Risk Management E-learning Module Welcome to the City & County of Swansea's e-learning module for Risk Management. This course enables you to better understand what risk management is and how it is implemented throughout the Council. There are many good reasons to choose to study by elearning. You can learn at you own pace, you will not be ruled by time constraints, you can stop and start as you wish and you can learn almost anywhere (as long as you have a PC/laptop).
What I need to do Work your way through each part of the course by reading the content on each page then clicking the red arrow at the bottom of the page to move forward. It should not take more than 45 minutes to complete. The structure of the course is as follows: • What is a Risk? • Why Risk Management? • Difference between Risks & Issues? • Types of Risks • Risk Responsibilities • Corporate Risk Management Cycle • Risks within Projects Throughout you will find some questions to help check your knowledge and make the course interactive. Your answers are not recorded or shared with anyone else. However, on every page of the module you have the opportunity to provide feedback to ensure we are providing users with the most up-to-date and relevant information. This learning aims to help managers, members and employees at all levels apply risk management principles consistently across their area of responsibility. Clear identification and assessment of risks will lead to more effective use of resources and direct improvements to the services we provide to our customers, as well as improving corporate governance and performance. Before you start, grab a pen and paper to write some answers down. Good Luck City & County of Swansea User.
What is a Risk?
Let's start by identifying what is a risk?
In simple terms, it's anything that might arise that will stop us from achieving something. We all come across risk in our personal lives but probably without thinking about it! When you travelled to work this morning, did you think about the risks involved? No! Not consciously. But hopefully this e-learning module will help you consider and manage risks! What ever you do on a day-to-day basis, there will probably be a risk attached to it. REMEMBER: it’s the risk you've not seen coming that are the worst ones. So, in the context of the City & County of Swansea, what is the definition of a risk? Bear in mind that risks may not always be negative due to the fact avoiding risks may sometimes mean missing opportunities. Here is the Councils' definition: "Risk is an event, action, or lack of action that could adversely affect the Council's ability to achieve objectives and to successfully execute its strategies. Risk arises as much from failing to capture opportunities whilst pursuing business objectives as it does from a threat that something bad will happen". Your Responsibility The Council recognises that all staff have a responsibility to manage risks effectively in order to reduce uncertainty in achieving goals and objectives and to benefit from opportunities. As a Council, we need to ensure risk management has been integrated successfully, has the necessary support, is addressed in an appropriate way and is successful. All staff need to accept the culture and the change that goes with risk management for it to embed into the Council. REMEMBER: Risk Management is Good Management Now use your computer mouse to click the arrow and move on. Be aware of any risks around this! There could be a threat from hitting your cup of coffee over!!!!
Why Risk Management?
Let's face it, business is risky. Every organisation has its own unique set of risks to assess.
There's the risk of delays in service delivery, the risk of poorly maintained plant and equipment, financial risks and then there is the risk of failure with regard to health and safety. Overlook these and the consequences are severe, ranging from fines through to job losses. We simply can't afford to make a mistake. Risk management within the Council is essential because certain information about the business is often unknown. Potential risks that can be identified as early as possible have a better chance of being assessed and managed before it impacts our services. Thus, a good risk management process is proactive in nature, and is fundamentally different than crisis management (or problem solving), which is reactive. Risk management is an important skill that can be applied to a wide variety of services. In an era of downsizing, consolidation, shrinking budgets, increasing technology and shorter development times, risk management can provide valuable insights to help key service personnel plan for risks. What is Risk Management? The term 'risk management' incorporates all the activities required to identify and control the exposure to risk which may have an impact on the achievement of the City & County of Swansea's business objectives. Risk assessment seeks to answer four simple related questions: 1. 2. 3. 4.
What can go wrong? How bad could it be? Is there a need for action? How often does it need control?
It is not usually possible to eliminate all risks but staff have a duty to protect the Council as far as reasonably practical. Competent risk management requires a special kind of foresight - you need to be able to see the unseen, expect the unexpected and predict the unpredictable.
Difference between Risks & Issues
As we mentioned at the beginning of the tutorial, in simple terms, a risk is anything that might arise that will stop us from achieving something.
