Report 10 of the 22 March 2007 meeting of the Corporate Governance Committee, outlining progress made by the MPS in the areas of corporate governance, business risk management, and insurance management.

Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).

See the MOPC website for further information.

Business risk management team update

Report: 10
Date: 22 March 2007
By: Commissioner and Treasurer

Summary

A report on progress made by the MPS in the areas of corporate governance, business risk management, and insurance management.

A. Recommendation

That

  1. members note progress to end January 2007 on corporate governance, business risk management, and insurance management (Appendix 1); and
  2. the progress as captured by the Audit Commission / ALARM risk management Key Performance Indicator (Appendix 2).

B. Supporting information

1. This report includes a report on activity since the previous update report (Appendix 1) and an update on progress made in relation to compliance with the Audit Commission / ALARM KPI as at end January 2007 (Appendix 1).

Corporate governance

2. The MPA Treasurer, MPA Director of Internal Audit, and MPS Director of Risk Management have met to consider MPS corporate governance. The next step in the process of developing an overarching corporate governance framework, as anticipated to be required by CIPFA/SOLACE and the MPA, is the preparation of a policy framework by the Treasurer, which will inform further MPS work in this area. This will be brought to this Committee after the CIPFA/SOLACE framework has been published.

3. Members may recall that following a report to MPS Management Board by the Director of Strategy, Modernisation and Performance, it has been decided to focus current activity in the area of MPS corporate governance on the following areas, an update on each of which is now provided.

  1. Development of an approach to managing MPS corporate risks – Section C of this report provides a full update on this activity area.
  2. Deployment of the MPS Key Internal Control Framework – Assurance activity underpinning the 2006/07 MPS Statement on Internal Control is being based for the first time on the key controls in the new framework.
  3. Deployment of control self-assurance in respect of MPS corporate policy implementation – Implemented by MPS Strategy Unit.
  4. Continuing development (with the MPA) of an MPA/MPS governance framework and work to prepare for the evolution of Statements on Internal Control into Statements on Governance as required by CIPFA/SOLACE – Awaiting CIPFA/SOLACE governance framework.

MPS business risk management maturity progress including progress on corporate risk management

4. Details were provided in the previous quarterly report of the MPS objective to attain maturity Level 5 (‘Baseline Standard’) business risk management by end March 2007. This followed the successful attainment of Level 4 (‘Moving Towards Integration’) by end March 2006.

5. As Members were advised earlier, the development of good practice corporate risk management in the MPS is both a critical, and challenging, element of the programme for achieving Level 5 (“Minimum Standard”) business risk management by the self-imposed target deadline of end March 2007 (this report was drafted on 2 March 2007). In the update to the previous meeting, Members were advised of some major developments including the inauguration of the MPS Corporate Risk Review Group. The Business Risk Management Team (BRMT) had also undertaken benchmarking of the corporate risk management process.

6. The corporate risk management benchmarking confirmed, amongst other matters, that the MPS had followed generally accepted good practice in setting up its Corporate Risk Review Group. The main conclusion is that we are generally out of step with other forces in that the top team does not own a register of corporate business risks or a top-sliced set of risks from the register. However, in other respects our business risk management processes generally follow good practice. It was particularly noted that 14 out of 23 Home Office force risk management review groups included police authority personnel. The MPA Chief Executive has subsequently accepted an invitation to join the MPS Corporate Risk Review Group (CRRG).

7. The MPS membership of CRRG comprises the DAC or equivalent police staff post for each Business Group. The group is chaired by the Director of Strategy, Modernisation & Performance with the Director of Risk Management in support. It meets in advance of each monthly MPS Management Board (MB) meeting. Participation, not least from operational Business Groups, has been very constructive and engaging to date. It is intended that CRRG will provide a conduit into MB, filtering the business risks reported upwards.

8. Following two meetings of CRRG and an extensive series of meetings held by the Director of Risk Management with key personnel across the MPS, a report on corporate risk management was submitted to MB on 6 February 2007. The report included a set of proposed MB level business risks/areas of risk. (The MPS already has a register of corporate risks owned at Business Group level and it simply remains to identify risks to be ‘owned’ by MB members.)

