Risk Management in service planning and projects

RISK MANAGEMENT
Every DECISION WE MAKE INVOLVES RISK Even doing nothing may involve risk Aim: To manage not remove risk To take managed risks To encourage innovation and managed risk taking
To achieve desired outcomes

All organisations exist to achieve their objectives.

The purpose of risk management is to manage the barriers to achieving these objectives.

today

objectives

Why Risk Management?

Corporate Governance Statutory requirements- eg: health/safety Ensure best use of public resource To prevent/minimise the unexpected To ensure delivery of service To realise and maximise opportunities

Response to Risk
Transfer
Conventional insurance, paying a third party to take the risk in another way. (Max 20% risk insurarable)

Tolerate
Ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained

Treat
Actions instigated from within the organisation (although their effects may be felt outside of the organisation) which are designed to contain risk to acceptable levels.

Terminate
Some risks will only be treatable, or containable to acceptable levels, by terminating the activity

RISK: I.T. Migration Project Physical Security

Risk Owner: David Dickinson
A B
cLikelihood

Risk Number

Current Risk Score C2

Target Risk Score D3 D3 E3

Risk Description Increased potential for theft Both internal and external- increased attractiveness of IS items.

C D E F IV

+
C2 C2

Interim storage arrangements for new and old hardware

Environment Agency

Inadequate insurance cover to protect both new and old equipment during transitional period and increase of equipment.

III II Impact

C= significant

3= Critical.

Consequences: Potentially severe disruption of service. Loss of finance. Reputation.

Required management action/control IS Management to ensure that enough solution and stickers are ordered prior to commencement of the rollout. Also ensure all equipment is correctly marked. I.S. to ensure that Risk Services are consulted prior to delivery of the storage units. Responsibility for action Sharon Parkinson and David Dickinson Critical success factors & KPIs Review frequency Key dates

Action/controls already in place/agreed to provide All new equipment to be marked with Smartwater

Adequacy of action/ control to address risk Limited May act as deterrent.

All hardware adequately marked

Location of storage container to be pre agreed to ensure most secure location Hiring of secure container unit

Effective

Sharon Parkinson and David Dickinson Secure location

Effective

I.S. to ensure container is suitable and secure. IS need to check specification with Insurers Relocation/ realignment of existing CCTV provision may be necessary for storage period.

Sharon Parkinson and David Dickinson

Secure storage

Weekly

CCTV located within area of storage containers

Limited cover but can be effective as both deterrent and to identify prevent attempted theft

Sharon Parkinson and David Dickinson Secure storage

Continuous

Action/controls already in place Internal security staff to be briefed and to provide increased monitoring of area Use of old equipment inventory. New Equipment inventory to be produced. Appropriate insurance cover to offset any potential loss via theft

Adequacy of action/ control to address risk Effective

Required management action/control Provision of extra security may be necessary at times of increased risk. Extension of building security alarm to storage holds

Responsibility for action Sharon Parkinson and David Dickinson

Critical success factors & KPIs Awareness and increased security monitoring Alarmed facility

Review frequency

Key dates

Effective

Sharon Parkinson and David Dickinson

Effective Although total loss not fully protected Limited Staff may be shadowed. Not all buildings have access control

IS to ensure that the insurance policy covers the extra units being held during the transitional period Additional security may be required during installation at buildings without secure access control. IS to determine where units are to be stored on these sites prior to commencement of rollout IS to liaise with Risk Services to produce agreed instructions

Sharon Parkinson and David Dickinson

Adequate insurance value

Door entry systems to prevent unauthorised access

Sharon Parkinson and David Dickinson

Secure access

All staff to be reminded of basic security measures

Limited if required actions not enforced i.e. closing of blinds, etc

Sharon Parkinson and David Dickinson

Increased awareness

THE RISK MANAGEMENT CYCLE

Inspections, interviews, workshops, analysis of data
RISK IDENTIFICATION

Testing, reviewing actions, planning, reporting

MONITORING

RISK ANALYSIS

Understanding, quantification

RISK MANAGEMENT PRIORITISATION

Contingency planning, Decisions controls, training, procedures, inspection

Agreement How likely, how bad?

