (urban, rural, mixed)

Land use – green belt, brown field sites

Waste disposal and recycling issues

Exposure to drainage problems/flooding/erosion/subsidence/landslip

Impact of civil emergency (e.g. flood)

Traffic problems/congestion

Planning, Transportation

Pollution, emissions, noise

Climate change

Energy efficiency

ECFRS impact as a consequence of operational response


Operational Risk (Risk of loss or gain, resulting from inadequate or failed internal processes, people or systems or from external events)

Professional: Associated with the particular nature of professional work area

Views arising from peer reviews, consultancy reviews, internal audit, etc.

Professional /managerial standing of key officers

Over reliance on key officers

Stability of officer structure/management teams

Poor staff motivation

High sickness levels

Competency and capacity – Organisational and Individual

Key staff changes and personalities

Turnover, recruitment and retention, talent management and succession planning, inability to recruit

Change – implementation and management

Lack of investment in training and development

Partnership working

Management frameworks and processes – efficient, effective

National Framework document

Profession specific issues

Mission, Vision and Values

Information management: Associated with systems

Systems and management data not up to date

Data not quality assured

Inadequate volume of data

Ineffective prediction of trends and forecasting of Service needs.

Financial: Associated with financial planning,

Financial situation of authority & level of reserves

Budgetary policy and control – overspends?

Delegation of budget and financial disciplines

Failure in accounting systems/unrecorded liabilities/unreliable records

Monitoring and reporting systems

Control weaknesses – anti fraud and corruption – occurrence of fraud

Income and Revenue

Grants and External funding

Insurance – adequacy of covers, level of self funding, deductibles, etc.

Capital

Interest rates, inflation, income tax, etc.

Efficiency, invest in priorities, disinvestments non-priority areas

Failure of major projects/partnerships involving external finance sourcing.

Technological: Relating to reliance

Reliance on operational equipment e.g. ICT systems or equipment and machinery.

Failure of big technology related project

Crash of ICT systems affecting service delivery

Breaches of security of network and data


Legal: Related to possible breaches of legislation

Legal challenges, judicial review

Adequacy of legal support

Boundaries of corporate and personal liabilities

Sufficient reserves to defend legal challenge or unrecorded liabilities

Reputation Management

Partnerships – Legal Liabilities, contractual liabilities

Not meeting statutory duties or deadlines, (Court proceedings, service of Regulatory Notices etc)

Breach of confidentiality

Failure to implement legislative change

Incident ground safety

Equality & Diversity

Marine Incidents

Environmental: Relating to pollution

Pollution in offices

Pollution on the incident ground

Noise or energy (in)efficiency of ongoing service operation.

Reputation: Internal

Damage to individual credibility

Damage to departmental credibility

Possible adverse individual or Service media attention

Physical: Related to safety.

Assets – Nature and state of asset base including record keeping

Commitment to health, safety and well-being of staff, partners and the community

Risk assessments

Accident and incident record keeping

Maintenance practices

Lack of Business Continuity planning

Security – staff, assets, buildings, equipment, plant, machinery, vehicles

Assets – purchase, leasing, sales, rent, revenue, income, maintenance

HR Strategy – training, development, health, etc.

10 Roles and Responsibilities

Everyone in the Service is involved with risk management, although the ultimate responsibility for managing risk lies with:

The Chairman of the Fire Authority, and

The Chief Executive/Chief Fire Officer, and the SMB

The following table identifies responsibilities, in order to ensure the successful implementation of the policy and strategy:

Role / Responsibilities

Members

The responsibility for compliance with corporate governance requirements and for implementing the corporate risk management policy and strategy lies with the EFA.

The Policy & Strategy Committee

To set and determine the Risk Management policy and strategy for the Authority.

The Chief Executive / Chief Fire Officer

Overall coordination of risk management across the Service and SMB risk lead. SMB leads the implementation of the strategy, providing clear directions and guidance to other managers, officers and staff.


SMB

The Deputy Chief Fire Officer and individual Directors take full ownership and management of all risks within their remit, through the Strategic Delivery Board (SDB).

Strategic Delivery Board

The SDB is responsible for the review of progress against organisational corporate risk, and for the identification and implementation of control measures to reduce or mitigate strategic risks that may prevent achievement of organisational planned performance. The SDB will provide assurance to the SMB that the Service is adhering to the corporate risk management policy. Corporate Risks will be reviewed at SDB meetings with reporting by exception of movement of risk likelihood or consequence values. SDB members will conduct quarterly reviews of the risks falling within their areas of concern, on their own behalf or on behalf of their Principal officer.

Risk Management Committee

The Risk Management Committee takes an overview of the Service’s risk management arrangements, including the risks identified, the management of those risks, and communication on risk management matters. In essence, the purpose of the Committee is to deal with the risk management framework and to provide policy proposals to the SDB, and to encourage a culture within the Service that emphasises and demonstrates the benefits of a risk-based approach to internal control and management of the Service. This Committee has an Elected Member Risk Champion.

Programme & Project Managers

Conduct risk assessment(s) as required by the MP2/full Prince2 process. Ensure that programmes & projects have risk logs / registers.

Risk & Business Continuity Manager

Ensures the Service has effective systems in place to provide sound corporate risk management across its activities, including developing policy and process, that all groups across the Service understand their responsibilities in respect of corporate risk management, and that the Service maintains an awareness of external developments in risk management.

Leads, develops and maintains an effective framework for managing the Service’s risks and promotes, supports and co-ordinates its implementation at both officer and Member level to ensure that sound risk management is accepted as an essential element of every manager’s role.

Deals with the management of the Risk Management Committee.

Provides support and advice to all within the Service to ensure that their approach to risk management considers both the risks and opportunities of actions and inaction. This includes quality control of risk registers during the business planning cycle.

Provides constructive challenge to Members and officers to ensure that corporate strategies, standards and processes for the management of risk and business continuity planning are complied with across the Service’s activities and partnerships.

Ensures that risk action plans and management processes are embedded into the Service’s culture and practices.

Maintains a register of strategic and operational risks on software and reports to Members and senior officers on progress in embedding risk management and the management of risk exposure across the Service at all levels.


Departmental Managers

Identify risks to their departmental business plans and log them for quality assurance by the Risk & Business Continuity department. Review risks quarterly.

Staff

Ensuring accountability for individual tasks

Enabling continuous improvement of risk management and risk awareness

Reporting systematically and promptly to their manager any perceived new risks or failures of existing control measures.

11 Risk management tools

Tools enable managers to capture information in a consistent way, engage with stakeholders, provide more thorough and reliable analysis results, make explicit the risks associated with different options, prioritize actions, improve communication and produce a reliable audit trail. Although tools are not an end in themselves, they can be powerful aids to support effective risk management.

There is a considerable range of tools to choose from. Each is suitable for a specific task and not all will be needed at the same time. While the tool(s) to be used is sometimes immediately apparent, the choice of others is not always straightforward. Amongst other attributes, selection of a tool will depend on:

the intended user or function and the desired output;

the purpose or goal of undertaking the risk management activity, such as calculating a contingency or selecting an option;

the level of detail that the sponsor requires;

the degree to which risk management is embedded in the organization;

the willingness of the participants to use the tools;

Some of the more commonly used tools for stages of the risk management process are identified in this document, i.e. the tables on pages 11 – 14, the Bow Tie technique on page 21, risk profiling through, e.g. the SAOR, and JCAD Risk software. The Risk & Business Continuity Department can assist managers with further.

