Supporting high quality sustainable growth in England

Risk Management policy

1 Introduction

1.1 English Partnerships (EP) is accountable to a variety of stakeholders, and the environment in which it operates is subject to a wide range of risks; the need for effective risk management has therefore been recognised for some time. This document details both the policy and strategy for continuing to develop the framework to manage risk within EP. However, it will only be successfully delivered on a day-to-day basis if staff incorporate it into their daily working practices; it does not work if it is merely seen as a paper exercise.

1.2 EP first approved its Risk Management policy in 2003; it explains the Agency’s underlying approach to risk management. It gives key aspects of the risk management process and identifies the main reporting procedures. The policy is reviewed approximately every eighteen months and amended if appropriate, the last review being in May 2005. This policy statement builds on the previous version and is intended to summarise EP’s view of risk and to define the risk management framework within which everyone is expected to operate.

1.3 The purpose of the policy is to create robust structures, systems and processes that will, where possible, minimise or eliminate risks to EP and its delivery partners. The statement can be seen as a catalyst for improving awareness of, and responsibilities for, the assessment and management of risk at all levels of EP, and with our partners and suppliers.

1.4 In May 2005 the Prime Minister stated in his ‘Risk and the State’ speech: ‘We cannot eliminate risk. We have to live with it, manage it.’ Risk management is not about ticking boxes; it is about making a real difference.

2 Policy Objectives

2.1 EP’s policy is to pursue a structured approach to the effective management of risk in pursuit of business objectives. This approach and the framework for its achievement are set out in more detail below, covering the continuous process of integrated activities by which the potential impact of risks to the achievement of EP’s objectives is managed. EP’s policy is to adopt good practices in the identification, evaluation and cost-effective control of risks to ensure that they are eliminated where possible, reduced to an acceptable level or managed and contained; and to embed risk management practices within management and planning activities.

2.2 This policy is designed to ensure that the following ten objectives are met:

  1. Financial, operational and management systems directly support the management of risks that threaten the achievement of the Agency’s objectives.
  2. The Executive Management Board has an active, structured, and commonly shared knowledge of the whole range, and the relative priority, of risks that they have to manage.
  3. Managers at every level share that understanding of risks and priorities.
  4. Staff objectives are set in terms that reflect the Agency’s strategic and operational risk priorities.
  5. Responsibility for the management of risks is assigned to staff who have the authority to ensure that they are managed.
  6. Resources are assigned to the management of risks in such a way as to optimise value for money.
  7. The Executive Management Board’s priorities in respect of risk are fully communicated down the Agency.
  8. The Executive Management Board’s view is informed by upward reporting of risks through the Agency.
  9. Systems of control support the preparation of the Statement on Internal Control.
  10. The risk management system is functioning efficiently and effectively integrates with the Corporate and Business Planning processes.

Principles of best practice in risk management will be used to develop EP’s processes of risk management; however, these will be tailored to take account of EP’s needs rather than be applied as a template.

2.3 EP’s approach recognises that to advance and thrive the Agency needs to strike a balance between stability and innovation. In a changing and challenging environment risk management helps to create and seize opportunities in a managed way e.g. by considering alternative actions to those originally intended. Some risks will always exist and will never be eliminated; all staff must understand the nature of risk and accept responsibility for risks associated with their area of authority. EP wishes to be an innovative organisation taking calculated risks, which have been identified and evaluated.

2.4 EP senior management will:

  • Set the tone and influence the culture of risk management across the Agency
  • Determine the appropriate risk appetite for the Agency
  • Monitor the management of fundamental risks
  • Periodically review the Agency’s approach to risk management
  • Consider whether risk management continues to be linked to the achievement of EP’s objectives
  • Consider the level to which risk management is embedded in EP’s processes and procedures
  • Consider the effectiveness of the overall approach to risk management.

3 Nature of Risk

3.1 Risk can be defined as the combination of the probability of an event and its consequences (PD ISO/IEC Guide 73:2002). In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit – the upside, or threats to success – the downside. Risk Management is increasingly recognised as being concerned with both negative and positive aspects of risk.

3.2 Risks can be categorised as strategic, programme or operational (including projects):

  • Strategic risk is associated with a failure to meet our corporate objectives as set out in EP’s Corporate Plan that cuts across programme and operational boundaries.
  • Programme risk is associated with failing to deliver the objectives of our various business plan objectives and programmes by not turning strategy into action.
  • Operational risk is associated with the delivery of routine activities, which would include, but not be confined to, specific projects centred on implementation.