So, what if this potential threat becomes an active problem requiring to be dealt with now. Is it still a risk? Well, if this risk has not been managed properly or nothing could have been done to stop it and it has impacted the Council, it is now an issue. The best way to remember the difference is that: • •
Risks MAY occur and you can put controls in to stop it happening. Issues HAVE occurred and can't be stopped so decisions must be made.
Another working definition that has been mentioned recently is "if you can smell it, it's a risk. If you're in it, it's an issue" Think about it!! Anyway, here's a little test to ensure you understand the difference. Pen and paper ready! Read the following 9 statements and decide if they are risks or issues! 1. Part of the funding had to be withdrawn from the Project today; 2. Insufficient resources available to undertake office tasks; 3. There is a danger that the IT system will not be implemented on time; 4. If the tender comes in over price, the Project may have to be reviewed; 5. Weather forecast next week is likely to affect the grass cutting; 6. The Directors secretary has left the Council. She needs to be replaced; 7. The Contractors have not turned up for work for the past three days; 8. If in-house IT services are outsourced, there could be possible strikes; 9. The Team Leader has lost the trust of his Head of Service. Just in case you are struggling, here's one answer for you! When you've finished, click the arrow to get all the answers. Hope you are making an effort to join in!! 1. It's an Issue.
Test Answers - Difference between Risks & Issues
Here's the answers people!! I've got a feeling you've done well! 1. Part of the funding had to be withdrawn from the Project today - Issue 2. Insufficient resources available to undertake office tasks - Issue 3. There is a danger that the IT system will not be implemented on time - Risk 4. If the tender comes in over price, the Project may have to be reviewed - Risk 5. Weather forecast next week is likely to affect the grass cutting - Risk 6. The Directors secretary has left the Council. She needs to be replaced - Issue 7. The Contractors have not turned up for work for the past three days - Issue 8. If in-house IT services are outsourced, there could be possible strikes - Risk 9. The Team Leader has lost the trust of his Head of Service – Issue That was Easy Peasy Lemon Squeezy. You've completed 20% of the e-learning already! Now move on to read about the different types of risks and who is responsible. Click the arrow!
Types of Risks
There are many different types of risk that must be controlled throughout the Council to ensure an effective risk management framework is in place. Risk management should be most applied where critical decisions are being made. Decisions about risk vary depending on whether they relate to long, medium or short term goals as follows: Corporate Risks (Strategic - Long term goals)
Risks associated with strategic direction may not become apparent until well into the future so they need to be reviewed on a regular basis as these decisions are usually concerned with long term goals. Risks that have a potential impact on the Council as a whole are documented and managed via a Corporate Risk Register. This is reviewed by the Corporate Management Team (CMT) every six months to ensure the business is aligned and responsive to the marketplace. A Strategic Risk Group is in place to ensure corporate risks are responded too and they will drive the implementation of the risk management framework throughout the Council. This group is made up from members of the various areas of the Council where risk plays a fundamental part in their daily work. Programme and Project Risk (Medium term goals) Medium term goals are usually addressed through Programmes and Projects that bring about business change. Decisions on these need to be undertaken more frequently than strategic risks especially in relation to time and cost. If they stand any chance of being successful, Programme/Project Managers (these are the people who lead and manage Programmes and Projects on a day-to-day basis) are expected to create and maintain a Risk Tracker to ensure all risks are identified, controlled and responded too. They are responsible for implementing and embedding the risk management framework, reporting risks and escalating risks above their agreed tolerance levels to senior management. Directorate Risks (Operational - Short term goals) At this level, the emphasis is on short term goals to ensure ongoing continuity of our services. However, decisions on risks at this level must support medium and long term goals. Risks that have a potential impact on a Directorate (day to day) will be documented and managed via a Directorate Risk Register. This will be frequently monitored at
Departmental Management Teams (DMT) and by Performance & Financial Monitoring (PFM). A Risk Co-ordinator for every Directorate will be in place to ensure risks are responded too and they will drive the implementation of the risk management framework (a list of Risk Co-ordinators can be found at the end of this e-learning tool). Some work should have already taken place with regards to identifying risks within a service through the completion of service plans. This is a document that states the key work that the service will undertake for that year. NOTE: All these Risk Registers are live databases that are storing the most significant Strategic and Directorate risks of our Council, helping us to assess, control, manage and eliminate risks of any type. These databases are accessible to only authorised users and accessed via the web. Health & Safety Risks There is an obligation contained in the Health and Safety at Work Act 1974 to ensure so far as reasonably practicable the health, safety and welfare of our employees and others who may be affected by our undertakings. There is also a formal duty to undertake risk assessments as required under the Management of Health and Safety at Work Regulations 1999. The City & County of Swansea Health and Safety Policy, underwrites our commitment to these responsibilities and duties that we each have to deliver. The methods and arrangements that are put in place to ensure that hazards and risks are identified, evaluated and sensibly controlled to a reasonable practicable level follows a similar format to business risk management. However, this is primary legislation that may need specific information, instruction, training and support to ensure we are complying with our Health and Safety Policy. If you require further help and advice contact Corporate Health and Safety. Getting an idea how BIG risk management is within the Council. Keep reading Keep learning!!