12 Risk Appetite

Once set, a risk appetite will enable the Service to increase its benefits by optimising risk taking and accepting calculated risks within an appropriate level of authority. The Service risk appetite will be established and approved by the Fire Authority and effectively communicated throughout the Service. The Service will prepare a risk appetite statement, to:

• provide direction and boundaries on the risk that can be accepted at various levels of the Service, how the risk and any associated reward is to be balanced, and the likely response;

• consider the context and the Service understanding of value, cost-effectiveness of management, rigour of controls and assurance processes

• recognize that the organization might be prepared to accept a higher than usual proportion of risk in one area if the overall balance of risk is acceptable;


• define the control, permissions and sanctions environment, including the delegation of authority in relation to approving the Service risk acceptance, highlighting of escalation points, and identifying the escalation process for risk outside the acceptance criteria, capability or capacity;

• be reflected in the Service risk management policy and reported upon as part of the Service internal risk reporting system

• include qualitative statements outlining specific risks the organization is or is not prepared to accept; and

• include quantitative statements, described as limits, thresholds or key risk indicators, which set out how certain risks and their rewards are to be judged and/or how the aggregate consequences of risks are to be assessed and monitored.

13 Risk Profile

The Service risk profile is defined by the Strategic Assessment of Risk, the Integrated Risk Management Plan, and the departmental Business Plans, which are supported by their own risk registers.

14 Corporate Governance

Corporate governance is the ongoing activity of maintaining a sound system of internal control to ensure that effective management systems, including financial monitoring and control systems, have been put in place to protect assets and the reputation of the Fire Authority and the Service. Risk management is one element of internal control alongside Financial, Operational and Compliance. More details on Corporate Governance can be found in the Essex Fire Authority Local Code of Corporate Governance.

15 Alignment to a Risk Standard

The publication of Risk Standards in November 2008 (British Standard 31100), and in December 2009 (International Standard 31000), provided the Service with the opportunity to align itself with one or the other. Professional risk organisations back the International Standard as a more straightforward Standard to aspire to. There are, however, strong similarities between them. The BS offers an expansion to the ISO, through its Code of Practice.

Neither Standard is intended to offer any accreditation, testing, or inspection processes. There are, however, benchmarking benefits to the Service by alignment to Standards.

16 Alignment to other Risk Registers

There are a number of influences on the Service that surround Risk Management. A principal driver for all that we do is having the capability to respond to the hazards and threats referred to in the Essex Resilience Forum Community Risk Register. There are numerous references to the Service as a lead agency; there are a number of references that require a multi-agency response, including ECFRS. Service Strategic Risks will align with the Community Risk Register to ensure the appropriate continuum is present. This is particularly evident in the SAOR.

17 Training

An essential part of ensuring effective risk management and of extracting full benefit is training of personnel to ensure that all managers understand their part in:

Roles and responsibilities with regard to the management of risks.

The purpose of risk registration on JCAD Risk management software (See page 29).

Techniques for risk identification and source of information

The system of risk evaluation used by the Service

The preparation of risk treatment options and plans


The format and protocol for communicating information about risks which cannot be dealt with locally to the appropriate level

Keeping a risk registration “live” and up to date


IMPLEMENTING RISK MANAGEMENT

18 Implementation Process & Procedures

The implementation of risk management involves its own iterative processing of risks through the following steps:

[Diagram: risk management cycle. Context & Identification; Assess, analyse & evaluate; Response (controls & treatment); Report; Review]

Establishing the risk context (See pages 10 – 14) and risk identification

Risk assessment, analysis and evaluation

Risk response (controls & treatment)

Risk reporting

Risk review

These steps are iterative, and should be supported by communications and consultation.

19 Where and when should Risk Management be applied?

Risk management will, to a greater or lesser degree, be applied to every decision. Risk management will be rigorously applied where critical decisions are to be made. Decisions around risks will vary depending on whether the risk relates to long, medium or short-term goals.

Strategic risks are mostly concerned with long-term goals, which set the context for decisions at other levels of the Service. As risks associated with strategic decisions may not become apparent until well into the future, those risks and decisions should be reviewed on a regular basis.

Programmes and projects usually deal with medium-term goals, and are associated with business change. Decisions relating to medium-term goals are generally more defined in terms of timeframe and financial responsibilities.

Operational level decisions relate to short-term goals to ensure everyday business as usual; however, decisions at the operational level must also support medium and long-term goals, e.g., financial achievements.

The overall associations and risk management perspective is described in the diagram below.


[Diagram: risk management perspectives]

Strategic: Future Direction of the Service

Change: Turning Strategy into Action including Programme, Project & Change Management

Operational: Day-to-day operations including People, Processes, Financial, Information Security, H&S, Business Continuity, etc.

Formal risk management will be conducted for the following activities:

SAOR leading to,

The Service Integrated Risk Management Plan (for Prevention, Protection and Response),

Corporate Objectives and Plan

Departmental Business Plans,

Programmes and Projects,

External Partnerships involving legal and / or financial responsibilities and accountability,

Reports to the SDB, SMB and to the EFA and its Committees

Any activity that could impact finance, reputation and brand name.

20 – Risk Identification

Risk identification should generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives, including identifying risks associated with not pursuing an opportunity. Risk identification should be approached methodically to ensure that, wherever possible:

all significant risk sources potentially affecting the achievement of objectives are identified and recorded;

the risk source is under the control of the Service;

cascade, cumulating and consequence effects are taken account of;

risks are clearly defined, do not overlap, and there are no unintended gaps;

threats and opportunities are addressed as appropriate;

each risk’s cause is examined;

the validity of assumptions is challenged;

interaction/conflict between stakeholders and objectives, which can be a significant source of risk, is identified;

the risks are owned; and

existing risk responses perceived to be addressing the risks, and their owners, are identified.

Risks should be recorded consistently and explicitly to allow review and development of effective responses.

The Service will identify both strategic and operational threats and opportunities. Once identified and assessed, essential information about them should be entered on JCAD Risk, a key building block of our strategy. Entries are dynamic and a source of information for the efficient and effective provision of services. To assist with identifying threats and opportunities, it is helpful to consider the different categories of risk set out on pages 11 – 14, and use these in conjunction with the table on page 24.


21 – Risk Description

It is important to describe a risk accurately and not to mix it up with causes and consequences.

Objective: Hold an Open Day at Service HQ using the currently available open space for stalls

Identified risk: Forecast risk of heavy rain

Looking at the risk given above it is not immediately clear what the problem is (how the objective will be affected). The following statements may help:

Due to . . . there is a risk that . . . which may result in . . .

We have an opportunity to . . . by . . . which may result in . . .

Apply these statements to the above example and it becomes clear that ‘rain’ is the cause of the risk, as shown below.

“Due to forecast of heavy rain on the day of Service HQ Open Day there is a risk that the surrounding open space will become waterlogged, which may result in having to cancel the event.”

The risk could also be looked at from another perspective:

“We have an opportunity to improve our Service HQ Open Day by holding it on the hard standing and car park area, and utilising the large Reception lobby, which may result in more people attending the event.”

