ANNEX C

Risk Management & Business Continuity Manual
2011 - 2014

Produced by the Risk and Business Continuity Team
April 2011

February 2011
Draft V.10


Contents

Purpose
Introduction
Risk Appetite
Procedure for escalation reporting process
Service Plans and Projects
Roles and Responsibilities 7-8
Risk & Business Continuity Management Outcomes 9-10
Equality Impact Assessment 10
Glossary of Terms 12
Budget 13
Quality Assurance 13
Review 13

Addendums
Risk and Business Continuity Policy
Risk Management Process
Business Continuity Process
Risk and Business Continuity Steering Group Terms of Reference


Purpose

1.1 This is the Milton Keynes Council Risk Management and Business Continuity
Manual Plan 2011-2014. It sets out the processes that the Council has in place to
ensure the effectiveness of risk management and business continuity across the
Council at a time of increasing pressure on budgets and performance.
1.2 Effective Risk Management and Business Continuity will allow us to:
- Increase confidence in achieving the priorities and outcomes at all levels
- Agree levels of acceptable threats and how these will be handled
- Reduce the potential for lost opportunities
- Ensure the Council is resilient and has plans in place to ensure continuity of
service(s)

1.3 Ultimately, effective risk management and business continuity forms an important
element of good business management and service provision and will ensure that
the Council maximises its opportunities and minimises the impact of the risks it
faces, thereby improving the ability to deliver the priorities and ultimately improve
outcomes for residents.
1.4 The Council recognises the need to improve the resilience of the organisation
against known and perceived threats, risks and disruption to both planned and
unplanned events and it does this by employing the expertise within the Risk and
Business Continuity Team. This team oversees the management of the process to
ensure Risk and Business Continuity is embedded into the culture of the
organisation.
1.5 Corporate Leadership Team and senior management have the responsibility to
ensure that Milton Keynes Council manages its risks and is protected in the event
that a disruption occurs which may have a detrimental effect on its services.
Everybody has a responsibility for both Risk and Business Continuity Management.

Introduction

2.1 Aims and Objectives

2.1.1 The aim of this strategic plan is to improve the Council's ability to deliver its
strategic priorities by managing its threats, enhancing its opportunities and
creating an environment that allows innovation and adds value.
2.1.2 Objectives:
(1) Ensure the management of risk is embedded as part of the Council's culture
(2) Provide a consistent and accessible means of recording risk evaluations and
action plans which facilitates the sharing of risk information.


(3) Ensure a framework for identifying, evaluating, controlling, reviewing and
reporting risks across the Council is implemented and consistent in all areas
of the Council
(4) Allow risks to be understood and prevent a risk-averse culture within
the Council
(5) Ensure the Council's resilience to the risks arising from its partners,
contractors and supply chain
(6) Communicate the Council's approach to Risk Management and its alignment
with Service Planning to stakeholders
(7) Ensure the Council's approach includes full compliance with Business
Continuity provisions within the Civil Contingencies Act 2004
(8) Ensure that all services have an agreed and managed set of documents
(Business Continuity Plan) to help them cope with any interruption to normal
service processes.

Risk Appetite

3.1 Risk Appetite refers to the Council's unique attitude towards risk taking, which in
turn dictates the amount of risk that it considers acceptable. The Council's risk
tolerance threshold has been agreed by Corporate Leadership Team (CLT) and is
set out below in Figure 1.

[Figure 1 MKC Risk Tolerance Threshold: a matrix of Likelihood (vertical axis) against
Consequence (horizontal axis) divided by the tolerance line; risks above the line are
Reported, risks below the line are Monitored]

Figure 1 illustrates that any threat which scores residually[1] above a 10 should be
specifically managed, monitored and reported (see the section on Reporting for details)
and further action taken to manage the threat down to an acceptable level.[2]

[1] A residual score takes into account active controls, i.e. it is the level of risk still remaining after mitigating action has been
implemented.
[2] Programmes and Projects may choose a different risk appetite.


3.2 An established Risk Appetite enables the Council to prioritise risk management
action by focussing response planning, monitoring and control activities on the risks
that are deemed highest.
3.3 It is recognised that the Council might be prepared to accept a higher than usual
proportion of risk in one area if the balance of risk is acceptable, and if the potential
benefits are great. Risk Appetite can therefore be varied for specific risks.
3.4 It should be noted that some risks are unavoidable and it is not within the ability of
the organisation to completely manage them to a tolerable level - for example many
organisations have to accept that there is a risk arising from terrorist activity which
they cannot control. In these cases the Council has made Business Continuity
Plans to alleviate these associated pressures.
3.5 The risk appetite will be monitored by the Risk and Business Continuity Team and
will be formally reviewed in conjunction with the Risk and Business Continuity
Steering Group alongside the review of this Strategic Plan.