The Risk Management Cycle

Identify
Control Monitor

Review

RISK IDENTIFICATION

RISK PROFILING
MONITORING RISK ANALYSIS RISK MANAGEMENT

PROBABILITY OR LIKELIHOOD

A
B C D
6 2
1

PRIORITISATION

E
F IV III

II

SEVERITY OR IMPACT

OUR RISK MANAGEMENT STRUCTURE

Strategy Strategic Risk Register Service Plans- operational risks and mitigation of strategic risks CMT and OE Overseeing risk management Corporate Risk Management Group Accounts and Audit Committee- scrutiny Risk Based Audit programme

RISK MANAGEMENT: OUR KEY PLAYERS

Member Portfolio and Champion Tony Roberts CMT Champion Keith Stedman Officer Champion and corporate facilitator- Ian Harrison Managers- Service planning and delivery All employees Corporate Audit Section- Risk based Audit programme

Opportunities
Risk management also adds value: It enables us to maximise opportunities, to take managed risks To innovate, pathfind, explore new ways of service delivery. To manage risks we may have to take more risks, we may have to innovate.

WHAT ABOUT INSURANCE?

Risk Management is not just about insurance

80%

of risks faced by organisations are not insurable!

Chance or choice - SOLACE/ZMMS

RISK IDENTIFICATION

PHYSICAL RISK
MONITORING RISK ANALYSIS

CONSEQUENCES Reputation Accidents Increase in premiums Destruction of property Resources diverted from services Theft
RISK MANAGEMENT PRIORITISATION

THE RISKS vulnerabilities or triggers

Claims & liabilities Poor utilisation

Staff turnover Death

Physical hazards incl fire and flood Inappropriate fleet usage Inadequate security of premises Inherent property defects Poor maintenance Lack of proper training Staff risks from public Safety of parks / cemeteries Equipment usage and defects Lack of overall and properinspection Physical and assessment Partner practices Work practices (site work to workstation work)

THE RISK MANAGEMENT CYCLE

Inspections, interviews, workshops, analysis of data
RISK IDENTIFICATION

Testing, reviewing actions, planning, reporting

MONITORING

RISK ANALYSIS

Understanding, quantification

RISK MANAGEMENT PRIORITISATION

Contingency planning, Decisions controls, training, procedures, inspection

Agreement How likely, how bad?

Step 4: Example of a Management Action Plan (MAP)

A B

Owned by:

Date:

Likelihood

C D E F IV III II Impact I

Risk Number

Current Risk Score

Target Risk Score

Description

Action/controls already in place

Adequacy of action/control to address risk

Required management action/control

Responsibility for action

Critical success factors & KPIs

Review frequency

Key dates

What is Risk Management?

What can go wrong Identify

How good or bad can it get

What can we do about it

Assess and measure

Respond

Service planning RM
Identify, where relevant, how your service area can and will mitigate the Councils Strategic Risks
Identify, quantify and prioritise those risks to your service planning.

2. Types of risk and risk identification

RISK IDENTIFICATION

SCOPE OF RISK
MONITORING RISK ANALYSIS

Political

RISK MANAGEMENT PRIORITISATION

Economic

Social

Technological

Legislative/ Regulatory

Environmental

Competitive

Customer/ Citizen

Managerial/
Professional

Financial

Legal

Partnership/ Contractual

Physical

Political
Arising from the political situation
Political make-up (majority party, hung council, key opposition parties) Stability of political situation Election cycles (power shifts, undue influence on electioneering) Recent or proposed changes to political structure Political personalities Leadership issues (lack of strong leadership, concentration of power into the hands of a few, imbalance of power)

Economic
Arising from the national, local and organisation specific economic situation
Borrowing and lending situations Interest rates Strength of investments Budgetary position (eg, weak, not sustainable) Key employment sectors (e.g. over reliance on key industries/employers) Poverty indicators

Social
Arising from the national and local demographics/ social trends
Demographic profile (age, race, etc) Residential patterns and profile (e.g. temporal, commuter belt, state of housing stock, public/private mix) Health statistics/trends Leisure and cultural provision Crime statistics/trends Children at risk