This shows that many risks can be seen as both positive (opportunities) and negative (threats). Despite this process, the next stage, verification and assessment, may identify an alternate and more defined risk.

22 – Risk Assessment & Analysis

Risk assessment stage should involve:

analysis of individual risks;

analysis (and quantification where relevant) of potential risk aggregation; and

evaluation and prioritization.

Risk assessment should determine the level of and exposure to risk and provide input to decisions on where responses to reduce or exploit risk are necessary or likely to be worthwhile.

A risk might have a number of consequences, some positive and some negative. Managing the risk and its consequences could change a consequence, potentially from negative to positive. Each risk should be analysed to an appropriate extent, considering its consequences, and summarised in terms of the consequences arising and their likelihood. (See page 23)

Risks should be reviewed and revised to take account of instances where links between risks or common risk responses suggest that risks could be split or aggregated, or considered in groups. Action should be taken accordingly.


23 Risk Assessment Methods – The Bow Tie Methodology

There are a number of methods and techniques to assess risks. A useful thought process at the desk is to use the Bow Tie method. Once a risk has been identified, the next task is to verify that risk description and assess that risk against PESTLE, Likelihood and Impact criteria.

Risks will have triggers. Once triggers are identified, it should be possible to ascertain the controls that would prevent that trigger occurring. The risk could, however, occur, in which case the consequences (impacts) should be identifiable. In turn, the controls to mitigate that impact should also be identifiable.

A template for this thought process is on page 22, with a worked example to illustrate how the boxes might be completed. The template should be completed by the risk owner or departmental risk lead responsible for reviewing and accepting the assessment that will feed into the risk register. Strategic Risks are reviewed by the SDB on a quarterly basis.

24 Risk Evaluation

Service risk owners, or those managing risk on their behalf, should prioritise the analysed risks taking into account how soon the risks might occur (proximity) and manageability, the context of the risks, and include consideration of the possible acceptance or rejection of the risks by stakeholders. This information should be used to inform and facilitate decisions about whether to respond to risks and how to set priorities.


Bow Tie Template – Working Example.

[Diagram: Bow Tie template. Left to right: Triggers / Causes; Controls (Preventative); Risk / Event; Controls (Mitigating); Consequences / Impacts. The Risk / Event box carries fields for L, I, Score and P E S T L E. Each control box carries the fields Control No., Owner, Rag Rating and Review Date.]

Risk / Event

Risk Description: Lack of availability of a duty fire safety officer (out of hours)

Risk Owner: SDO Community Safety

Triggers / Causes

Trained officers not available (leave/sick)

Staff with relevant knowledge not on flexi rota

Training not available

Insufficient staffing to cover rota

Insufficient uptake of vacancies in WFS

Importance of role not recognised in Service

Controls (Preventative), Control No. P

Uniform not a requirement to fulfil the role

Different method of provision for duty fire safety role

Flexi duty not a requirement to fulfil role

Outsource of function

Controls, Control No. A

Reinstate station based WFS inspections

Promotion process to incl. WFS aspects

WFS learning reinstated at FF level+

Change procedures

Consequences / Impacts

Inappropriate advice given to responsible person

Evidence gathering process at fault

Failure to serve a prohibition notice

Reputation

Lack of WFS input to fire investigation post incident compromising eventual prosecution

Prohibition notice served with inappropriate procedures

Prohibition notice served in inappropriate circumstances

Inappropriate advice given to partner organisations

Financial liability

Controls (Mitigating), Control No. M

Review any decisions from the night shift in the morning

To review situation in office hours

Communications strategy

Fire investigation officer to liaise with WFS in office hours

Re-serve in office hours

Lift prohibition – offer explanation

Insurance


25 Likelihood and Consequence

Assuming that a risk is accepted, a method for scoring likelihood and consequence (impact) is required. Values need to be given to likelihood and consequences. The significance of the scores within the risk assessment matrix can be further enhanced by using a ‘traffic light’ colour coding system. (See page 24)

Likelihood Scoring Scale

Level | Descriptor | Likelihood

1 | Very Unlikely | < 10% | The event may occur only in exceptional circumstances

2 | Unlikely | 10 – 35% | The event could occur infrequently

3 | Possible | 35 – 65% | The event could occur at some time

4 | Likely | 65 – 90% | The event is expected to occur in most circumstances

5 | Certain | > 90% | The event will occur in most circumstances

Consequence

Consequence (impact) has, hitherto, been a single category value that deserves to be the subject of greater scrutiny, as consequences can occur in a number of areas. Accordingly the consequence may need moderation across those areas to understand the true value. The following table may assist.

26 Risk matrix

Having identified likelihood and consequence, the resultant risk matrix can be produced to provide a form of “heat map”.

LIKELIHOOD | Insignificant 1 | Minor 2 | Moderate 3 | Significant 4 | Major 5 | Major 5 | Significant 4 | Moderate 3 | Minor 2 | Insignificant 1 | LIKELIHOOD

5 Almost Certain | 5 | 10 | 15 | 20 | 25 | 25 | 20 | 15 | 10 | 5 | 5 Almost Certain

4 Likely | 4 | 8 | 12 | 16 | 20 | 20 | 16 | 12 | 8 | 4 | 4 Likely

3 Possible | 3 | 6 | 9 | 12 | 15 | 15 | 12 | 9 | 6 | 3 | 3 Possible

2 Unlikely | 2 | 4 | 6 | 8 | 10 | 10 | 8 | 6 | 4 | 2 | 2 Unlikely

1 Rare | 1 | 2 | 3 | 4 | 5 | 5 | 4 | 3 | 2 | 1 | 1 Rare

CONSEQUENCE (column headings)


Threats (Negative Description) | Opportunities (Positive Description)

Major 5

- Inability to deliver all or a number of corporate objectives. | - Improved ability to deliver a number of corporate objectives.

- Major disruption to a number of critical services. | - Improved delivery of critical services.

- Loss of life. Severe/Multiple injuries & long term hospitalisation | - Extensive improvements to the safety of the community/employees.

- Extended national media coverage, inc broadsheet editorial & TV. | - Positive local and national media campaigns.

- Major local and significant national environmental damage. | - Extensive improvements to the local and national environment.

- Financial loss >£501k | - Income/Savings >£501k

Significant 4

- Inability to deliver one of the corporate objectives. | - Improved ability to deliver one of the corporate objectives.

- Major disruption to important services. | - Improved delivery of important services.

- Severe/multiple injuries. Long term hospitalisation. | - Improvements to the safety of the community/employees.

- Some national broadsheet & TV coverage. | - Positive local and national media coverage.

- Major damage to local environment. | - Improvements to the local and national environment.

- Financial loss >£251k <£500k | - Income/Savings >£251k <£500k

Moderate 3

- Inability to deliver departmental objectives. | - Improved ability to deliver departmental objectives.

- Significant disruption to important services. | - Improved ability to deliver important services.

- Serious injury. Short term hospitalisation. | - Improvements to the safety of the community.

- Extensive front page press & local TV coverage. | - Positive local media campaigns.

- Moderate damage to local environment. | - Improvements to the local environment.

- Financial loss >£101k <£250k | - Income/Savings >£101k <£500k

Minor 2

- Inability to deliver a departmental objective. | - Improved ability to deliver a departmental objective.