Risk Procedure for Escalation - Reporting Process

4.1 Risk Escalation


4.1.1 A cyclical process of risk reporting and escalation has been agreed by CLT. A
quarterly timetable has been established that has been aligned to the CLT
Performance Challenge sessions with Assistant Directors. The process will be
communicated to staff on a regular basis.
4.1.2 Following each quarter's CLT Challenge session a quarterly overview report will
be presented to CLT, including a review of the Council's Strategic Risks.
4.1.3 The key elements to support this process are set out below:


- Risk Owners will review their risks in GRACE (both Service and Project) to an
agreed quarterly timetable aligned to the CLT Challenge sessions.
- A member of the Risk and Business Continuity Team will meet with every
Assistant Director at least once per quarter to review each Service Group's key
risks. Assistant Directors will be required to review the risks above the agreed
Risk Tolerance Threshold at service, team and project level, taking action on
any risks which require attention. Assistant Directors will identify the top risks
to be submitted to the Challenge sessions for each Service Group including
any risks requiring escalation to CLT.
- The above reviews will include consideration of Business Continuity
arrangements.
- Service Group risks will be sent to the relevant Director and presented to the
next CLT Challenge session.
- The CLT Challenge session will review the Service Group risks.
- CLT will review the Strategic Risks and a summary of all Service Group risks
every quarter following that quarter's CLT Performance Challenge sessions.


- The Risk and Business Continuity Team will highlight any common themes
appearing across the Council and any key gaps in risk assessments.
- A summary report will then be submitted to the next scheduled Audit
Committee.

Risk, Business Continuity and Service Plans

5.1 The effective management of risk and business continuity is an essential part of
Service Planning and Performance Management. As such the Corporate
Leadership Team have agreed a method of aligning the Risk Management and
Business Continuity processes to the Service Planning Process. This is set out
below in Figure 2.
[Figure 2 Alignment of Risk Management to Service Planning: the Risk Management levels
(Corporate Strategic Risk; Service Group Top Risks; Operational Risks; Business Continuity
Planning) are aligned against the Service Planning levels (Council Plan; Corporate Plan;
Service Group Plan; Team Plan; Operational Plan)]

5.2 Risks at each Service Planning level should be adequately assessed and recorded
in GRACE, with a report from GRACE to be appended to the relevant Service Plan.
5.3 This alignment produces an embedded Risk and Business Continuity Management
structure across all levels of the Council that is considered and reviewed at the
same time as the Service Plans, during appraisals, one to one reviews and team
meetings.
5.4 This requires Services to ensure that their risks, both threats and opportunities, are
regularly reviewed and that this review is documented in GRACE.

Risk and Projects


5.5 Projects are typically riskier than everyday business as usual; it is therefore
essential that risks are considered from the outset and managed effectively
throughout the project. As such, the Risk and Business Continuity Team work very
closely with the Council's Portfolio Office to ensure projects have the correct
support they need to effectively manage their risks.
5.6 The quarterly risk reporting process applies to all projects, and reports from
GRACE should be appended to Highlight Reports.
5.7 Project Boards may choose to receive reports on risk more frequently than
once per quarter. This should be agreed in advance and form part of the START
document.

Roles and Responsibilities

6.1 Everyone in the Council should have an awareness of Risk and Business
Continuity Management. We all need to be aware of the roles and responsibilities in
identifying and managing risks and responding to business continuity incidents.
6.2 Clear identification of roles and responsibilities will ensure the successful adoption
of Risk and Business Continuity Management and demonstrates that these two
services are embedded into the culture of the Council enabling the organisation to
be risk aware and resilient.
Cabinet


- Appoint a Member to gain understanding and promote Risk and Business Continuity
Management and their benefits throughout the Council.
- Ensure that decisions taken in Cabinet Reports have been adequately reviewed for
risks, both threats and opportunities.


Corporate Leadership Team/Chief Executive

- Agree Milton Keynes Council's Risk and Business Continuity Management Manual,
adopting overall responsibility for the Council's Risk and Business Continuity
Management.
- Manage and review the Corporate Strategic Risks.
- Review the risk process and risks arising from Service Groups as part of the CLT
Performance Challenge sessions (or other process).
- Monitor key programme and project risks through the Portfolio Office reporting
arrangements.
- Ensure that the Council complies with the Corporate Governance requirements,
including the Annual Governance Statement and the Civil Contingencies Act 2004.
- Ensure that the Council has adequate business continuity plans in place at all levels
where appropriate.
- Take part in annual Business Continuity Rehearsals.
- CLT and core function managers will form a Senior Incident Management Team that
will be convened in the event of a serious incident.
- Ensure risk lessons are understood and disseminated, in regard to difficult issues
that arise.

