Risk management

Report: 08
Date: 22 April 2004
By: the Treasurer and Commissioner

Summary

This report confirms the Metropolitan Police Service Management Board decision to achieve good practice risk management over a period of three years including priority action to enable the Metropolitan Police Authority to comply with the internal control and risk management requirements of the Accounts and Audit Regulations, 2003 and ensure that the MPS can meet its statutory requirements under the proposed Civil Contingencies Act.

MPA Internal Audit lead on internal control matters, MPS Corporate Risk Management Group (CRMG) on risk management. Partnership working between the two teams will ensure a fully integrated approach.

The report makes proposals in relation to the Authority’s role in risk management.

A. Recommendation

That

1. members note and endorse the risk management arrangements agreed by the MPS Management Board;
2. recommend to the Authority that a revised Audit and Risk Management Committee should take the MPA’s responsibility for oversight and monitoring of risk management; and
3. comment on the draft MPA/MPS Risk Management Strategy set out at Appendix 2.

B. Supporting information

Background

1. In July 2000, the Authority’s Finance Planning and Best Value Committee agreed on the recommendation of the MPA Treasurer that there should be a strategic review of risk management in the MPS. Willis were eventually appointed to carry out that review which took place during 2001. Willis’s final report was considered by an ad hoc group of MPA members in February 2002. The group endorsed the recommendation that, as a first step, a Director of Risk Management should be appointed in the MPS.

2. As a result, Nick Chown took up the new post of Director of Risk Management from May 2003. His post is located within the Deputy Commissioner’s Command heading up the Corporate Risk Management Group (CRMG) and reporting to DAC Richard Bryan. With the support of the Treasurer, the Director of Risk Management has been working to put in place appropriate risk management processes. The programme of activity to mainstream risk management at Appendix 1 was approved by the MPS Management Board on 2 March 2004.

Requirement

3. The value of risk management stands on its own merits. However there is also now a requirement under the Accounts and Audit Regulations 2003 for the MPA to have ‘a sound system of internal control which facilitates the effective exercise of (its) functions and which includes arrangements for the management of risk’. A statement of internal control has to be published with the Authority’s annual accounts commencing with 2003/04.

MPS arrangements

4. The arrangements agreed by MPS Management Board, as set out in Appendix 1, build on the work done previously by Willis to establish a Corporate Risk Profile as a first step towards enhancing the MPS business risk management capability. The programme of future activity is sponsored by the Deputy Commissioner, led by CRMG, and designed to achieve good practice risk management over a three year period to end March 2006 in accordance with a Risk Management Maturity Model developed by CRMG. It will ensure compliance with the risk management provisions of the Accounts and Audit Regulations 2003 and the contingency planning requirements of the proposed Civil Contingencies Act. The activity at Appendix 1 is the work required during 2004/05.

5. In support of the requirement for the MPA to review internal control and risk management annually, the MPS Corporate Governance Strategic Committee (CGSC) will report quarterly to Management Board on the current status of internal control and risk management within the MPS, such reviews to be facilitated by the work programmes of CRMG and MPA Internal Audit. Ownership of risks will be taken by Management Board members and BOCU commanders. Risk profiles will be prepared at Business Group and BOCU level and feed into the Corporate Risk Profile.

Proposed MPA arrangements

6. The MPA needs to exercise oversight and monitoring of MPS risk management. Because of its close linkage with systems of internal control, risk management is most appropriately located with audit. It is therefore suggested that the remit of the present Audit Panel should be expanded and that group be re-named the Audit and Risk Management Committee.

7. The Authority needs to adopt an overarching risk management strategy to provide a framework within which the work of both the MPA and the MPS fits. A draft strategy is attached at Appendix 2. Members’ comments are invited so that the strategy can be finalised, together with any further input from the MPS, for approval by the Authority at a later date.

8. The revised Audit and Risk Management Committee would receive regular reports flowing through from the MPS’s internal corporate governance arrangements focussing particularly on the Corporate Risk Profile, the programme of risk management actions and monitoring progress.

9. In order to support the statement of internal control that the Authority is obliged to publish in future it will be necessary for the Commissioner to provide a letter of assurance on internal control and risk management annually starting with the 2004/05 year. Again, this letter would be informed by the work of the MPS CGSC.