- Minor disruption to delivery of services. | - Improved ability to deliver normal services.

- Minor injuries (first aid required). | - Limited improvements to the safety of the community.

- Some local media coverage. | - Some local media coverage.

- Minimal damage to local environment. | - Very little improvement to the local environment.

- Financial loss >£26k <£100k | - Income/Savings >£26k <£100k

Insignificant 1

- Some problems delivering departmental objectives. | - No change to delivery of departmental objectives.

- Very little disruption to normal services. | - Very little improvement in the delivery of normal services.

- No injuries. | - No improvements to the safety of the community.

- No media coverage. | - No media coverage.

- No damage to local environment. | - No effect on the environment.

- Financial loss <£25k | - Income/Savings <£25k.


27 Risk Based Action Plan

The higher the value of risk the higher the priority for action becomes. Risk values can be grouped and are shown below. Read these in conjunction with the risk treatments (controls).

THREAT

Value | Level of Priority | Action & Timescale

1-3 | Low | Treatment is not essential as Risk is trivial

4-6 | Medium Low. Risk is tolerable | Risk is acceptable as long as all reasonable practicable controls are in place. Report to department manager.

8-12 | Medium High. Risk is moderate | Significant action should be planned to reduce risk. Report to Strategic Risk & Business Continuity Manager

15-20 | High. Risk is substantial | Significantly high risk that where reasonably practicable, activity should cease until action taken to reduce risk. Where not practicable, strict deadlines should be agreed for mitigation. Report urgently to Strategic Risk & Business Continuity Manager

25 | Very High | Activity should be suspended immediately until action taken to mitigate risk. Report immediately to Strategic Risk & Business Continuity Manager

OPPORTUNITY

Value | Level of Priority | Action & Timescale

1-3 | Negligible. Gain is small, if any. | Treatment not essential as Opportunity is limited. Report when able.

4-6 | Marginal. Gain is small, but may have slight benefits elsewhere. | Apply treatment as soon as reasonably practicable. Aim to induce Opportunities. Work should continue whilst Opportunity is induced

8-12 | Considerable. Gain is worth the effort, will have immediate benefits, and possibly some benefits elsewhere. | Induce opportunities. Report to Strategic Risk & Business Continuity Manager.

15-20 | Substantial. Notable financial, structural or reputational benefits | Commence activity and negotiate Opportunity expeditiously. Maintain Opportunity to ensure no threats occur. Report urgently to Strategic Risk & Business Continuity Manager.

25 | Extensive. Very high value benefits to the Service. | Commence activity and negotiate Opportunity immediately. Report immediately to Strategic Risk & Business Continuity Manager

28 Risk Response

Risk response, or treatment, involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify risk controls. Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

taking or increasing the risk in order to pursue an opportunity;

removing the risk source;

changing the likelihood;

changing the consequences;

sharing the risk with another party or parties (including contracts and risk financing); and

retaining the risk by informed decision

29 Control measures and decisions

Control measures involve selecting one or more options for modifying risks, and implementing those options. Once implemented, they provide or modify the controls.


Applying control measures involves a cyclical process of:

Assessing a control measure

Deciding whether residual risk levels are tolerable.

If not, generating a new control measure, and

Assessing the effectiveness of that control measure

Control measure options are not necessarily mutually exclusive or appropriate in all circumstances. Options can include:

Risk avoidance by deciding not to start or continue with the activity associated with the risk.

Taking, or increasing the risk in order to pursue an opportunity.

Removing the source of the risk.

Changing the likelihood.

Changing the consequence.

Sharing the risk with another party or parties (including contracts, risk financing, partnerships).

Retaining the risk by informed decision.

Selecting the most appropriate control measure option involves balancing the costs and efforts of implementation against the benefits derived, having regard to legal, regulatory, and other requirements such as social responsibility and protecting the natural environment. Decisions should also take account of risks that can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

Selected control measures may also introduce their own risks, e.g. a significant risk can be the failure or ineffectiveness of the control measure. Secondary risks can occur that need their own controls and so on.

Where appropriate, risks should be considered in the light of the values and perceptions of Service stakeholders, e.g. our Partnership arrangements (See Annex E) and in connection with the IRMP consultation process.

30 Control Measure Plans

A control measure plan documents the control options chosen and identifies how they will be implemented. Such information will include:

The reason for selection, and anticipated benefits

Those accountable for approving the plan and for implementing the plan.

The proposed actions

The resources including contingencies required.

Performance measures and constraints.

Reporting and monitoring requirements.

Timetable for action.

A control measure plan can be integrated with management processes, and take account of the extent of residual risk. (Also refer to Risk Assessment template)

31 Reviewing and Reporting Risks

Appropriate and effective review and reporting arrangements reinforce and support risk management activities. This will allow up-to-date and accurate performance information to be passed to risk owners and senior managers. This should include trend analysis mechanisms.


We need evidence that our management interventions are having the desired outcome on our risks. Risk owners should use JCAD Risk as a dynamic agent to monitor and review risks and controls on an ongoing basis.

In addition to the ongoing identification and monitoring of risks, a formal and annual assessment of the effectiveness of the process is included in the Service’s Statement on Internal Control reported to Policy & Strategy Committee. The reporting chain will be the Risk Management Committee to the SDB for SMB.

32 Monitoring

The risks identified within each register and associated action plans need close monitoring at regular intervals at Directorate, Departmental or project meetings. This process will assist in the development of staff to be more risk aware and not risk averse. This provides further opportunities to identify emerging risk, to allow for the appropriate assessment to be carried out, and to ensure that key controls and other mitigating actions can be put in place.

A high priority emerging risk at any level within the organisation is to be assessed and recorded as a matter of urgency. Do not wait for the next programmed meeting but report to the relevant manager or the Risk & Business Continuity Manager.

An additional aspect to monitoring is the need to watch for trends, that is a second or subsequent occurrence of the same or similar risk, in one or more locations and/or at one or more levels.

33 Audit and Review

The changing environment and introduction of new initiatives and control measures means that risk is always changing and new risks and opportunities will arise. For this reason Risks and their Controls should be reviewed quarterly and refreshed annually as part of the business planning process. Risks will be amended to reflect the current situation; obsolete risks deleted, whilst new and emerging risks are identified, and entered on JCAD Risk accordingly. (See page 29)

A more frequent and independent review by Risk owners (or their nominees) of some Risks may be appropriate in some circumstances; for example, for a critical major project or where a Department is implementing many new initiatives.

Strategic Risks will be reviewed quarterly by the SDB.

Directorate Risk will be reviewed quarterly and refreshed annually by the Director and Department heads, with reference up to the Strategic Risk Register on review as required.

Department Risks will be reviewed quarterly and refreshed annually by the Department Manager, with reference up to Directorate level on review as required.

Project and/or Partnership Risks should be reviewed quarterly and refreshed annually by the relevant Project Manager and joint risk review meetings with our partners, with reference up to Directorate or Strategic level on review as required.

It is vital that each Risk is considered in terms of level of accuracy and fitness for purpose. The strategic risk management policy and associated procedures are reviewed annually to ensure that they still meet the needs of the Service and corporate governance arrangements. Remember that a reduction in risk is only “real” when the proposed actions have been implemented.


