
Annual Risk Management Report Sample

This annual risk management report provides an overview of the council's risk management processes and performance over the past year. It discusses the risk management team and their aims, including ensuring consistent risk management practices and a risk-aware culture. It describes the corporate risk management process, which involves identifying, assessing, and prioritizing strategic risks to the council's objectives. Key parts of the process include risk workshops, a risk champions group that reviews directorate and corporate risks monthly, and reporting of significant residual risks to senior leadership. The report also covers risk training, promotion, and the audit committee's role in overseeing the council's risk management strategy.

Uploaded by

Suman khadka

Annual Risk Management Report


2017/18

Steve Tinkler,
Head of Audit and Risk Management

Contents

1.0 Introduction
2.0 Risk Management team
3.0 Corporate Risk Management Process
4.0 Risk Management Support and Interventions
5.0 Preparation and Publication of Risk Management Information
6.0 Risk Management training
7.0 Promotion of Risk Management
8.0 Risk Management performance
9.0 Risk Management Action Plan 2018/19

Appendix 1: Corporate Risk Register
Appendix 4: Risk Management scoring matrix

1.0 Introduction

1.1 The Council’s ongoing risk and assurance aims are:

• To provide Members and Senior Officers an understanding of the
key risks facing the Council and its community, and to show how
these risks are being effectively mitigated.
• To implement and maintain a fluid process for business as usual
management of risks relevant to our objectives, outcomes, services
and assets.
• To align reporting mechanisms for finance, risk, audit and
performance providing members and senior officers triangulated risk
and assurance profiles.
• To continue to meet the requirements of our external auditor and
compliance providers.

2.0 Risk Management Team

2.1 The Risk Management team comprises Internal Audit, Fraud, Insurance
and the Risk Management services. The team is led by the Head of Audit
and Risk Management. The following section focuses on the Risk
Management service, which is delivered by the Head of the team and the
Strategic Risk Adviser. It highlights the aims of the team and the services
that underpin these objectives.

The Risk Management team’s aims and services

2.2 The Risk Management Team has the following targets:

A. Ensuring the consistent use of risk management and ownership of
risk at all levels;

B. Building and maintaining a risk aware culture within the council,
including appropriate education and training;

C. Developing, implementing and reviewing the risk management
framework and risk management processes;

D. Developing competence and maturity in risk management;

E. Linking with the other functions within and beyond the Risk
Management team that advise on specific aspects of risk
management (e.g. insurance, health and safety, business continuity,
civil contingencies, occupational health, internal audit);

F. Reporting, escalating and communicating risk issues to key
stakeholders.

2.3 In order to meet these aims the team delivers the following services:

• Management and coordination of the corporate risk management
process which is part of the council’s corporate governance
framework.

• Provision of professional risk management support on a range of
corporate and directorate projects. This includes, where appropriate,
attendance at management meetings, risk interventions such as the
production of risk strategies and process guides, risk identification
and control workshops, access and training to the council’s Risk
Management Information System (JCADCORE).

• Facilitating a series of risk workshops to continually refresh and
review risk registers which include identification, analysis and
evaluation of risks to objectives, discussion on existing and proposed
mitigation with an in-depth look at its effectiveness, reliability,
relevance and cost, concluding with a review and confirmation of
assigned risk and control responsibilities.

• Preparation and publication of risk information on TH Net.

• Maintenance and development of the Risk Management Information
System.

• Provision of risk training for members, senior managers, new
managers and staff, as well as regular training opportunities on
JCADCORE.

2.4 Role of the Audit Committee in supporting the risk management
process.

• The Committee oversees the Council’s risk management strategy,
anti-fraud and anti-corruption arrangements, and is to be satisfied that
the Authority’s assurance framework properly reflects the risk
environment.
• Members have a critical role in establishing the environment that will
allow the effective management of risk to flourish.
• To consider all audit or external reports relating to any directorate in
the Council and seek assurance that action has been taken where
necessary.
• To receive an annual report from the Head of Audit and Risk
Management reviewing the effectiveness of the Council’s risk
management strategy.
• To consider and report back on any risks related to all governance
issues.

3.0 Corporate Risk Management Process

3.1 The approach to managing risk is outlined in the Council’s Risk
Management Strategy which also contains the Risk Management Policy
Statement.

The Statement encourages innovation and creative approaches to service
delivery whilst requiring careful consideration of the risks involved and
taking appropriate measures to manage them. The Corporate Risk
Management process is aimed at identifying, assessing, prioritising and
mitigating the significant risks that could impact on the delivery of the
council’s objectives (i.e. corporate risks). This process is also aligned with
the council’s team planning arrangements. Risks are prioritised for
reporting in accordance with the scoring methodology in the risk
management scoring matrix.

