Business Risk Management Team update

Report: 13
Date: 19 June 2006
By: Commissioner and Treasurer

Summary

A report on progress made by the MPS in the areas of corporate governance, business risk management and insurance management.

A. Recommendation

That

1. members note progress to end April 2006 on corporate governance, business risk management, and insurance management (Appendix 1); and
2. note progress as captured by the Audit Commission / ALARM risk management Key Performance Indicator (Appendix 2).

B. Supporting information

1. This paper includes a report on activity since the previous update report (Appendix 1) and an update on progress made in relation to compliance with the Audit Commission / ALARM KPI as at end April 2006 (Appendix 2).

MPS business risk management maturity progress

2. The MPS business risk management work programme for 2005/6 had the objective of taking the Service to Level 4 - ‘Moving Towards Integration’ - of its Business Risk Management Maturity Model by end March 2006. This was based on the view that the activity successfully completed within 2004/05, had moved the MPS to Level 3 - ‘Centrally Co-ordinated’ - by end March 2005. A one page, highlight version of the maturity model is at Appendix 3.

3. It has been reported to Management Board that the activity successfully completed within 2005/6, particularly the engagement programme of visits to most OCUs and Departments and the training, has successfully achieved Level 4 business risk management. Proposals have now been made to enable the MPS to attain maturity Level 5 (‘Baseline Standard’) business risk management by end March 2007. Moving to Level 5 is a major challenge requiring attainment, inter alia, of the following:

• High business risk awareness across the Service
• An energetic communications and training programme exists to sustain the high level of risk awareness that has developed
• Risk registers are in general seen as a useful element of the management process and actively used as a management tool corporately and locally
• Emerging business risks are being identified proactively before they cause significant damage or have the potential to cause such damage
• All Business Groups have achieved integration and competency baseline requirements
• The Service is continuously "raising the bar" in terms of the efficiency and effectiveness of its business risk management process.

4. Although it is a stretching challenge for the Service to attain Level 5 ‘Baseline Standard’ business risk management by end March 2007, its business risk management work programme is based on the desire to get as close to achieving this target as possible with existing resource.

Business continuity management

5. This is a particular challenge as the Service has yet to achieve Level 4 business continuity management, the requirements of which are:

• The Service has a high level of preparedness for an event with serious implications for business continuity including robust continuity plans
• Business Groups have completed tests on their business continuity plans, and their plan updating methods have proven to be effective.

6. A review of the previous approach to business continuity management has highlighted the need to broaden the scope of business continuity plans, with a greater focus on operational impact and increased consideration of mitigation and contingency planning. Thus through 2006/7 all plans will be re-visited to not only consider the impact of loss of facilities and IT, but also loss of people (especially in the event of a flu pandemic) and failure within the critical supply and the inter-departmental logistical support chains.

7. We have adopted the principle of not targeting a particular maturity level until we are sure that we have achieved the level below. BRMT will therefore work together with the CO3 Business Continuity Team towards the objective of achieving Level 4 business continuity management by end March 2007.

Corporate risk register

8. Management Board considered the refreshed Corporate Risk Register at its awayday on 31 January. MB noted the report and commented that the risk register did not yet seem to capture the right group of issues. The Director of Strategy, Modernisation and Performance was tasked to undertake further work on the Corporate Risk Register to identify the key risks to the Service.

9. The Director of Risk Management has subsequently developed proposals for a new approach to maintaining the register that have been approved by the Deputy Commissioner. The Deputy has written to his Management Board colleagues, and other key players, requesting support for the process.

10. Further details are in section 2 “Corporate, Business Group and (B)OCU risk registers” of the progress report at Appendix 1.

11. The Director of Risk Management has a personal objective for 2006/7 to “Ensure that the Corporate Risk Register is seen as a useful element of the management process and is actively used as a management tool.”

Audit Commission/ALARM key performance indicator

12. An update to the Audit Commission / ALARM risk management Key Performance Indicator (KPI) at end April 2006 is at Appendix 2.