34 Influences on Risk Management

There are a number of influences on risk management that may affect us from time to time. These currently are:

Central Government requirements

Regionalisation projects

Partnership Working:

Corporate Influences on Strategic Risks:

Changing the culture of the Service to accept risk management as a normal part of overall management, and then managing the embedding of risk management across the Service.

Limits on resources (finance, people, and time) often mean that additional identified controls cannot be implemented. The information on JCAD Risk can help to set priorities by assessing the reduction in risk that can be achieved versus the resources required to implement the additional controls. The aim is to achieve the best reduction in risk with the resources available.

The risk owner will have ultimate responsibility for seeing that actions are implemented. Control measure owners will be responsible for ensuring that existing controls remain effective and that the agreed additional controls are implemented. In some cases, implementation of additional controls may be managed by another individual. It is important to be clear on who “owns” the actions.

Risk management must be used to inform the decision making process within the Service. Ideally, all decisions such as changes in policies, procedures or practices, and all resource commitments, should result in the reduction to the Service’s highest priority risk. This means that at all levels, proposals to make changes or commit resources should include reference to the effects that this may have on the risk profile of the Service.

For significant changes, this should be incorporated into the requirements for business planning, so that all business plans, bids for funding, proposals etc are required to include a section which shows how they will help reduce the risk to the organisation and whether any additional risk will arise. Risk entries on JCAD and action plans should be flexible enough to allow the Service to respond to unforeseen risks, serious incidents, external events or changes in national policy. A dynamic, comprehensive and effectively used risk management system will not only drive effective risk management, but will also ensure that the organisation can justify the decisions it has made.


ANNEX A – RECORDING RISK & JCAD RISK SOFTWARE

A 1 Introduction

In previous times, paper and electronic Risk Registers logged negative and positive risks that influence success in achieving aims and objectives. They were dynamic living documents, populated through risk assessment and evaluation processes, identified in previous paragraphs. The Service now uses JCAD Risk software to

Record negative and opportunity risks,

Provide transparency of risk information across the Service, and

Provide a mechanism for audit and review of risks and controls.

This enables each risk to be quantified and ranked, and provides a structure for collating information about risks that helps both in the analysis of risks and in decisions about whether or how those risks should be treated. The same principle applies to all registers. Using JCAD Risk is the start of an action plan with the identification of additional control measures that could be implemented to reduce threats or increase the potential to benefit from opportunities.

All involved with entering or reviewing risks will receive a JCAD User Guide. It is not the place of this document to repeat the content of that Guide. In brief, however, this Internet Explorer style intuitive programme opens to a “My Summary” screen from which a risk owner or risk control owner can migrate to tasks, risks, and construct reports, amongst other activities. The dashboard style report screen provides overviews of the Risk register, Control measures, and Diary Actions, as well as a colour coded “My Charts” pie chart representation. The JCAD Guide and the JCAD FAQ document describe activities in more detail.


ANNEX B – ECFRS/EFA Reports – “What are the risk management implications?” Guidance for authors

Reports have summary statements concerning potential Financial, Legal, Environmental, and Risk Management implications. This brief paper aims to provide some guidance around how to respond to the question, “Risk Management implications”. This comes in two forms; firstly the “science”; secondly, a practical explanation.

B 1 The “Science”

Risk Implications

Risk is the effect of uncertainty on objectives. Risk management is the coordinated activities to direct and control an organisation with regard to risk. Risk management helps decision makers make informed choices, prioritise actions and distinguish among alternative courses of action. Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among other managers.

The risk implications may have been covered already in one or more of the other guard headings, as the report author exposed those implications. This section provides the report author with the opportunity to collate those risks, or if not mentioned, identify and discuss them. This section should:

Identify the risk(s)

Properly identify the controllable and uncontrollable risks

Identify the triggers and consequences associated with each risk. All significant triggers and consequences should be considered.

Analyse the risk(s)

Risk analysis involves understanding the risk(s). Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment. Risk analysis provides input to making decisions where choices must be made.

Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur.

Evaluate the risk(s)

The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment, (controls), and the priority for treatment implementation.

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

Decisions should be made in accordance with legal, regulatory and other requirements.


Identify controls to apply to the risk(s)

Risk control options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

Taking or increasing the risk in order to pursue an opportunity;

Removing the risk source;

Changing the likelihood;

Changing the consequences;

Sharing the risk with another party or parties (including contracts and risk financing); and

Retaining the risk by informed decision.

B 2 The Practical Explanation

First, it is necessary to consider upside as well as downside risks, or put another way, opportunities and threats. At first glance the word “risk” does not seem appropriate to consider for a positive. The point here is that whilst there may be a risk connected with the proposed activity, the returns, in terms of either financial gain, or gain in kind, outweigh the potential losses, and the odds favour going with the risk. In simple terms, positive and negative risks are two sides of the same coin, as we will see below. One aspect of opportunity risk is that whilst these might be planned, they may be more likely to occur with little notice. Therefore the decision cycle must be rapid if the full benefit of an opportunity is to be gained.

Next, the report will provide details of a proposed activity. In general terms, it will set out:

Why the activity is necessary, (history, current circumstances, future situation(s))

What options exist in real terms to conduct the activity, taking account of, e.g. environment, financial climate, supplier issues, etc?

Proposed optimum activity

Risk management implications are likely to fall out of the text as the Report is written. In general, risk management is broad in intent, and can take into account Financial, Legal and Environmental issues, amongst others. The illustration below concerns premises owned by the Service, the future of which has to be considered.

Situation

Workshop premises are old, and whilst still useable, are beginning to become unfit for purpose. They were built more than 50 years ago, and appliances have changed considerably since then, in both size and weight. In addition, work and health & safety best practices, though legal, could be improved in a modern facility. Upkeep and refurbishment of the premises is beginning to become expensive. The potential for moving another department, with stores requirements, may offer some greater site utility. Finally, the facility sits on a large plot, which, despite the current climate, may be worth selling on, to relocate more centrally.

The Report

The report will describe the history of the site, its size, what surrounds it, what activities are conducted on it. It will go on to describe what, in the opinion of workshops, the site should now be able to provide, and why those provisions should be made. The report will consider the wider uses that the existing site may be put to, both for the Service, and following sale. The report will set out a number of options, with costs for each as appropriate, and an explanation of specific upside and downside, (opportunity and threat) risks attached to those options. Finally, the report will offer a recommendation, expanding on reasons why as necessary.


Risk management implications

If not covered in the main body of the report, which may well obviate the need for elaboration under a specific paragraph heading, the risk management implications will need to cover the “what ifs”. Risk considerations may be: What if we just carry on as we are? So what? What if we sell up and move to a new site? What if we refurbish the existing premises to a high standard, and build a block for storage? What are the implications around demolition and rebuild? How much is this going to cost now, and how much might it cost in, say, five years’ time? How does this fit with our strategic proposals for the Service? How does this sit with compliance with current legislation? What future proposed legislation are we aware of that we need to take account of now in order to future proof compliance as far as possible? (Cross reference to Legal Implications). What risks are associated with project management? How long will this take? By taking the opportunity now, we may find a saving over taking the same step in five years’ time because…. By improving our site to X standard, we will be able to take in additional fee earning work from….

