Background and scope

CIPFA’s ‘Delivering Good Governance in Local Government: Framework’ is clear on the contribution that risk management should make in any successful local authority. In particular, successful management of risk is integral to meeting two of the framework’s seven principles of good governance:

1. Determining the interventions necessary to optimise the achievement of intended outcomes

2. Managing risks and performance through robust internal control and strong public financial management

The framework is universally applied across the sector in order to prepare an annual governance statement that meets the CIPFA/LASAAC Code of Practice on Local Authority Accounting in the United Kingdom. This Code of Practice is, in turn, based on the requirements of the Accounts and Audit Regulations 2015 which expect local authorities to operate a sound system of internal control that includes effective arrangements for the management of risk.

Over and above the legal requirement placed on local authorities to have effective risk management arrangements, North Yorkshire Council absolutely recognises that risk management is an integral part of good management and corporate governance. It is therefore central to how the Council operates in striving to achieve its objectives.

The Council aspires to achieve a good level of risk maturity that sees the organisation identify and manage its key risks on an ongoing, proactive basis, supported by a fit-for-purpose risk management framework, use of which is embedded into our culture and ways of working. To that end, this policy sets out the contribution that risk management is expected to make to the continued success of North Yorkshire Council, what that success looks like, and the framework and process by which it should be achieved.

This policy applies to all employees and workers of the Council and elected Members, and should be read in conjunction with the Council’s Risk Management Procedures.

North Yorkshire Council context

North Yorkshire Council’s vision/ambitions are…[to be inserted once available]

Risk, uncertainty and change combine to create a challenging dynamic as the Council strives to deliver on these ambitions.

Risk, whether known or unforeseen, creates a threat to delivering services, achieving performance targets and undertaking successful change. A risk event materialising may result, for example, in reductions in service quality or delay in project delivery. Uncertainty and change, when considered thoroughly, however, can also provide the opportunity to introduce new, innovative and effective ways of delivering services. It can also act as the catalyst for developing services with better outcomes and fewer risks for our staff and our communities.

North Yorkshire Council’s view is that successful risk management involves choosing the correct response to risk, based on the best available information, rather than seeking to simply eliminate it in all cases. It is about ensuring that the correct level of control is in place to provide sufficient protection from harm without stifling creativity and service delivery, getting the balance right and making the best use of available resources.

Definitions

· Risk is the uncertainty around an event occurring that may affect the achievement of objectives. It is measured in terms of likelihood and impact.

o Likelihood is the probability of a risk event occurring.

o Impact is the potential severity of the consequence(s) should a risk event occur.

· Risk Management is the range of coordinated processes, structures and culture adopted by the Council in order to identify, evaluate, monitor, control, and mitigate the risks it faces.

· Risk appetite is the amount and type of risk that North Yorkshire Council is willing to accept in pursuit of its objectives. The Council’s risk appetite allows it to operate within agreed tolerances, to better manage uncertainty, and to place reasonable constraints on decision-making.

Principles of risk management

Risk management at North Yorkshire Council is:

An integral part of all organisational activities – including strategic planning, service delivery, and all project and change management.
Structured and comprehensive – we will ensure that risk management contributes to consistent, and comparable results.
Based on the best available information – we will ensure that the inputs to the risk management process are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
Customised and proportionate – we will ensure that the risk management framework and process are customised and proportionate to the Council’s external and internal context and are related to its objectives.
Sensitive to human and cultural factors – we will ensure that we recognise human behaviour and culture significantly influence all aspects of risk management at each level and stage.
Inclusive – we will ensure the appropriate and timely involvement of stakeholders and enable their knowledge, views and perceptions to be considered, resulting in improved awareness and informed risk management.
Dynamic – risks can emerge, change or disappear as the Council’s external and internal context changes. We will ensure that risk management arrangements anticipate, detect, acknowledge and respond to those changes and events in an appropriate and timely manner.
A process of continual improvement – we will ensure that risk management is continually improved through learning and experience.

