Corporate Risk Team work programme

Report: 9
Date: 05 December 2005
By: Commissioner

Summary

This is a report on the MPS Corporate Risk Team 2005/06 work programme covering:

• business risk management, based on the MPS Business Risk Management Maturity Model
• insurance management.

A. Recommendation

That

1. the Committee receive a report on the MPS Corporate Risk team’s current work programme; and
2. receive a further report at its March meeting.

B. Supporting information

1. This report is submitted in response to a request from members at the October meeting of the committee for a report on the Corporate Risk Team’s annual work programme. It covers business risk management and insurance, which were the two areas where the team provided a professional lead for the Service at the commencement of the 2005/06 financial year. The team took on a professional lead role in the area of corporate governance from October 2005. A short section on corporate governance is therefore also included.

Business risk management

2. The Corporate Risk Team’s business risk management activity is derived from a maturity model developed by the team. The key to maturity models is the fundamental business value derived by an organisation as it progresses up the scale (e.g. better decisions, faster delivery, and improved on-time, on-budget performance). Integrating risk management into existing business processes mitigates risk by becoming part of business as usual.

3. A risk management maturity model can answer some key questions:

• how mature is our existing risk management process?
• to what do we aspire? What does a mature process look like?
• what evolutionary path do we want to follow to get there?

4. What are the key factors influencing the development of a sustainable risk management process and which would therefore be essential components of a maturity model?

• Organisation-wide commitment, driven from the top down, to drive and fund risk management, grounded in the recognition that the accountability for managing risk rests with every officer and staff member in the Service.
• Dedicated corporate ‘centre of excellence’ staffed by professionals to set standards and function as internal consultants, trainers, and facilitators supporting the business group management teams and their people in discharging individual accountabilities in achieving the mandated standards.
• Development of an organisation-wide infrastructure that reinforces the value and importance of the discipline, including the presence of well-articulated strategy and standards, action plans to achieve the strategy and standards and a variety of communications vehicles to keep the message in front of management teams on a continuing basis.

5. A six-level maturity development sequence (Appendix 1) has been adopted. Levels one to three represent the basics needed to launch a sustainable organisation-wide risk management process. Levels four to six represent the evolutionary path of the maturing risk management process.

6. It is important to ensure that we have fully achieved each current target maturity model level before planning to go to the next level i.e. we are taking the journey up the model levels one step at a time. By the end of 2004/05 it was determined that the Service had reached Level 3 on the maturity model and we were therefore ready to plan to reach Level 4. The main requirements to achieve Level 4 are to have a risk management infrastructure fully in place and to ensure the engagement of all (B)OCUs and departments. The move from Level 3 to Level 4 is thus probably the most challenging period for the Service in the context of mainstreaming business risk management. The Corporate Risk Team is focusing on a programme of visits to all (B)OCUs and departments over the coming months. We shall be concentrating on quality assuring our risk registers and the processes used to prepare the registers. Where no risk register is yet in place the focus will be on engaging management in the task of managing business risk.

7. The following table sets out the various tasks involved in the mainstreaming of business risk management across the Service, highlights (in bold italics) the main tasks associated with the achievement of Level 4, and indicates the current status of each task through the use of colour coding.

Corporate Risk Team Work Programme tables (see supporting material)

Insurance management

7. The MPA has renewed its insurance programme for 12 months with effect from 1 October 2005. Despite tough market conditions and the potentially large water damage claim at Jubilee House, all policies except for one were renewed on the basis of existing terms. Liability premiums remained the same as last year, despite increases in wage roll exposure and this was partly due to the maturing of the relationship with the liability market. There are some property requirements that were imposed on the MPA by the property insurers due to the recent water damage incident and a strategy has been put in place to meet those requirements. Work is progressing on the business interruption review, ensuring that the property programme aligns with the MPA estate leasing arrangements, reviewing the risk funding requirements, budget allocation project, education of officers and staff on specific insurance requirements, as well as reinforcing external relationships through regular meetings with property and liability underwriters.

Corporate governance

8. Following the taking on by the Corporate Risk Team of a professional lead role in relation to corporate governance, DAC Richard Bryan has tasked the Director of Risk Management to develop an operating framework for the MPS Corporate Governance Strategic Committee (CGSC) including consideration of the respective roles and responsibilities of the committee and the MPA Corporate Governance Committee. As a first step, a comparison and gap analysis of the following has been undertaken:

• Good Governance Standard for Public Services (good practice guide)
• Statement on Internal Control for 2004/05 (sets out the areas the MPA/ MPS CGSC ‘Blueprint’ (work programme)) is focusing on at present)

9. A first draft comparison/gap analysis document is currently with various key players for review. Proposals will then be made to the February 2006 meeting of CGSC. The March 2006 meeting of MPA Corporate Governance Committee will be fully briefed on the development of the operating framework.

