CABINET – 25 APRIL 2006 – FOR INFORMATION

BOROUGH OF POOLE

REPORT TO SERVICE PROVISION SCRUTINY & AUDIT COMMITTEE

16 MARCH 2006

INTERNAL AUDIT – RISK MANAGEMENT ACTIVITY REPORT

DECEMBER 2005 – FEBRUARY 2006

PART OF PUBLISHED FORWARD PLAN: NO

STATUS – GENERAL

1.PURPOSE AND POLICY CONTEXT

This report summarises activities undertaken by Internal Audit in relation to risk management during the period 16 December 2005 to 28 February 2006, including outstanding actions relating to the Corporate Statement on Internal Control (SIC) for the 2004/05 financial year, and proposed arrangements for the 2005/06 SIC.

2.DECISION REQUIRED

2.1Members are asked to:

(a)note the actions which have been taken to develop and embed risk management at the Borough of Poole during the period;

(b)give consideration to the identity of suitable individuals to act as Member and Senior Officer risk management ‘champions’; and

(c)note the proposed arrangements for outstanding actions relating to the Council’s 2004/05 Statement on Internal Control (SIC) and production of the 2005/06 SIC.

3.RISK MANAGEMENT

3.1Online Risk Assessment Tool

3.1.1The online Risk Assessment Tool (RAT) is now available for use by Service Units to risk assess their business plan objectives.

3.1.2The minor ‘teething problems’ with the reporting element of the RAT have now been resolved. The first consolidated risk report will be run following completion of Service Units’ 2006/07 business plans and associated risk assessments at the end of March 2006 and will be reported to this Committee at the earliest opportunity.

3.1.3Training sessions on the online RAT and business planning tool have been held for Service Units, and ad hoc advice on completion of risk assessments provided as required.

3.2Risk Assessment of Service Units’ Annual Business Plans

3.2.1It is a requirement under the Corporate Planning Framework that all Service Units have in place risk-assessed business plans for the 2006/07 financial year by the end of March. To this end, in addition to the online RAT and business planning tool training sessions (see 3.1.3 above), meetings are currently being held with all Service Units to assess progress on their business plan risk assessment, gather feedback on the process to aid continuous improvement and to provide help and support as required.

3.3Audit Commission Review of Risk Management

3.3.1As previously reported to this Committee, the Audit Commission have carried out a review of risk management as part of their CPA Use of Resources assessment, the criteria for which are detailed in Appendix A to this report.

3.3.2Overall the Council scored a Level 2 for Use of Resources which included a Level 2 score for risk management. The detail of the risk management element of the assessment is also contained in Appendix A. Further actions required have been encompassed in the Risk Management Position Statement (see 3.3 below).

3.3.3The Audit Commission have also recently published their Annual Audit and Inspection Letter in which they say that “excellent progress has been made in implementing comprehensive risk management arrangements although these still need to be embedded”.

3.4Risk Management Position Statement

3.4.1At the last meeting, Members enquired about the ultimate shape of the Borough’s risk management framework and where we are now. In response to this request, a paper has been produced showing the ultimate aims of each element of the risk management process and what has been achieved to date (see Appendix B).

3.4.2Work is continuing to put in place the outstanding elements of the framework and to ensure that existing processes are successfully embedded.

3.5Internal Audit Methodology

3.5.1Work is continuing on reviewing and updating our existing risk-based internal audit methodology to ensure that risk registers are factored into both the annual audit planning process and individual audits, and that our methodology more effectively supports the Statement on Internal Control production and validation process.

3.6Strategic Risk Register

3.6.1In January 2006, Management Team approved a proposal develop a new strategic risk register to be based on the strategic objectives to be outlined in the forthcoming Corporate Plan.

3.6.2The format for the new risk register has been agreed and examples of strategic risks provided to Management Team for discussion following which it is intended that Cabinet will be invited to participate in the strategic risk identification, assessment and review process.

3.7Review of Risk Management Strategy

3.7.1Best practice and the Audit Commission’s Use of Resources Assessment criteria dictate that the Borough’s Risk Management Strategy should be reviewed on an annual basis.