3.3 However, it is important to appreciate that risks do not always conveniently fit or stay in the boxes allocated to them, and that an important and relevant feature of a good reporting system is a mechanism to highlight those risks whose nature has changed.

4 Risk Management

4.1 Risk Management is the process whereby EP methodically addresses and quantifies the risks attaching to its activities with the aim of achieving sustained benefit within each activity and across the portfolio of all activities.

4.2 The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the Agency. It marshals the understanding of the potential upside and downside of all those factors that can affect the Agency. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving EP’s overall objectives.

4.3 Response to risk will involve one or more of the following:

  • Tolerating the risk, supplemented by contingency plans if deemed necessary
  • Treating the risk in an appropriate way to constrain the risk to an acceptable level or actively taking advantage, regarding the uncertainty as an opportunity to gain a benefit
  • Transferring the risk, for example by insurance or paying a third party to take the risk in another way
  • Terminating the activity giving rise to the risk where possible, bearing in mind that this option is limited given the scope of EP’s activities
  • Taking the opportunity - this option is not an alternative to those above, rather it is an option which should be considered whenever tolerating, transferring or treating a risk.

5 Responsibilities and Accountabilities

Responsibilities and Accountabilities are assigned as follows:

5.1 The Board of English Partnerships

  • Requires assurance from the Accounting Officer that a framework for the effective management of risk is in place
  • Endorses the policy and approves the strategy
  • Receives a formal annual review from the Accounting Officer as the basis for the preparation of the Statement on Internal Control
  • Receives and comments upon periodic reviews of key risks facing the Agency and actions put in place to manage those risks.

5.2 Executive Responsibilities

5.2.1 The Accounting Officer (normally the Chief Executive)

  • Accepts overall responsibility for risk management within the Agency
  • Sets the policy and strategy for the management of risk within the Agency.

5.2.2 The Executive Management Board

  • Implements the policy and strategy set by the Accounting Officer and endorsed by the Board
  • Reviews strategic risks and action plans, including those identified through the operational risk management process on a periodic basis and reports this to the Board
  • Ensures that an appropriate overarching framework is in place and operational in order that the policy objectives set out above are met
  • Determines the level of maturity the risk management process should achieve.

5.2.3 Executive Directors

  • Identify key risks to business plan objectives as an integral part of the business planning process
  • Ensure that management plans are in place and reviewed to mitigate the key risks identified during the business planning risk assessment process
  • Ensure regular receipt and review of risk reports on key business plan objectives within their area of responsibility
  • Ensure that an escalation process is in place for key risks in their area of responsibility to facilitate upwards reporting to Executive Director level for further consideration and review of action plan
  • Ensure that risk to business plan objectives is a standing item on the agenda for senior management team meetings

5.2.4 Risk Sponsor – The Director of Investment and Performance

  • Receives and approves periodic reports on operational risk management issues
  • Reports any strategic issues and risks identified through the operational risk management process to EMB
  • Promotes and supports the development of good risk management practice
  • Acts as the conduit to EMB.

5.2.5 Head of Programme Management

  • In this context, to ensure that business planning integrates performance management and risk management

5.2.6 Risk Manager

The Risk Manager’s role is to provide a dedicated resource and focus for the development and implementation of the risk management framework. This involves:

  • Maintaining appropriate methodologies
  • Facilitating workshops
  • Compiling reports for the Risk Sponsor
  • Monitoring progress against action plans drawn up by senior staff to manage risk
  • Maintaining guidance for staff via the Risk Management Guide found on Intrepid
  • Identifying training needs and organising the provision of suitable courses.

The Risk Manager’s role is not to assume responsibility for the management of strategic or operational risks; this clearly remains the responsibility of the individual assigned to ensure that action plans are developed and implemented to manage risks, i.e. the risk owner.

5.2.7 Risk Owners

  • The risk owner is the individual charged with the delivery of the task in hand, regardless of size; where this is an individual project, the risk owner is usually the project manager.

