Audit Committee Friday 30 March 2012 at 10.00Am Item 8 - Risk Management Annual Report 2011-12

Audit Committee Friday 30 March 2012 at 10.00Am Item 8 - Risk Management Annual Report 2011-12

HERTFORDSHIRE COUNTY COUNCIL

AUDIT COMMITTEE

THURSDAY 28 MARCH 2013 AT 10.00AM

RISK MANAGEMENT ANNUAL REPORT 2012/13

Report of the Assistant Director Performance and Procurement

Authors: Peter Stanley, Performance and Risk Manager Tel: 01992 555306

Melanie Gilhooly, Performance and Risk Management Officer Tel: 01992 555218

1. / Introduction
1.1 / This report is an annual item to outline the Risk Management activity undertaken since the last report presented in March 2012 and as requested by the Audit Committee.
1.2 / The following items are included in this report:
  • A summary of corporate risk movements over the last year
  • A brief update regarding the Performance and Risk function
  • A summary of Risk Focus Reports and general risk reports
  • Benchmarking/ best practice
  • Audit findings on Risk Management
  • An update of the Risk Management Policy
  • A training programme update

2. / Corporate Risk Register
2.1 / The latest review of the corporate risk register took place during January and was subsequently reported to the Strategic Management Board (SMB) and the Policy, Resources and Performance Cabinet Panel in February.
2.2 / There are currently 33 Corporate risks. The table below shows the risk movements broken down by risk classification. The movements detailed are a continuation from the previous annual report dated 30 March 2012.
2012/13 / Quarter 1 / Quarter 2 / Quarter 3 / Quarter 4 *
Red / 9 / 7 / 7 / 7
Amber / 26 / 26 / 25 / 23
Yellow / 2 / 2 / 2 / 3
Green
Total / 37 / 35 / 34 / 33
Difference +/- / -2 / -1 / -1
* The final quarter (highlighted in grey) is the current quarter and details movements to date. No change in absolute numbers may hide movement in and out. These will be outlined in the following section
The quarterly variations and changes to risk categories are indications of the continued active management and scrutiny of risks and controls. These movements also include newly identified risks which is a further indication of the continued activity around identifying future areas of risk and uncertainty.
2.3 / Current position and key movements
As previously reported, a number of Corporate Risk appendices accompany this report:
  • A risk movement report at Appendix 1 details movements of current risk scores in the last quarter.
  • A risk status report at Appendix 2 summarises current risk scores at each of the last 4 quarters.
  • A report giving details of risks with a rare probability but very high impact can be found at Appendix 3
  • A list of risks considered as part of the risk focus reports can be found at Appendix 4.

2.3.1 / There are currently 7 Red risks, 2 with a score of 48:
  1. Economic conditions or poor investment decisions give rise to poor investment performance of the LG pension fund (CSHF0002)
  1. HFRS may have insufficient resources to cope with unplanned incidents which may result in a reliance on regional or national resources (HFRS0007)
  • Reviewed by Audit Committee on 22 November 2012

2.3.2 / 3 new Corporate risks have been added since the previous annual report (March 2012)
  • ENV0106 As a result of the complexity, public interest, scale and number of partner organisations involved in taking the Croxley Rail programme forward, there is a risk that the programme may be delayed or cancelled,
  • ENV0104 As a result of the Residual Waste Treatment contractor failing to deliver a waste treatment facility for Hertfordshire, there is a risk that this may result in: - Increased costs e.g. for waste disposal, procurement, damage to HCC's reputation, being unable to fulfil statutory obligation as the Waste Disposal Authority.
  • Due to inaccurate projection of demographic pressures, insufficient HCS resources are available to meet new and existing demand for adult social care services.(only corporate from 2/10-15/11) (HCSCP0003)

2.3.3 / 3 red risks from the previous annual report have been re-rated to amber, as follows:
  1. There is a risk that Property & Technology will not achieve the capital receipts target as the UK economic status dictates the value of assets and therefore influences the revenue that can be raised (PROP0002) (now amber 24).
  1. Failing to meet the 25% carbon reduction target by 2012/2013 (CSCE0010) (now amber 16).
  1. As a result of internal and national changes to employee packages, there is a risk of declining industrial relations which may result in industrial action (CSCE0016) (now amber 16).

2.3.4 / 3 Risks have been withdrawn
  1. CSHF0013. As a result of legislative changes which increase the statute of limitations for Employer Liability claims, there is a risk that HCC will have to meet additional liabilities.
  1. CP0001; The risk is that poor performance or failure of services delivered or commissioned by HCC result in a less than successful Olympics which adversely affects HCC's reputation.
  1. CFTF0002 There is a risk that Staff crucial to leading change and delivering operations may leave if they do not have a good understanding of the transformation programme, and the future opportunities for them within Hertfordshire County Council.

2.3.5 / Over the last 12 months 4 risks were de-escalated from the Corporate Risk Register:
  1. In the event of inadequate capital being made available from a number of funding streams, the costs of delivering the primary and secondary expansion programme may not be met and this will lead to inadequate provision of additional school places (CSF0070).
  1. Due to inaccurate projection of demographic pressures, insufficient HCS resources are available to meet new and existing demand for adult social care services (only corporate from 2/10-15/11) (HCSCP0003).
  1. There is a risk that failing to invest in and maintain the IT systems that specifically support the command and control call handling centre, will result in a failure to mobilise fire engines to emergency calls' (HFRS0009).
  1. As a result of undetected ancient chalk mines beneath the highway there is a risk of highway collapse in affected areas (ENV0055).