Technological
Arising from technological change /organisational technological situation
Capacity to deal with technological changes/egovernment targets Current use of/reliance on technology Current or proposed technology partners State of architecture Current performance and reliability Security and standards, e.g. on back-up and recovery

Legislative/Regulatory
Arising from current and potential legal changes and the organisations regulatory environment
Preparedness for new legislation and regulations including Europe, e.g. Human Rights Act, DETR guidelines Exposure to regulators e.g. auditors/inspectors

Environmental
Arising from inherent issues concerned with the physical environment Nature of environment (urban, rural, mixed) Land use green belt, brown field sites Waste disposal and recycling issues Pollution issues, e.g. contaminated land Exposure to drainage problems/flooding/erosion/subsidence/ landslip Traffic problems/congestion

Competitive
Arising from the organisations competitive Spirit and the competitiveness of services, etc Position in league tables Relationships with neighbours and partners, e.g. competitive or collaborative Plaudits held/sought, e.g. Beacon Council status Success in securing funding Nature of service provision Competition for service users, e.g. leisure, car parks

Customer/Citizen
Arising from the need to meet current and changing needs and expectations of customers and citizens Extent and nature of consultation with/involvement of community, e.g. community groups, local businesses, focus groups, citizens panels, consultation on new democratic structures, Council Tax levels, etc Relationship with community leaders, tenant groups and opposition groups Community needs v Organisational objectives Visibility of services e.g. environmental, refuse collection, Service delivery feedback / complaints

Professional/Managerial
Arising from the need to be managerially and professionally competent Views arising from peer reviews e.g. from consultancy reviews and internal audit Professional/managerial standing of key officers Stability of officer structure/management teams Organisational competency and capacity Individual competency and capacity Performance management structure Key staff changes and personalities Staff recruitment and retention Turnover, absence, stress levels

Financial
Arising from the financial planning and Control framework

Financial situation of authority Level of reserves Adequacy of grant settlements Budgetary policy and control Delegation of budget and financial disciplines Monitoring and reporting systems Use and sustainability of other sources of income , e.g. revenue from fines

Legal
Arising from possible breaches of legislation Legal challenges and claims Adequacy of legal support Boundaries of corporate & personal liabilities Sufficient reserves to defend legal challenge Damage to reputation arising from legislation breach

Physical
Arising from physical hazards associated with people, buildings, vehicles, plant and equipment Nature and state of asset base including record keeping Commitment to health, safety and well-being of staff, partners and the community Accident record keeping Maintenance practices Responsibility as managers

Partnership/Contractual
Arising from partnerships and contracts Key strategic partners from public, private and voluntary sectors Accountability frameworks and partnership boundaries Any PFI schemes or other large scale projects involving joint ventures Outsourced services Relationships with contractors Procurement arrangements / contract renewal policy

3. Profiling and Prioritisation

To profile and prioritise risks according to likelyhood and impact
To concentrate on key risks and target controlling resources

Identifying risk

Looking ahead!

Techniques for identifying risk

workshops brainstorming self assessment checklists organisation charts process flow charts Prompt lists

What risks and were they managed?

Millennium Dome Iraq involvement Rail privatisation ? New Council depot ? Millennium Bridge- Newark? Job evaluation ?

DOME
Partnership/Contractural Reputation Political Competitive Financial/ Economic

Show StrategicRisk Register

HORIZON SCANNING
Pandemic Flu Re-organisation New leisure and Museum centres Oil Dependency- Fuel prices Security of Kelham Hall Global warming Ageing population

Step 2: Analysis A strategic risk scenario

Vulnerability
The council is facing challenging financial circumstances. There are a number of issues on the horizon including pay awards, changes to grant mechanisms, review of flood defence funding and review of waste contract

RISK IDENTIFICATION

MONITORING

RISK ANALYSIS

RISK MANAGEMENT PRIORITISATION

Trigger
Financials situation gets depreciably worse (be specific)

Consequence
Resources diverted from services Services reduced Managers cannot deliver on changed budgets Public complaints rise PIs not achieved Audit criticism Stress and sickness increases Productivity reduces Council Tax has to rise Room for manouvre removed

Cause

Event

Consequences

Step 2: Analysis a strategic risk scenario

Vulnerability Trigger Consequence
The Council has waste Targets not met within management the prescribed time limit. responsibilities and is required to meet challenging government recycling targets.

