Policy Risk management policy


5. How we manage the risk

Having identified a risk and assessed its impact and probability, the next step in the process is to develop actions to manage the risk. These are referred to as ‘control actions’. Controls are intended to help in mitigating either the impact or likelihood of the risk.

An example of a control action follows: 

Risk title

  • Failure to adequately anticipate or respond to a major health or environmental incident

Example of a control action to mitigate the risk

  • Effective local plan for emergencies - the emergency planning officer has drawn up emergency plans for key council staff

It may be that a risk will need more than one control action. In more complex issues where, for example, the risk of inadequate ICT resilience is identified, the controls needed are both more sophisticated and numerous, and will be part of a whole array of measures that need to be taken.

In light of the control actions that have been put in place, the risk now needs to be re-assessed to find the level of ‘residual risk’ (see section 2 for definition). Using the likelihood and impact tables (appendices A and B), determine the likelihood and impact of the risk with the controls in place. Again, multiply those scores together and, using the risk matrix (appendix C), identify the residual risk score.

Consider the action to be taken after determining the residual risk 


Residual risk score | Level | Action
12 - 16 | High | Immediate action required
6 - 9 | Medium | Evaluate effectiveness of current controls and actions and implement any improvements necessary before next review period
1 - 4 | Low | Limited action, incorporate into current plans

Determine whether there are any opportunities within the risk assessment process. An example is the Cranbrook and East of Exeter redevelopment and regeneration initiatives, in that the project has contributed to the creation of jobs, improvement of infrastructure, play parks for children and shops and local amenities. At an operational level there may be risks associated with a ‘lack of staff resources’ in a particular area. However, this creates an opportunity for the council to implement HR solutions such as secondment and/or restructuring.

Determine who will ultimately be responsible for the risk. This role will involve monitoring the control actions and writing the reviews on our internal SPAR.net system. This person is called the responsible officer.

Enter the risk information into SPAR.net, the corporate risk register database that records details and ownership of identified risks and their associated control actions. Refer to the SPAR risk guidance and/or the management information officer for help with data entry.