
Report 9 of the 14 September 2007 meeting of the Corporate Governance Committee, highlighting progress made by the MPS in the areas of corporate governance, business risk management and insurance management.

Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).

See the MOPC website for further information.

Business Risk Management Team update

Report: 9
Date: 14 September 2007
By: Treasurer and Commissioner

Summary

A report on progress made by the MPS in the areas of corporate governance, business risk management and insurance management.

A. Recommendation

That

  1. members note progress to end July 2007 on corporate governance, business risk management, and insurance management; and
  2. note progress as captured by the Audit Commission / ALARM [1] risk management Key Performance Indicator.

B. Supporting information

1. This report includes a report on activity since the previous update report (Appendix 1) and an update on progress made in relation to compliance with the Audit Commission / ALARM KPI as at end July 2007 (Appendix 2).

Corporate governance

2. A detailed first draft gap analysis of the new CIPFA / SOLACE governance framework has been undertaken. The MPS has most of the essential elements of a corporate governance framework in place. As previously reported, the development of an overarching MPS corporate governance framework, and any filling of gaps, is being held in abeyance pending publication of specific guidance for police authorities on deploying the CIPFA / SOLACE governance framework. When the police authority guidance is available, we will update the gap analysis (reflecting MPA input on the first draft). In the meantime, the Director of Risk Management (in his ALARM capacity) has submitted comments on the risk management section of the guidance to the Association of Police Authorities, as has the MPA Treasurer on both corporate governance and risk management issues.

3. In relation to the change in the Authority’s Standing Orders, the scheme of delegation is being revised. This is to be completed by 1 October 2007.

4. The 2006/07 MPS Statement on Internal Control (SIC) has been completed and submitted to the MPA. We will review progress on the SIC action plan quarterly. We will also consider the implications for the SIC process of the required evolution of the statement into a statement on governance.

MPS business risk management maturity progress including progress on corporate risk management

5. It has already been reported to Members that the Corporate Risk Review Group (CRRG) is developing into its role well. CRRG has now met seven times (monthly meetings) and has led some key developments.

  1. A set of ‘top X’ (currently eleven) corporate business risks has now been approved by Management Board. Each risk is owned by a member of MB. On behalf of MB, CRRG will ensure that each risk is the subject of suitable analysis, that existing risk mitigation actions are reviewed in terms of their adequacy and effectiveness, with recommendations made as necessary.
  2. Monthly corporate risks reports, based on the debate at CRRG, are now submitted by the Director of Risk Management to MB and then to the Chair and Chief Executive of the MPA and the Chair of the MPA Corporate Governance Committee. This process commenced in June 2007.
  3. The Director of Risk Management has developed a framework for the management of corporate business risks, which has been agreed by CRRG. He has subsequently been tasked to develop governance arrangements and standard operating procedures around the use of the ‘bow-tie’ risk analysis tool in relation to corporate business risks.

6. The Director of Risk Management has undertaken a series of meetings with the Business Group risk leads (one only remains outstanding). These meetings were primarily to review the position regarding deployment of process to identify and manage corporate business risks on behalf of MB, and to review those ‘top X’ risks owned by each head of Business Group. Whilst some work remains to be done, that was expected, and there are no areas of concern. In view of the good progress being made by the Business Groups, and the developments referred to in paragraph C. 1. above, it can be reported that we remain on course to achieve Level 5 (“Minimum Standard”) business risk management maturity by the end of the current financial year.

Corporate risk register

7. We reported earlier that a thorough review of the format of the Corporate Risk Register [2] will be undertaken at the appropriate juncture. This task will follow immediately after approval of the governance arrangements and SOP for corporate business risks referred to at paragraph C. 1. (c) above.

Audit Commission / ALARM key performance indicator

8. An update to the Audit Commission / ALARM risk management Key Performance Indicator (KPI) at end July 2007 is at Appendix 2. The committee is again reminded that the ‘green’ status of the majority of the indicators is not an accurate picture of the business risk management process.

Insurance management

9. The insurance programme continues to mature to reflect the risk exposure of the MPS/MPA. (See sections 9 to 14 of Appendix 1 for an activity update).

10. The insurance policy portfolio is due for renewal on 1 October 2007. The Director of Strategic Finance, supported by the Assistant Director of Risk Management, will report to the MPS MB with the MPA Deputy Treasurer reporting to the MPA Finance Committee in September on the outcome of the marketing of the insurances.

C. Race and equality impact

The MPS business risk management process requires diversity risks and impacts to be identified and managed, enhancing the ability of the MPS to respond to the diversity imperative.

D. Financial implications

All work undertaken by BRMT is funded from existing budgets. Interventions to reduce risk exposures identified as a result of the deployment of the business risk management process may have financial implications.

E. Background papers

None

F. Contact details

Report author: Nick Chown, Director of Risk Management, MPS.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

Progress report – end July 2007

This report covers the three areas where the Business Risk Management Team (BRMT) provides the MPS with a professional lead i.e. corporate governance, business risk management and insurance management. It also includes sections on the Outsourcing Programme, where support is provided in relation to risk management and insurance, and the development of national risk management standards for the police service.