3.2 Corporate risks (strategic risks) are those concerned with ensuring overall
success of Council objectives, and the vitality and viability of the
organisation. Materialisation of such risks can have a number of
consequences, for example they could significantly affect the reputation of
the Council, or present significant financial costs. Risks are identified and
assessed by impact and likelihood on an ongoing basis across all
Directorates. Guidance has been produced to help Risk Champions (see
3.4 below) and their directorates identify corporate risks from their service
level assessments.

3.3 The review of both corporate and directorate risk is undertaken on a
monthly basis by the Risk Champions Group. A process is in place to help
all directorates capture key risks and assess their significance. The
methodology adopted by the authority (the UK Government’s Management
of Risk approach) is used to assess and prioritise key risks and to focus
attention on those risks that require attention.

Significant risks are examined at directorate level and any risk that remains
significant after existing controls are taken into account (residual risk) is
reported quarterly to the Corporate Leadership Team (CLT) so that it
can be considered further.

Risk Champions Group

3.4 The Risk Champions Group is a key part of the council’s corporate risk
process. The Group is currently chaired by the Head of Audit and Risk
Management and its members comprise senior officers from each of the
directorates. The group meets monthly and its primary purpose is to ensure
that there is appropriate scrutiny of risks that have been identified by
directorates and recommended for elevation to the corporate risk register.
It also reviews and scrutinises directorate risks.

3.5 The role of a Risk Champion is set out in the group’s terms of reference
and includes the following activities:

• Update and maintain directorate risks on JCADCORE every quarter;
• Maintain close liaison on risk and risk dynamics with individual
Divisional Directors and Directorate Leadership Teams (DLT)
collectively;
• Challenge officers in their directorate in their assessment of risk and
seek explanations over the proposed actions to manage the risk;
• Build a risk-aware culture within their directorate and disseminate
good risk management practices;
• Provide advice and assistance as required;
• Obtain an update on planned actions from appropriate service
heads for reporting to CLT; and
• Bring significant risks to the attention of the CLT.

3.6 Once the group has scrutinised, reviewed and updated the corporate risks,
the risk management team prepares a quarterly risk management update
report for CLT and subsequently for the Mayor’s Advisory Board (MAB). A
quarterly update is also presented to the Audit Committee.

3.7 Corporate risk owners continue to be invited to discuss their risk(s) with the
group to get a better understanding on how well the risk is being managed.
It may then make recommendations to the risk owner for suggested
improvements to the controls.

Corporate Risk Register

3.8 Risks that feature on the corporate risk register have been identified by the
corporate leadership team and also include risks that have met the
corporate risk criteria and been escalated by each directorate.

3.9 The current corporate risk register (as at 01/06/18) identifies 12 corporate
risks. The definition of each of these risk ratings is set out in Appendix 4
(Risk Scoring Matrix).

                       Risk Score
Directorate      8    12    15    16    20    25    Grand Total
HAC              0     1     1     0     0     0     2
CSD              0     1     0     2     0     2     5
Place            0     0     2     0     0     0     2
Governance       1     0     0     0     0     0     1
Resources        1     0     0     0     1     0     2
Grand Total      2     2     3     2     1     2    12

Table 1. The number of risks within each directorate by risk score.

Key: HAC – Health, Adults and Community Services directorate
CSD – Children’s Services directorate
Place – Place directorate
Governance – Governance directorate
Resources – Resources directorate

Compared with the same period in 2017, the number of corporate risks
has decreased from 13 to 12.

Risk                     Current Risk Rating   Risk Description

CSD0016 (Children’s)     25                    Death or serious harm to a child that was or
                                               should have been in receipt of services, either
                                               from the council or a partner agency.

CSDSC0014 (Children’s)   25                    Ofsted Inspection in Jan-Feb 2017 has raised
                                               significant failings in the delivery of services
                                               to vulnerable children and families in LBTH
                                               following the Single Inspection Framework. The
                                               report is due for publication on the 7th of April
                                               and provisional gradings plus a draft report
                                               have been received.

REV0007 (Resources)      20                    Impact on local income from Appeals on the new
                                               local rating effective from 1/4/17, due to all
                                               business premises having new rateable values.
                                               On the 1/4/17 all business premises will have a
                                               new rateable value to reflect a more up to date
                                               economic valuation of their premises.

CSDSC0004 (Children’s)   16                    Incidents of serious violence where young people
                                               known to or in the care (LAC) of the Local
                                               Authority are harmed or perpetrate harm in a
                                               community setting.