Test – Identifying Risks
Who do you think is responsible for identifying risks?
From the following list of staff, who do you think has a duty to identify risks within the City & County of Swansea. Chief Executive? Corporate Directors? Elected Members? Heads of Service? Team Leaders? Office Staff? The Risk Manager? Health & Safety Officers? Programme/Project Managers? The Cleaners? Write your answers down on your piece of paper then move onto the next page for the answer.
Risk Responsibilities
If you wrote down everyone on that list then well done. REMEMBER, we are all responsible to identify risks within and outside our area of work.
Let's take a quick look at some key responsibilities: Chief Executive and Directors • Key champions and overall responsibility for risk management within the Council; • Considers risks associated with key decisions they are required to take; • Review the Corporate Risk Register on a six monthly basis; • Meet monthly as a Strategic Programme Board to view and make decisions on any escalated risks relating to the key Programmes and Projects being undertaken by the Council. Strategic Risk Group • Manage the Corporate Risk Register on behalf of CMT; • Engage with Members in the management of risk process; • Ensure Directorates have a nominated officer who will act as a Risk Co-ordinator; • Ensure appropriate training is undertaken on the process of risk management (Yes. Done this. You're on it!!). Council Officers • Identify opportunities and manage risk effectively in their jobs and report risk management concerns to their line managers; • Report any incidents or 'near misses' to line managers. • Be responsible to identify risks ensuring they are documented on relevant risk registers/trackers/reporting templates. Directorate Risk Co-ordinators • Manage the Directorate Risk Register at DMT/PFM meetings ensuring all key Directorate risks are identified, managed and responded to in a timely and effective manner; • Co-ordinate and advise on risks within their Directorates; • Actively consult with the Strategic Risk Group on a frequent basis. Internal Audit • Use risk registers to inform internal audit planning; • Monitor effectiveness through management assurance; • Consult Heads of Service annually to identify auditable business risks;
• •
Undertake a risk assessment for each service/system; Prepare annual internal statement of control.
Project Manager • Identify initial Project risks when creating the Business Case as part of Starting a Project; • Create a Project Risk Tracker to manage the risks and then continuously manage the document throughout the lifecycle of the Project; • Escalate unresolved risks to a higher authority; • Identify key risks that other Projects can learn from when creating the Lessons Learned Report as part of Closing a Project.
Test – Identifying Responsibilities
Another quick test so get your pen and paper ready. Don't go back to get the answers!!! All you have to do is match the responsibilities with the key roles which you have just read about. Here are 12 responsibilities that must be undertaken within the City & County of Swansea. 1. 2. 3. 4. 5. 6. 7.