Audit Committee

- Ensure a robust Risk Management and Business Continuity process is in place
throughout the Council.
- Agree and endorse the Risk Management and Business Continuity Strategic Plan.
- Review and comment on the annual Risk and Business Continuity Report issued by
the Risk and Business Continuity Team.
- Ensure risk lessons are understood and disseminated, in regard to difficult issues
that arise.
- Review Risk Registers for any matters of specific concern.

Programme/Project Managers

- Ensure programme/project risk registers are maintained using GRACE.
- Ensure risks are assessed from the Council's perspective.
- Contact the R&BC team to ensure a consistent approach to risk management from
the onset of a programme/project.

Risk Management & Business Continuity Team


- Support the Council and its services in the effective development, implementation
and review of the Council's Risk Management and Business Continuity processes.
- Proactively promote and communicate risk management and business continuity to
services.
- Undertake risk management and business continuity activity through training,
rehearsals and direct support across the whole organisation.
- Ensure compliance with legislation (Civil Contingencies Act 2004).
- Monitor the effectiveness of the Risk and Business Continuity Strategic Plan.
- Report routinely to CLT and Audit Committee on arising risks (Horizon scanning).


Service Group Leads/Assistant Directors

- Review their risks with Heads of Service.
- Ensure that services complete risk assessments using the agreed methodology.
- Ensure that the GRACE database is kept up to date for their service areas.
- Ensure that Business Continuity Plans for their Services are produced, rehearsed,
maintained and kept up to date.
- Be a member of the Divisional Incident Management Team.

Head of Service

- Ensure staff are aware of their roles and responsibilities in relation to both risk
and business continuity.
- Use risk management to inform outcomes in the Service Planning process.
- Report systematically and promptly to their Assistant Directors any perceived new
risks or opportunities, delayed actions or failings in existing control measures.
- Using the agreed system of alignment with Service Planning, report to their ADs on
the progress of Action Plans/mitigations.
- Update GRACE by reviewing risk owners, scoring, mitigations and action plans.
- Participate in the production, rehearsal and maintenance of Incident Management
and/or Business Continuity Plans for their Services and ensure they are kept up to date.
- Be a member of the Incident Management Team.

Risk and Business Continuity Management Outcomes

7.1 To support the strategic plan, the key objectives for the next 3 years are set out
below to develop the risk maturity level/direction of travel of the organisation. These
outcomes are based on best practice and follow the CIPFA guidelines. The ongoing strategy will always ensure that MKC will fulfil its obligations under the Civil
Contingencies Act 2004.
The outcomes are set out by Level for each year (2011/12, Target End 2011; 2012/13, Target End 2012;
2013/14, Target End 2013).

LEADERSHIP & MANAGEMENT
Do senior management and Members support and promote risk and business continuity management?
2011/12: Quarterly risk reviews with senior management and Audit Committee and Cabinet. Senior
management enforcing the use of risk management as a business tool to ensure informed decision
making. Quarterly review of BC requirements with ADs.
2012/13: Senior management and Members proactively engaged in the management of risks. Risk
becomes a fundamental tool within change management processes. Senior management have full
awareness of Strategic BC plans and respective roles and responsibilities through scenario based
rehearsal.
2013/14: Senior management and Members use risk management to continually improve the services
offered by MKC. Embedded business continuity throughout the organisation.

STRATEGY & POLICY
Are there clear strategies and policies for risk and business continuity?
2011/12: New strategy and policy written and agreed.
2012/13: Strategic Plan and policy reviewed to ensure compliance.
2013/14: Full review of Strategic Plan and policy (what is working and what needs to be
amended/added).

PEOPLE
Are people equipped and supported to manage risk and business continuity well?
2011/12: Establishment of Steering Committee. Training established as requirement for all new staff.
Member training schedule established. E-Learning available. Project Managers training. Senior
management and operational teams to have completed desk-based BC scenario.
2012/13: Steering Committee proactively support the development of R&BC. All relevant employees
have the skills to manage risks to the Council (using GRACE). All Project Managers have attended
training. All Members on Committees or with delegated powers have attended Risk Management
training.
2013/14: Risks managed utilising full functionality within GRACE enabling R&BC team to provide
analytical reports to Senior Management. Training in RM maintained for all Members and established
for all new Members as part of the induction process.

