

ABERDEEN CITY COUNCIL

COMMITTEE: Audit & Risk
DATE: 12 February 2013
DIRECTOR: Stewart Carruth
TITLE OF REPORT: Corporate Risk Register
REPORT NUMBER: CG/13/013

1. PURPOSE OF REPORT

To present members of the Committee with the output of the Corporate Risk Register review.

2. RECOMMENDATION(S)

The Committee are asked to:

1. Agree the revised Corporate Risk Register (appended to this report);
2. Approve the addition of 1 newly identified corporate risk to the register;
3. Approve the removal from the active register of 1 risk which is considered to be properly reflected elsewhere in the register;
4. Instruct any further action considered appropriate.

3. FINANCIAL IMPLICATIONS

There are no direct financial implications, but the mitigation of risk is a key element of good financial stewardship.

4. SERVICE & COMMUNITY IMPACT

There are no specific service or community issues arising from this report, but robust risk management is intrinsic to the conduct of Council business and the delivery of services. As this is an internal management report, no Equalities and Human Rights Impact Assessment has been undertaken.

5. OTHER IMPLICATIONS

Risk management is resourced through nominated risk ‘champions’ within each Service. This ensures the timely review, monitoring and development of Service Risk Registers in accordance with the strategic steer provided by the Committee, through monitoring of the Corporate Risk Register. This steer is supported by the Corporate Risk Management Group and the Performance and Risk Team within Corporate Governance.


6. REPORT

6.1 Risk Management is the process of identifying risks, assessing the likelihood and impact of their occurrence and determining the most effective methods of managing them or reducing them to an acceptable level. The aim is to reduce the frequency of risk events occurring and minimise the severity of their consequences if they do occur. An effective risk management process also provides a framework wherein a cost-benefit analysis approach to opportunity risks may be taken. Risk management provides a means of improving strategic, operational and financial management, all of which are central to the delivery of Best Value. Good risk management also ensures the Council is in a position to minimise financial losses, service disruption, bad publicity, threats to public health and welfare, and compensation claims.

6.2 The Council, in common with many large organisations, adopts an ‘Enterprise Risk Management’ approach to our strategic and operational risk processes. This approach classifies risks according to ‘hazard’, ‘control’, and ‘opportunity’ groupings. It is an approach which emphasises the positive as well as the negative aspects of risk management. These classifications are described below:

Hazard Risks: Risks which inhibit the achievement of benefits to the Council, the city and its communities.

Control Risks: Risks which increase uncertainty or doubt about achieving benefits for the Council, the city and its communities.

Opportunity Risks: Risks which enhance the possible achievement of benefits for the Council, the city and its communities.

6.3 Additionally, risks are categorised according to the Accounts Commission definitions of impact on specific aspects of organisational operations: Business, Professional/Management, Financial, Legal, People, Partnership, Physical, Political, Contractual, Technological, Environmental and Customer.

6.4 This report sets out the current status of the Corporate Risk Register and advises the Committee on the recommendations of the Corporate Management Team with regard to reassessment of corporate risks, inclusion of a newly identified risk and removal of one risk.

6.6 The table summarises the changes proposed to the risk register:

Proposal: Removal / Archiving
Risk: Risk that major projects and strategies are not delivered. (The substance of this risk is being managed effectively through the existing risk: Risk that services do not deliver the Corporate Business Plan priorities.)

Proposal: New Risks
Risk: Risk of market failure in commissioned services.

6.7 Risk Ownership

Our approach to risk management involves appointing a Lead Officer to oversee the management of each risk. Typically, these officers are members of the Corporate Management Team, which retains collective responsibility for the register as a whole. Many controls and actions to mitigate the risks fall within the remit of other officers and these have therefore been assigned a supporting role in the management of the risks.