In general terms, the risk management implication might focus on the PESTLE risks, shown more fully elsewhere in this Risk Policy, Strategy and Guidance, but for reference are:

Political, Economic, Social, Technological, Legislative, and Environmental.

In noting both the positive and negative aspects of the “risk” involved with the proposals, it is incumbent upon the author to show how proposals manage or mitigate any resultant added risks.

It is highly unlikely that any report will contain nil risk content.


ANNEX C – ESSEX FIRE AUTHORITY RISK MANAGEMENT

C.1 Introduction

This part of the Compendium looks in more detail at constitutional matters, and the responsibilities of the Risk Management Committee outlined in the table on page 6. Two substantive Committees of the Essex Fire Authority involve themselves with risk management. The Policy and Strategy Committee of the EFA has, as one of its terms of reference:

“To set and determine the Risk Management policy and strategy for the Authority”

That policy is informed and managed by a tri-partite arrangement involving:

The Risk Management Committee (RMC)

The Strategic Delivery Board (SDB)

The Senior Management Board (SMB)

The Audit, Governance & Review Committee, through the Audit Sub Committee, will consider and report on Internal and External Audit reports, which will include reports on Risk (and Business Continuity) Management.

C.2 Risk Management Committee – Membership and Constitution

The Risk Management Committee is a standing joint Member Risk Champion and Senior Officer working group that advises SDB, through its Minutes, of the strategic risk and business continuity management arrangements and issues prevailing. It also demonstrates internal control. The membership of the Committee for the Municipal Year 2012 – 2013 is:

Chair – SDO Special Projects. (Rapporteur to SDB)

Vice Chair – Risk & Business Continuity Manager

Finance Director & Treasurer

Elected Member Risk Champion

SDO Operations

SDO Safer Communities

Head of Fleet

Health & Safety Manager

Training Manager

Minutes Secretary (Risk & Business Continuity and Special Operations Support Officer)

C.3 Co-opting of Members

The Committee may co-opt any member of staff from within the Service for any particular meeting if it is in the interests of promoting Service risk management. Any member of staff may make a request to attend the meeting as an observer. Such requests should be forwarded to the Chair.

C.4 Committee attendance

Those selected for the Committee will be expected to attend every meeting to ensure continuity of the group so that information can flow consistently through the Service. If a member is unable to attend, substitutes should be sent in their place or at the very least a position statement should be produced for the meeting to identify progress on outstanding or ongoing actions.


C.5 Meetings and Reporting

The Committee will meet every three months or thereabouts and the dates will be circulated in advance.

In exceptional circumstances other meetings will be arranged with a sufficient amount of prior warning.

The meetings will take place at Service Headquarters, Kelvedon Park.

Agendas will be provided via email and will be circulated no less than five working days prior to the meeting.

Minutes will be taken at each meeting and then circulated via email to all members as soon as possible after the meeting for comment.

At the next available meeting, Minutes from the previous meeting will be formally approved, and reviewed to ensure that actions have been completed or progressed.

C.6 Risk Management Committee Terms of Reference:

To maintain an overview of, and to keep under review, the effectiveness of the risk management infrastructure within the Service and to make appropriate recommendations to the Strategic Delivery Board on all significant matters relating to the Authority and Service risk strategy, policy and management arrangements, reflecting any changes in the wider operating environment.

To provide support to the SDB under its Terms of Reference and in particular the SDB role in recommending new risks and reviewing the Strategic and Emerging Risk Registers.

To promote, coordinate and facilitate the implementation of effective risk management across the Service to ensure it becomes embedded.

To regularly assess the completeness and accuracy of all risk registers.

Consider, and where appropriate recommend, training on risk management issues for all connected to the Authority.

Where appropriate, consider and act upon any major findings of an external and formal Audit function, other external findings, Internal Audit and Management responses on key business areas to assess the level of risk exposure.

Horizon scanning for:

o Good practice.
o Emerging risks

The Terms of Reference will be reviewed at least annually as part of the Strategic Risk Management Strategy, through the annual review of the Risk Management Policy, Strategy and Guidance.


[Diagram: Devolution and Management of Corporate Risk]

Departmental Risk Register: A collection of risk assessments managed by Departmental Managers.

Directorate Risk Register: Records Directorate Risks or higher value risks referred up by Departments. Managed by Directors.

Strategic Risk Register: Records strategic and organisation wide risks and higher value risks referred up by Directorates. Managed by the Strategic Risk Management Committee via the SDB.

Risks that cannot be treated at that level - risks with implications beyond the Department.

Risks that cannot be treated at that level - risks with implications beyond the Directorate.

Other labels in the diagram: Partnership Risk; Project Risk; SDB; Risk Management Committee; Essex Fire Authority; SMB; Devolution; Management; JCAD; CREATE; REVIEW (JCAD); CONFIRM (JCAD); ASSURANCE; Quarterly Risk Management Committee meetings; Quarterly Risks and Risk Controls Reviews prompted by JCAD; Exception reporting to the SDB when required; SMB Overview.


ANNEX D – PROGRAMME, PROJECT AND PARTNERSHIP RISK

Partnerships are a significant feature of public service delivery. At the last count, around 5,500 partnerships existed in the UK, accounting for some £4 billion of public expenditure (Audit Commission 2005)

D.1 Introduction

The Service Risk Management Policy statement and the subsequent Strategy apply to Programme, Project and Partnership risk management. The paragraphs below identify aspects that inform the risk management processes required when dealing with these two topics. Programme management is the process of managing several related projects, often with the intention of improving an organization's performance. In practice and in its aims it is often closely related to systems engineering.

There are two different views of how programmes differ from projects. On the one hand, projects deliver outputs; programmes create outcomes. On this view, a project might deliver a new fire station or IT system. The other view is that a programme is nothing more than either a large project or a set (or portfolio) of projects. On this second view, the point of having a programme is to exploit economies of scale and to reduce coordination costs and risks. The project manager's job is to ensure that their project succeeds. The programme manager, on the other hand, will care less about individual projects, but will be concerned with the aggregate result or end-state.

According to the view that programmes deliver outcomes but projects deliver outputs, programme management is concerned with doing the right projects, whereas project management is about doing projects right. And also according to this view, successful projects deliver on time, to budget and to specification, whereas successful programmes deliver long term improvements to an organisation. Improvements are usually identified through benefits. An organisation should select the group of programmes that most take it towards its strategic aims whilst remaining within its capacity to deliver the changes. On the other hand, the view that programmes are simply large projects or a set of projects allows that a programme may need to deliver tangible benefits quickly.

As can be seen, often Project and Partnership run hand in hand in the delivery of outputs; however, each topic must be subjected to a separate process. Unless a partner has been examined from a risk basis, the appropriateness and effectiveness of the partnership cannot be examined, and therefore neither can the project be exposed fully to worth. An important foundation element to all this work is the correct identification of the risks, which means understanding the business, (as for business continuity), and then applying an accurate risk descriptor. Working in partnership usually means that organisations will commit significant resources, in terms of staff time or finance to develop and then deliver the desired outcome. It is therefore essential that all of the partners identify, understand and manage their role in the partnership in the most appropriate way.