5.3 Assurance Responsibilities

5.3.1 Audit Committee

  • Reviews the adequacy and effectiveness of the overall arrangements put in place by management to manage risk
  • Reviews the annual Statement on Internal Control
  • Reviews the operation and resourcing of Corporate Assurance.

5.3.2 Corporate Assurance

  • Reports to the Accounting Officer and the Audit Committee its opinion on the overall arrangements put in place for effective risk management
  • Builds its own strategy and work plans around management’s assessment of risk
  • Constructs individual reviews around the risks and opportunities of each area being reviewed.

6 Framework Diagram

6.1 The executive framework for the overall risk management process is set out in the following diagram:

[Diagram: The executive framework]

7 Nature of EP’s Approach

7.1 A strategic approach to risk management articulates how EP manages risk; the main challenge does not lie in the initial identification and analysis of risk, but rather in the ongoing review and improvement of the risk management process.

7.2 Therefore this approach is dynamic in as much as any lessons learned in the course of its operation will be used to adapt and improve the process. The challenge for risk management is to provide the framework to help management deal with uncertainty, and the associated risk and opportunity to agreed levels of acceptability, with risk management embedded as part of EP’s strategic and operational management processes.

7.3 Risk management will continue to be embedded in the operation of the Agency and be part of its culture by actions such as:

  • Raising awareness through workshops
  • Training and communication
  • Use of documented risk assessments in decision-making
  • Review of risk management arrangements
  • Monitoring by Corporate Assurance and the National Audit Office
  • Operating a formalised reporting process
  • Promoting at a high level

8 Risk Management Processes

8.1 Strategic Risk Management Process

8.1.1 The Strategic Risk Management Process focuses on the views of the Accounting Officer and the other Executive Directors (both as a team and individually). It will also include the views of key Non Executive Directors and any issues of a strategic nature identified through the Operational Risk Management process, and is facilitated by the Risk Manager.

8.1.2 Workshops - the Risk Manager will hold annual workshops with the Accounting Officer, Executive Directors and Non Executive Directors. These workshops will be used to review Corporate Risks and progress against agreed actions. The outcome will then be fed back to EMB via the Risk Sponsor, and the workshops’ output will facilitate a periodic review of Strategic Risks and allow the Accounting Officer to report to the Board in accordance with the Policy.

8.1.3 Monitoring and Reporting - the management of risk has to be reviewed and reported for two reasons:

  • To monitor whether or not the risk profile is changing
  • To gain assurance that risk management is effective and to identify when further action is necessary.

Accordingly, there is a recognised reporting route from projects to EMB, using the regular team and management meetings to filter out the key risks necessary for escalation.

8.2 Programme and Operational Risk Management Process

8.2.1 The Operational Risk Management Process will focus on the views of Operational and Programme Managers and other relevant staff within the Agency.

8.2.2 Workshops - the Risk Manager will draw up a programme of workshops to form the key part of the risk identification, evaluation and review process. The programme will be based on an annual plan to cover Area Directors, Heads of Services and new initiatives, which ensures that all relevant members of management are interviewed to capture programme risks in addition to the capture of risks in individual projects by project managers.

8.2.3 Monitoring and Reporting - the Risk Manager will report the outcome of the interviews back to the Risk Sponsor and where appropriate any Corporate Risks will be reported to EMB.

8.3 Project Risk Management Process

8.3.1 Workshops and PCS - the Project Risk Management Process will focus on the views of Project and Programme Managers ascertained by project team workshops where appropriate, and reports from PCS considered for action by management teams.

8.3.2 Monitoring and Reporting - the Risk Manager will report the outcome of the workshops and reports to the Risk Sponsor and where appropriate any Corporate Risks will be reported to EMB.

9 Risk Review and Reporting

9.1 In order to ensure that the risk management cycle of risk identification, analysis, control, review and reporting is complete, it is necessary for key risks to be considered on a regular basis and reported up the EP hierarchy as required. Risks should flow upwards through the Agency, from project manager to programme manager to area director to regional director to Risk Sponsor to EMB to Board. Designated managers at various levels report upwards (on either a quarterly or half-yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.

9.2 Project Progress Reports will provide the mechanism for risk reporting and escalation. These reports indicate the risks and controls recorded on PCS for each project, including changes in each risk's net score from the baseline score, with the option to view all risks or just those above a specified risk score. These reports can be used at several levels within the Agency, from Senior Regeneration Manager team meetings to Area Director team meetings to Regional Management Team meetings, followed in turn by the monthly Operational Review meetings with the Accounting Officer. Each Operational Review meeting (and the preceding SRM, AD and RMT meetings) provides the opportunity to ensure that all projects have recorded the key risks and controls on PCS and to highlight those projects with high net risk scores.