6.8 Monitoring and Review

The process for review of the Corporate Risk Register involves an annual development workshop in which managers have the opportunity to raise areas of anticipated risk to the Council, our workforce, our communities and the services we deliver. These issues are then debated and a determination made whether the risk is significant enough to require registration and management. Risks deemed to have reached an acceptable or tolerable level are considered for removal and archiving. However, these historic risks are retained for audit and scrutiny purposes. Some risks, by their nature, are of an ongoing significance to the Council and are retained on the register on a semi-permanent basis for this reason.

6.9 As well as the workshop, the register is subject to further formal review after a six month interval. These reviews are conducted through one-to-one meetings and discussions with directors and risk owners where their specific owned risks can be reviewed and revised where necessary. These meetings also present an opportunity to identify new risks. The register before the Committee reflects the output of the latest of these reviews, which took place during December 2012 and January 2013.

6.10 Current and Residual Risk

The appended register uses ‘heat maps’ to identify the rating attaching to each risk in the register. Current risk refers to the level of risk persisting with the controls currently in place. Residual risk refers to the level which is anticipated when all mitigating actions are complete. The red area (top right) in each heat map marks the combination of most serious impact and likelihood, which requires active management; the green area (bottom left) shows risks which are mostly tolerable. In normal circumstances, risks become eligible for archiving when the residual level is achieved. However, some risks have achieved this level but continue in the register for record purposes because of their strategic importance to the Council’s business.

7. AUTHORISED SIGNATURE

Stewart Carruth, Director of Corporate Governance [email protected] 522550

8. REPORT AUTHOR DETAILS

Neil Buck, Performance and Risk Manager [email protected] 522408

9. BACKGROUND PAPERS

None


Corporate Risk Register January 2013

Description: Business Risks

Title: Risk that services do not deliver the 5 year business plan priorities. (Control Risk)

Potential Impact: The Council is unable to deliver its agreed priorities. Budget limits / constraints are exceeded. Reputational damage in the community. Central government censure / poor inspection and regulatory reports. Urgent remedial action required to rectify budget deficits and statutory obligations in the future. Workforce do not support transformation of service delivery programmes.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Stewart Carruth

Internal Controls: Ensuring adequate management controls are in place. Ensuring that the programme management office fully understands and manages programmes effectively. Ensuring robust communication processes are in place, both internally and externally. Ensuring services are fully engaged with the corporate agenda. Ensuring that the business plan contains sound metrics and deliverable actions. Ensuring that planning and performance management is aligned through Service business planning. Planned audit of the PMO.

Mitigating Actions: Develop and progress Programme Office remit to deliver Business Plan Programmes. Refresh and communicate project risk management guidance. Establish effective communication strategy for both internal and external service users, to engage all stakeholders. Embed self-evaluation based on HGIOC model in all services and ensure alignment with requirements of regulatory bodies. Fully embed public service value model and robust weighted metrics to support effective performance management and reporting.

Business Plan Actions:

Linked Risks:
CG001 Risk that the needs of our customers are not understood and met. (Control Risk)
CG003 Risk that major projects are not effectively delivered. (Hazard Risk)
CG026 Risk of not meeting Service Option/Targets (Hazard Risk)

Title: Risk that planned welfare reform will negatively impact on the council and its communities (Hazard Risk)

Potential Impact: See attached document. Further document attached detailing the management of this risk.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Fred McBride

Internal Controls: To be scoped

Mitigating Actions: See attached document. There are now 5 work streams to the welfare reform project with a nominated leader for each stream. £1million has been set aside to support this work. This is built in to the budget setting process. A report to Council will evidence further work on welfare reform and will be uploaded to the risk when available.

Business Plan Actions:

Linked Risks:

Title: Risk that decisions taken are not legitimate and that legitimate decisions are not implemented appropriately (Control Risk)

Potential Impact: Standing Orders / Financial Regulations are not complied with. Decisions are open to challenge legally and by scrutiny bodies. Strategic objectives are not achieved because decisions are not implemented.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Ciaran Monaghan

Internal Controls: Ensure progress towards formalising the Local Code of Corporate Governance in line with accepted Best Practice.