13. As approved by Corporate Governance Committee in March 2006, the current KPI will be augmented (not replaced) by an enhanced set of measures incorporating a focus on the quality of the risk management process.

14. The new measures are an element of a risk management model for the police service under development by the ALARM Policing Sector Group. The Audit Commission will be consulted along with other key external stakeholders. The MPS Business Risk Management Team (BRMT) is developing an approach to measuring the quality of the process that produces risk registers. The new quality measures will be available during the autumn.

MPA Internal Audit high-risk recommendations

15. Members will recall that BRMT took on the task of monitoring outstanding Internal Audit high-risk recommendations as an interim measure to plug a gap in existing MPS Inspection Liaison & Analysis Unit (ILAU) monitoring activity. Responsibility for monitoring audit recommendations has now been formally transferred to ILAU. BRMT will exercise their MPS corporate risk oversight role in relation to issues raised by Internal Audit in liaison with ILAU.

C. Race and equality impact

The MPS business risk management process requires diversity risks and impacts to be identified and managed, enhancing the ability of the MPS to respond to the diversity imperative.

D. Financial implications

All work undertaken by BRMT is funded from existing budgets. Interventions to reduce risk exposures identified as a result of the deployment of the business risk management process may have financial implications.

E. Background papers

None

F. Contact details

Report author: Nick Chown, Director of Risk Management, MPS.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

Progress report – March 2006

This report covers the three areas where the Business Risk Management Team (BRMT) provides the MPS with a professional lead i.e. corporate governance, business risk management and insurance management. It also includes sections on the Outsourcing Programme, where support is provided in relation to risk management and insurance, and the development of national risk management standards for the police service.

Business Risk Management

1) Statement on Internal Control (SIC) - BRMT hosted a 2005/6 SIC Working Group meeting on the 27 January 2006 to introduce the process for information gathering which will form the basis of this year’s MPS SIC. Alterations to the template and key control areas were discussed but as the process worked well last year, it was agreed that we would proceed on the same basis this year. Completed control templates (including comments on last year’s action plans) were submitted to BRMT by 31 March. A working draft MPS SIC based on the completed templates has been reviewed by the Director Strategy, Modernisation and Performance and is now with the Deputy Commissioner for review prior to submission to the Commissioner for signature. This draft has also been submitted to the Chair of the MPA Corporate Governance Committee and MPA Treasurer for review and comment. All milestone dates relating to the preparation of the 2005/6 MPS SIC have been met.

2) Corporate, Business Group and (B)OCU risk registers – A significant number of risk registers have now been developed at (B)OCU and Business Group level to complement the existing Corporate Risk Register. BRMT are in the midst of an extensive engagement programme seeking increased buy-in to the business risk management process across the Service. The programme began with sessions with DAC TP and the Business Managers for the other Business Groups. The next stage was to meet with all the OCU commanders and department heads. The majority of OCUs and departments have been visited by end April. It is expected that the remaining visits will have been undertaken by end July. The general response has been very positive.

The refreshing of the Business Group and (B)OCU risk registers is being undertaken this year as an integral element of the MPS Integrated Planning Process. Sessions with OCU commanders and department heads have placed a particular focus on reviewing both the existing risk registers and the process in each area of the business for maintaining the registers. The deadlines for completing the risk registers this year were as follows:

• (B)OCU risk register deadline – end March 2006
• Business Group risk register deadline – end April 2006.

The risk register submission rate during this year’s planning round is substantially higher than the previous year, largely due to the extensive engagement programme. It will be necessary to maintain direct involvement with OCUs and departments to ensure that the risk registers become part of “business as usual” and that the process is a sustainable one.