PARTNERSHIP, SHARED RISK & RESOURCES
Are there effective arrangements for managing risks with partners?
2011/12: Liaison with Procurement Team to establish database for all suppliers with details of reliance
from and to MKC. Ensure Mouchel have effective BC plans. Risks arising from partnerships are
assessed.
2012/13: Supply chain resilience established for all suppliers of services to MKC. BC Plans reviewed
with critical suppliers. Establish continual exercising of plans with Mouchel.
2013/14: BC Plans reviewed for all suppliers. BC Plans agreed for critical suppliers to be aligned with
MKC BC requirements and rehearsed as appropriate.

PROCESSES
Does the organisation have effective risk and business continuity management processes to support
the business?
2011/12: Clear processes for R&BC developed. GRACE established as database to record and manage
risks across the Council. Investigate use of potential databases to record and store BC Plans. R&BC
team involved in initial stages of any programme of work or project.
2012/13: All relevant employees to proactively use GRACE to manage risks to MKC. All Committee
Reports include/attach GRACE risk report. Database established and maintained for all BC Plans.
2013/14: All Council activities have entries in GRACE that are regularly reviewed. R&BC team to carry
out cross-cutting analysis of risks. All Committee Reports refer to GRACE database for Members to
review.

RISK HANDLING & ASSURANCE
Are risks handled well and does the organisation have assurance that risk and business continuity
management is delivering successful outcomes and supporting creative risk-taking?
2011/12: Quarterly AD reviews include review of Action Plans for Service Level risks. Quality checks in
place for Corporate Dashboard Projects and Service Planning. BC Plans are reviewed. R&BC team to
be involved with OTP Board to consider risks through transformation and resultant service continuity
issues (dependency mapping).
2012/13: Provide assurance that risks are being adequately managed and resilience is in place (in line
with best practice). Quarterly report to CLT moves from the process of RM to the effectiveness of the
Action Plans and Risk Mitigations. BC Report on the resilience of plans.
2013/14: Council moves from being a risk averse organisation to one that is risk aware. Information
obtained from GRACE provides a database of measures that can be used to generate risk mitigations.
BC Plans are rehearsed and improved taking into account dependencies.

OUTCOMES & DELIVERY
Does risk and business continuity management contribute to achieving outcomes?
2011/12: Quality checks in place for Corporate Dashboard Projects and Service Planning. RM becomes
part of all Cabinet and Committee reports. Services to be aware of what they require for continuity of
service.
2012/13: RM integral to the decision making process. BC Plans allow for services to have confidence
in continuity of service.
2013/14: Effective risk management encourages achievement of Corporate Objectives.

7.2 Budget
7.2.1 There is no specifically allocated budget for the promotion, training or
development of Risk Management & Business Continuity. However, it has been
agreed that any savings made on the Council's insurance covers will be used to:


- Fund the Risk and Business Continuity Team to provide training to staff
across the organisation
- Promote Business Continuity Planning and resilience to the wider business
community, to comply with the Council's legal duties under the Civil
Contingencies Act 2004 (via the Milton Keynes Business Resilience
Forum)


- Publicise the Risk and Business Continuity newsletter (Risk & Reward)
- Upgrade the Risk Management Software system (GRACE)
- Purchase/develop any new software that may be necessary to
create robust business continuity plans
- Ensure that the Risk and Business Continuity Team receive an adequate
level of training and development in order to ensure their levels of
professionalism are kept up to date.

7.3 Quality Assurance


7.3.1 Governance is the system by which the Council controls its functions and
relates to the community. The Risk Management and Business Continuity
Strategic Plan forms part of the Council's Corporate Governance arrangements.
7.3.2 In order to ensure the performance of Risk Management and Business Continuity
the following measures will be taken:
- Quarterly review of the risk register by the Corporate Leadership Team.
- Annual end of year Report to the Audit Committee, including progress
made in the previous twelve months and action plans for the forthcoming
twelve months.
- Regular (at least every two years) audit of the process and data.
- Regular (at least every two years) benchmarking against other similar local
authorities.

7.4 Review
7.4.1 It is recognised that Risk Management and Business Continuity processes need
to be constantly reviewed. As Local Government changes in ways both known and
yet to become apparent, Risk Management and Business Continuity will
become an increasingly complex and essential element of a successful
organisation. The Risk Management and Business Continuity Policy & Strategic
Plan will be reviewed on an annual basis to ensure that it still meets the
requirements of the Council.