10. As a member of CGSC, the Director of Internal Audit will have the opportunity to ensure that the framework fully reflects the role of MPA Corporate Governance Committee.

C. Race and equality impact

There are no adverse impacts on race and equality, however, the risk management process requires diversity risks and impacts to be identified enhancing the Service’s ability to respond to the diversity imperative.

D. Financial implications

1. All work is being undertaken from existing budgets.

E. Background papers

None

F. Contact details

Report author: Nick Chown, Director of Risk Management

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

Six-level maturity development sequence

A six-level business risk management maturity development sequence has been adopted. Levels one to three represent the basics needed to launch a sustainable organisation-wide business risk management process. Levels four to six represent the evolutionary path of the maturing process towards the mainstreaming of the management of business risk and the joining up of the various functions.

Level 1: Locally driven

Risk management has not yet been recognised as strategically important by senior management and risk awareness is very low. There is no centrally coordinated support function. If the organisation has a risk management policy, it is not enforced effectively or consistently. Individual business groups are "on their own" to organise, and implement risk management. The ability to identify and mitigate risks to corporate objectives is generally low as is the state of preparedness.

Level 2: Limited central planning

At least one business group has recognized the strategic importance of risk management and has begun efforts to increase executive and organisation-wide awareness. At least one internal or external risk management professional is available to support the efforts of the participating business groups. The general level of risk awareness is low except for certain senior managers who are trying to make a case for a structured, organisation -wide risk management process. The ability to identify and mitigate risks to the achievement of corporate objectives, and the state of preparedness, may be moderate for participants but remains relatively low across the majority of the organisation. Senior management may see the value of a structured risk management process but are unwilling to make it a priority, although they may have a project under way to assess the business case for it.

Level 3: Centrally planned

Participating business groups have instituted a rudimentary risk management process, mandating at least limited compliance to policy and standards, and practice. Risk awareness is improving but is still patchy. A central risk management function has been established, which is attempting to deliver standards and support to the participating business groups. The central function is likely to be under resourced. Audit findings are being used to reinforce the case for improvement. Interest in leveraging the work already done is being promoted as a business driver for launching an organisation- wide risk management process. Several business groups have achieved a significant ability to identify and mitigate risks in their areas. However, the organisation as a whole is at best moderately capable of managing corporate risks.

Level 4: Moving to integration

Senior management understands and is fully committed to the strategic importance of an effective risk management process. Risk awareness is increasing across all levels of the organisation. An enforceable, practical risk management policy and framework has been adopted. A suitably resourced central function has been created to govern the process and support all business groups. Risk management policy, practices and processes are being standardised across the organisation. Risk management integration and competency baselines have been developed and integration / competency development programmes are under way. However, significant work remains to develop a robust control environment, and not all emerging risks are being identified proactively. All critical business processes have been identified and continuity plans for their protection have been developed across the organisation. Business groups are beginning to test their continuity plans for critical processes and are routinely updating plans.

Level 5: Baseline standard

Risk awareness is high across the organisation. Risk profiles and audit reports no longer highlight major deficiencies in the risk and control environment or shortcomings in business continuity arrangements. Examples of strategic and competitive advantage achieved from the risk management process are highlighted in periodic communications. Emerging risks are being identified proactively before they cause significant damage or have the potential to cause such damage. All business groups have achieved the integration and competency baseline requirements. An energetic communications and training programme exists to sustain the high level of risk awareness that has developed. Business groups have completed tests on all elements of their business continuity plans, and their plan updating methods have proven to be effective. The organisation is continuously "raising the bar" in terms of the sophistication of its risk management process. It has a high level of preparedness for handling a crisis.

Level 6: High added value

All business groups have a measurably high degree of risk management process integration and individual competency. Complex risk mitigation strategies are formulated and deployed successfully. Cross-functional coordination has led to a highly ‘joined up’ approach to risk management across internal boundaries. Tight integration with the organisation’s planning, performance management, and change control processes keeps the organisation’s risk and control environment at an optimum level together with a high state of preparedness for a crisis, despite radical and rapid change in the business environment. Innovative practices, tools and techniques are piloted and incorporated into the risk management process on a continuous basis.

Annex 1 (see supporting material)

Send an e-mail linking to this page

Feedback