During the meetings with the Business Group Business Managers a thorough review of each Business Group risk register was undertaken. This enabled the discussion of ‘emerging’ risks in each area of the business as well as the identification of risks where further activity was required. In addition, the corporate risks were reviewed with a particular focus on risks affecting each Business Group. This process was used to update the register of corporate risks. A report on the refreshed corporate risk register and emerging risks was considered by Management Board at their May 2006 awayday. MB require further work to be done on the corporate risk register to ensure that the risks continue to reflect the most important issues faced by the Service. A new process for escalating risks to Management Board has been agreed with the Deputy Commissioner. A key element of this process will be the involvement of the DACs and Business Managers in each Business Group acting as a “filter”. The Deputy has written to his Management Board colleagues, the DACs and Business Managers outlining the process and requesting full co-operation to enable the Corporate Risk Register, and the associated process for reviewing and managing corporate risks, to be reinvigorated. The Director of Risk Management will hold a series of meetings with each Business Group to enable the Corporate Risk Register to be refreshed prior to the July 2006 MB awayday.

3) Business risk management awareness/training rollout – BRMT continue to deploy risk management training sessions. It has previously been reported that bringing the training in-house has led to a substantial increase in the quality of the training delivery in addition to achieving a substantial annual cost saving. It has previously been reported that the headline Key Performance Indicator is that 81% of all delegates rate the courses as either “good” or “excellent”. The quality of the training is being maintained. We are increasingly receiving requests for specific courses for individual OCUs in addition to the generic training. [The National Centre for Policing Excellence has recently requested the MPS BRMT to deliver training for its staff based on the emerging NCPE risk management ‘model’. This is an encouraging development. The small number of courses involved can be deployed from existing resource without any adverse impact on the MPS work programme.]

Going forward, the proposed inclusion of business risk competencies within the MPS deployment of the National Competency Framework must be adequately supported by training materials for officers and staff at all levels. This involves a ‘step change’ in risk management training delivery by the MPS and will require innovation to deploy the required training from existing resource (staffing and budgets). See also section 13) below.

4) Business Risk Management Standard Operating Procedure – The latest six monthly review of the BRM SOP has been undertaken. Feedback from customers of the SOP and its associated MS Excel spreadsheet risk register tool continues to be positive. No significant changes were required to the SOP other than in relation to the development and maintenance of the Corporate Risk Register. Enhancements to the SOP in relation to the review and management of corporate risks will be implemented after Management Board’s consideration of the revised Corporate Risk Register at their July 2006 awayday.

Insurance management

5) Personal insurance invalidation indemnity policy – In January 2006 Finance Committee approved the indemnity for a further 12 months. Various enhancements to the policy were approved by the Committee and it was also noted that the formatting of the policy and its associated Standard Operating Procedure would be reviewed. Since the Committee met BRMT has redrafted the policy and SOP in conjunction with Accident Claims Branch. All amendments agreed by Finance Committee have been incorporated in the latest version.

It may be recalled that the MPA indemnity excludes ‘unaffordable events’ (events that involve mass claims that exceed the Authority’s self-insurance limits). This principle will apply to all other forces that introduce similar indemnities. The MPS is continuing to work towards the objective of a Central Government indemnity in relation to events that are unaffordable to an individual police authority, brigade or ambulance service. Following action taken by the former President of ACPO, Sir Chris Fox, prompted by a letter from the MPS sponsor, DAC Peter Clarke, various other forces have either put in place a personal insurance invalidation indemnity policy along the lines of the MPA model or are in the process of doing so. ACPO have yet to receive a positive response from Ministers to the issue of a Central Government indemnity. The Director of Risk Management will now review the current situation in this regard and identify the next steps.

BRMT and Accident Claims Branch continue to promote and make presentations on the PIIP (recent Masterclass to SO13) as well as receiving and responding to requests for advice and guidance on personal insurance indemnities from various of the other forces.

6) Insurance programme renewal – The process for renewing the insurance programme commenced with an initial 2006 insurance strategy meeting in January 2006 involving the MPA, MPS and Willis Insurance Brokers. This meeting agreed the strategy and process for this year’s renewal. All policies, limits and deductible levels were discussed. A further insurance strategy meeting has been arranged for June 2006. In the meantime, the necessary steps to achieve renewal (including legal compliance) are underway.

7) Business interruption (BI) and IT reviews – Both of these projects are on-going. The DoI are in the process of finalising the IT sums insured at the top 20 locations. The BI review is requiring a refresh approach due to the various constituent parts of the organisation from which data needs to be collected but this is in hand. The results from both these reviews will help inform the level of insurance cover that the MPA should purchase.