9.3 Each monthly Operational Review meeting is followed by a report from the respective Regional Director to the Accounting Officer, summarising progress with delivery of their region's business including a commentary on:

  • Key project risks and dependencies
  • Key strategic risks impacting on business and
  • Management actions being taken to keep delivery on course

10 EP Risk Appetite

10.1 Risk appetite is the level of risk that is acceptable to EP and can be expressed as a series of boundaries that gives the Agency clear guidance on the limits of risk it can take. A model for the assessment of risk has been developed that enables risks to be evaluated on a consistent basis so that both over-control and under-control can be avoided. This will be periodically reviewed by EMB to ensure that it remains current and appropriate. One point to note is that this is not a ‘one size fits all’ model; it is a norm, and the level of risk that is appropriate to take for an individual project or initiative will be determined by the circumstances of the project after due consideration by the appropriate body.

10.2 All risks should be scored in terms of Impact and Likelihood using the following five-point scale; the scores are multiplied together to produce the overall assessment:

Impact             Likelihood
5  Fundamental     5  Almost Certain
4  Major           4  Likely
3  Moderate        3  Possible
2  Minor           2  Unlikely
1  Insignificant   1  Rare

10.3 This model indicates degrees of risk severity, as measured by the combined impact and likelihood of occurrence. Guidance sheets are available for staff to assist in assessing scores for impact and likelihood together with lists of suggested risk areas and emergent risks that may be considered for inclusion in the process.

10.4 Risk scores can be broken down into the following groups:

  • Risks below the threshold i.e. 10 or below, should be managed and monitored using existing management processes
  • Risks above the threshold i.e. 12 to 16, should be managed to ensure that the residual risks fall below the threshold where possible
  • Risks significantly above the threshold i.e. 20 and above, should be considered seriously before adoption. Risk management strategies should be put in place to eliminate where possible or reduce the risk within a short timescale. Frequent monitoring would be appropriate to actively manage the risk.

10.5 The EP risk appetite model is shown below:


RISK APPETITE

Impact Severity  Multiplier
Fundamental      5           5     10        15        20      25
Major            4           4     8         12        16      20
Moderate         3           3     6         9         12      15
Minor            2           2     4         6         8       10
Insignificant    1           1     2         3         4       5

                 Multiplier  1     2         3         4       5
                 Likelihood  Rare  Unlikely  Possible  Likely  Almost Certain

Key

Severe         20 - 25  Unacceptable level of risk exposure which requires immediate corrective action to be taken
Major          12 - 16  Unacceptable level of risk exposure which requires constant active monitoring, and measures to be put in place to reduce exposure
Moderate       5 - 10   Acceptable level of risk exposure subject to regular active monitoring measures
Minor          3 - 4    Acceptable level of risk exposure subject to regular passive monitoring measures
Insignificant  1 - 2    Acceptable level of risk subject to periodic passive monitoring measures

11 Risk Registers

11.1 Risk registers are an integral part of the process of managing risk and are used to:

  • Record risks related to EP’s objectives and express risks in terms of event, consequence and impact
  • Store information on significant risks in a meaningful way that can be distributed to key stakeholders and used to make better informed decisions
  • Rank risks by severity of consequences in order that they may be prioritised for action.

11.2 EP has adopted a standard format risk register, a sample of which is shown below:

Risk  Key Business  Risk       Absolute Risk Assessment        Mitigation  Residual Risk Assessment        Risk   Review
No.   Risk          Proximity  Impact  Likelihood  Risk Score              Impact  Likelihood  Risk Score  Owner  Date
1

11.3 Each risk is assessed twice: firstly the inherent risk, which is the exposure arising from a specific risk before any action has been taken to manage it, and secondly the residual risk, which is the exposure arising from a specific risk after action has been taken to manage it, on the assumption that the action is effective. The residual risk to EP is then identified. The appropriate manager should update the risk register to ensure that the information is up to date. The register will be the source of reporting on the level of risk EP is exposed to and the actions identified to manage the risk.

