Risk Management
& Business
Continuity
Manual
2011 - 2014
Page 1 of 14
Contents
- Purpose
- Introduction
- Risk Appetite
- Glossary of Terms (page 12)
- Budget (page 13)
- Quality Assurance (page 13)
- Review (page 13)
- Addendums
Draft V.10
Purpose
1.1 This is the Milton Keynes Council Risk Management and Business Continuity Manual Plan 2011-2014. It sets out the processes that the Council has in place to ensure the effectiveness of risk management and business continuity across the Council at a time of increasing pressure on budgets and performance.
1.2 Effective Risk Management and Business Continuity will allow us to:
- Ensure the Council is resilient and has plans in place to ensure continuity of service(s)
1.3 Ultimately, effective risk management and business continuity form an important element of good business management and service provision and will ensure that the Council maximises its opportunities and minimises the impact of the risks it faces, thereby improving its ability to deliver its priorities and ultimately improve outcomes for residents.
1.4 The Council recognises the need to improve the resilience of the organisation against known and perceived threats, risks and disruption arising from both planned and unplanned events, and it does this by employing the expertise within the Risk and Business Continuity Team. This team oversees the management of the process to ensure Risk and Business Continuity is embedded into the culture of the organisation.
1.5 The Corporate Leadership Team and senior management have the responsibility to ensure that Milton Keynes Council manages its risks and is protected in the event that a disruption occurs which may have a detrimental effect on its services. Everybody has a responsibility for both Risk and Business Continuity Management.
Introduction
Risk Appetite
3.1 Risk Appetite refers to the Council's unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable. The Council's risk tolerance threshold has been agreed by the Corporate Leadership Team (CLT) and is set out below in Figure 1:
[Figure 1: risk matrix plotted as Likelihood against Consequence, with the region above the tolerance line marked "Report".]
Figure 1 MKC Risk Tolerance Threshold
Figure 1 illustrates that any threat which scores residually [1] above a 10 should be specifically managed, monitored and reported (see the section on Reporting for details) and further action taken to manage the threat down to [2] an acceptable level.
[1] A residual score takes into account active controls, i.e. it is the level of risk still remaining after mitigating action has been implemented.
[2] Programmes and Projects may choose a different risk appetite.
3.2 An established Risk Appetite enables the Council to prioritise risk management
action by focussing response planning, monitoring and control activities on the risks
that are deemed highest.
3.3 It is recognised that the Council might be prepared to accept a higher than usual
proportion of risk in one area if the balance of risk is acceptable, and if the potential
benefits are great. Risk Appetite can therefore be varied for specific risks.
3.4 It should be noted that some risks are unavoidable and it is not within the ability of
the organisation to completely manage them to a tolerable level - for example many
organisations have to accept that there is a risk arising from terrorist activity which
they cannot control. In these cases the Council has made Business Continuity
Plans to alleviate these associated pressures.
3.5 The risk appetite will be monitored by the Risk and Business Continuity Team and
will be formally reviewed in conjunction with the Risk and Business Continuity
Steering Group alongside the review of this Strategic Plan.
- Risk Owners will review their risks in GRACE (both Service and Project) to an agreed quarterly timetable aligned to the CLT Challenge sessions.
- A member of the Risk and Business Continuity Team will meet with every Assistant Director at least once per quarter to review each Service Group's key risks. Assistant Directors will be required to review the risks above the agreed Risk Tolerance Threshold at service, team and project level, taking action on any risks which require attention. Assistant Directors will identify the top risks to be submitted to the Challenge sessions for each Service Group, including any risks requiring escalation to CLT.
- Service Group risks will be sent to the relevant Director and presented to the next CLT Challenge session.
- The CLT Challenge session will review the Service Group risks.
- CLT will review the Strategic Risks and a summary of all Service Group risks every quarter following that quarter's CLT Performance Challenge sessions.
- The Risk and Business Continuity Team will highlight any common themes appearing across the Council and any key gaps in risk assessments.