D.2 General

A programme, with a number of projects, or a series of individual projects, are already, and are increasingly, being delivered through partner organisations, and high risk/reward options are often being taken, in pursuit of innovation and maximum improvement. Effective and successful partnership working requires identifying the risks and opportunities that can hinder or help the partnership achieve its objectives. If this is done properly, and at the start of the process, there is a much better chance that the partnership will be successful and all parties enjoy a win/win outcome. It doesn’t matter if the partnership is small, involving only two parties, or a large and complex multi-agency arrangement: the same principles apply. Risk management must be seen as an integral
part of the partnership process, which needs to have resources devoted to it, as with any other areas of work, if it is to be successful. With somewhat less than direct control, there are risks around failing to align agendas, cultures, and communicating effectively. Partnerships can lead to a higher level of uncertainty (especially when working with new partners), and introduce different, and potentially unfamiliar, risks inherent in the partner’s business. Problems experienced have included polarised perspectives on risks; difficulty in generating a sense of ownership of action to address risks; lack of clarity about what risks had been transferred etc.

A project managed through MicroP2 can, and should, use the Risk log within that system. A joint and shared, Project/Partnership Risk Register provides a good basis for ensuring that partners share their assessments of risks, thus giving the opportunity to come to agreed judgements, allocate responsibility for action, possibly resource, and trigger monitoring information. Such a Register ensures complete understanding for both parties about risks to implementation and ongoing service delivery, and enables a joint approach to managing risks. Clarity of who is responsible for, and manages, which risks is also essential.

Other than determining the objectives of the partnership, the four steps described on page 18 should be followed. Meanwhile, this document is not intended to be a full Partnership Management paper, but clearly an exit strategy must be considered under risk in order to ensure a clean, unambiguous, mutually agreed and non-contentious, (i.e., no outstanding business, insurance claims, or litigation pending) point of partnership termination. The key is total mutual involvement from the very start.

D.3 What is a partnership?

A Partnership can be defined as an arrangement where the partners;

are otherwise independent bodies and

agree to co-operate to achieve a common goal or

create a new organisational structure or process, which is separate from each parent organisation, to achieve a particular goal or

plan and implement a jointly agreed programme often with joint staff resources and

share relevant information or

might pool resources, risks and rewards

are flexible to allow change, but

where the partnership is not subject to the normal command and control management within each organisation, it does have joint (agreed) governance arrangements.

Partnerships can vary hugely in size and complexity, from a mutual coming together to solve a joint problem to a multi-agency partnership used to deliver a completely new set of services in a completely new way. From a risk management perspective, it is not necessarily appropriate to devote the same resources and attention to every partner or partnership, although the risks and opportunities involved are not necessarily in proportion to the size of the partnership and will change as it develops and matures.


D.4 Assessing prospective partners

There are many different forms of partnership but they generally fall into one of two distinct types:

Procurement partnership, which has a much stronger client/contractor split to the partnership where the gains for each partner differ (money for the contractor; services for the client).

Mutually supportive partnership, where two or more organisations join forces to work together to improve services or reduce cost. Examples are partnerships where the Service works with the Police and Local Authority to meet the requirements of the Civil Contingencies Act 2004, or the Crime & Disorder Act 1998.

Two simple tools can help identify how important the partnership is to the Service. Risk management activities can then be proportionate to the risks associated with a particular partnership agreement.


[Diagram 1: Size of partner relative to your organisation (SMALL to LARGE) against Impact on organisation of failure of partnership (LOW to HIGH)]

Quadrant 1: A failure of the partner to deliver may not cause any significant problem for ECFRS or it may be easily rectified

Quadrant 2: The partner may be bigger than ECFRS but failure of the partnership agreement would not be a significant issue for the Service.

Quadrant 3: The partner may be small compared to ECFRS but the output from the partnership may be significant to the Service

Quadrant 4: The partner may be large compared to ECFRS and the output of the partnership is critical to the Service achieving its objectives

[Diagram 2: Complexity of partnership arrangement (SIMPLE to COMPLEX) against Impact on organisation of failure of partnership (LOW to HIGH)]

Quadrant 1: The partnership is simple and not critical to achieving objectives

Quadrant 2: The partnership is complex and may involve several organisations but it is not critical to achieving objectives

Quadrant 3: The partnership is simple and may only involve ECFRS and one other organisation. However, failure would have a high impact on ECFRS

Quadrant 4: The partnership involves many organisations and may even be in existence over a number of years. ECFRS may not achieve objectives if the partnership fails

Making this simple assessment of a partner organisation in relation to the Service can immediately indicate whether significant attention is needed on assessing and managing the risks associated with the partnership or whether risks are unlikely to be of major concern.

Diagram 1 shows a simple way of assessing the relative importance of different partners / partnership activities against the size of the Service.

Diagram 2 shows a simple way of analysing the complexity of the partnership against the potential impact on the Service of its failure.


This additional simple assessment of a partnership arrangement can immediately indicate whether significant effort is going to be needed on assessing and managing the risks associated with the partnership or whether risks are unlikely to be of major concern. Based on the above analysis, the efficacy of the partnership can be risk-ranked.

Diagram 3 - Putting diagrams 1 and 2 together

Columns: IMPACT of failure of partnership; SIZE of partner relative to ECFRS; COMPLEXITY of partnership; RISK; ACTION

High impact: Large (complexity High, Low); Small (complexity High, Low)

Low impact: Large (complexity High, Low); Small (complexity High*, Low)

RISK and ACTION: HIGH (See D.4.1 below); MEDIUM (See D.4.1 below); LOW (See D.4.2 below)

* This category may be found where there are many partners and, while the partnership is important to the organisation, individual partners are not.

The whole process is about ensuring that risk management efforts are prioritised towards the most critical areas first. For some partnership arrangements other factors may make important contributions to the overall risk and will need to be taken into account. For example, a high risk might be where the potential partner is the only one that can provide that particular service combined with a high impact if the partnership fails.

The result of the initial categorisation should be recorded before going on to the next step.

D.4.1 High and Medium Risk Partnerships

For partnership arrangements that are categorised as “high” or “medium” risk, a risk assessment should be carried out and the results recorded in a Risk Register for that partnership. As previously stated, the methodology for the risk assessment of partnerships is the same as that adopted for risk assessments throughout the Service. In accordance with the methodology, possible further control measures should be identified and an action plan developed for the implementation of those, where they are cost effective and proportionate to the risk identified.

In order to identify, assess and then manage the risks in a medium or high risk partnership, it may be helpful to break down the process into its component parts, as shown in the diagram below.

[Diagram: the partnership process, in ten numbered steps]

1. Assess need for goods/services
2. Specify requirements
3. Agree list of potential partners
4. Invitation to partner
5. Evaluate options
6. Enter partnership
7. Agreeing form of Contract, SLA, or MoU
8. Formal partnering contract agreed
9. Manage, monitor and evaluate performance
10. Exit ensuring trust & loyalty

Diagram labels: Key information on partners performance and motivation; Preparing the ground; Choosing partners and partnering strategy; Setting up the partnership, managing and monitoring.

You can then use this breakdown as a prompt to work out more precisely what risks might occur, and at what stage they might occur in the partnership process. The mutual need for each other might be on the opposing line – so if you really need each other, even if there is only one choice, the risk is minimised because both sides will work very hard to make the partnership work. The questions in Appendix 1 may also assist. The result of the initial categorisation should be recorded before going on to the next step.