Mitigating Actions: Training and awareness raising on aspects of Standing Orders / Financial Regulations. Finalise and approve the Local Code of Corporate Governance. Agree committee reporting format which meets elected members and public expectations for concise, clear, informative reporting and effective decision-making.

Business Plan Actions:

Linked Risks:
CG023 Risk that inadequate information management processes create inaccuracies and uncertainty over compliance with statutory obligations and lead to under-informed decision making (Control Risk)

Title: Risk of Community Planning failing to deliver city wide projects/opportunities and associated funding (Control Risk)

Potential Impact: Reputational damage due to the Council's lead role in CP development. Inability to secure funding for partnership strategies and to make best use of existing scarce disposable income. Poor shared risk assessment (SRA). Poor community planning audit (Accounts Commission led).

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Martin Murchie

Internal Controls: Revised CPP structure. Strengthened management group arrangements. Internal audit availability for targeted audits.

Mitigating Actions: Self-evaluation exercise of the CPP. Develop shared vision for the CPP. Develop shared accountability for the SOA. Implement Community Planning Development Plan arising from self-evaluation process. Establish performance and risk management frameworks in order to embed strong governance arrangements.

Business Plan Actions:
CG0031 We will actively engage with existing community planning partners and build new relationships, to develop an innovative service planning and delivery model based on a 'whole systems' approach

Linked Risks:

Title: Risk that an adequate and consistent quality of service is not defined and delivered. (Control Risk)

Potential Impact: Customers and service users have no information on which to assess the quality of service provided. Consumers may have unrealistic expectations. The Council receives an increase in complaints from members of the public. Potential reputational damage from escalated complaints. An increase in resources (officer time and financial) required to deal with queries and complaints.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Paul Fleming

Internal Controls:

Mitigating Actions: Engagement on, and agreement and publication of, service standards for external customers; Agreement of SLAs with defined service standards for internal customers; Ensuring quality and service standards in all contracts with external providers; Establish and maintain effective monitoring arrangements for performance against agreed quality and standards; Review the range of skills to ensure highly skilled and motivated employees.

Business Plan Actions:

Linked Risks:
CG001 Risk that the needs of our customers are not understood and met. (Control Risk)

Title: Risk that culture of council does not support an entrepreneurial operational approach to opportunities (Control Risk)

Potential Impact: Disinvestment as businesses shrink in size or leave the city. Inability to attract new investment, especially non-oil and gas related investment, as new investors choose to locate in more business-friendly cities. Reduction in local business tax revenue (net of the impact of any upward ratio reviews). Lower GVA level for the city. Falling employment levels over the medium to long term (unemployed as a % of the total population).

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Gordon McIntosh

Internal Controls: None at present.

Mitigating Actions: Demonstrate economic impact of existing and proposed business related support programmes, so the impact of not supporting these becomes apparent. Council to enshrine support for an entrepreneurial operational approach to opportunities in the Council's manifesto and business plan.

Business Plan Actions:

Linked Risks:

Title: Risk that information is not managed effectively to support policy and decision making and statutory requirements

Potential Impact: The Council is unable to base decision making on robust information sources. The Council suffers censure and financial loss through ineffective processes for complying with statutory requirements. The Council experiences poor policy formulation processes due to inadequate information management.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Martin Murchie

Internal Controls: Policy, procedures and processes (e.g. Data Protection, Breach Reporting, Remote Working, ICT Security). Training / Induction. Audit and Inspection. Self reporting of breaches and CMT governance of these (quarterly reporting). Information Management Strategy. Corporate Records Management Approach to increase confidence in information management practice and the governance framework.

Mitigating Actions: Corporate gap analysis undertaken and improvement plan in place (includes Policy Review, implementation of procedures); Actions from audits and inspections being taken forward (e.g. Laptop encryption); Training - OIL course; Compliance with Public Records (Scotland) Act from Jan 2013 - Development of Records Management Plans.