10. An appropriate risk management strategy is required for the MPA’s direct responsibilities. A draft is attached at Appendix B. The performance management framework for risk management is work in progress and will be submitted to MPS CGSC for approval. Nick Chown will facilitate a workshop to profile the risks to the achievement of the emerging MPA corporate strategy, the output of which will inform that strategy.

The Director of Risk Management will be assisting MPA management to develop a risk profile based on the Authority’s emerging corporate strategy. This will facilitate appropriate management of risk in relation to the achievement of the MPA’s own direct objectives.

C. Race and Equality impact

Risk management has a role to play in improving our position on equality and diversity through an improved focus on the risk of failure to achieve equality and diversity targets and emphasis on continuous improvement.

D. Financial implications

1. The programme of work to mainstream risk management is to be funded from existing budgets. The cost of the small central MPS resource engaged on deploying risk management is a trivial percentage of the potential financial impacts of unmanaged risk exposures and can be regarded as an investment in building the future Service.

2. A particular focus for financial savings is insurable risk management. The Director of Risk Management will be ensuring that risk management measures address the need to secure reductions in financial claims and losses and support the achievement of cost-effective insurance arrangements.

MPA Insurance Group is reviewing a recommendation from Nick Chown to increase the current property insurance policy deductible from £1m to £5m from renewal 2004 and set up a formal MPA self-insurance fund along insurance company lines managed by CRMG.

E. Background papers

• MPS Management Board report MB(04)25

F. Contact details

Report author: Peter Martin, Treasurer, MPA; Nick Chown, Director of Risk Management, MPS.

For more information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 2

Draft - Proposed MPA Risk Management Strategy

Purpose, aims and objectives

1. The Purpose of this Risk Management Strategy is to effectively manage potential opportunities and threats to the Authority achieving its objectives.

2. This Risk Management Strategy will achieve this purpose through:

• Integration of risk management into the culture of the Authority and Service
• Raising awareness of the need for risk management by all those connected with the delivery of services (including partners, suppliers and contractors)
• Enabling the Authority and Service to anticipate and respond to changing social, environmental and legislative conditions.
• Introduction of robust framework and procedures for identification, evaluation, prioritisation, control and monitoring of risk, and the reporting and recording of events, based on good practice.
• Minimisation of the cost of insurable risk.

3. To achieve these aims and objectives, the following strategy is proposed;

• Develop an Authority Risk Profile, allocate ownership of risks in the profile to members of MPA SMT and take appropriate steps to mitigate each risk
• Develop a Service Risk Profile, allocate ownership of risks in the profile to members of MPS SMT and take appropriate steps to mitigate each risk
• Establish clear accountabilities across the MPA/MPS for managing risk, roles and reporting lines
• Acquire and develop the necessary skills and expertise to provide a centre of excellence for risk management within the Service
• Provide for risk assessment in all MPA/MPS decision-making processes
• Ensure that the resource allocation framework allocates (targets) resources for risk management as may be necessary from time to time
• Ensure appropriate consideration of risk within all reviews of service performance and subsequent improvement plans.
• Develop toolkits, procedures and guidelines for risk management for use across the Authority and Service
• Develop arrangements to measure performance of risk management activities against the aims and objectives
• To make all partners, suppliers and contractors aware of the Authority’s expectations for risk management, both generally as set out in its risk management strategy, and more specifically in particular areas of service delivery.

Accountabilities, roles and reporting lines

4. A framework will be implemented that will address the following issues:

• The different types of risk – operational and business
• Where risks should be managed
• Authority and Service roles and accountabilities for managing risk
• The need for a “driving force” within the Service
• Prompt reporting of accidents, losses etc

5. The guiding principle behind MPA/MPS risk management is that wherever possible it should be embedded within existing management process

6. To enhance the MPA/MPS ability to mainstream risk management the Service will establish a Corporate Risk Management Group that will be the “driving force” behind developing and implementing the Authority’s Risk Management Strategy. This group will be led by the Director of Risk Management.

7. The Director of Risk Management will service the MPS Corporate Governance Strategic Committee and Management Board on all risk management matters. Each Management Board member will nominate an appropriate senior member of staff to undertake a Risk Management Sponsorship and Liaison role, acting as a link between their Business Group and the Corporate Risk Management Group. Sponsors for risk management will also be allocated at MPS BOCU level.