Note that if the partnership is very high profile, or where the (financial) risks are potentially high, a process known as “Due diligence” may be necessary. Due diligence is a term used for a number of concepts involving either the performance of an investigation of a business or person, or the performance of an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations. A common example of due diligence in various industries is the process through which a potential acquirer evaluates a target company or its assets for acquisition.

In business transactions, the due diligence process involves investigation into the details of a potential investment, (the partnership), such as an examination of operations and management and the verification of material facts. Investigation varies for different types of companies. The relevant areas of concern may include the financial, legal, HR, tax, environment and market/commercial situation of the potential partner. Other areas include intellectual property, real and personal property, insurance and liability coverage, debt instrument review, employee benefits and HR matters, ethics, possibly even immigration, and international transactions.

Process is defined as a sequence of interdependent and linked procedures which, at every stage, consume one or more resources (employee time, energy, machines, and money) to convert inputs (data, material, parts, etc.) into outputs. These outputs then serve as inputs for the next stage until a known goal or end result is reached.

Consider too the related business terms of misfeasance, malfeasance and nonfeasance. The expressions misfeasance and nonfeasance, and occasionally malfeasance, are used in English law with reference to the discharge of public obligations existing by common law, custom or statute. Misfeasance is determined in relation to privity of contract. When a contract creates a duty that does not exist at common law, the parties can do one of three things: (1) perform the duty fully; (2) perform the duty inadequately or poorly; or (3) fail to perform the duty at all. When a party fails to perform at all, it is nonfeasance. When a party performs the duty inadequately or poorly, it is misfeasance. Malfeasance is used to denote outright sabotage which causes intentional damage.

Do not forget that your partner(s) should be going through the same exercise on the Service!

D.4.2 Low Risk Partnerships

For those partnerships that are categorised as “low risk” it is not necessary, but may remain appropriate, to carry out a detailed risk assessment of the partnership arrangement. For example, it remains important to check that the essential elements are in place, or are being addressed, to ensure that the risks associated with that partnership are managed effectively. The checklist in Appendix 1 below indicates the areas that should be considered. For any low risk partnerships, the checklist should be completed as a minimum and actions should be identified to address any areas that are not adequately covered. The checklist should be reviewed periodically during the life of the partnership to determine whether anything affecting the risk has changed and whether any additional actions are needed to manage those risks.

Key partnership risks and opportunities should be managed through your own internal process looking at both the risks and opportunities TO the partnership and OF the partnership. Registers should be drawn up both for the process of forming a partnership and for the live partnership. The risk and opportunity register for the live partnership, however embryonic its form, is a vital document to consider as part of the decision to proceed, or not, with the partnership.

Although the initial categorisation may have indicated “low risk”, if there are any specific issues or concerns about the arrangement, then a risk assessment should be carried out as described above for the medium and high risk partnerships.

D.5 Identifying risks associated with delivering objectives

So far, we have looked at mechanisms around partnership risk arrangements that will help in the identification of risk areas, but what are some of the risks that entering into a partnership may bring? The tables below ask some questions as a score checklist. The results would need translation onto a Risk Register. This is adequate for low, and some medium, risk partnerships, but a more complex partnership, or a simple partnership with significantly higher risk in, say, financial terms or reputation, may need a more scientific approach. It is suggested that you contact the Risk & Business Continuity Manager in this instance.

Appendix 1 – How to manage low risk/opportunity partnerships – key questions

Columns: Key tasks you need to consider / Is it needed? / Who is responsible? / Status / Action required

Reason for partnership?

What are its agreed aim and objectives? Are these clear and unambiguous?

Establish added value in partnership. Tangible? If so, how to demonstrate to public?

Who will answer to the public purse, and who will deal with enquiries from the public?

Formal partnership agreement (duration and gateway reviews)

Define individual and partner roles and responsibilities

Governance arrangements in place are?

Performance monitoring arrangements (including budget and Value for Money)

Who is responsible for insurance, insurable risks and risk sharing requirements?

Is there any question of personal liability arising for any single person, (Members or officers), or group of people within the partnership?

What business continuity arrangements or other contingency plans in general for individual partners and the partnership itself are there, or are needed?

Human resource implications (health and safety, equality, pay and conditions, diversity and data protection and so on)

How to deal with under or over achievement against targets

Clear, unambiguous, agreed, yet flexible exit strategy apparent before the Project/Partnership commences activity.

Who will own any physical or intellectual product of the partnership?

What is the partnership risk appetite and how does that compare to the constituent partners’ individual risk appetites?

Identifying Risks Associated with Delivering Objectives.

Columns:
Internal factors
Risk to potential success of Project or Partnership: Low / Medium / Medium / High
Rating: Excellent / Good / Acceptable / Poor
Particularly important for: Outcomes / Outputs / Inputs

Policy. Does the proposed arrangement meet our partnership policy conditions?

Has a cost/benefit analysis been carried out to determine whether the proposed partnership objectives can be delivered without a different form of partnership arrangement, for example by way of contract or bilateral agreement?

Commitment. How committed is/are your partner(s) top management?

How committed are our (senior and other) managers that will be involved in the actual work?

Is there a partnership management structure?

Who has the balance of power in the partnership, if anyone?

Does the structure have executive powers?

Are staff assigned – with time!

Expertise. Is there a track record of managing long term projects/partnerships?

Are there any training issues to resolve?

Finance. Is there a budget, with year on year commitment for the life of the project/partnership?

Does it take account of inflation or other contingencies?

Are losses insurable by the partnership? (See Legals) Who is responsible?

If insurable, to what extent?

Does or do your partner(s) face more financial exposure than the Service?

Have all project or partnership costs been properly exposed, and accounted for with a contingency arranged if necessary?

Time. Is there a project or partnership time table?

Is it realistic?

Is it flexible?

Is it agreed by all stakeholders?

Is it sustainable?

Reputation. If the project fails, who will be hurt the most in the eyes of the public or the peer group community?

Communications. Is there an agreed project or partnership Communications strategy?

Opportunities. Have downstream opportunities been identified?

If present, are these absorbed into the project or partnership now?

If not, have the positive and negative risks associated been taken into account?

Risk. Is a properly constructed and agreed Risk Register in place in connection with the project or partnership?

Can risk be balanced across all proposed partners?

Resources. Are all the resources required to undertake the project or partnership known and accounted for, either as already available, or for procurement via the budget?

Suppliers and sub-contractors. If needed, are third party suppliers involved with the project or partnership?

Do they supply key ingredients to the project or partnership?

If so, do these third parties have business continuity plans to support the project or partnership during its lifetime?

Procurements. If required, are procurements during the lifetime of the project or partnership guaranteed? (This is whether through the partners, suppliers or (sub) contractors.)

Technical and Product Maturity. Where appropriate, are all products identified as necessary for the project or partnership tested?

Geography. Are there any geographical impediments to the project or partnership?

Legals. Have all legal aspects been considered, and any issues resolved? Should / can the partnership exist as its own legal entity? Is it legal?

Audit arrangements. Is one of the partners providing an Internal Audit mechanism in advance of any one partner’s own formal Internal Audit process? What are the arrangements? (See E.6 below)

D.6 Partnership Auditing

The Service external auditor will use a methodology to determine how well we are managing our audit arrangements. The audit may follow the model shown below.

It therefore follows that managing our partnership arrangements should follow this model.
