Waverley Borough Council Home Page Waverley Borough Council Home Page

Waverley Borough Council Committee System - Committee Document

Meeting of the Executive held on 04/03/2008

Summary & Purpose
This report updates Waverley’s Risk Management Policy and Strategy. The key risks currently facing the Council and the proposed action plan for managing these risks will be reported to a future meeting of the Executive.




[Portfolio Holder for Risk: Cllr M H W Band]
[Wards Affected: N/A]

Summary and purpose:

This report updates Waverley’s Risk Management Policy and Strategy. The key risks currently facing the Council and the proposed action plan for managing these risks will be reported to a future meeting of the Executive.

Environmental implications

Good management of risk helps to ensure that Waverley achieves its objectives and minimises loss and damage which has a positive impact on the Borough’s environment.

Social / community implications:

The community benefit from Waverley’s services being provided in an effective, safe manner.

E-Government implications:

There are no direct e-government implications.

Resource and legal implications:

There are no direct resource implications arising from this report.

Introduction and Background

1. All organisations face risks in undertaking their business. Local authorities, with their wide-ranging responsibilities and duties, face a significant number of risks. A risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives. Clearly Waverley has been, and always will be, faced with many potential risks in all areas of its business. Each year Waverley updates its policy that sets out its approach to the management of these risks.

2. The effective management of risks is an essential element in the overall operation of the Council and the delivery of its services and should not be seen as a separate task or function. In recent years local authorities have been required to do more to demonstrate to the community that managing risk is at the heart of their governance framework and that they have effective arrangements in place to identify and respond to the risks that they face. Last year the Audit Commission considered that the measures in place at Waverley are good. The Audit Commission’s best practice matrix, which forms part of the annual Use of Resources assessment, is attached at Annexe 1.

The Risk Management Policy and Strategy

3. The revised Policy for managing risk and the proposed Strategy for implementing the Policy are set out in Annexe 2. The Policy sets out why it is necessary to have a corporate approach to managing risks and the Strategy provides the details of the processes and actions required to implement the Policy objectives.

4. It is good practice for Audit Committees to ensure that proper arrangements are in place to identify and manage risks and for the Executive to ensure that these risks are being actioned effectively. The Risk Management Officer Group, comprising senior officers from each department, is responsible for overseeing the implementation of Waverley’s Risk Management Strategy and to report to the Corporate Management Team, and Members if necessary, on any areas of concern. It is important that a ‘Member Risk Champion’ is identified from both the Executive and the Audit Committee to liaise with the officer group and to help determine whether any issues should be referred to the committee for further analysis.

The Key Risks

5. Waverley identifies and evaluates its risks under four categories:

a) Key Business Risks - those which affect the whole Council or Borough and could impact on the achievement of the Corporate Plan objectives in the Council term
b) Operational Risks – those that are more service-specific or in control of particular groups of officers.
c) Project Risks – Risks associated with a specific project or key decision eg. Leisure Strategy, new IT systems etc.
d) Partnership Risks – Risks inherent in partnership arrangements that need to be considered by all parties and addressed in the governance arrangements.

6. In Jan/Feb 2008, with the assistance of an external facilitator, Waverley’s Senior Managers, Members of the Executive and the Audit Committee considered the Key Business Risks currently facing the Council in relation to the new Corporate Plan. A similar exercise had previously been undertaken in 2003 and 2005. The Risk Management Officer Group revised the register of Operational Risks early in 2007 following workshops with all managers and it has subsequently undertaken a further review in January 2008. Operational risks are also identified via the service plans and, in future, it is intended that this will be the main identification process. Operational Risks are considered to be ‘live’ issues and their assessment is updated regularly by managers on the Council’s ‘Covalent’ management information system.

7. The update of the evaluation of the risks identified has enabled officers to determine which issues currently require the greatest or most urgent management attention. CMT and service heads are currently developing action plans to ensure that the risks identified are being managed effectively. A summary of the Key Business Risks and a snapshot from the current register of operational risks, showing those with the highest priority, will be reported to a future meeting, along with the proposed action plans.


It is recommended that the Executive:

1. considers the revised Risk Management Policy and Strategy set out in Annexe 2 and asks the Audit Committee to consider the adequacy of the proposed framework;

2. appoints the Finance Portfolio Holder as the Member ‘Risk Champion’;

3. agree that the Deputy Chief Executive should be the officer Risk Champion; and

4. recommends to the Council that the Terms of Reference for the Executive should be amended to include “the responsibility for ensuring that effective actions are taken to manage Waverley’s key business risks”.

Background Papers (DoR)

There are no background papers (as defined by Section 100D(5) of the Local Government Act 1972) relating to this report.