Review the Corporate Risk Register on a six monthly basis Report any incidents or 'near misses' to Line Managers Consult Heads of Service annually to identify auditable business risks Identify initial risks when developing a Business Case Co-ordinate and advise on risks within their Directorates Manage the Corporate Risk Register on behalf of CMT Ensure Directorates have a nominated officer who will act as a Risk Coordinator 8. Create a Risk Tracker to manage risks 9. Engage with Members in the management of risk process 10. Key champions and overall responsibility for risk management within the Council 11. Manage the Directorate Risk Register at DMT/PFM meetings 12. Undertake a risk assessment for each service/system Here are the key roles. Now, match them up (in other words, who does what?). (A) Project Manager (B) Strategic Risk Group (C) Council Officers (D) Directorate Risk Co-ordinator (E) Internal Audit (F) Chief Executive and Directors Just in case your are struggling, here's one answer for you! When you've finished, click the arrow to get all the answers. Hope you have made an effort to join in!! 1. Review the Corporate risk register on a six monthly basis - Answer (F)
Test Answers – Identifying Responsibilities
Here's the answers people. Top Marks again? 1. Review the Corporate risk register on a six monthly basis - Answer (F) 2. Report any incidents or 'near misses' to line managers - Answer (C) 3. Consult Heads of Service annually to identify auditable business risks Answer (E) 4. Identify initial risks when developing a Business Case - Answer (A) 5. Co-ordinate and advise on risks within their Directorates - Answer (D) 6. Manage the Corporate Risk Register on behalf of CMT - Answer (B) 7. Ensure Directorates have a nominated officer who will act as a Risk Coordinator - Answer (B) 8. Create a Risk Tracker to manage risks - Answer (A) 9. Engage with Members in the management of risk process - Answer (B) 10. Key champions and overall responsibility for risk management within the Council - Answer (F) 11. Manage the Directorate Risk Register at DMT/PFM meetings - Answer (D) 12. Undertake a risk assessment for each service/system- Answer (E) Here is a reminder of the key roles: (A) Project Manager (B) Strategic Risk Group (C) Council Officers (D) Directorate Risk Co-ordinator (E) Internal Audit (F) Chief Executive and Directors I hope you matched at least 6 of them otherwise you need to go back and read the risk responsibilities page again. All the clever ones that got at least 6 correct, click the arrow to move on!
Risk Management Cycle
Well done, you have completed over 50% of the e-learning so far. The final part takes a look at the Corporate Risk Management Framework that has been set up throughout the Council - the Risk Management Cycle. To ensure there is a consistent approach to risk management within the Council, we have adopted a 'Four Step' Risk Management Cycle that should be promoted and used authority wide.
The aim of the risk cycle is to improve decision making through a better understanding of risks and their likely impact. This will provide a disciplined environment through the application of principles, approach and processes. One of the key tasks and responsibility of key individuals is to manage risks, evaluate their potential consequences and determine the most effective methods of controlling and responding to them. This is when the risk cycle (inset) comes into effect.
The Risk Cycle The four steps within the Risk Cycle are as follows: Step 1 - Risk Identification This is about describing the risk in order to fully understand what the risk is and how it will impact the Council if it is not dealt with. Once identified, all risks are then entered into the relevant Risk Register/Tracker to ensure records are kept and risks are managed. When wording risks, the Council suggests using the "If and Then" statement. The "If" being the risk and the "Then" being the impact if it's not dealt with. Here is an example: "IF the weather continues to be severe THEN the Project will fall behind with progress which could result in spending more money" It is important to ensure when writing a risk that you only describe one risk and you do not entangle other risks within the wording. The clearer the risk is written, the better understanding people will have and the more likely the right decisions are made. Let's move on to Step 2...
Risk management Cycle – Risk Evaluation There are two factors that determine how important a risk is - The chances of it happening (likelihood) and the cost or consequences if it does (impact). Step 2 - Risk Evaluation looks at both of these factors. Within the Council, a RAG (Red, Amber, Green) status is used to evaluate the likelihood and Impact factors and it is important to recognise that each RAG colour represents a particular meaning as follows:
Many Council staff already use the RAG status on various templates as its very visual and easy to use. Time should be taken on each risk to think about it's likelihood and impact and what colour should be used to evaluate its status. Assessing the level of risk against likelihood and impact enables the Council to identify which of the many risks deserve the greatest attention and resource. Countermeasures When evaluating risk, there is a need to identify what is going to be put in place to stop the risk happening. This is called putting in countermeasures. Again, all countermeasures should be detailed in the relevant Risk Registers/Trackers. Communication of risk is vital and all levels of management need to be kept informed of which risks are important and what the measures are. Risk Proximity When considering the risk's likelihood, another aspect that needs to be taken into account is the amount of time you have to stop the risk before it impacts the Council. This prediction is called the risk's proximity. Some risks will be predicted to be further away than others and so attention should be focused on the more immediate ones first. NB: It is very important that the proximity of each risk is stated so dates can be continuously monitored.
