5. How we manage the risk
Having identified a risk and assessed its impact and probability, the next step in the process is to develop actions to manage the risk. These are referred to as ‘control actions’. Controls are intended to help in mitigating either the impact or likelihood of the risk.
An example of a control action follows:
- Failure to adequately anticipate or respond to a major health or environmental incident
Example of a control action to mitigate the risk
- Effective local plan for emergencies - the emergency planning officer has drawn up emergency plans for key council staff
It maybe that a risk will need more than one control action and in more complex issues where, for example, the risk of inadequate ICT resilience is identified, the controls needed are both more sophisticated and numerous, and will be part of a whole array of measures that need to be taken.
In light of the control actions that have been put in place the risk now needs to be re-assess to find the level of ‘residual risk’ (see section 2 for definition). Using the likelihood and impact tables (appendices A and B) determine the likelihood and impact of the risk with the controls in place. Again multiply those scores together and using the risk matrix (appendix C) identify the residual risk score.
Consider the action to be taken after determining the residual risk
ACTION TO BE TAKEN AFTER DETERMINING RESIDUAL RISK
|12 - 16||High||Immediate action required|
|6 - 9||Medium||Evaluate effectiveness of current controls and actions and implement any improvements necessary before next review period|
|1 - 4||Low||Limited action, incorporate into current plans|
Determine whether there are any opportunities within the risk assessment process. An example is the Cranbrook and East of Exeter redevelopment and regeneration initiatives in that the project has contributed to the creation of jobs, improvement of infrastructure, play parks for children and shops and local amenities. At an operational level there may be risks associated with a ‘lack of staff resources’ in a particular area. However this creates an opportunity for the council to implement HR solutions such as secondment and / or restructuring.
Determine who will ultimately be responsible for the risk. This roll will involve monitoring the control actions and writing the reviews on our internal SPAR.net system. This person is called the responsible officer.
Enter the risk information into SPAR.net the corporate risk register database that records details and ownership of identified risks and their associated control actions. Refer to the SPAR risk guidance and or the management information officer for help with data entry.