Business Plan Actions:

Linked Risks:
CG023 Risk that inadequate information management processes create inaccuracies and uncertainty over compliance with statutory obligations and lead to under-informed decision making (Control Risk)

Description: Customer/Citizen Risks

Title: Risk that those in need are not protected (Hazard Risk)

Potential Impact: Reputational damage. Potential litigation. Members of the public exposed to actual danger and unrecognised potential danger and hazard. Deaths.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Fred McBride

Internal Controls: Robust policies and procedures. Self evaluation processes.

Mitigating Actions: Raising public awareness of services and how to contact. Ensure swift access to those in need, or provide for investigations without delay.

Business Plan Actions:

Linked Risks:

Title: Risk of market failure in commissioned services (Hazard Risk)

Potential Impact: Vulnerable groups suffer disturbance / relocation leading to stress and harm. The Council incurs increased costs due to emergency provision requirements.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Fred McBride

Internal Controls:

Mitigating Actions: Establishment of trading company. Take some services back in-house. Redistribution of people amongst other providers. Development of Joint Commissioning Strategy to encourage greater collaboration and co-operation between providers. Renegotiation of framework agreements for future provision.

Business Plan Actions:

Linked Risks:

Description: Environmental Risks

Title: Risk of not planning for emergencies (as defined by the Civil Contingencies Act 2004) which may affect Aberdeen City and/or an incident having a significant adverse effect on the operations of Aberdeen City Council. (Hazard Risk)

Potential Impact: The Council is unable to support or lead the response to an emergency affecting the city and/or is unable to deliver critical functions in relation to:
1. Human welfare or the environment
2. The finances of the Council
3. The Council's statutory obligations
4. The Council's reputation
5. The Council's ability to respond to emergencies

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Pete Leonard

Internal Controls: CMT reporting; Internal audits; Scottish Government reporting on Resilience Capability.

Mitigating Actions: Effective participation in all aspects of multi-agency Civil Contingencies activity within Grampian and, where appropriate, Scotland; Ongoing assessment of the Grampian Strategic Coordinating Group Community Risk Register to ensure appropriate Risks are considered in ACC Corporate Risk Register; Maintenance of Emergency Planning Policy and Procedures; Maintenance of Business Continuity Policy and Procedures; Maintenance of Business Continuity and Disaster Recovery Plans for all the Council's critical functions.

Business Plan Actions:

Linked Risks:
CG004 Risk that effective business continuity and disaster recovery arrangements are not in place. (Hazard Risk)

Description: Financial Risks

Title: Risk of lower than anticipated income (national and local) (Hazard Risk)

Potential Impact: Services cannot be resourced; Additional efficiencies / savings are required; Additional expenditure to collect income may be required.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Stewart Carruth

Internal Controls: Priority based budgeting and option appraisal (including below the line); Medium term financial planning; Scenario planning and sensitivity testing; Reliability of systems developed; Business continuity planning for income collection.

Mitigating Actions: Embed rolling priority based budgeting approach and option appraisal (including below the line options); Maintain medium term financial planning; Undertake further scenario planning and sensitivity testing, developing actions from this; Continue to develop and implement anti-poverty strategy; Continue to develop reliability of systems, particularly for income generation; Build on Business Continuity Plans for income collection.

Business Plan Actions:

Linked Risks:
CG007 Risk of poor financial management and decision making. (Control Risk)

Title: Risk that business rates collection in future years fall below anticipated levels impacting on funding from Scottish Government encompassing combined impact of TIF and BRIS (Control Risk)

Potential Impact: The Council suffers loss of revenue having a detrimental effect on our ability to resource key priorities.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Barry Jenkins

Internal Controls: In year monitoring and variance analysis.

Mitigating Actions: Early discussions with the Scottish Government.

