Contents
Report 8 of the 05 December 2005 meeting of the Corporate Governance Committee and summarises recommendations made to update and enhance the joint MPA/MPS Risk Management Strategy following a review undertaken by the Director of Risk Management in conjunction with the Treasurer.
Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).
See the MOPC website for further information.
Joint review of Risk Management Strategy
Report: 8
Date: 05 December 2005
By: Commissioner and Treasurer
Summary
This report summarises recommendations made to update and enhance the joint MPA/MPS Risk Management Strategy following a review undertaken by the Director of Risk Management in conjunction with the Treasurer.
A. Recommendation
That members approve a revised Joint MPA/MPS Risk Management Strategy, noting the reasons for the various changes from the original.
B. Supporting information
Background
1. MPA Corporate Governance Committee adopted an overarching MPA/MPS risk management strategy in September 2004. This strategy provides a framework for managing risk within the MPA and MPS. The MPA exercises oversight and monitoring of MPS risk management through this Committee and its link to the MPS Corporate Governance Strategic Committee (CGSC).
2. As requested by Members, the joint risk management strategy has been reviewed and updated by the Director of Risk Management in conjunction with the Treasurer. The remainder of this report sets out the detailed changes and the reason for each change. A two stage review was undertaken:
- As the MPA/MPS risk management strategy is based on the ALARM [1] template risk management strategy, it was ascertained that no changes had been made to the ALARM template since the MPA/MPS strategy document had been prepared;
- A detailed line-by-line review of the MPA/MPS strategy.
3. The revised strategy is set out at Appendix 1. For ease of reference, the changes to the original text are highlighted (underlined italics). In summary, the revised strategy is substantially the same as the original which remains good practice however the opportunity has been taken to bring the document up to date and to make certain enhancements. Where a change has been made more than once, only the first instance has been highlighted.
| Ref | Proposed change | Reason for change |
|---|---|---|
| 6 | “Corporate Risk Management Group” changed to “Business Risk Management Group” | To avoid confusion between corporate health and safety risk assessments and corporate business risks / risk registers |
| 6 | A reference to the “Authority” has been changed to “MPA/MPS” | Reflecting the joint status of the strategy (corrects drafting error) |
| 8 | “Corporate Governance Committee” instead of “Audit & Risk Committee” | Reflects change in committee nomenclature |
| 8 | Reference to the Director of Internal Audit auditing the MPS risk management system included | Reflects an important element of the Internal Audit role that the original strategy was silent on |
| 8 | MPS Management Board role description expanded to include reference to quarterly reports | Reflects agreed process |
| 8 | Reference to MPS Investment Board incorporated | New committee the decisions of which are informed by risk management input |
| 8 | MPS Corporate Governance Strategic Committee role description expanded to include reference to monitoring of audit high-risk recommendations, and oversight of quarterly MB risk reports and MPS statement on internal control | Reflects agreed process |
| 8 | Reference to Diamond Risk Management Committee (DCC risk management system) | Reflects existing process for identifying and mitigating potential risks to the reputation of the Met |
| 10 | Reference to “options being considered” added to situations where risk management in decision making processes is required | Reflects agreed process |
| 12 | Confirms that the risk registers and statement on internal control will be aligned with business planning | Reflects an agreed objective |
| 13 | Reference to “project management” expanded to refer to programmes | Included, for avoidance of doubt, that programmes are covered |
| 15 | New paragraph stating objective to integrate risk management within competency frameworks | Reflects an agreed objective |
| 18 | Refers to the development of a “Quick Guide” to the risk management framework | Reflects a recent development |
| 19 | Now includes reference to risk management process measures | Reflects agreed process |
C. Race and equality impact
Risk management has a role to play in improving our position on equality and diversity through an improved focus on the risk of failure to achieve equality and diversity targets and emphasis on continuous improvement.
D. Financial implications
No explicit costs however additional interventions to further mitigate risk exposures may involve expenditure.
E. Background papers
None
F. Contact details
Report author: Nick Chown, Director of Risk Management
For information contact:
MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18
Appendix 1
MPA/MPS Risk Management Strategy
Purpose, aims and objectives
1. The Purpose of this Risk Management Strategy is to effectively manage potential opportunities and threats to the Authority and the Service achieving their objectives.
2. This Risk Management Strategy will achieve this purpose through:
- Integration of risk management into the culture of the Authority and Service.
- Raising awareness of the need for risk management by all those connected with the delivery of services (including partners, suppliers and contractors).
- Enabling the Authority and Service to anticipate and respond to changing social, environmental and legislative conditions.
- Introduction of robust framework and procedures for identification, evaluation, prioritisation, control and monitoring of risk, and the reporting and recording of events, based on good practice.