CSDSC0005 (Children’s)   12                    Loss of resources as a result of a failure to
                                               reach target Payment by Results claims, resulting
                                               in loss of capacity to deliver the Troubled
                                               Families programme. Reputational risk of being
                                               the only Local Authority in England to be
                                               withdrawn from the programme.

ASD0015 (Adult’s)        15                    Death or serious harm to a vulnerable adult that
                                               was or should have been in receipt of services,
                                               either from the council or a partner agency.

PLC0013 (Place)          15                    Following the Grenfell Fire tragedy residents of
                                               tower blocks in the borough are not safe or do
                                               not feel safe from fire following reassurance,
                                               advice, interim measures and completed, in
                                               progress or scheduled remedial actions to improve
                                               fire safety.

DRCPCD0022 (Place)       15                    Failure to have in place a lease extension for
                                               Mulberry Place (or alternative temporary office
                                               location) one year prior to the end of the
                                               current lease (June 2019).

ASD0017 (HAC)            12                    Risk that should a major incident take place
                                               affecting council services, there may be a
                                               failure to implement an effective response. The
                                               risk is increased if there was to be more than
                                               one incident at the same time.

CSDR0011 (Children’s)    12                    There is a risk that the Council may be
                                               challenged in Court for making a formal decision
                                               under the 1967 Act, to retain for educational
                                               purposes the newly constructed Christ Church
                                               Primary School's nursery building, which is built
                                               on a disused burial ground. (The basic premise of
                                               the challenge is that the school had no right to
                                               erect the building, and that it is unlawful to
                                               erect the building on a disused burial ground,
                                               and that it should be demolished).

LPGLS0001 (Governance)   8                     Non-compliance with corporate governance
                                               procedures.

RSB0019 (Resources)      8                     Maintaining and strengthening financial
                                               viability/balance across MTFS period to 2020.

Table 2 – Corporate Risk register summary

Risk Numbers

At the end of June there are 482 identified active risks and 843 active
controls on the Council’s risk register. To ensure the risk management process
remains effective and aligned to organisational objectives, this is reviewed
quarterly by the risk team.

4.0 Risk Management Support and Interventions

4.1 An important role of the Risk Management team is to assist teams/services
in using a risk management approach to help deliver operational or project
objectives. During the reporting period risk management has provided
support to a number of areas within the council. Support can take various
forms including the provision of advice and guidance as well as setting up
risk processes and training. In 2017/18 twenty-two risk workshops were
held with various Directorates and Divisions to review, identify and analyse
risks to their objectives.

5.0 Preparation and Publication of Risk Management Information

5.1 The Risk Management pages on THnet include information and tools on
managing risks which are updated regularly. Over the period more
documents have been added or revised:

• A quick reference guide to Risk Management (a user friendly two
page guide)
• Further guidance on how to use the JCADCORE Risk system
• Risk management guidance for managers
• LBTH Risk Management strategy

6.0 Risk Management Training

6.1 Risk Management training is essential if managers and staff are to
understand the benefits of this approach and use it to help make effective
decisions and achieve directorate/corporate objectives. Risk Management
training has the following goals:

• Creating positive risk management behaviours and culture.
• Communicating risk information.
• Building risk capability.
• Identifying risks to objectives.
• Assessing risks and establishing tolerance.
• Addressing risks.
• Reviewing and monitoring risks.
• Reporting risks.

Fundamentals of Enterprise Risk Management: a practical introduction to
risk management, a bespoke training provided by the Institute of Risk
Management started in May 2017. A major aim of this training is to create a
good risk culture in the Council ensuring the following outcomes for the
Council:

• Risk leadership – creating a distinct and consistent tone from the
top.
• Informed risk decisions allowing sufficient diversity of perspectives,
values and beliefs to ensure that the status quo is consistently and
rigorously challenged.
• Accountability – appropriate risk taking behaviours rewarded and
encouraged and inappropriate behaviours challenged and
sanctioned.
• Transparency – transparent and timely risk information flowing up
and down.
• Risk skills – risk management skills and knowledge valued,
encouraged and developed.
• Alignment with employee engagement and people strategy.

The course contents also include an introduction to risk management, risk
assessment, risk treatment and monitoring & communicating risk. The
training is targeted at senior and middle managers to ensure risk
management capability is consistently embedded across all areas of the
Council. Over a hundred staff have attended and completed the course. By
the end of the training sessions, participants were able to:

• Understand the Council’s approach to risk management;
• Understand how risk management affects decision-making;
• Conduct a risk analysis by drawing up a risk profile and using a risk
matrix;
• Identify risks/uncertainties to achieving a set of objectives and
expected results;
• Prioritize these uncertainties; and
• Decide how to act on the uncertainties within the framework of
project planning.