9. Although the risks reported to MB in February were not agreed, the following action has been / is being taken, demonstrating MB commitment to a solution:

  1. The Commissioner has proposed that MPS corporate risk management should focus on the following: “Risks to the organisational reputation of the Metropolitan Police, particularly those concerned with public or staff safety, performance, finance or probity”
  2. The Deputy Commissioner has:
    • Tasked the Director of Strategy, Modernisation & Performance to clarify the MPA’s requirements for the management of corporate risks
    • Tasked each Business Group head to outline to him by 9 March the processes they have in place to ensure the robust identification and management of corporate risks (it is expected that CRRG will act in an advisory capacity to all Business Groups and be positioned to add value through a particular focus on cross-cutting business risks)
    • Tasked the Director of Risk Management to review the responses from the Business Groups in the light of good practice and provide the Deputy with a composite view by 19 March.
  3. The Director of Strategy, Modernisation and Performance met with Len Duvall and Lord Harris to ensure that the MPS was clear as to the MPA’s requirements for risk management. It is our understanding that the Authority requires assurances that our approach to risk management across the organisation is "codified" and consistent (a process we are quality assuring at present – see item (b) above), and wish to have exposure to "top-level corporate risks" on a regular basis, so that they can be clear that we are managing the organisation as a whole within a proper risk management framework. The precise way in which we will provide this assurance has yet to be specified and agreed with the Authority, however, it is envisaged that this may comprise a brief monthly update of top-level risks for the MPA Chair, MPA Corporate Governance Committee Chair, and MPA Chief Executive together with a more formal report to each (quarterly) meeting of the Corporate Governance Committee.

10. The MPS will have deployed a robust approach for reporting its corporate risks to the MPA by the time of the next Corporate Governance Committee meeting.

11. In view of the foregoing, the MPS will not achieve Level 5 maturity by the end of the current financial year. However, we will have defined the required risk management processes by then and have a process in place to ensure that any gaps are filled in a timely manner. Given the challenge faced in reaching Level 5 maturity within such a tight time-frame (12 months from achieving the previous level) it is felt that good progress is being made.

Audit Commission/ALARM key performance indicator

12. An update to the Audit Commission / ALARM risk management Key Performance Indicator (KPI) at end January 2007 is at Appendix 2. The committee is reminded again that the ‘green’ status of the majority of the indicators does not reflect the developing nature of the process.

Insurance management

13. The insurance programme continues to mature to reflect the risk exposure of the MPS/MPA. (See sections 7 to 12 of Appendix 1 for an activity update.)

C. Race and equality impact

The MPS business risk management process requires diversity risks and impacts to be identified and managed, enhancing the ability of the MPS to respond to the diversity imperative.

D. Financial implications

All work undertaken by BRMT is funded from existing budgets. Interventions to reduce risk exposures identified as a result of the deployment of the business risk management process may have financial implications.

E. Background papers

None

F. Contact details

Report author: Nick Chown, Director of Risk Management, MPS.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

Progress report – end January 2007

This report covers the three areas where the Business Risk Management Team (BRMT) provides the MPS with a professional lead i.e. corporate governance, business risk management and insurance management. It also includes sections on the Outsourcing Programme, where support is provided in relation to risk management and insurance, and the development of national risk management standards for the police service.

Business Risk Management

1. Statement on Internal Control (SIC) - The task of preparing the 2006/7 MPS SIC is on track. For the first time we are seeking assurance in respect of the controls in the MPS Key Internal Control Framework (which was deployed after the previous SIC was prepared).

2. Corporate, Business Group and (B)OCU risk registers – Phase 1 of the engagement programme of business risk management presentations to OCUs has been completed. The second phase of the engagement programme – quality assuring the risk registers and the process and buy-in that supports the registers – is currently being piloted with TP. Since the phase 2 pilot began we have visited 22 Borough risk register authors and made 6 follow-up visits to Borough Commanders. A key piece of feedback from these meetings is that the Boroughs would like us to do more of this support work. However, given the demands on the small team that is not a realistic possibility. We have therefore considered alternative ways of working. A proposal to refocus the team’s support activity on the Business Group Headquarters and achieve a skills transfer to the HQs to enable them to support their own OCUs and Departments was subsequently put to, and supported by, the Director of Strategy, Modernisation and Performance’s (B)OCU Commander Reference Group. We are now proposing to review with the Business Groups how this transition is to be achieved.

In the update to the previous meeting, Members were advised of some major developments including the inauguration of the MPS Corporate Risk Review Group. BRMT had also undertaken benchmarking of the corporate risk management process. The corporate risk management benchmarking confirmed, amongst other matters, that the MPS had followed generally accepted good practice in setting up its Corporate Risk Review Group. The main conclusion is that we are generally out of step with other forces in that the top team does not own a register of corporate business risks or a top-sliced set of risks from the register. However, in other respects our business risk management processes generally follow good practice. It was particularly noted that 14 out of 23 Home Office force risk management review groups included police authority personnel. The MPA Chief Executive has subsequently accepted an invitation to join the MPS Corporate Risk Review Group (CRRG).

The membership of CRRG comprises the DAC or equivalent police staff post for each Business Group. The group is chaired by the Director of Strategy, Modernisation & Performance with the Director of Risk Management in support. It meets in advance of each monthly MPS Management Board meeting. Participation, not least from operational Business Groups, has been very constructive and engaging to date. It is intended that the CRRG will provide a conduit into MB, filtering the business risks reported upwards.