Business Risk Management

1. Statement on Internal Control (SIC) - The 2006/7 MPS SIC has been completed, signed off by the Commissioner and submitted to the MPA.

2. Business risk registers – Work on developing the process for identifying and managing corporate business risks has progressed as follows:

  1. A set of ‘top X’ (currently eleven) corporate business risks has now been approved by Management Board. Each risk is owned by a member of MB. On behalf of MB, CRRG will ensure that each risk is the subject of suitable analysis, that existing risk mitigation actions are reviewed in terms of their adequacy and effectiveness, with recommendations made as necessary.
  2. Monthly corporate risks reports, based on the debate at CRRG, are now submitted by the Director of Risk Management to MB and then to the Chair and Chief Executive of the MPA and the Chair of the MPA Corporate Governance Committee. This process commenced in June 2007.
  3. The Director of Risk Management has developed a framework for the management of corporate business risks, which has been agreed by CRRG. He has subsequently been tasked to develop governance arrangements and standard operating procedures around the use of the ‘bow-tie’ risk analysis tool in relation to corporate business risks.
  4. The Director of Risk Management has undertaken a series of meetings with the Business Group risk leads (one only remains outstanding). These meetings were to review the position regarding deployment of process to identify and manage corporate business risks on behalf of MB, review those ‘top X’ risks owned by each head of Business Group, and discuss how best BRMT can support each Business Group risk lead. Whilst some work on deploying process remains to be done, that was expected, and there are no areas of concern. Support to Business Groups will consist primarily of bespoke training, briefing sessions, facilitating a limited number of risk workshops to achieve a skills transfer, and the continuing provision of advice and guidance as required from time to time.

3. Business risk management training and risk workshops – The ongoing rollout of risk management training continues. We continue to receive very positive responses from delegates to both course content and the quality of Jo Collins’ presentation. A large part of the team’s time is now spent in facilitating risk workshops where we mostly use the bow-tie (risk) and butterfly (risk and opportunity) analysis tools. Examples are the workshops undertaken in respect of each of the themes within the Corporate Strategic Assessment (which has been particularly useful in terms of identifying cross cutting issues) and workshops delivered for the Olympics Security Directorate (OSD) including the OCU command team. (We continue to work closely with the OSD risk manager. The team are acting as mentors for the risk manager in addition to providing advice, guidance and facilitation services. We are reviewing with OSD the future demand for risk management services, including our own ability to support OSD as its work ramps up.)

4. Risk bow-tie and butterfly analysis tools - Due to the success of these analysis tools we will be developing new standard operating procedures to leverage the value added. We are also undertaking preliminary discussions with PwC and a software house (RiskHive) over the possible development of software to enable bow-ties to be developed on the fly and to incorporate a simple means of prioritising the output to enable a focus of scarce resource on key controls. We have previously reported that the new techniques have met with a great deal of enthusiasm, which significantly enhances our ability to mainstream risk management. We said that we expected to report on the development of a revised bow-tie based risk register SOP at the September meeting. We think that the following are likely to be the key elements of an approach to risk registers based on bow-ties:

  1. The register is likely to consist of an index, a set of bow-ties, a risk and control matrix to map controls against risks, and an action plan
  2. The bow-ties will contain details of the risks, causes, consequences, controls (both preventative and mitigating) and risk / control owners
  3. The index will incorporate any details from the old line by line registers that must be retained but which cannot be captured on the bow-ties themselves
  4. The matrix, which when fully developed will assist in the identification of key controls, will not be mandatory at this juncture
  5. Whilst it will remain a mandatory requirement to have an action plan, an OCU will have the option to use an existing action planning process.
    Work continues and output will feature in future quarterly reports.

5. ‘Risk Managers Together’ initiative – Following the introduction of the central ‘risk’ intranet site on AWARE and the development of a risk management training course ‘primer’, the group is focusing its limited resources on a project to review existing MPS operational risk assessment methodologies. The objective is to see if it will be possible to develop a standard approach to operational risk assessment. At this early stage, it appears that quantified (scored) risk assessments may be amenable to standardisation along the following lines:

  1. Generic guidance on undertaking risk assessment using a standard scoring system and other standard elements
  2. Generic risk assessment template / format
  3. Library of checklists applicable to each business area involved.
    Work continues and the output will feature in future quarterly reports.

6. Support to DoI led ‘gold group’ – As previously reported, BRMT has proved the effectiveness of risk registers in a (non-operational) gold group situation. We are now working with colleagues to determine the criteria to be used to decide where the use of a risk register will add value in a gold group setting and to determine how risk management tools may enhance the handling of critical incidents. Two meetings have been held with Commander Steve Allen in this regard as a result of which we will be attending some future gold groups and an MPS critical incident training course to enhance our understanding of the crisis management process and better enable us to identify elements of our toolkit that may add value in this context.