Risk management methodology and the various concepts discussed during
the training session accompany the training module and are designed as a
guidebook for future reference. It therefore follows the structure of the
training module and covers a fairly extensive review of risk management
concepts using examples to help develop a general understanding of the
subject. It enables participants to set up a risk profile and a risk management
plan for their services.

Risk management training has raised basic awareness of risk management
concepts and mechanisms, enabling participants to identify and manage
risks in their services and strengthening project management through
adequate forward planning of potential risks.

6.3 The Council’s risk management system JCADCORE contains all recorded
risks from across the Council. Information from the risk management
system is used to create reports for management teams and members.

7.0 Promotion of Risk Management

7.1 This section highlights the promotional Risk Management activity which
has taken place during the reporting period.

Risk Talks

7.2 Risk talks are regular, usually monthly, lunch and learn sessions and were
initiated in May 2012. Their purpose is to bring life to Risk Management
through the use of case studies, research, sharing best practice and
updates, all highlighting the importance and benefits of managing risk. The
talks are advertised on the THnet and targeted invitations are sent
to officers. There is usually a mixed audience of senior managers,
managers and staff. Topics have ranged from the Cyber risk landscape,
managing reputational risks, anti-fraud and corruption strategy, GDPR risk
and impact of Brexit on the local Authority.

7.3 A new programme of risk talks featuring internal and external speakers
will commence in June 2018.

8.0 Risk Management performance

8.1 This section provides evidence of the overall council performance of its
formal Risk Management arrangements. Two areas are highlighted. The
first is the Council’s Annual Governance Statement and the second is the result of
the council’s most recent participation in the Alarm/CIPFA Risk
Management benchmarking exercise in 2017. The evidence suggests that
the council has processes in place which continue to improve.

The council’s Annual Governance Statement

8.2 The Council is responsible for ensuring its business is conducted in
accordance with the law and proper standards, and that public money is
safeguarded and properly accounted for, and used economically, efficiently
and effectively. In discharging this overall responsibility, the Council is
responsible for putting in place proper arrangements for the governance of
its affairs, facilitating the effective exercise of its functions; this includes
arrangements for the management of risk. Risk management is a principal
element of corporate governance; a risk management strategy is in place
to support this and is regularly reviewed.

The 2017/18 Annual Governance Statement Report noted the following
comments regarding the Council’s Risk Management arrangements.

“All councillors and managers are responsible for ensuring threats and
opportunities are considered in the decisions they take. TH has in place a
formally approved risk management strategy which is subject to annual
review. That strategy sets out a corporate risk appetite that is not risk
averse but seeks to support decision making that consider threats,
identifies mitigations etc. in order to ensure opportunities are seized and
delivered.”

“In support of the delivery of effective risk management arrangements, a
corporate risk management system ‘JCAD’ is used to capture all relevant
corporate / directorate and project related risks. In addition, directorate
Risk Champions oversee the continued development and review of the
council’s approach to risk management, acting as risk specialists to
continually review existing risk and to consider emerging risk matters.”

Benchmarking risk management

8.3 To assess and compare our “risk management health” with other
authorities the Council participates in the CIPFA benchmarking exercise. It is
designed as a performance improvement tool, helping councils to
raise standards of risk management. The results are expected to be used
as the basis of the evidence to provide the Council with assurance of the
standard of risk management that it has reached. A summary of our
performance from our most recent participation (2017) is provided below:

Level Guide:
Awareness                <20%
Happening                20 – 45%
Working                  45 – 70%
Embedded & Integrated    70 – 85%
Driving                  85%

Table 3 - LBTH Summary of Risk Management Benchmarking results

8.4 The five key risk management enablers were assessed as “Embedded &
Integrated” (4) and “Driving” (1). Our aspiration is to move all ratings to the
“driving” category and work continues on these improvement areas.

9.0 Risk Management Action Plan 2018/19

9.1 The Risk Management team plan includes a number of actions to address
some of the points above and made elsewhere in this paper:

• The council’s Risk Management policy and manager’s guide will be
reviewed and revised to incorporate the revised risk appetite from the
risk appetite workshops.
• Further work will be undertaken to ensure risks are more closely
aligned to service and business objectives.
• Risk Talks will continue with regular features in TH Now.
• Risk Management protocol and risk champions terms of reference will
be refreshed to provide guidance and further assurance on the
application of Risk Management within directorates, with particular
emphasis on identification of key risks and emerging risks.
• Updating the risk management strategy.
• Implement a risk appetite methodology to ensure effective reporting on
risks within and outside appetite for each category. We have identified
six risk appetite categories.