Following two meetings of CRRG and an extensive series of meetings held by the Director of Risk Management with key personnel across the MPS, a report on corporate risk management was submitted to MB on 6 February 2007. The report included a set of proposed MB level business risks/areas of risk. (The MPS already has a register of corporate risks owned at Business Group level and it simply remains to identify risks to be ‘owned’ by MB members.)

Although the risks reported to MB in February were not agreed, the following action has been / is being taken, demonstrating MB commitment to a solution:

  1. The Commissioner has proposed that MPS corporate risk management should focus on the following: “Risks to the organisational reputation of the Metropolitan Police, particularly those concerned with public or staff safety, performance, finance or probity”
  2. The Deputy Commissioner has:
    • Tasked the Director of Strategy, Modernisation & Performance to clarify the MPA’s requirements for the management of corporate risks
    • Tasked each Business Group head to outline to him by 9 March the processes they have in place to ensure the robust identification and management of corporate risks (it is expected that CRRG will act in an advisory capacity to all Business Groups and be positioned to add value through a particular focus on cross-cutting business risks)
    • Tasked the Director of Risk Management to review the responses from the Business Groups in the light of good practice and provide the Deputy with a composite view by 19 March.
  3. The Director of Strategy, Modernisation and Performance met with Len Duvall and Lord Harris to ensure that the MPS was clear as to the MPA’s requirements for risk management. It is our understanding that the Authority requires assurances that our approach to risk management across the organisation is "codified" and consistent (a process we are quality assuring at present – see item (b) above), and wish to have exposure to "top-level corporate risks" on a regular basis, so that they can be clear that we are managing the organisation as a whole within a proper risk management framework. The precise way in which we will provide this assurance has yet to be specified and agreed with the Authority, however, it is envisaged that this may comprise a brief monthly update of top-level risks for the MPA Chair, MPA Corporate Governance Committee Chair, and MPA Chief Executive together with a more formal report to each (quarterly) meeting of the Corporate Governance Committee.

3. Business risk management awareness/training rollout – The ‘business as usual’ roll-out of risk management training continues. We have now also trained a cadre of senior police officers (mostly superintendents and chief inspectors) across all business groups to assist the mainstreaming of risk management across the Service. A number of suitably skilled officers within the four operational business groups CO, SCD, SO & TP were identified and invited to attend training to a higher level in business risk management. These invitations were followed up by an advert on the front page of Aware with four course dates outlining the objectives of the training course. The advert prompted a good response and some requests from police staff to be included in the Cadre which led to an additional training date being scheduled. Five pilot Cadre courses were run. A total of 34 delegates (28 police officers and 6 police staff) attended. The courses were well received with 85% of delegates rating the personal benefit from this course as good or excellent and 97% of delegates rating their overall satisfaction as good or excellent. Feedback sheets requested the following data and asked delegates for comments on the strengths and areas for improvement of the course.

CADRE risk training feedback

                                 Very Poor   Poor   Fair   Good   Excellent
Objectives of the course met?        -         -      -     25        9
Course Structure                     -         -      2     22       10
Admin, Materials & Handouts          -         -      2     18       14
Trainers                             -         -      -     14       20
Personal Benefit                     -         -      4     19       10
Overall Satisfaction                 -         -      1     23       10

Total number of delegates: 34

The cadre training feedback has been analysed, with its strengths and weaknesses identified to assist with continuous improvement of the training process. Various recommendations based on the analysis have been made by the BRMT trainer, all of which have been agreed.

4. Business Risk Management Standard Operating Procedure (BRM SOP) – The BRM SOP has been reviewed and an updated version published that incorporates suggestions made by our customers and guidance on the risk management ‘bow-tie’ technique that has been received so well across the organisation in both operational and non-operational areas since first introduced last year. The new SOP is based on risk registers containing no more than ten risks to ensure a proper strategic focus (there is no restriction on the number of risk registers) with a mandatory requirement for all risks to be bow-tied.

5. ‘Risk Managers Together’ initiative – BRMT has brought together practitioners involved in various fields of risk management from across the Met – including business continuity planning (CO3), information security (DoI), physical security (SO16), safety and health (HR) and operational risk assessment – to join up activity and demystify risk management. The first product of this initiative will be a central ‘risk’ intranet site on Aware with an explanation as to the respective roles of the various teams and links to their own sites. A standard glossary of risk management terms will feature on the central site. We aim to have the site up and running by April 07. Further products will emerge in due course.

6. Support to DoI led ‘gold group’ – BRMT proposed that a gold group set up by DoI to deal with a recent major incident would benefit from having a risk register. This proposal was accepted and a member of the team facilitated the development and management of a register. This has proved the effectiveness of risk registers in a gold group situation.