11.4 Risk registers are required whether the issues be strategic, programme or operational.

12 Project Control System (PCS)

12.1 There is an online risk register screen contained within PCS, which is to be utilised by Project Managers for the creation of a risk register for every project held in PCS. Data from these registers will then be used to produce reports for consideration by management and will also feed the Management Information Dashboard in Intrepid to provide real time updates on EP’s risk profile for management with the associated financial information on spend and receipts.

13 EP Gateway Approval Process

13.1 EP Project approvals follow a series of gateways based on the OGC model, and the project manager is responsible for the identification, analysis and management of the risks relating to his/her project. Gateway 1 requires a list of key risks, followed by a comprehensive risk register identifying the impact and probability and the action plan to control the risks as an integral part of Gateway 2 approval. For new projects, risk management will be used to inform the decision-making process and also to ensure that the approved projects are delivered successfully.

14 Partnership Working

14.1 Every organisation functions within an environment which both influences the risks faced and provides a context within which risk has to be managed. EP is not self-contained; it has partners upon which it depends for the delivery of its objectives. Effective risk management needs to give full consideration to the context in which the agency functions and address the risk priorities of partner organisations. Risk assessments should be carried out from EP’s own perspective as well as an assessment from the perspective of the joint venture.

14.2 The management of risk at strategic, programme and operational levels needs to be integrated so that the levels of activity support each other. In this way the risk management strategy of the Agency will be led from the top and embedded in the normal working routines and activities of the Agency. All staff should be aware of the relevance of risk to the achievement of their objectives, including working with delivery partners.

14.3 English Partnerships has in place processes for the preparation of an annual Corporate Plan, as well as annual Directorate Business Plans. The risk management process is an integral part of these processes by identifying the key business risks alongside the key business priorities both for sole delivery and partnership delivery.

15 Training and Awareness Raising

15.1 It is important that staff across the Agency are all trained in Risk Management issues and approaches. A programme of training in this area will be developed where required to ensure that staff are kept up to date and are able to effectively implement the Risk Management Policy. The Risk Manager will be responsible for co-ordinating such suitable training.

16 Risk Management Guide

16.1 A Risk Management Guide for all EP activities from strategic to operational is available on the EP intranet, Intrepid, which gives staff guidance on risk appraisal, risk management and the production of risk registers for all EP projects. As part of the register the evaluation of the risk will be recorded, together with the risk management actions taken and proposed.

17 Managing the risk of Fraud

17.1 EP requires all staff at all times to act honestly and with integrity and to safeguard the public resources for which the Agency is responsible.

17.2 Accordingly EP has an Anti-Fraud Policy and Fraud Response Plan and also has a Whistle Blowing Policy to recognise that there may be occasions when staff need to speak up about malpractice on a confidential basis. These documents are available to staff on Intrepid.

18 Risk Management Assessment Framework

18.1 This is a tool produced by HM Treasury for evaluating the maturity of an organisation’s risk management and will be completed for the Agency on an annual basis. This will enable the Agency to establish a benchmark against which improvements can be tracked. The approach is summarised below:


18.1.1 Benchmarking - A Risk Maturity Matrix – Seven questions can be asked:

  • Leadership: Do senior management and Board Members support and promote risk management?
  • Risk Strategy and Policies: Is there a clear risk strategy and risk policies?
  • People: Are people equipped and supported to manage risk well?
  • Partnerships & Resources: Are there effective arrangements for managing risks with partners and are there appropriate supporting resources?
  • Processes: Do the Agency's processes incorporate effective risk management?
  • Risk Handling: Are risks handled well?
  • Outcomes: Does risk management contribute to achieving outcomes?

18.1.2 Performance Indicators can be identified as follows:

  • Formal system of identification
  • Mapping risks to internal controls/budgets and resource allocation
  • Review/updated risk register
  • Effectiveness of internal controls through key indicators
  • Changing behaviour and resource due to risk

18.2 There is not a specific standard set for risk management in government organisations and the Risk Management Assessment Framework provides a means of assessing the maturity of risk management in EP. EP’s aim is to return a score of 4 in the 1 to 5 scale of assessment following a rating of 3.05 in 2005 to demonstrate ongoing commitment to the improvement of managing risk across the Agency.

Last updated: 20 August 2007

© English Partnerships 2003-2008