RISK IDENTIFICATION

MONITORING

RISK ANALYSIS

RISK MANAGEMENT PRIORITISATION

Financial penalties through taxation Budgets vired from other services Other services have to be reduced or council tax has to be increased Inspection / audit criticism Adverse media reporting Council seen as failing Reputation of the Council on environmental issues suffers Friction between members and officers Officer resources diverted into fire fighting

Step 2: Analysis Sample operational risk scenario

MONITORING RISK MANAGEMENT

RISK IDENTIFICATION

RISK ANALYSIS

PRIORITISATION

Vulnerability
The Council has no formal policy regarding the management of asbestos material. The council has numerous properties including council houses, leisure centres and offices.

Trigger

Consequence

Asbestos is present Staff / workers harmed in council properties Public liability claims and harms somebody Resources diverted from services to considering claims Reputation of council damaged OR Tenants seriously harmed Claims etc

Risk Assessment
A 6 point map of the process:
1. 2. What do you want to achieve? - Objective.
Eg: Ensure understanding and embedding of risk management

What can stop you achieving it? - Hazard.

Perceived lack of importance Time constraints Inadequate Resources

3. 4. 5. 6.

How likely is it to happen? - Probability. How big will it be? - Impact. What can be done to eliminate the threat? - Control. What do you do about it? Action/Improvement/Intervention

RISK IDENTIFICATION

MONITORING

RISK ANALYSIS

Step 3: Prioritise

Accurately assessing the relative significance of risks

Likelihood / Probability X Impact / Severity

RISK MANAGEMENT PRIORITISATION

3.RISK PROFILING/prioritisation
PROBABILITY OR LIKELIHOOD

RISK IDENTIFICATION

MONITORING

RISK ANALYSIS

RISK MANAGEMENT

A
B C D
6 2
1

PRIORITISATION

E
F IV III

II

SEVERITY OR IMPACT

Risk Profile:Newark and Sherwood DC

RISK IDENTIFICATION

New Leisure Centre project

A

MONITORING

RISK ANALYSIS

2
1 3 6 4
IV

RISK MANAGEMENT PRIORITISATION

Likelihood:
A: B: C: D: E: F: I: II: III: IV: Very High High Significant Low Very Low Almost Impossible Catastrophic Critical Marginal Negligible

Impact:

L i k e l i h o o d

B C

D E F III II I

7 5 8

Impact
The teams risks have been mapped against the teams appetite

4. Management Action Planning

Developing Risk Response

Defining enhancement steps for opportunities and responses to threats.

Treating / Responding to Risk

appoint champio n what can we do about it? prepare action plans how to prevent losses

how to limit if goes wrong

Step 4: Example of a Management Action Plan (MAP)

A B

Owned by:

Date:

Likelihood

C D E F IV III II Impact I

Risk Number

Current Risk Score

Target Risk Score

Description

Action/controls already in place

Adequacy of action/control to address risk

Required management action/control

Responsibility for action

Critical success factors & KPIs

Review frequency

Key dates

5.Monitor and Review

At intervals agreed within your management plan When there is change If the controls are not working

Service planning RM
Identify, where relevant, how your service area can and will mitigate the Councils Strategic Risks
Identify, quantify and prioritise those risks to your service planning.

Step 4: Example of a Management Action Plan (MAP)

A B

Owned by:

Date:

Likelihood

C D E F I

Risk Number

Current Risk Score

Target Risk Score

Description

IV III II Action/controls Impact already in place

Adequacy of action/control to address risk

Required management action/control

Responsibility for action

Critical success factors & KPIs

Review frequency

Key dates

TO BE INCLUDED IN SERVICE PLAN TEMPLATE

Service Planning- within template

Identify, where relevant, how your service and service plans can and will mitigate strategic risks Identify and quantify risk Profile and Prioritisation Management action Plans Monitor and review Full ppt on Risk Man site on intranet

Projects: Points to Remember

The Risk Management Process enables:

Ability to make better informed decisions on project adoption or avoidance or expending resource. Better information and confidence. Best chance of minimising project and enterprise failure.