7. Partnership risk management – Corporate partnership management guidance is under development by Territorial Policing. The Business Risk Management Team has developed a procedure for managing risks in a partnership context which has been submitted to TP. The guidance, including risk management procedure, has undergone a period of consultation. We will make any necessary changes to the risk management procedure based on feedback received via the consultation.

8. Risk management competencies for officers and staff – Liaison with Skills for Justice remains slow. With the proposed release of the new British Standard on Risk Management and the new Criminal Justice System risk forum being established (see item 19), it is hoped that these 2 new vehicles will be used to help push the risk management competencies with Skills for Justice.

Insurance Management

9. Personal insurance invalidation indemnity policy (PIIP) – A paper is being drafted for MPS MB to note the current position on the mass claims exclusion and the discretionary scheme option. A further paper will be submitted to the MPA Finance Committee, hopefully at the September 2007 meeting.

10. Insurance programme – The insurance tender document is now with underwriters following insurer “educational” visits to Hendon, Gravesend and Wimbledon Tennis Championships. Positive feedback had been received from Willis as to the benefits underwriters achieved from this proactive engagement process.

11. Insurance Broker Tender – The Restricted Notice has been published in OJEU and discussions continue between MPA, ACB, BRMT and Procurement on PQQ and tender response scoring systems.

12. Liability claims handling – Following a business case analysis, it has been agreed that the Accident Claims Branch (ACB) is to become part of the Directorate of Legal Services with effect from October 2007. Work continues to transfer to Legal Services all liability claims handled by ACB where the sum claimed exceeds £5,000.

13. BRMT, ACB and HR continue discussions with the South East and Eastern Region Police Insurance Consortium and their insurance brokers, George Burrows, about the feasibility of introducing a personal lines insurance scheme for MPS staff, PCSOs and Specials. Issues still being discussed include: potential workload demands on MPS, charges by Logica CMG, ability of the scheme to demonstrate best value, IT security, vetting of third parties, FSA compliance.

14. Other insurance matters – Pandemic insurance matters continue to be discussed with the GLA. Five MPS locations were the subject of property insurance surveys by Willis (and Mitsui) and recommendations flowing from this will be incorporated into a work plan.

Outsourcing Programme Support (Risk Management and Insurance)

15. Outsourcing programme – BRMT continue to support the Outsourcing Programme with advice and guidance on risk and insurance matters, subcontracting specialist insurance work to Willis. This ensures that contracts and specifications include robust insurance provisions.

Corporate Governance

16. MPS Key Internal Control Framework – As previously reported, the development of an overarching MPS corporate governance framework is being held in abeyance pending publication of specific guidance for police authorities on deploying the CIPFA / SOLACE governance framework. The Director of Risk Management (in his ALARM capacity) has submitted comments on the risk management section of the police authority guidance to the Association of Police Authorities.

The 2006/07 MPS Statement on Internal Control (SIC) has been completed and submitted to the MPA. We will review progress on the SIC action plan quarterly. We will also consider the implications for the SIC process of the required evolution of the statement into a statement on governance.

We understand from the APA that the MPA/MPS statement on internal control ‘model’ (involving the preparation of a force statement in addition to the published statement) is to be adopted by CIPFA for the new statement on governance.

Development of National Risk Management Standards for the Police Service

17. Work with National Policing Improvement Agency (NPIA) – There has been no work with NPIA during the reporting period.

18. National business risk management framework for the police service – This project is being led by the ALARM Policing Sector Group. A draft framework has been out for consultation with key stakeholders during the reporting period. That draft has been updated to reflect feedback received. In particular, the document has been strengthened around the role of the police authority and police authority treasurer at the request of the Association of Police Authorities. ALARM will continue to seek support for the national framework. To that end the Chief Executive of ALARM will be addressing the forthcoming ACPO / Home Office / NPIA conference on risk management, and the new ALARM Policing Sector Group Chair and the MPS Director of Risk Management will be running a workshop at the conference.

Criminal Justice System Risk Forum

19. Representatives of Her Majesty’s Courts Service are seeking to inaugurate a risk forum for all the constituent parts of the Criminal Justice System (CJS). The Director of Risk Management has accepted an invitation to chair the new group. The group’s inaugural meeting will take place in the autumn of 2007 (but not all CJS entities have signed up as yet). AC Tim Godwin - in his capacity as Chair of the London Criminal Justice Board - has been apprised of this development. At Mr Godwin’s request, the Director of Risk Management has made initial contact with the Chief Executive of the London Criminal Justice Board, Andrew Morley. Draft terms of reference are being prepared. If all CJS organisations participate in this forum, an end-to-end process view of CJS risk should be achievable.

Footnotes

1. ALARM is the National Forum for Risk Management in the Public Sector.

2. The Corporate Risk Register consists of the ‘top X’ risks owned by members of MB together with the corporate risks owned and managed on behalf of MB by the Business Groups.

Supporting material

  • Appendix 2
    [PDF]
    Audit Commission / ALARM risk management key performance indicator