8) Self-insurance fund development – Version 3 of the risk funding report from the external risk funding expert has been reviewed by BRMT, MPS Finance Services and the MPA Treasurer. A final meeting has been arranged between all parties to agree the varying methodologies currently used. This exercise has confirmed that existing provisions for self-insured losses and claims are essentially adequate on the basis both of accounting and insurance industry standard analytical techniques.

9) MPS insurance and compensation claim budgets – Work is underway to develop a scheme of devolved insurance and compensation claim budgets. By ensuring that an element of costs is borne by the area of the business giving rise to the costs we aim to encourage preventative risk management. In line with insurance principles the corporate centre will assume responsibility for costs above an agreed sum. A pilot exercise in five OCUs is due to commence in the summer of 2006. The pilot involves providing quality claims statistics for those areas as well as running a ‘shadow’ devolved budget scheme alongside the existing budgeting process for 12 months. Pilot results will be monitored quarterly and a full review undertaken at the end of the exercise.

10) Other insurance matters – Clarity has been given to the liability underwriters as to the MPS fire officers role at the Palace of Westminster and related activities, the property underwriters were given a tour of NSY, and substantial progress has been made on the Willis survey recommendations of 6 key locations.

Outsourcing Programme Support (Risk Management and Insurance)

11) Outsourcing programme – BRMT continue to support the Outsourcing Programme with advice and guidance on risk and insurance matters, subcontracting specialist insurance work to Willis. This ensures that contracts and specifications include robust insurance provisions.

Corporate Governance

12) MPS Corporate Governance Framework – The Director of Risk Management has been tasked to develop a Corporate Governance Framework for the MPS based on personal accountabilities. Following ‘in principle’ approval of an outline draft framework from the Deputy Commissioner and Director of Strategy, Modernisation and Performance a draft was submitted to Management Board for consideration. MB have approved the direction of travel and requested a further report in July 2006. The current framework remains a working draft that can be adjusted as necessary prior to the intended publication in Autumn 2006. The framework has been shared with the Chair of the MPA Corporate Governance Committee, MPA Treasurer, and MPA Director of Internal Audit for review and comment.

Development of National Risk Management Standards for the Police Service

13) Work with National Centre for Policing Excellence – A significant meeting took place in March 2006 between ACC Peter Townshend of NCPE and the MPS Director of Risk Management. At this meeting the following strategy was agreed:

• NCPE will participate with the National Forum for Risk Management in the Public Sector (ALARM) Policing Sector Group in developing a national model for business risk management in the police service
• NCPE wish the MPS BRMT to work closely with their implementation teams in developing the risk management content of existing and future doctrine, and MPS BRMT have undertaken to provide such assistance
• NCPE wish BRMT to assist Centrex in the development of awareness and training on business risk management for leadership development training programmes for the police service, and MPS BRMT have undertaken to work with Centrex on this
• NCPE accepted ‘in principle’ MPS BRMT’s offer of a short term, part time attachment of one of its senior risk management advisers to NCPE to facilitate progress.

It has subsequently been agreed to attach a member of BRMT to NCPE on a short term, part time basis from June 2006 to focus on the development of a modular approach to risk management for use in connection with future NCPE doctrine.

14) National business risk management model for the police service - HMIC have recommended that the National Centre for Policing Excellence (NCPE) consider the MPS risk management model for deployment across the forces emerging from the restructuring of the forces in England and Wales. The ALARM Policing Sector Group is working on a national standard for risk management in the police service. The ALARM group is receiving valuable pro bono assistance from PricewaterhouseCoopers. A workshop was held in November 2005 from which a first draft outline standard emerged. A further workshop in January 2006 further developed the outline standard. Version 2 of the outline model will be published in June 2006. NCPE have agreed to participate in the next stages of the development programme. In response to a request, the Director of Risk Management has written to NCPE formally inviting them to nominate a member or members of their implementation teams to join the ALARM Policing Sector Group working party.

Send an e-mail linking to this page

Feedback