3.7.2The Strategy was agreed by Cabinet in March 2005 and is currently being revised to take account of progress on developing and embedding the risk management framework to date, and to correct minor errors and omissions in the original document.

3.7.3The revised Strategy will shortly be circulated to Management Team and Senior Officers for review and will subsequently be submitted to this Committee for agreement and recommendation to Cabinet for approval.

3.8Appointment of Risk Management Champions

3.8.1The Audit Commission’s Use of Resources criteria require the appointment of a Senior Officer and Member to act as joint risk management champions and take overall responsibility for embedding risk management throughout the Council. Consideration is currently being given to the specific role and responsibilities of these individuals and also to who would be the most appropriate candidates. Committee Members’ suggestions will be most welcome.

4.STATEMENT ON INTERNAL CONTROL (SIC)

4.1Audit Commission Review of the 2004/05 SIC

4.1.1The Audit Commission’s Annual Audit and Inspection Letter includes the results of their review of the 2004/05 SIC as follows:

“The Council is required to include a statement on internal control (SIC) within its annual financial statements. We are satisfied that the Council carried out a rigorous and well-evidenced review of the effectiveness of its internal control framework to support the assurances provided in the SIC for 2004/05”.

4.2Actions Outstanding from 2004/05 SIC Action Plan

4.2.1The Council recorded in its 2004/05 SIC that “committee reports and some significant decisions made by officers are not formally considered for legal issues before presentation. This resulted in an initial decision being taken by a committee which was later amended to avoid the possibility of being ultra vires, and some previous Officer decisions which were also found to be ultra vires and had to be reversed”.

4.2.2In response to this, a proposal has been drafted in conjunction with the S.151 Officer and Monitoring Officer to change the format of reports to Cabinet (including Portfolio Holder decisions) and Council, to introduce signed Assurance Statements to support decision-making, and to develop and communicate improved report writing guidance. The purpose of these changes is to improve the quality, consistency and timeliness of information provided to Members and to ensure that in addition to legal implications, financial and other implications are also routinely considered when making decisions. Not only will these changes satisfy the Council’s 2004/05 Statement on Internal Control Action Plan, but also the requirements of the CPA Use of Resources Key Lines of Enquiry and our Risk Management Strategy relating to reports to Members.

4.2.3The proposal will shortly be submitted to Management Team for review, and will be shared with this Committee as soon as possible.

4.3Proposed Arrangements for the Production of the 2005/06 SIC

4.3.1The detailed process for producing the 2005/06 SIC to accompany the financial statements will be agreed with the Chief Auditor and S.151 Officer. However, given the Audit Commission’s satisfaction with the arrangements for the 2004/05 SIC (see Section 4.1 above), the process is likely to be largely unchanged with the exception of a report on the SIC to this Committee for review / challenge prior to agreement of the accounts.

5.CONCLUSIONS

5.1Work continues to develop and embed risk management at the Borough of Poole and to ensure that business plans for 2006/07 are risk assessed and monitored effectively. Technical problems with the Consolidated Risk Register have been resolved and this will be in place for the start of the next financial year. Both the Strategic Risk Register and Risk Management Strategy are under review and will be shared with this Committee as soon as possible.

5.2The Audit Commission have expressed satisfaction with the processes and outcomes of the 2004/05 SIC and arrangements for the production of the 2005/06 SIC will shortly be agreed. Outstanding actions from last year’s Statement relating to committee reporting are underway and the SPSAC will continue to be kept informed of progress.