- Minimisation of the cost of insurable risk.
3. To achieve these aims and objectives, the following strategy is proposed;
- Develop an Authority Risk Profile, allocate ownership of risks in the profile to members of MPA SMT and take appropriate steps to mitigate each risk
- Develop a Service Risk Profile, allocate ownership of risks in the profile to members of MPS SMT and take appropriate steps to mitigate each risk
- Establish clear accountabilities across the MPA/MPS for managing risk, roles and reporting lines
- Acquire and develop the necessary skills and expertise to provide a centre of excellence for risk management
- Provide for risk assessment in all MPA/MPS decision-making processes
- Ensure that the resource allocation framework allocates (targets) resources for risk management as may be necessary from time to time
- Ensure appropriate consideration of risk within all reviews of performance and subsequent improvement plans.
- Develop toolkits, procedures and guidelines for risk management for use across the Authority and Service
- Develop arrangements to measure performance of risk management activities against the aims and objectives
- To make all partners, suppliers and contractors aware of the MPA/MPS expectations for risk management, both generally as set out in its risk management strategy, and more specifically in particular areas of service delivery.
Accountabilities, roles and reporting lines
4. A framework will be implemented that will address the following issues:
- The different types of risk – operational and business
- Where risks should be managed
- Authority and Service roles and accountabilities for managing risk
- The need for a “driving force” within the MPA/MPS
- Prompt reporting of accidents, losses etc
5. The guiding principle behind MPA/MPS risk management is that wherever possible it should be embedded within existing management process
6. To enhance the MPA/MPS ability to mainstream risk management the Service will establish a Business Risk Management Group that will be the “driving force” behind developing and implementing the MPA/MPS Risk Management Strategy. This group will be led by the Director of Risk Management.
7. The Director of Risk Management will service the MPS Corporate Governance Strategic Committee and Management Board on all risk management matters. Each Management Board member will nominate an appropriate senior member of staff to undertake a Risk Management Sponsorship and Liaison role, acting as a link between their Business Group and the Corporate Risk Management Group. Sponsors for risk management will also be allocated at MPS OCU level.
8. The Director of Internal Audit will advise the MPA Corporate Governance Committee and Full Authority on all internal control matters. Each MPA Senior Management Team member will make arrangements for a Risk Management Sponsorship and Liaison role to link with the Director of Internal Audit. The Director of Internal Audit will audit the MPS risk management system as may be necessary from time to time.
Framework for risk management reporting lines
| Group role | Group role | |
|---|---|---|
| MPA Full Authority | To receive an annual report on the effectiveness of MPA/MPS internal control and risk management and to approve the statement on internal control and risk management within the annual report and accounts | |
| MPA Finance Committee | To formally approve the Risk Management Strategy on behalf of the Full Authority | |
| MPA Corporate Governance Committee | To keep the MPA/MPS system of internal control and risk management under continuous review, and to be responsible for the preparation of the annual report on the effectiveness of MPA/MPS internal control and risk management | |
| MPA Senior Management Team | To deploy the Risk Management Strategy and to identify, evaluate, prioritise, control and monitor the risks to the achievement of the MPA corporate strategy
To consider and agree the MPA/MPS Statement on Internal Control |
|
| MPS Management Board | To manage risks to the achievement of MPS corporate strategy, objectives and targets, develop and maintain the MPS Corporate Business Risk Register on a quarterly basis supported by the Business Risk Management team, and receive an annual report on the effectiveness of MPS internal control and risk management. | |
| MPS Investment Board | To consider corporate business risks when making investment decisions | |
| MPS Corporate Governance Strategic Committee | To be responsible to Management Board for the deployment within the MPS of the Risk Management Framework, maintain oversight of MPS internal control and risk management environment, to receive quarterly reports from the Director of Risk Management and Director, MPA Internal Audit on risk management and internal control respectively, to monitor the MPS response to Internal Audit high-risk recommendations, to oversee the preparation of the quarterly corporate business risk reviews, the annual report on internal control and risk management for Management Board, and the MPS statement on internal control | |
| DCC reputation risk management system including Diamond Risk Management Committee | To regularly monitor potential risks to the reputation of the Metropolitan Police and to recommend action to mitigate risk exposures from time to time | |
| MPS Business Groups and OCUs | Business Groups - To appoint an SMT level risk management sponsor to be responsible for ensuring risk awareness within the Business Group, for the deployment of the MPS risk management framework,
and to be the central point of contact for the Business Risk Management Group
OCUs – To appoint an SMT level risk management Sponsor to be responsible for ensuring risk awareness within the OCU, for the deployment of the risk management framework, and to be the central point of contact for risk management issues |
|
| MPA Officers, MPS Police Officers and Police Staff | To identify, evaluate, prioritise, control and monitor risks effectively within the scope of their remit and to report individual risks to their line manager where escalation may be required to ensure that a risk is managed appropriately |
Skills and expertise
8. Having established roles and accountabilities for risk management, the Authority and the Service must ensure that they have the skills and expertise necessary. This will be achieved by a programme of embedding risk management within existing training and learning opportunities that addresses the individual needs of staff – this programme will not be “one size fits all”.