Project Risk Management

Or what can go wrong!

Some apparent problems

Without historical data, how can you measure risk? There are so many risks, how is it possible to establish the impact on a project? Information overload - how is it possible to know which are the important risks?

Typical project risk categories

procurement
planning commercial & financial

project scope site parameters

programme construction

contractual environmental
client (corporate) operational design

Risky Projects

Principles of Project Management What is a project?

An activity with a starting point, clear objectives and an end point Every project has a desired tangible outcome and a clear timeframe within which the objectives must be achieved

Whose Responsibility?
Project(s) are the responsibility of a single person or body

Whose Ownership?
Clear defined ownership and management allocation

Some apparent problems

Without historical data, how can you measure risk? There are so many risks, how is it possible to establish the impact on a project? Information overload - how is it possible to know which are the important risks?

Principles of Project Management

Projects Always have:

Starting Point Defined Objectives Time Constraints Something new Tangible outcome End Point

Recent Project Calamities

Portcullis House, Westminster: 85m to 275m
The Scottish Parliament: 40m to 400m

Some Construction Project Risk reasons

no two projects are the same no two sites are similar there is never an opportunity to perfect the process or practice human element with skilled & manual labour many differing firms over a long period many locations for assembly many differing skills uncertainty of market not like a car assembly teams often have not worked together

Level of uncertainty %

Project risk exposure

Cost impact of risk Inception Feasibility Design Construct

Risk influence & cost of mitigation measures

When to carry out risk management

Cost of risk mitigation

Opportunity to influence risk drivers

Inception Feasibility Design inception Construct

Risk Identification
Determining which risks are likely to affect the project and documenting the characteristics of each

A Risk to what?
To your team or project from outside From your team or project to the owner / client To the stakeholders from the project

Response Options
Are carried out by risk champions and will include these responses:
Retain
Reduce

Avoid
Transfe r

Share

The 6 Steps for an Action Plan

Set specific goals Define activities, resources needed Set a timetable Forecast outcomes, contingency plans Formulate a detailed plan of action Implement and supervise, evaluate

Ten steps to risk control

identify the objective identify the risks assess identify mitigation actions assess residual & secondary risks estimate costs identify cost benefits consider ownership decide what to do monitor, repeat & update register

Lets Summarise Project Risk Management

Risk Managements major contribution

Owing to increasing costs, greater time pressures and new challenges, loss probability is increasing. This leads to a stronger need for comprehensive Project Risk Management RM will make a major contribution to successful completion of a project: Within budget Within time schedule With minimised losses

Summarising Risk Management

Create a risk aware environment, Identify & measure, hold regular reviews, Prepare action plans, identify champions, Maintain a risk register, keep an audit trail, Focus on key risk items & prioritise, A continuous process, meet regularly to monitor progress

Projects: Points to Remember

Success or Failure

Projects: Points to Remember

Have systems in place to analyse risk. Set-up early warning mechanisms. Effective risk management Vs adverse effects of not managing risk effectively. Have management processes and regular reporting on organisational and project risks.

Projects: Points to Remember

Senior Management to have real-time information on project status (risks & opportunities). Early identification leads to project success; ignorance is not bliss! Identify major project risks before project approval and resource commitment. Project Management is both an art and a science!

Projects: Points to Remember

Risk Registers provide basis for mapping a Risk Response Plan. E.g. Risk Response can range from avoidance to acceptance. Over-cautious approach results in potential business benefits being denied. Reporting and Communication is vital.

Risk Profile:Newark and Sherwood DC

RISK IDENTIFICATION

New Leisure Centre project

A

MONITORING

RISK ANALYSIS

2
1 3 6 4
IV

RISK MANAGEMENT PRIORITISATION

Likelihood:
A: B: C: D: E: F: I: II: III: IV: Very High High Significant Low Very Low Almost Impossible Catastrophic Critical Marginal Negligible

Impact:

L i k e l i h o o d

B C

D E F III II I

7 5 8

Impact
The teams risks have been mapped against the teams appetite