Name: Brian Gilmour Telephone: 01483 523262
E-mail: bgilmour@waverley.gov.uk

Name: Graeme Clark Telephone: 01483 523236
E-mail: grclark@waverley.gov.uk



All organisations face risks in undertaking their business. Local authorities, with their wide-ranging responsibilities and duties, face a significant number of risks. A risk is the threat that an event or action will adversely affect an organisation’s ability to achieve its objectives.

Clearly Waverley has been, and always will be, faced with many potential risks in all areas of its business. This Policy statement recognises Waverley’s responsibility for the management of these risks and sets out the framework for achieving this effectively.

A managed approach to dealing with risk is important to help Waverley:

- Achieve its objectives - Ensure compliance with statutory obligations - Safeguard the Council’s employees, Members, service users and all other persons to whom the Council has a duty of care

- Ensure that good quality services are delivered

- Maintain effective control over the Council’s resources and assets and prevent damage or loss

- Develop innovative ways of service delivery and maximise opportunities

- Promote and protect the image and reputation of the Council

- Protect the Borough’s environment This Policy and Strategy aims to:

- Embed good risk management practice into the culture of the Council - Ensure that any actions necessary to minimise the likelihood of risks occurring and/or reducing the impact on the Council if they do occur, are identified and carried out

- Communicate risk issues to staff, Chief Officers and Members

- Provide a framework which gives the necessary assurance required under Waverley’s corporate governance responsibilities

- Ensure that Waverley’s key partnerships have proper arrangements in place to manage risks

Waverley’s Strategy for managing risk details the roles and responsibilities and the proposed activity for achieving the Policy aims. This Policy and Strategy will be reviewed each year to ensure that it continues to provide the necessary framework for managing Waverley’s risks effectively.



Effective management of risk should be a key part of every manager’s day-to-day job. Whilst there are currently many well-established areas of good practice across the Council, it is often easy to overlook some of the common vulnerable areas where the organisation can be particularly exposed to the consequences of risk. This can often be the case in managing projects but can also occur in major business risk areas or service specific operational risks.

Waverley’s risk management framework is a ‘tool’ that should help individual mangers, Chief Officers and Members to identify and assess potential risks facing the Council and from this, prioritise actions necessary to protect the Council, its staff and stakeholders and its resources. The Risk Management Strategy does not sit in isolation and it should be used to support the normal achievement of service and corporate objectives through the Corporate Plan, Service Plans and individual staff appraisals. There is also a strong link with Waverley’s resource strategies, particularly the Medium Term Financial Strategy and the Workforce Plan.


- To develop the existing structured framework for the identification, evaluation and control of risks - To clearly identify the roles and responsibilities for managing risk

- To raise awareness of potential risks and to support officers in managing them

- To encourage the sharing of good practice across the Council

- To help improve the Council’s performance

- To help inform decision-making at all levels by considering risk issues

- To support innovative working practice and encourage opportunities to be taken in a controlled way 3. WHAT SORT OF RISKS COULD WAVERLEY FACE?

The diagram shown above illustrates some of the main categories of risk that Waverley could face. This diagram was provided by Zurich Municipal Management Services (ZMMS) who have provided assistance in developing and reviewing Waverley’s risk management framework.

Risks can arise in any of Waverley’s services across any of these categories. Risks can be external, such as risks arising from Government changes, or internal, such as health and safety of staff and buildings. The changing environment in which Waverley operates makes it increasingly difficult to manage risks without a formal strategy and process in place. Factors such as limited resources, increasing responsibilities and demands from customers, new legislation and more litigation against Councils are all examples.


A risk is the threat that an event or action will adversely affect Waverley’s ability to achieve its objectives. Waverley’s approach to managing its risks involves the identification, evaluation and controlling of the risks. This process is taken at a point in time and the existence and impact of risks often change over time. Therefore it is important to monitor and review the risk assessment on a regular basis to focus on those risks which present the greatest threat. Waverley’s cross-department Risk Management Group coordinates the delivery of the Strategy aims.

Pro-actively identifying areas of risk before any loss or event occurs enables preventative actions to be taken and/or actions which minimise the impact on services or resources.

i) Identification
Waverley maintains a schedule of Key Business Risks that are the major issues that could potentially have a significant impact on the Council and its delivery of the Corporate Plan. Key Business Risks will be identified in conjunction with the Council’s agreement of the new Corporate Plan at the start of each Council term and reviewed as described below. The identification process will involve senior managers and members of the Executive and Audit Committee.

Operational Risks tend to be specific to certain service areas or functions. The identification and review of these risks will be an ongoing process by managers using the corporate ‘Covalent ‘ system. However, the Risk Management Officer Group will review the risks identified and report to the Heads of Service Team on a quarterly basis and to Corporate Management Team every 6 months, or by exception if a particular area of concern emerges. Opportunities should also be identified alongside risks and evaluated by managers.