Business Plan Actions:

Linked Risks:
CG007 Risk of poor financial management and decision making. (Control Risk)

Description: Legislative Risks

Title: Risk that statutory obligations are not met. (Control Risk)

Potential Impact: The Council experiences legal claims by third parties on the basis of poorly or incorrectly administered services and functions. The Council experiences Government censure and challenge by scrutiny bodies.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Jane MacEachran

Internal Controls: Internal and External Audit; Research of legislative requirements; Legal Advice.

Mitigating Actions:

Business Plan Actions:

Linked Risks:
CG014 Risk that legislative changes are not effectively planned for. (Control Risk)
CG023 Risk that inadequate information management processes create inaccuracies and uncertainty over compliance with statutory obligations and lead to under-informed decision making (Control Risk)

Title: Risk that the council does not fully comply with Health & Safety obligations (Hazard Risk)

Potential Impact:
· Loss of life or serious injury to employees and or third parties, damage to property, plant or equipment.
· Criminal prosecution by the enforcing authorities and civil legal challenge. Breach of health and safety legislation minimum fine in lower courts £20,000. Potential for imprisonment and disqualification. Manslaughter and Corporate Homicide Act 2007 maximum penalty unlimited fine and publishing of conviction and fine.
· Issue of enforcement notices that could stop service delivery and require additional resources to comply.
· From October 2012 introduction of HSE “fee for intervention” to recover costs from businesses who are found to be in breach of health and safety law.
· Adverse media affecting organisation reputation.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Mary Agnew

Internal Controls:
· Provision of comprehensive competent advice through the health and safety team.
· Health and safety policy with clear roles and responsibilities and supporting procedures and guidance.
· Employee Health and safety development programme.
· Planning and target setting for health and safety performance.
· Monitoring, reporting and review of performance.

Mitigating Actions:
· Corporate Health and Safety Committee Action plan.
· Strategic decisions taking account of potential health and safety issues at an operational level.
· Introduction of health and safety audit by health and safety team across Directorates.
· Review of existing health and safety matrix to incorporate Workplace Inspection findings.

Business Plan Actions:

Linked Risks:

Title: Risk that we do not act within our legal powers. (Control Risk)

Potential Impact: The Council is subject to legal action. Individuals or organisations suffer harm. There are financial penalties resulting from successful legal action. The Council suffers reputational damage and increased scrutiny by regulatory bodies.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Jane MacEachran

Internal Controls: Standing Orders. Procurement procedures. Revised Scheme of Delegated Powers. Scrutiny provided by committees. Head of Legal and Democratic Services has the role of Monitoring Officer.

Mitigating Actions:

Business Plan Actions:

Linked Risks:
CG014 Risk that legislative changes are not effectively planned for. (Control Risk)
CG023 Risk that inadequate information management processes create inaccuracies and uncertainty over compliance with statutory obligations and lead to under-informed decision making (Control Risk)

Description: Management/Professional Risks

Title: Risk that we do not demonstrate that the expectations of regulatory bodies are being met. (Hazard Risk)

Potential Impact: The Council suffers reputational damage and sanction by central Government.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Stewart Carruth; Martin Murchie

Internal Controls: Ensuring the Council is aware of the regulatory requirements placed upon it. Ensuring robust self evaluation processes are in place. Embedding the Corporate Performance Management Group as the coordinating body for management of all performance, self-evaluation, benchmarking and reporting requirements. Ensuring adequate management controls are in place. Recent inspections and the Shared Risk Assessment demonstrate effectiveness of existing controls.

Mitigating Actions: The Corporate Performance Management Group is in place and acts as the coordinating body for all performance management, benchmarking and self-evaluation processes and ensures implementation of active self-evaluation regimes. The 5 year corporate business plan implementation, managed corporately by the Programme Management Office, ensures improvement plans are actioned timeously. Continue preparation for the Information Commissioner Inspection and findings to be implemented timeously.

Business Plan Actions:
CG0024a We will participate in the development of a new Scotland-wide Complaints Handling Procedure and implement the agreed model in order to demonstrate compliance with SPSO regulatory requirements.