Risk Matrix When evaluating the likelihood and impact of risks through meetings, workshops or as an individual, the risk matrix (inset) can be used to help plot the risks.
This is a simple mechanism to increase visibility of risks and assist management decision making. It is a graphical representation of information, found on a tab within the risk tracker template. Risks should be plotted onto the matrix in terms of their impact and likelihood.
Happy to move forward? Let's view Step 3 and 4...
Risk Management Cycle - Risk Response & Control Once risks have been identified and adequate control measure assessed, decisions need to be taken on how to respond to specific risks by taking action to improve the outcome.
Step 3. Risk Response will help this process. Possible responses to risk should include one of the four T's as follows: Transfer - Transferring some aspects of risk is a recognised method either by paying a third party to take it on or if available, an insurance policy. Tolerate - Perhaps nothing can be done at a reasonable cost to stop the risk, although, ideally, the risk should be monitored by using the relevant Risk Register/Tracker template to ensure it remains acceptable. Treat - Treating the risk – take action to control it in some way by applying containment of contingent actions. Within this categorisation: • •
Containment actions are those which lessen the likelihood of the risk or the consequences, and are applied before the risk materialises. Contingent actions are those which are put into place after the outcome from the risk has happened (therefore becoming an issue needing quick decisions). Here the focus is on reducing the impact of the risk. These actions can be pre-planned so that people know what to do in advance.
Terminate - By doing things differently and thus removing the risk, where it is either feasible or practical to do so. 4 Step - Risk Monitoring & Control This final step is all about making sure the risks are continually monitored and controlled so regular tracking is required to ensure the effectiveness of all the actions taken. That's it really. Four simple steps to ensure all risks within the Council are adequately identified, evaluated, responded too and controlled. Ready for another test? Let's move on!
Test – Risk Management Cycle Here is a quick test on the information you have just read on the Risk Management Cycle. Get your pen and paper ready!
Q1. What are the four steps of the risk management cycle? Q2. What is the standard statement used within the Council to identify risks? Q3. Give an example of a risk within your work area using the statement mentioned above. Q4. When a Project risk is identified, what Council template is used to document it? Q5. When evaluating risks, there are two factors that determine how important a risk is. What are they? Q6 What method is used to evaluate these two factors? Q7 What does the word countermeasures mean in risk terms? Q8 What does the word proximity mean in risk terms? Q9 When responding to risks, the 4 T's method is used. What are the 4T's and their meanings? Click the arrow to get all the answers. Hope you are still making an effort to join in!! Is there a risk of you falling asleep yet?
Test Answers – Risk Management Cycle Here are the answers people. I'll be "well impressed" if you got all these right (There may be a risk to the Council regarding losing you and your skills!) Q1. What are the four steps of the risk management cycle? Answer: Risk identification, Risk Evaluation, Risk Response & Risk Monitoring and Control Q2. What is the standard statement used within the Council to identify risks? Answer: "IF and THEN" statement Q3. Give an example of a risk within your work area using the statement mentioned above. Answer: IF we don't have a standard risk management process within the Council THEN our auditors will provide a negative report to management. Q4. When a Project risk is identified, what Council template is used to document it? Answer: Risk Tracker Q5. When evaluating risks, there are two factors that determine how important a risk is. What are they? Answer: Likelihood & Impact Q6 What method is used to evaluate these two factors mentioned above? Answer: RAG Status Q7 What does the word countermeasures mean in risk terms? Answer: It's what is going to be put in place to stop the risk happening Q8 What does the word Proximity mean in risk terms? Answer: It's the amount of time you have to stop the risk before it impacts the Council Q9 When responding to risks, the 4 T's method is used. What are the 4T's and their meanings? Answer: - Transfer (transferring the risk to another party to deal with) - Tolerate (can't do nothing to stop the risk happening) - Treat (put some actions in place to control the risk) - Terminate (do something different to remove the risk) You have now completed 90% of the e-learning so keep going to the end!!