Specific projects will be the subject of a risk assessment and key risks will be identified, evaluated and recorded on the Covalent system if appropriate. Risks associated with key decisions will be set out clearly in reports to Members with details of proposed mitigation measures.

Risks associated with key partnerships should be identified and addressed in the governance arrangement and agreed by all parties. Assurances should be provided to CMT about the adequacy of the arrangements.

ii) Evaluation
The risks identified are evaluated in terms of:
- the likelihood of the loss or event occurring; and,
- the impact on the Council or the service if the risk does materialise.

The evaluation process enables the overall severity of the risk to be assessed and consequently, any action necessary to be determined, prioritised and reported on.

The combined likelihood/impact evaluation of each risk is plotted against a predetermined acceptability threshold. Risks above this threshold will be reported to members and those that require management action will be given priority.

iii) Control
Once the risk has been identified and evaluated, it is determined whether any action is required to control the risk or mitigate its impact. The following are the general options that are considered:
- Accept the risk and live with the consequences if a problem does occur
- Eliminate the risk by stopping or radically changing a service or activity
- Transfer the risk to a third party, such as insurance or contracted-out services
- Mitigate the risk by taking action to reduce the likelihood or impact

The risk records will include an action plan, where necessary, which identifies the action, risk owner and timescale for completion.

The Council must accept that, whatever action is taken, risk cannot be eliminated entirely. Actions must be proportionate to the risk and not obstruct service provision. It is also important that the system to manage risks supports the managers and does not introduce unnecessary bureaucracy. Managers should be encouraged to identify opportunities as well as risks and to record their proposals to manage any associated risks.

iv) Monitoring and review
A risk assessment is a snapshot in time and can only reflect the position known at that time. The risks identified will change over time, as may the evaluation of their likelihood and impact. Therefore, it is essential to review the risks and the action plans on a regular basis. The following is the proposed review framework:

Key Business Risks
- Comprehensive review every 4 years involving senior managers and key Members
- Refresh key business risks after 2 years
- Corporate Management Team consider the management arrangements on an annual basis and report to Audit Committee
- Risk Management Group and Heads of Service Team review on 6-monthly basis and report on adequacy of management arrangements to Corporate Management Team
- New risks or sudden changes to risks or evaluations reported on an exception basis

Operational Risks
- Risk owners to review risks on a monthly basis, at least, and update Covalent to reflect new/amended/obsolete risk scenarios, new revised evaluation and any management action
- Risk Management Group review entire register on a 6-monthly basis and report to Departmental Management Teams
- Risk Management Group report above threshold risks to Corporate Management Team and the Audit Committee on 6-monthly basis
- Manager workshops to comprehensively review risks and refresh training every 2 years
- New risks or sudden changes to risks or evaluations reported on an exception basis

Project and Partnership risks
- Should be monitored as appropriate by project teams with reports to CMT if required
- Partnership risks should be reviewed by the partnership and documented


The responsibility for managing risk extends throughout the Council. It is important that there is high level support and that all managers and staff are aware of their role. The following summarises the roles and responsibilities.

- The Audit Committee to ensure that robust arrangements are in place, in line with best practice, to ensure the effective identification and evaluation of risks
- The Executive to ensure the effective management of risk by officers
- To consider risk issues when making key decisions
- Member Champion to liaise with the Risk Management Group as appropriate

Corporate Management Team
- To ensure that the Risk Management Strategy is fully implemented
- To ensure that agreed action plans are completed
- To ensure that risk issues are properly considered when making decisions
- To ensure that an effective control mechanism is in place and adhered to

Risk Management Group
- To coordinate actions necessary to implement the Risk Management Strategy
- To maintain and update the risk registers and report to CMT and DMTs in accordance with the agreed Strategy framework
- To raise awareness of risk issues across the Council and promote good practice
- To provide support to managers in implementing effective solutions to managing risk
- To facilitate training for key managers to develop skills in tacking risk issues
- To liaise with the Member champion for risk management
- To review the Policy and Strategy each year and report to Members if necessary

Heads of Service and Service Managers
- To identify the risk of loss, damage or injury in services and to implement appropriate measures to minimise their likelihood of occurring and/or their impact to the Council
- To record risks identified in their service plan and in the corporate risk register
- To regularly update records of all risks in their work areas in the Covalent system
- To encourage staff to be risk-aware and to raise risk issues at team meetings/DMTs
- To ensure that an effective control environment exists in all service areas
- Effective communication of the Risk Management Strategy in their service areas.