9. The programme will include relatively high level risk appreciation for Senior Police Officers and Police Staff, risk appreciation for more junior Police Officers and Police Staff, more detailed and intensive courses focusing on good practice in risk management for the Risk and Quality Assurance community, and specialist risk training where necessary (e.g. Business Continuity Planning).
Risks and decision making processes
10. Risk needs to be addressed at the point at which decisions are being taken. Where MPA Officers, MPS Police Officers and Police Staff are required to make decisions they should be able to identify, evaluate, prioritise and control the risks associated with options being considered, recommendations being made and action being taken. This necessitates the mainstreaming of risk management within training as described in the preceding section.
11. In addition to actually managing risks when making decisions, the MPA/MPS need to be able to demonstrate that reasonable steps have been taken to consider the risks involved in a decision. Where decisions are requested through reports to MPA committees, MPS Management Board and Strategic Committees risks must be addressed appropriately within these reports, ensuring that a suitable balance is struck between the efficiency of the decision making process and the need to address risk.
Supporting continuous improvement
12. Risk Management will be incorporated into MPA/MPS business planning processes with a risk assessment of all business aims being undertaken as part of drawing up business plans. Risk registers and the statement on internal control will be aligned with business planning processes. Risk control measures will be fed into Service Improvement Reviews.
Integrating risk management with programme/project management
13. A consistent approach to identifying, evaluating, prioritising, controlling and monitoring risk will be adopted and included in MPA/MPS programme and project management methodologies. This will be used in all significant MPA/MPS programmes and projects, including the development of Authority/Service strategies.
Integrating risk management with performance management
14. Risk Management will be integrated into the existing performance management system.
Integrating risk management within national competency frameworks
15. Risk management will be integrated into existing police officer and police staff competency frameworks.
Best value reviews
16. Before making recommendations, it is essential that risks are properly addressed in order to deliver the intended benefits. Each individual review must demonstrate this when submitted for approval through the Best Value process.
Involvement of elected members
17. Members have a key contribution to make to the assessment of risks to the objectives of Authority corporate strategies and their input will be obtained to all risk assessment exercises relating to Authority objectives. Members will be involved in the annual MPA review of MPA/MPS internal control and risk management.
Toolkits, procedures and guidelines
18. A Risk Management Framework will be issued by the Business Risk Management Group under the auspices of the MPS Corporate Governance Strategic Committee and will be available to all MPS Police Officers and Police Staff. This will provide guidance on all aspects of risk management and will be a practical “toolkit” that will introduce a consistent methodology to be followed throughout the Authority and the Service. The framework will be reviewed at least twice a year and on the occurrence of any major operational change/restructuring. A concise ‘Quick Guide’ to the key features of the framework will be published.
Monitoring the impact of risk management
19. A performance management framework will be developed to monitor the impact of risk management activities and the success of the Risk Management Strategy itself. Individual indicators will be developed to measure achievement of the aims and objectives of risk management. The Audit Commission / ALARM risk management assessment criteria will be used to assess the risk management process. Quality assurance mechanism developed by the Business Risk Management Group will be used to assess the quality of the implementation of the process across the MPS.
Key Risk Indicators
20. For each risk on the MPA/MPS risk profiles a Key Risk Indicator (KRI) will be used to monitor the effectiveness of risk mitigation activity ensuring that a suitable balance is struck between the efficiency of the risk monitoring process and the extent of the risk exposure in each case. KRIs may be existing or new measures as necessary.
Risk management across external boundaries
21. The Authority has long since seen the potential benefits and rewards from partnership working including with suppliers and contractors. It also recognises the risks involved. Whilst these risks can be managed by the Authority through formal contracts that clearly allocate risks to the appropriate parties, failure by either or any one of those parties to manage their risks can have serious consequences for the other(s).
22. Before entering into partnership, joint working or business contract arrangements, the prospective partners, suppliers or contractors should be requested for full details of their approach to risk management and asked to provide appropriate minimum evidence to support their response to integrate into existing procurement arrangements.
Footnotes
1. ALARM is the acronym used by the National Forum for Risk Management in the Public Sector (formerly the Association of Local Authority Risk Managers). [Back]
Send an e-mail linking to this page
Feedback