Risks within Projects
There are many Projects undertaken within the Council and a fundamental element of good Project Management is identifying risks. The Project Manager
The Project Manager is the person who leads and manages a Project on a day-to-day basis and part of his/her work is to manage the risk that the Project brings. There is always likely to be some difference between what is expected and what eventually happens when delivering Projects because of the risks and uncertainties that materialise. As a result, potential risk should be identified as soon as possible. Just think how many risks the Liberty Stadium Project had (inset). Business Case Risks are first identified right at the very beginning of a Project through the completion of a Business Case (this template is used to identify what the Project is going to produce ensuring that it is the right sort of investment, affordable, and value for money). This is to inform management of the potential risks the Project may bring before commitment is given to proceed. Risk Tracker The Project Manager will then create a Risk Tracker to document and manage all Project risks. He/she will use this template on a day-to-day basis to help manage and make decisions on risks. The Project Manager will normally suggest "Owners" for each risk and these should be the person best situated to keep and eye on the risk ensuring that they clearly understand their role, responsibility and accountability with regard to the management of the risk. The Project Manager has the job of keeping a watching brief over all risks and checking that the defined actions/monitoring are taking place and are effective. Project Board This Board (made up of staff at Management status) are the key decision making bodies of a Project and any "High Level" decisions within the Project will have to be made by them. On a monthly basis, the Board is kept up-to-date with Project progress via the completion of a Highlight Report by the Project Manager. Within this report, the Project Manager will detail any risks that needs a decision made on (which he/she can't make) or they are just being sent for information purposes. Project Teams
To ensure the Project Manager gets a true reflection of Project progress to create the Highlight report, he/she will ask each of their teams (who do the actual project work) to complete a Checkpoint Report. Within this report will be any new risks or changes to old ones. Closing Risks When an entry in the relevant risk tracker is no longer considered a threat to the Project, the risk will be closed. The risk tracker will be updated accordingly with sufficient detail on the reasoning behind the closure. NOTE: The entry in the tracker will not be physically removed (for audit and historic purposes) but greyed out and hidden if required. Guess what! It's nearly the end, move on to the final page! wipeeeeeee.
And Finally‌ Thanks very much for staying with us and completing this e-learning module for risk management. We hope you have found it interesting and have an understanding of why it is important to undertake risk management within the Council. We would love to get some feedback from yourselves regarding this e-learning module so please click the Feedback link and complete the online form. At least send us your name so we can update our records with the names of staff who have undertaken the elearning process. As you see from the downloads on the right hand side of the screen, further information is available to read regarding risk within the Council. You can also visit our Risk Management website: http://staffnet/risk management Here is a list of the various Risk Co-ordinators within the Council nominated by the relevant Directorates. Click on their names if you would like to e-mail them. Name
Directorate Name
Contact Number
Alison Lewis
Environment
6974
Michael Powney
Resources
6796
Julie Sheppard
Education
7178
Sue Reed
Regeneration & Housing
5415
Katrina Guntrip
Social Services
6659
Strategic Risk Group Here are the staff who make up the Strategic Risk Group. Click on their names if you would like to e-mail them. Name
Job Title
Contact Number
Jeremy Stephens
Head of Performance & Strategic Projects
6849
Paul Thomas
Resilience Manager
7420
Len Amos
Strategic Programme Office Manager
6131
Richard Rowlands
Performance Manager
7570
Paul Beynon
Chief Auditor
6463
Michael Powney
Process Quality Manager
6796
Once again, thanks for your time. If you know of any members of staff who have not got access to a PC and would like to view this information, download this E-learning tool from the right hand side of the screen and pass them a hard copy. Remember to assess all the risk when cooking your tea tonight! If you are like me the risk is: IF the chip shop is shut down THEN my kids will starve as I can't cook!
Happy Days!!!