Benefits of risk management

In practicing effective risk management across North Yorkshire Council, we expect to be able to deliver the following benefits:

An increased ability to deliver against our objectives, to take advantage of opportunities, and to enable innovation
Better informed decision making
Improved stakeholder trust and confidence
Enhanced efficiency as less management time, and fewer council funds, are lost dealing with risk events
Improved customer service
Improved health and safety
An ability to secure the most favourable risk financing solutions
An ability to evidence robust corporate governance arrangements and our compliance with legal and regulatory requirements
Being more flexible and responsive to new pressures, and to any changes in the market and community needs

Risk management objectives

The objectives of this Risk Management Policy are to:

1) Support and embed a risk-aware culture of informed, well-measured risk taking throughout the Council’s business, ensuring that the benefits of risk management are realised

2) Communicate the Council’s risk management approach and its value to stakeholders and partners, and raise awareness of the need for risk management by all those involved with the delivery of Council services

3) Ensure that the risk management framework is understood by all staff, and is implemented consistently and proportionately

4) Inform policy and operational decisions by ensuring that risks, and their likely impact, are identified and assessed

5) Minimise loss, disruption, damage and injury and reduce the cost of risk, thereby maximising the resources available for service delivery

6) Ensure that the Council’s approach to the management of risk is in line with best practice

These objectives will be achieved by:

Activity	Link to policy objective(s)
Clearly defining the roles, responsibilities, and reporting lines within the Council for risk management		1
Ensuring that risk is an integral part of business planning, service delivery, decision making processes, and project and partnership governance		1, 3
Members and management providing leadership and commitment to ensure that risk management is considered throughout all of the Council’s activities		1, 5
Reinforcing the importance of effective risk management as part of the everyday work of Members and employees		1, 5
Monitoring arrangements and seeking continuous improvement		2, 6
Using a consistent methodology to develop, monitor and review risk registers		2, 6
Increasing understanding and expertise in risk management through targeted training and the sharing of good practice		4
Operating an officer Risk Management Group, led by the Chief Finance Officer, that will support, coordinate, and facilitate key activities across the Council’s risk management framework.		4, 5

Risk appetite statement

Some degree of risk-taking is inevitable if North Yorkshire Council is to achieve its objectives. The Council’s approach, corporately, is to be risk aware rather than risk averse, and to manage risk rather than to seek to eliminate it in all cases.

Decisions on which risks to accept and which to avoid will depend on the context, on the nature of the potential losses or gains, and the extent to which information regarding the risks is complete, reliable and relevant. Given that risk appetite is a moveable, context-driven concept Corporate Management Team will review and approve corporate thresholds each yearto ensure that the Council’s risk appetite continues to reflect its strategic objectives and the prevailing risk environment.

A more detailed explanation of how risk appetite is applied in practice is contained in the Council’s Risk Management Procedures.

Risk management framework and process

The Council’s Risk Management Policy makes an important distinction between the risk management framework and the risk management process.

The risk management process is the systematic application of agreed procedures relating to the assessment, treatment, monitoring, review, recording, and reporting of risk. The risk management framework is designed to implement, and provide support to, the risk management process. It comprises defined risk management roles and responsibilities (including reporting and assurance arrangements), the Council’s risk culture and appetite, and the guidance and methodologies to be followed.

Not only should the risk management framework provide support, it should also ensure that the outputs from the process are communicated, achieve the desired benefits for the Council and contribute to continuous improvement.

The relationship between the principles of risk management, the risk management framework, and the process is depicted below. It is not the purpose of this policy to detail the requirements for each step in the risk management process. The procedures to follow when managing risk, and the methodologies underpinning those procedures, are detailed in the Council’s Risk Management Procedures.

Roles and responsibilities

To support the maintenance of a risk-aware culture, all elected Members and employees should have a good understanding of the Council’s risk management framework and regard risk management as part of their responsibilities. However, within the Council’s framework for managing risk there are several groups and individuals who make a particularly important contribution to the achievement of our policy objectives. These are set out below:

Full Council

Full Council is ultimately responsible for approving the Risk Management Policy. It is also responsible for directing and overseeing the work of the Audit Committee in assessing the ongoing effectiveness of the Council’s risk management arrangements.

Audit Committee

Working under delegation from the Council, the Audit Committee has overall organisational responsibility for overseeing the management of risk in the Council and the continued effective operation of the Risk Management Policy. It is responsible for providing suitable scrutiny and challenge to officers on the Council’s corporate risk register and directorate risk registers, and for considering any proposed changes to the reviewing the Risk Management Policy.