3. / Performance and Risk Management Function
3.1
3.2
3.3 / The Performance and Risk Management Unit function has further developed since its formation mid 2011. The unit continues to support key programmes and projects, including Croxley Rail, Energy from Waste and New Ways, completing a number of successful risk workshops and providing guidance and advice.
New areas of activity now include working with the new Public Health team during their transition and integration into HCC; also assisting and developing risk registers for the Health and Wellbeing Board, the Household Waste Recycling Centre Project, and working with Finance to support the development of the Pensions risk register which will be reported to the Pensions Sub-Committee over the coming months.
Communicating and enabling good practice in risk management remains a priority for the unit and following member challenge in 2012, significant progress has been made in supporting risk owners in reviewing risk target scores and revising them to be more realistic where necessary.
4. / Audit Committee Risk Focus Reports and General Risk Reports
4.1
4.1.2 / In addition to receiving and considering the Corporate Risk Movement report, Members of the Audit Committee nominate an area of risk for further scrutiny. So far members have concentrated on departmental red risks and those risks considered to be rare in terms of likelihood, but with the potential to have a very high impact. Departments have produced reports and presented the risks in question. Health and Community Services are attending again at this meeting, offering further details on risks HCSCP0001 and HCSOPD0006.
As so many of the Corporate risks have now been subject to this process, it is proposed that at the Committee’s first meeting in the new Council, the Committee reviews the risk focus report approach with a view to agreeing what subsequent meetings receive.
4.2 / Following direct member feedback on risk reports, the following reports have been developed or amended:
  • Risk owner job title included in appropriate reports – e.g. see Appendix 1.
  • Risk Status Report – see Appendix 2. Developed to give members an overview of the risks over time.
  • A ‘heatmap’ report which includes risk references is included as Appendix 5. This is a new report created by the system developers following discussions with the Performance and Risk Management Unit. Considered to be a strategic look at the Corporate Risk register, officers continue to work with the developers to make it consistent with other reports.

4.3
4.3.1
4.3.2 / It should be noted that due to the nature of the Risk Management Information System from which these reports are derived, we are limited to choosing from a menu of already designed and populated reports, rather than being able to build the reports ourselves from fields held within the system.
This has the effect of providing a number of separate reports, rather than being able to provide all the details in a single report. In addition, where information is not held within the system e.g. where a risk has been the subject of a risk focus report, it is very difficult to incorporate this information into a system derived report.
We therefore offer members a range of reports and continue to work with the developers to improve these, and welcome member feedback.
5. / Risk Management Benchmarking Club / Best Practice
5.1
5.2 / The Risk Management function and approach continues to be benchmarked annually against Alarm’s National Performance Model for Risk Management in Public Services published in 2009, developed by members of the professional body ALARM and expert Risk consultants and coordinated by CIPFA. This is developed and challenged by Risk and Benchmarking experts. Based on a self-assessment, the response from the Council is moderated through a sub-group of Risk Champions (seen as a model of best practice by the review group), before being compared against the model by ALARM / CIPFA. A review group of authorities (including Hertfordshire) then identify issues to be picked up for the future.
The assessment received in 2012 described the risk management function as ‘Embedded and Integrated’, ‘Driving’ and ‘Working’ in 7 different areas, which was a very encouraging analysis. Having joined the benchmarking club for a further year, we will be undertaking an analysis against the model again shortly. We will report back to the Committee on the outcomes once we have received the results.
6. / Audit and Risk Management
6.1
6.2 / Risk Management is a key element of the governance and assurance structures in the organisation. The Shared Internal Audit Service (SIAS) has adopted a risk approach to assessing activity for the audit plan.
The Annual Assurance Statement & Internal Audit Annual Report, 20 June 2012, stated:
In our opinion, based on our work to support the Annual Governance Statement review of effectiveness, the corporate governance and risk management framework of the Council substantially complies with the best practice guidance on corporate governance issued by CIPFA/SOLACE.”
6.3 / In addition, an audit undertaken by PwC as part of the SIAS planned audit work, considered how Risk Management was being undertaken in key programmes and projects in HCC. The report provided overall substantial assurance that there are effective controls in operation for those elements of the project risk management processes covered by the review. Actions to continue to embed good practice in this area are being undertaken.
7. / Risk Management Policy
7.1 / The Risk Management Policy is coming up for its annual review and will be shared with Audit Committee once agreed. The current policy, which included a statement of risk appetite for the first time, was brought to the attention of this Committee in June 2012 and is available on Compass.
8. / Training Programme
8.1 / A comprehensive training programme continues to be delivered or commissioned by the team. Areas of training have included:
  • Risk Management training for members (12 December 2012)
  • Performance and Risk Management training for new managers (throughout the year)
  • Enterprise Risk Management training for officers (19-20 September 2012)
  • Risk Management Information System training (throughout the year)
  • Ad-hoc specific risk management training

8.2 / A number of guides and tools have also been developed and updated to support staff. These have been made available via Compass and ilearn and include:
  • An Introduction to Risk Management (ilearn module)
  • Risk Management Information System (ilearn module)
  • A Risk Management Guide (Compass)
  • Risk Tools and Techniques (Compass)
  • Risk, Equality and Health and Safety in Procurement (Compass)

9. / Recommendations
9.1 / That the Committee note the Risk Management Annual Report and agree to consider the risk focus report approach at the Committee’s first meeting in the new Council.

1

Top View