8. The Director of Internal Audit will advise the MPA Audit and Risk Committee and Full Authority on all internal control matters. Each MPA Senior Management Team member will make arrangements for a Risk Management Sponsorship and Liaison role to link with the Director of Internal Audit.

Framework for risk management reporting lines

Skills and expertise

8. Having established roles and accountabilities for risk management, the Service must ensure that it has the skills and expertise necessary. It will achieve this by a programme of embedding risk management within existing training and learning opportunities that addresses the individual needs of staff – this programme will not be “one size fits all”.

9. The programme will include relatively high level risk appreciation for Senior Police Officers and Police Staff, risk appreciation for more junior Police Officers and Police Staff, more detailed and intensive courses focusing on good practice in risk management for the Risk and Quality Assurance community, and specialist risk training where necessary (e.g. Business Continuity Planning).

Risks and decision making processes

10. Risk needs to be addressed at the point at which decisions are being taken. Where MPA Officers, MPS Police Officers and Police Staff are required to make decisions they should be able to identify, evaluate, prioritise and control the risks associated with recommendations being made and action being taken. This necessitates the mainstreaming of risk management within training as described in the preceding section.

11. In addition to actually managing risks when making decisions, the MPA/MPS need to be able to demonstrate that reasonable steps have been taken to consider the risks involved in a decision. Where decisions are requested through reports to MPA committees, MPS Management Board and Strategic Committees risks must be addressed appropriately within these reports, ensuring that a suitable balance is struck between the efficiency of the decision making process and the need to address risk.

Supporting continuous improvement

12. Risk Management will be incorporated into MPA/MPS business planning processes with a risk assessment of all business aims being undertaken as part of drawing up business plans. Risk control measures will be fed into Service Improvement Reviews.

Integrating risk management with project management

13. A consistent approach to identifying, evaluating, prioritising, controlling and monitoring risk will be adopted and included in MPA/MPS project management methodologies. This will be used in all significant MPA/MPS projects, including the development of Authority/Service strategies.

Integrating risk management with performance management

14. Risk Management will be integrated into the existing performance management system.

Best value reviews

15. Before making recommendations, it is essential that risks are properly addressed in order to deliver the intended benefits. Each individual review must demonstrate this when submitted for approval through the Best Value process.

Involvement of elected members

16. Elected Members have a key contribution to make to the assessment of risks to the objectives of Authority corporate strategies and their input will be obtained to all risk assessment exercises relating to Authority objectives. Members will be involved in the annual MPA review of MPA/MPS internal control and risk management.

Toolkits, procedures and guidelines

17. An MPS Risk Management Framework will be issued by CRMG under the auspices of the Corporate Governance Strategic Committee and will be available to all MPS Police Officers and Police Staff. This will provide guidance on all aspects of risk management and will be a practical “toolkit” that will introduce a consistent methodology to be followed throughout the Service. The framework will be reviewed at least twice a year and on the occurrence of any major operational change/restructuring.

Monitoring the impact of risk management

18. A performance management framework will be developed to monitor the impact of risk management activities and the success of the Risk Management Strategy itself. Individual indicators will be developed to measure achievement of the aims and objectives.

Key risk indicators

19. For each risk on the MPA/MPS risk profiles a Key Risk Indicator (KRI) will be used to monitor the effectiveness of risk mitigation activity ensuring that a suitable balance is struck between the efficiency of the risk monitoring process and the extent of the risk exposure in each case. KRIs may be existing or new measures as necessary.

Risk management across external boundaries

20. The Authority has long since seen the potential benefits and rewards from partnership working including with suppliers and contractors. It also recognises the risks involved. Whilst these risks can be managed by the Authority through formal contracts that clearly allocate risks to the appropriate parties, failure by either or any one of those parties to manage their risks can have serious consequences for the other(s).

21. Before entering into partnership, joint working or business contract arrangements, the prospective partners, suppliers or contractors should be requested for full details of their approach to risk management and asked to provide appropriate minimum evidence to support their response to integrate into existing procurement arrangements.

Send an e-mail linking to this page

Feedback