Linked Risks:
CG001 Risk that the needs of our customers are not understood and met. (Control Risk)
CG007 Risk of poor financial management and decision making. (Control Risk)
CG011 Risk that the needs of scrutiny and regulatory bodies are not met. (Control Risk)
CG021 Risk of collection levels deteriorating (Hazard Risk)
CG023 Risk that inadequate information management processes create inaccuracies and uncertainty over compliance with statutory obligations and lead to under-informed decision making (Control Risk)

Description: People Risks

Title: Risk that effectiveness of the Council's workforce is compromised due to poor morale and industrial relations (Hazard Risk)

Potential Impact: The Council suffers reputational damage, making recruitment and retention of high quality employees problematic. Productivity is reduced. Innovations, changes and improvements are not driven from employees. Implementation of key policy decisions is hampered by disconnect between staff and senior management and decision makers.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Ewan Sutherland

Internal Controls: Workforce Planning Strategy. 'People First.' Effective internal and external communications strategies.

Mitigating Actions: Business Continuity plans are developed. Ensure workforce planning strategy is implemented in full. Refresh People First Strategy. Develop and implement effective communications strategies.

Business Plan Actions:

Linked Risks:
CG005 Risk of low levels of employee engagement (Control Risk)
CG027 Risk that workforce planning, recruitment, retention, training and development are not aligned to business and financial planning and the requirements of new technology (Control Risk)

Description: Physical Risks

Title: Risk that the Council suffers loss of building facilities (Hazard Risk)

Potential Impact: The Council is unable to deliver critical functions in relation to:
1. Human welfare or the environment
2. The finances of the Council
3. The Council's statutory obligations
4. The Council's reputation
5. The Council's ability to respond to emergencies

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Hugh Murdoch

Internal Controls: Internal audit controls of business continuity.

Mitigating Actions: Development of high level business continuity arrangements which take account of the move to the new corporate headquarters.

Business Plan Actions:

Linked Risks:
CG004 Risk that effective business continuity and disaster recovery arrangements are not in place. (Hazard Risk)

Description: Political Risks

Title: Risk of changes to national or local policies which impact on the Council’s objectives and Corporate Business Plan (Control Risk)

Potential Impact: Legislative barriers to the Council's planned actions; Required actions which were previously unplanned; Need for additional expenditure.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Stewart Carruth

Internal Controls: Priority based budgeting and option appraisal; Undertaking sector analysis in annual updates to Business Plans; Scenario planning and sensitivity testing.

Mitigating Actions: Rolling sector analysis / horizon scanning in business planning; Sensitivity testing of scenarios; Management of risks in decision making; Promotion of the City's and Council's interests with political decision makers.

Business Plan Actions:

Linked Risks:
CG014 Risk that legislative changes are not effectively planned for. (Control Risk)

Description: Technological Risks

Title: Risk of major business systems failure (Hazard Risk)

Potential Impact: The Council is unable to meet its statutory requirements to provide services and to ensure the safety and care of vulnerable groups. The Council is unable to carry out all or some normal day-to-day administrative, financial and communication processes.

Current Risk: heat map (not reproduced in this extract)

Residual Risk: heat map (not reproduced in this extract)

Assigned To: Paul Fleming

Internal Controls: Disaster recovery / business continuity policies and plans. Continual monitoring of effectiveness of hazard prevention arrangements. Monitoring of external provider contractual arrangements.

Mitigating Actions: Disaster recovery plan. Provision of additional generator to ensure continuing power to central communications facility. Air conditioning. Fire prevention provisions. Contract with external provider includes: Requirement to sustain 50 top business systems. Recovery required on a time objective and point objective basis. Contractor based on two sites with planned provision of connectivity from both (triangulation).

Business Plan Actions:
CG0012 We will improve our corporate ICT infrastructure to support the business in cost effective ways.

Linked Risks:
CG004 Risk that effective business continuity and disaster recovery arrangements are not in place. (Hazard Risk)
CG012 Risk of poor ICT security and operational arrangements. (Hazard Risk)