3. How we identify risks
The majority of risks are identified at the annual service planning days where barriers to specific business objectives can easily be recognised. All staff have a duty to report emerging risks to their managers or heads of service at any time. Risks can raise and be identified when the following events occur:
- internal or external processes change
- staff/councillors leave and or restructuring takes place
- partners change or restructure
- legislation is revised or introduced
- the social and or economic climate alters
- an incident occurs
To help in the risk identification process a range of the most common risk assessment techniques are set out below. These can be used as part of the service planning process or when an event as outlined above occurs.
Questionnaires and checklists
Individually designed questionnaires and check lists to collect information to assist with the recognition of the significant risks
Workshops and brainstorming
Collection and sharing of ideas and discussion around the events that could impact on the objectives
Audit and inspection reports
To understand and check that processes and procedures are in place and working
Flowcharts and dependency analysis
Analysis of processes and operations with the organisation to identify critical components that are key to success
SWOT and PESTLE analyses
Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition
The following are areas of risk which have to be assessed by directors, heads and corporate managers.
- Fraud, theft or corruption – including, falsification of records, misuse of resources (including computer hardware/ software) and a criminal act falling within the Fraud Act (for example, false representation, failure to disclose information, abuse of position)
- Non- compliance with statutory requirements or legislation – including, unawareness of legislative requirements and ignoring legislative requirements
- Non- compliance with council policy or procedures – including, breaches to financial regulations or contract standing orders, non-compliance with council policies including the council’s code of conduct for staff and councillors and failure to follow manuals, procedures and guides
- Change management – including, new council initiatives and/or new ways of working changes to existing policies or new policies
- Disclosure of sensitive information – including, council ‘not for publication’ matters made public, failure to dispose of confidential waste appropriately, external/ internal attack on computer hardware/ software and errors or omissions affecting externally published material
- Insufficient resources – including, absence or sickness, unfilled vacancies, deficient or lack or computer resources, insufficient funding, recruitment and retention difficulties
- Poor performance management – including failure to measure or meet externally set performance targets, failure to meet internally set performance targets, failure to benchmark costs and performance and failure to set achievable goals and targets.
We have two categories of risk - strategic and operational (see section 2 for a definition of these). There is a relationship between the two classes of risk which means that the cumulative effect of the unsuccessful management of operational risks will eventually represent a strategic risk. For example, the failure of a number of key services or the significant loss of resources.
Expressing the risks as a statement is often harder than it first seems. It may require rethinking some basic assumptions about a situation and re-evaluating the elements that are most important. For example “lack of staff” is not in itself the complete risk but a consequence of another action. Try to identify the root cause, ask, “why is there a lack of staff” and develop it into a risk that expresses how the issue will impact upon achievement of our strategic objectives.
When writing a risk description, try to include these three parts: event – consequence – impact. This will ensure that the focus, there therefore the action, is placed on the event.
For example:
The lack of performance information, public consultation and forward planning, leads to a fragmented approach to service development and our ability to meet recycling targets by 2011 might not be achieved, resulting in financial penalties to the Council.