Equalities Impact Assessment


Decision Title: Risk & Business Continuity Management Strategic Plan
Author: John Pettitt
Date: 1st July 2011

a) Is this a key decision as defined by the Forward Plan (a major planning decision or
one that affects a sizeable number of staff)? (Significant)   Yes / No
   By sizeable we mean a decision that is a general change for all staff even if it affects
   only some, a decision that would affect over 50 people or a decision that is specifically
   about a protected characteristic.

b) Does the decision affect people with one or more of the equality protected
characteristics? (Relevant)   Yes / No
   Protected Characteristics are: Age, Disability, Gender Reassignment, Pregnancy and
   Maternity, Race, Religion and Belief, Gender, and/or Sexual Orientation. Locally we have
   added Deprived / Socio Economic Disadvantage Groups.

Glossary of Terms - Business Continuity

Business Continuity (BC)
The strategic, tactical and operational capability of the Council to plan for and respond to incidents and
business disruptions in order to continue service/operations.

Business Continuity Plan (BCP)
A documented collection of procedures and information that is developed, compiled and maintained in
readiness for use in an incident to enable the Council to continue to deliver its critical services at an
acceptable level.

Business Continuity Management
The holistic management process that identifies potential threats to the Council and the impacts to
operations that those threats, if realised, might cause, and which provides a framework for building
organisational resilience with the capability for an effective response that safeguards the interests of its
key stakeholders, reputation, brand and services.

Business Continuity Management System
Part of the overall management system that implements, operates, monitors, reviews, maintains, and
improves business continuity. (Risk & Business Continuity Team)

Business Impact Analysis
The process of analysing business functions and the effect that a business disruption might have upon
them.

Critical Activities
Those activities which have to be performed to deliver the key services and which enable the Council to
meet the most important and time sensitive objectives.

Emergency Planning
Development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other
actions in the event of civil emergency. (Emergency Planning Unit)

Exercise
Rehearse the roles of team members and staff, and test the recovery or continuity of the Council's
systems (e.g. technology, telephony, administration) to demonstrate business continuity competence and
capability.

Incident
An event and/or perception that has the capacity to lead to loss of or a disruption to the Council's
operations, services or functions which, if not managed, can escalate into an emergency, crisis or
disaster.

Incident Management Plan (IMP)
A clearly defined and documented plan of action for use at the time of an incident, typically covering the
key personnel, resource, services and actions needed to implement the incident management process.

Resilience
The ability of the Council to resist being affected by an incident.

Stakeholder
Individual or group having an interest in the performance or success of the Council, e.g. citizens of Milton
Keynes, partners, employees, members, government and regulators.


Glossary of Terms - Risk Management

Action Plan
A forward plan of specific actions (new controls) planned to further reduce the residual risk score.

Control
Measure that is in place now, and working, to minimise the risk and reduce the residual risk score.

Control Strategic Plan
Approach that you are taking to the management of a particular risk, i.e. Treat Threat / Tolerate Threat /
Transfer Threat / Terminate Threat / Seek Opportunity / Ignore Opportunity.

GRACE
Governance, Risk And Control Evaluation software used by the Council to record, manage and report on
all risk registers.

Horizon Scanning
Systematic examination of potential threats, opportunities and likely future developments which are at the
margins of current thinking and planning.

Opportunity
An uncertain event that could have a favourable impact on objectives or benefits.

Potential Consequence
Outcomes that may occur if a risk were to be realised.

Raw Risk Score
A worst case scenario score for a risk, assuming no controls are in place.

Residual Risk Score
The level of risk still remaining after active controls have been implemented.

Risk
An uncertain event or set of events which, should it occur, will have an effect on the achievement of
objectives.[3]

Risk Management
Systematic application of principles, approach and processes to the tasks of identifying and assessing
risks, and then planning and implementing risk responses.[4]

Risk Owner
Individual responsible for the management and control of all aspects of individual risks, including the
implementation of the controls taken in respect of each risk.

Risk Register
A record of all identified risks relating to an initiative, including their status and history. See GRACE.

Risk Review
Regular monitoring and update of individual risks, recorded formally on GRACE.

Threat
An uncertain event that could have a negative impact on objectives or benefits.

Trigger
Possible causes for a risk.

Vulnerability (Likelihood)
An assessment of the current situation as to how probable you believe it is that the risk will occur.

[3] Office of Government Commerce (OGC), Management of Risk (M_o_R) Guidance For Practitioners, 2007
[4] OGC, M_o_R Guidance For Practitioners, 2007