5.1 The effective management of risk and business continuity is an essential part of
Service Planning and Performance Management. As such the Corporate
Leadership Team have agreed a method of aligning the Risk Management and
Business Continuity processes to the Service Planning Process. This is set out
below in Figure 2.
Figure 2 Alignment of Risk Management to Service Planning
[Figure 2: two aligned columns. Risk Management: Corporate Strategic Risk; Service Group Top Risks; Operational Risks; Business Continuity Planning. Service Planning: Council Plan / Corporate Plan; Service Group Plan; Team Plan; Operational Plan.]
5.2 Risks at each Service Planning level should be adequately assessed and recorded
in GRACE, with a report from GRACE to be appended to the relevant Service Plan.
5.3 This alignment produces an embedded Risk and Business Continuity Management
structure across all levels of the Council that is considered and reviewed at the
same time as the Service Plans, during appraisals, one to one reviews and team
meetings.
5.4 This requires Services to ensure that their risks, both threats and opportunities, are
regularly reviewed and that this review is documented in GRACE.
6.1 Everyone in the Council should have an awareness of Risk and Business
Continuity Management. We all need to be aware of the roles and responsibilities in
identifying and managing risks and responding to business continuity incidents.
6.2 Clear identification of roles and responsibilities will ensure the successful adoption
of Risk and Business Continuity Management and demonstrates that these two
services are embedded into the culture of the Council enabling the organisation to
be risk aware and resilient.
Cabinet
- Appoint a Member to gain understanding and promote Risk and Business Continuity Management and their benefits throughout the Council.
- Ensure that decisions taken in Cabinet Reports have been adequately reviewed for risks, both threats and opportunities.
- Agree Milton Keynes Council's Risk and Business Continuity Management Manual, adopting overall responsibility for the Council's Risk and Business Continuity Management.
- Manage and review the Corporate Strategic Risks.
- Review the risk process and risks arising from Service Groups as part of the CLT Performance Challenge sessions (or other process).
- Monitor key programme and project risks through the Portfolio Office reporting arrangements.
- Ensure that the Council complies with the Corporate Governance requirements, including the Annual Governance Statement and the Civil Contingencies Act 2004.
- Ensure that the Council has adequate business continuity plans in place at all levels where appropriate.
- Take part in annual Business Continuity Rehearsals.
- CLT and core function managers will form a Senior Incident Management Team that will be convened in the event of a serious incident.
- Ensure risk lessons are understood and disseminated, in regard to difficult issues that arise.
Audit Committee
Programme/Project Managers
- Support the Council and its services in the effective development, implementation and review of the Council's Risk Management and Business Continuity processes.
- Proactively promote and communicate risk management and business continuity to services.
- Undertake risk management and business continuity activity through training, rehearsals and direct support across the whole organisation.
- Ensure compliance with legislation (Civil Contingencies Act 2004).
- Monitor the effectiveness of the Risk and Business Continuity Strategic Plan.
- Report routinely to CLT and Audit Committee on arising risks (Horizon scanning).
Head of Service
- Ensure staff are aware of their roles and responsibilities in relation to both risk and business continuity.
- Use risk management to inform outcomes in the Service Planning process.
- Report systematically and promptly to their Assistant Directors any perceived new risks or opportunities, delayed actions or failings in existing control measures.
- Using the agreed system of alignment with Service Planning, report to their ADs on the progress of Action Plans/mitigations.
- Update GRACE by reviewing risk owners, scoring, mitigations and action plans.
- Participate in the production, rehearsal and maintenance of Incident Management and/or Business Continuity Plans for their Services, ensuring they are up-to-date.
- Be a member of the Incident Management Team.
7.1 To support the strategic plan, the key objectives for the next 3 years are set out
below to develop the risk maturity level/direction of travel of the organisation. These
outcomes are based on best practice and follow the CIPFA guidelines. The ongoing strategy will always ensure that MKC will fulfil its obligations under the Civil
Contingencies Act 2004.
[Table: risk maturity matrix with columns Level, 2011/12, 2012/13, 2013/14. The year assignments of the target statements were lost in extraction; rows and targets are listed separately below.]