Insurance management

7. Personal insurance invalidation indemnity policy (PIIP) – The PIIP was renewed by February Finance Committee subject to further consideration of the maximum payment limit in the light of advice received from our tax advisers that payments under the indemnity would attract tax and National Insurance. The MPS insurance manager has subsequently been tasked to investigate the possibility that treating the indemnity policy as a discretionary scheme may avoid the necessity for payments to be grossed up to allow for tax and NI. A new draft of the PIIP Policy and SOP has been completed. BRMT and Accident Claims Branch (ACB) continue to promote the PIIP.

8. Insurance programme – Post renewal of the main insurance programme in October 2006, the insurance policy register has been issued and premiums paid. Discussions have started between the external insurance brokers (Willis), MPA and MPS as to the strategy to be developed for the 2007 renewal when the liability long term agreement is due to expire. As part of this strategy, potential and existing insurance companies will be asked to attend a briefing and visits are being arranged to Hendon, Gravesend and Hyde Park to show key aspects of MPS work. (Previous visits of this nature have proved most successful in ‘demystifying’ policing for insurance underwriters and encouraging insurers to quote.)

9. Insurance Broker Tender – Discussions continue between MPA, ACB, BRMT and Procurement as to finalising the timetable, specification and scoring system.

10. Insurance Strategy Group terms of reference - The MPA/MPS quarterly Insurance Strategy Group has compiled terms of reference to make the focus of the Group more strategic. This includes outlining the risk financing strategy and options for the insurance structure going forward.

11. Liability claims handling - Following a review of external legal advice, MB agreed that all liability claims handled by ACB in excess of £5,000 will henceforth be handled by Legal Services.

12. Other insurance matters – The potential VRES contract for removal of vehicles from TfL land has insurance implications which are receiving attention. There are developments amongst other forces relating to the promotion of an insurance package for non-Federation personnel i.e. Staff, PCSOs and Specials and a report is being prepared to see if this may work for the MPS. One of the new helicopters has been provisionally accepted but the suppliers/agents (McAlpines) continue to insure this until full acceptance.

Outsourcing Programme Support (Risk Management and Insurance)

13. Outsourcing programme – BRMT continue to support the Outsourcing Programme with advice and guidance on risk and insurance matters, subcontracting specialist insurance work to Willis. This ensures that contracts and specifications include robust insurance provisions.

Corporate Governance

14. MPS Key Internal Control Framework – The MPA Treasurer, MPA Director of Internal Audit, and MPS Director of Risk Management have met to consider MPS corporate governance. The next step in the process of developing an overarching corporate governance framework, as required by CIPFA and the MPA, is the preparation of a policy framework by the Treasurer which will inform further MPS work in this area.

Following a report to MPS Management Board by the Director of Strategy, Modernisation and Performance, it has been decided to focus current activity in the area of MPS corporate governance on the following areas.

  • Development of an approach to managing MPS corporate risks – A full update on this activity area has been set out under item 2) above.
  • Deployment of the MPS Key Internal Control Framework – Assurance activity underpinning the 2006/07 MPS Statement on Internal Control is being based for the first time on the key controls in the new framework.
  • Deployment of control self-assurance in respect of MPS corporate policy implementation – Implemented by MPS Strategy Unit.
  • Continuing development (with the MPA) of an MPA/MPS governance framework and work to prepare for the evolution of Statements on Internal Control into Statements on Governance as required by CIPFA/SOLACE – Awaiting CIPFA/SOLACE framework.

Development of National Risk Management Standards for the Police Service

15. Work with National Centre for Policing Excellence (NCPE) – We are continuing to liaise with the NCPE (NPIA). We were consulted in connection with draft guidance on firearms risk assessment and submitted comments following a review of the document. We have shared the draft national risk management framework with NCPE. Amendments to reflect the requirement for either the Home Office or ACPO to commission policing doctrine have been made at NCPE’s request and a revised version of the framework has been made available.

16. National business risk management framework for the police service – As mentioned above, a second draft framework has been produced to reflect input from NCPE (NPIA) regarding the commissioning of policing doctrine from them. The draft framework is currently out for consultation with external stakeholders (Association of Chief Police Officers, Association of Police Authorities, Audit Commission, Her Majesty’s Inspectorate of Constabulary, Home Office, and the Police Authority Treasurers Society, in addition to NCPE). An initial deadline for responses/comments on the document has been extended to 5 March 2007. There has been some slippage in this project and the ALARM Police Service Risk Management Forum will not meet its self-imposed objective to have finalised a draft framework by end March 2007. However, good progress is being made bearing in mind that all work on framework development is undertaken in the contributors’ own time. We are in contact with the ACPO President’s chief of staff with a view to a meeting with Ken Jones at which to raise the issue of ‘ownership’ of risk management by an ACPO Business Area (probably Performance Management). Sponsorship of risk management doctrine can be considered once ownership of risk management at ACPO level has been resolved.