R L Jackson

Head of Financial Services

Background Papers Nil

Name and Telephone Number of Officer to Contact:Keith McCormick 633123

APPENDIX A

Audit Commission Use of Resources Assessment – November 2005

A1. Key Lines of Enquiry – Criteria

4. INTERNAL CONTROL
How well does the council’s internal control environment enable it to manage its significant business risks?
Key line of enquiry
4.1 The council manages its significant business risks
Audit Focus
Evidence that:
  • the council has a risk management process in place
  • the risk management system covers partnership working

Criteria for Judgement
Level 2 / Level 3 / Level 4
* The council has adopted a risk management strategy / policy that has been approved by members.
* The risk management strategy / policy requires the council to:
  • identify corporate and operational risks
  • assess the risks for likelihood and impact
  • identify mitigating controls
  • allocate responsibility for the mitigating controls.
* The council maintains and reviews a register of its corporate business risks linking them to strategic business objectives and assigning ownership for each risk.
* There is a member committee with specific responsibility included in its terms of reference to consider corporate risk management.
* Reports to support strategy policy decisions, and project initiation documents, include a risk assessment. / * The risk management process is reviewed and updated at least annually.
* The risk management process specifically identifies risks in relation to partnerships and provides for assurances to be obtained about the management of those risks.
All staff have been given appropriate training and guidance to enable them to take responsibility for managing risk within their own working environment.
* The members with specific responsibility for risk management have received risk management awareness training.
* The member committee with responsibility for risk management receives reports at least quarterly and takes appropriate action to ensure that corporate business risks are being actively managed, including reporting to full council at least annually. / A senior officer and member jointly champion and take overall responsibility for embedding risk management throughout the council.
The council can demonstrate that it has embedded risk management in its corporate business processes, including:
  • strategic planning
  • financial planning
  • policy making and review
  • performance management
All members have received risk management awareness training.
The council considers positive risks (opportunities) as well as negative threats (risks).

A2. Findings

Findings / Conclusions / Improvements needed to move to next level (optional)
KLOE 4.1 The Council manages its significant business risks – Score = 2
The organisation has adopted a risk management strategy / policy that has been approved by members.
RM Strategy details the Council’s risk identification and assessment process. Supported by the Corporate Planning Framework which sets out the process in greater detail, and the Risk Assessment Tool (RAT) which is the template for Service Units’ Risk Registers and the Strategic Risk Register.
The ‘draft’ Strategic Risk Register is in place and seemingly being used (with only one or two known gaps).
All Service Units maintain risk registers at that level.
Detailed risk assessments have been done for those of their strategic projects for which this is most timely and likely to be effective.
There is a much-improved and improving culture and awareness of risk management. / The Council has made good progress recently on the development of risk management and most of the key features are now in place. / Complete the Strategic Risk Register.
Consider inclusion of RM (including partnerships), legal considerations and equality impact assessments in Committee reports.
Ensure that annual review of RM Strategy is incorporated into the Audit Committee timetable.

1

APPENDIX B

Risk Management Position Statement – February 2006

1. Overall RM Framework

In support of the Council’s published risk management strategy, the overall risk management framework is as follows:

Whilst not captured as part of the Corporate Risk Register, another important element of the framework is risk assessment for decision-making (ie. by Cabinet and Council).

2. Position Statement

As at February 2006, the position in respect of each of the main elements of the risk management framework is as follows:

ULTIMATE AIM / CURRENT POSITION
1. Strategic Risk Register
  • Linked with strategic (corporate) objectives
  • Regular consideration of new and emerging risks – updated quarterly by Management Team and Cabinet
  • Jointly ‘Owned’ by Management Team and Cabinet
  • Quarterly reporting to SPSAC (full register) and Full Council (high level gross / residual risks)
  • Risk owners assigned to manage principal risks
  • Used to support the SIC
/
  • 1-2-1 meetings held with all PDs
  • Corporate objectives under development as part of the Corporate Plan
  • Agreement by Management Team In January 2006 to separate the operational Policy Directorate risk register from the Management Team’s Strategic Risk Register, and to record XL Project risks in separate registers
  • Suggested format and example strategic risks provided to Management Team in January 2006 for discussion

2. Project Risk Register
  • Consolidation of high level risks from individual project risk registers
  • Quarterly reporting to Management Team, SPSAC and Cabinet
  • Half-yearly reporting to Full Council
  • Used to support the SIC
/
  • Not yet in place