Levels:
- STRATEGY & POLICY: Are there clear strategies and policies for risk and business continuity?
- PEOPLE: Are people equipped and supported to
- LEADERSHIP & MANAGEMENT: Do senior management and Members support and promote risk and business continuity management?
- PARTNERSHIP, SHARED RISK & RESOURCES: Are there effective arrangements for managing risks with partners?
- PROCESSES: Does the organisation have effective risk and business continuity management processes to support the business?
- OUTCOMES & DELIVERY: Does risk and business continuity management contribute to achieving outcomes?
Targets recorded in the matrix:
- Establishment of Steering Committee.
- Training established as requirement for all new staff.
- Steering Committee proactively support the development of R&BC.
- All relevant employees
- Senior Management.
- Training in RM maintained for all Members and established for all new Members as part of the induction process.
- RM integral to the decision making process.
- BC Plans allow for services to have confidence in continuity of service.
7.2 Budget
7.2.1 There is no specifically allocated budget for the promotion, training or development of Risk Management & Business Continuity. However, it has been agreed that any savings made on the Council's insurance covers will be used to:
- Fund the Risk and Business Continuity Team to provide training to staff across the organisation
- Promote Business Continuity Planning and resilience to the wider business community, to comply with the Council's legal duties under the Civil Contingencies Act 2004 (via the Milton Keynes Business Resilience Forum)
- Publicise the Risk and Business Continuity newsletter (Risk & Reward)
- Upgrade the Risk Management Software system (GRACE)
- Purchase/develop any new software that may be necessary to create robust business continuity plans
- Ensure that the Risk and Business Continuity Team receive an adequate level of training and development in order to ensure their levels of professionalism are kept up-to-date.
7.4 Review
7.4.1 It is recognised that Risk Management and Business Continuity processes need to be constantly reviewed. As Local Government changes, in ways both known and yet to become apparent, Risk Management and Business Continuity will become an increasingly complex and essential element of a successful organisation. The Risk Management and Business Continuity Policy & Strategic Plan will be reviewed on an annual basis to ensure that it still meets the requirements of the Council.
Critical Activities: Those activities which have to be performed to deliver the key services and which enable the Council to meet the most important and time-sensitive objectives.
Emergency Planning: Development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of civil emergency. (Emergency Planning Unit)
Exercise: Rehearse the roles of team members and staff, and test the recovery or continuity of the Council's systems (e.g. technology, telephony, administration) to demonstrate business continuity competence and capability.
Incident: An event and/or perception that has the capacity to lead to loss of or a disruption to the Council's operations, services or functions which, if not managed, can escalate into an emergency, crisis or disaster.
Resilience: The ability of the Council to resist being affected by an incident.
Stakeholder: Individual or group having an interest in the performance or success of the Council, e.g. citizens of Milton Keynes, partners, employees, members, government and regulators.
Control: Measure that is in place now, and working, to minimise the risk and reduce the residual risk score.
GRACE: Governance, Risk And Control Evaluation software used by the Council to record, manage and report on all risk registers.
Horizon Scanning: Systematic examination of potential threats, opportunities and likely future developments which are at the margins of current thinking and planning.
Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.
Potential Consequence: Outcomes that may occur if a risk were to be realised.
Risk: An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. [3]
Risk Management: Systematic application of principles, approach and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. [4]
Risk Owner: Individual responsible for the management and control of all aspects of individual risks, including the implementation of the controls taken in respect of each risk.
Risk Register: A record of all identified risks relating to an initiative, including their status and history. See GRACE.
Risk Review: Regular monitoring and update of individual risks, recorded formally on GRACE.
Threat: An uncertain event that could have a negative impact on objectives or benefits.
Trigger: Possible causes for a risk.
Vulnerability (Likelihood): An assessment of the current situation as to how probable you believe it is that the risk will occur.
[3] Office of Government Commerce (OGC), Management of Risk (M_o_R) Guidance For Practitioners, 2007
[4] OGC, M_o_R Guidance For Practitioners, 2007