Chief Finance Officer

The Chief Finance officer (CFO) has overall senior management level responsibility for risk management in the Council, championing it as a strategic management discipline, overseeing the consistent application of the Risk Management Policy by officers, and actively seeking opportunities for continuous improvement. The CFO will advise the Executive and Corporate Directors on all significant risk management matters as they arise and, at least annually, will report to the Audit Committee on the effectiveness of the Council’s risk management arrangements. The CFO will periodically review the Risk Management Policy and recommend any necessary changes to the Audit Committee for consideration prior to approval by Full Council. The CFO also has overall responsibility for the work of the Council’s Risk Management Group.

Corporate Management Team

As a collective, the Corporate Management Team (CMT) is responsible for setting an appropriate tone from the top, ensuring that the Council adopts a consistent, comprehensive, and integrated approach to risk management at strategic and operational levels, as well as within projects. CMT is also responsible for maintaining North Yorkshire Council’s corporate risk register so that it enables key strategic risks to be monitored and reported to the Audit Committee.

Corporate Directors

The Council’s Corporate Directors are individually responsible for ensuring that areas under their leadership have procedures in place to systematically identify, assess, and mitigate risks and, where risks cannot be contained within the directorate, that these are escalated to CMT for potential inclusion on the corporate risk register. In consultation with the CFO, where appropriate, Corporate Directors are responsible for preparing risk mitigation plans for significant risks, monitoring the progress of these plans, and recording all of this information on the directorate risk register. In addition, Corporate Directors must ensure that all reports to Executive Committee or Executive Committee Members which require a decision include adequate reference to associated risks to enable a properly informed decision to be taken.

Risk Management Group

With the support of the Chief Finance Officer and the wider Corporate Management Team, the Risk Management Group facilitates and coordinates key risk management activities corporately, and between directorates and service areas. Its specific responsibilities include:

· Advising and supporting the Corporate Management Team on risk strategies

· Communicating risk management principles and developing good practice

· Driving forward new risk management initiatives, and leading on continuous improvement efforts

· Providing training to officers and Members in risk management

· Regularly reviewing risk register(s) to ensure their continued effectiveness and relevance

· Ensuring that the Risk Management Policy and Procedures continues to reflect best practice and allows the Council to maintain or improve its risk maturity

· Coordinating the information requirements for comprehensive risk monitoring and reporting (including the maintenance and administration of the Pentana system)

· Coordinating the work of task and finish groups that address particular risk issues

Internal audit

Through its assurance and consulting activity, internal audit is responsible for evaluating the effectiveness and contributing to the improvement of the Council’s risk management processes. In addition to these specific risk management responsibilities, internal audit is responsible for:

· Evaluating the adequacy and effectiveness of controls in responding to risks within the Council’s governance, operations and information systems

· Assessing and making appropriate recommendations to improve the Council’s governance processes for overseeing risk management and control

Review

This Policy, and the accompanying Risk Management Procedures, will be reviewed annually. This review process will be coordinated by the Risk Management Group and will involve:

· Comparison of existing procedures, processes, and guidance with current and emerging best practice

· Reflection on the overall success of implementation during the preceding 12 months (with reference to the objectives set out in the Risk Management Policy), in consultation with the Chief Finance Officer

· Consideration of whether the Council’s stated risk appetite remains appropriate in the context of the prevailing risk environment

· Incorporation of any significant lessons learned, including consideration of feedback from Members and officers

The outcome(s) of the annual review will be reported to Corporate Management Team and the Audit Committee.

Links to other policies and key governing documents

It is the Council’s expectation that, in developing any policy, the full implications of that policy are considered, risks are identified, and that measures are put in place to manage those risks on an ongoing basis. The aim is therefore to embed the consideration of risk across all of the Council’s policies.

The policies and other governing documents which are of particular relevance to North Yorkshire Council’s Risk Management Policy are:

· Risk Management Procedures

· The Council’s constitution (in particular, the Financial Procedure Rules)

· [Local Code of Corporate Governance]

· [Performance management policy]

· [Project management framework]

· [Information governance policy]

· Counter Fraud and Corruption Policy

· [Health and safety policy]

· [Business continuity policy]

· [Insurance / risk financing policy]