2.1 Individual Project Risk Registers
  • Risk assessments undertaken before the commencement of major projects (preferably in the report on which the decision to proceed is based)
  • Separate risk registers for each XL Project (and other major projects within Service Units)
  • ‘Owned’ by Project Manager
  • Regular consideration of new and emerging risks – reviewed and updated quarterly by Project Manager
  • High level risks reported to Project Board at each meeting
  • Risk owners assigned to manage principal risks
  • Clear and published project management framework in place including guidance notes on Project Risk Management
/
  • Risk registers in place for some XL projects
  • RM support provided to Customers First, Full Sail Ahead and Schools for the Future projects
  • Further Full Sail Ahead risk assessment workshop scheduled (3 March 2006)

3. Consolidated Risk Register
  • Consolidation of high level risks from individual Service Unit risk registers
  • Identification of areas of overlapping risk
  • Quarterly reporting to Management Team, SPSAC and Cabinet
  • Half-yearly reporting to Full Council
  • Used to support the SIC
/
  • Reporting functionality in place – awaiting completion of Service Units’ 2006/07 RATs (due by 31 March 2006)

3.1 Service Unit Risk Registers
  • Linked to annual business plans / budget setting process
  • Formally signed-off as part of annual Business Plan
  • Formally updated half-yearly by Service Units for discussion at Performance Forums
  • Risk owners assigned to manage principal risks
  • Regular consideration of new and emerging risks – quarterly update by Service Units (as per guidance notes)
  • Used to support SIC Management Assurance Statements
  • Identification of risks associated with partnerships and contracts including formal risk assessments undertaken before the commencement of major partnerships / contracts and documented partnership agreements in place
/
  • Online RAT linked to online Business Planning tool
  • Online RAT requires actions to be assigned to an individual with a specified completion / review date
  • High level risks will be formally signed-off by Portfolio Holders as part of Business Plan
  • RM guidance requires

4. Committee Reporting
  • Decision-making considers risk on a formal and consistent basis
  • Reports to Cabinet and Full Council specifically detail legal, financial and policy framework implications of proposed course of action
  • RM embedded in strategic and financial planning, policy making and review and performance management
/
  • Proposal for Cabinet and Full Council reporting developed and agreed with Tim Martin & Bob Jackson – to be taken to Management Team for approval in April

5. General Framework
5.1 Risk Management Strategy
  • Comprehensive and coherent Risk Management Strategy in place
  • Formally reviewed on an annual basis by Management Team and SPSAC (and ratified by Cabinet)
  • Communicated to all relevant staff
/
  • Risk Management Strategy in place and approved by Cabinet in March 2005
  • Published on The Loop

5.2 Appointment of RM Champions
  • Appointment of Risk Management Champion from Management Team and Member Community (as per CPA Use of Resources KLOEs)
/
  • No formal arrangements for ‘champions’ although Peter Pawlowski is the lead on risk management within the Management Team

5.4 RM Framework
  • Systematic procedures for risk identification and evaluation agreed and consistently applied across all business units
/
  • RM processes developed and procedures documented (published on The Loop)
  • Online RAT linked to business plans with reporting functionality to enable production of consolidated risk register

5.3 Independent Audit / Assessment of RM
  • Risk management systems subject to independent assessment
  • Risks not properly addressed identified in internal audit reports and fed into risk management process
/
  • High-level review of risk management process carried out by Audit Commission (Summer 2005) and results reported to Management Team and SPSAC
  • Proposal in place to adapt existing risk-based internal audit methodology to include reference to Service Unit risk registers

5.5 RM Training
  • Risk management training programme in place
  • All Members to be given RM training
  • Regular newsletter or other means of communicating risk management issues to staff
  • Induction programme includes risk management
  • Appropriate responsibilities for risk management incorporated into job descriptions and EDI reviews
/
  • Members’ RM seminar held in March 2005
  • RM guidance notes presented to SPSAC in November 2005
  • E-mail copies of RM guidance notes provided to all Members and hard copies placed in Members’ Rooms (November 2005)

5.6 Keeping Pace with Best Practice
  • Communication of risk management and sharing good practice
/
  • Attendance at relevant training courses and conferences
  • Membership of appropriate benchmarking / best practice sharing forums (eg. CIPFA BGF & SW Unitaries RM Group)

1