CORPORATE RISK MANAGEMENT STRATEGY

EXECUTIVE SUMMARY
South Yorkshire Passenger Transport Executives financial position requires stringent management and at times difficult decisions over resource priorities. It is important, therefore, that the maximum amount of resources is channelled into achieving the Transport Executives objectives. There are, however, risks or threats to us achieving these objectives. Risks are inevitable and, in practice, cannot be avoided. Risks, therefore, have to be managed, understood and controlled if we are to meet our objectives. The management of risks is not a new concept to the Transport Executive as risks are often managed throughout the organisation, either consciously or sub-consciously. However, there is no common corporate framework to facilitate a consistent and logical approach, which should lead to better decision-making and better use of resources. We are also obliged, under the process of corporate governance, to account for our actions to the electorate. To achieve compliance with best practice, we need to ensure that we have a robust system of risk management in place. Consequently, the Transport Executive needs to be pro-active and prepared in the way we manage our risk portfolio. Incorporating a formal approach to risk management in our day to day operations will enable us to deliver our responsibilities and work towards achieving our objectives. In fact, management of risks is key to ensuring that we fulfil our objectives. By adopting a more formal, systematic approach there are many key benefits which accrue to the Transport Executive. These are identified in the strategy document.

1
1.1

INTRODUCTION
This document forms South Yorkshire PTEs risk management strategy. It sets out: What is meant by risk management; The benefits and constituent parts of good risk management; How Risk Management interacts with the objectives of the Transport Executive; The range of risks facing the Transport Executive What needs to be done to implement the strategy and how this will be monitored The roles and responsibilities of various key individuals and groups in relation to risk management;

1.2

The strategy states the aims and objectives of the Transport Executive regarding the management of its risks in the short to medium terms. WHAT IS RISK MANAGEMENT? Risk is the threat that an event or action will adversely affect an organisations ability to achieve its objectives and to successfully execute its strategies. Risk management is the process by which significant risks are identified, evaluated and controlled. It has critical links to the following areas: corporate governance community focus structures and processes standards of conduct service delivery arrangements effective use of resources

2 2.1

Risk Management Risk management is about making the most of opportunities (making the right decisions) and about achieving objectives once those decisions are made. This is achieved through transferring risks, controlling risks, and living with risk. Risk management is not just about insurance not least because 80% of risks faced by organisations are not insurable. Certainly risk transfer is part of risk management, but so is risk retention and control. Source: Solace/Zurich Municipal

3
3.1

THE BENEFITS OF GOOD RISK MANAGEMENT Good risk management supports the achievement of our objectives and has a crucial role to play in ensuring that the Transport Executive is well run. The key benefits to each individual and business unit of a systematic approach to risk management are: Supporting tools and techniques to identify and appraise risk The ability to communicate and share risk; The ability to take on more risk where appropriate and control this better; and A better understanding of risks.

3.2

3.3

As an organisation we have a financial incentive to improve our control of risks. We currently spend over 300k per annum on insurances and on small insurance claims. Insurance costs rose by 33% in 2002/3. If we are able to identify our real risks and only insure where we are unable to manage the risk we can save money. In the same period Barnsley MBC managed to avoid any increase in insurance costs, despite the huge rises in premiums in the industry, through better informed risk management. WHAT ARE THE CONSTITUENT PARTS OF GOOD RISK MANAGEMENT? Risk management is an integral part of good governance and is a process whereby: There is shared awareness and understanding within the Transport Executive of: the nature and extent of the risks it faces; the extent and categories of risks regarded as acceptable (as SYPTE has a wide portfolio of risk it is not possible to formulate a single threshold to all risk. Risks will need to be examined on an individual basis); the likelihood and potential impacts of the risk materialising; our ability to reduce the incidence of impact on the organisation of risks that do materialise.

4 4.1

There is regular and ongoing monitoring and reporting of risk including early warning mechanisms. An appropriate assessment is made of the cost of operating particular controls relative to the benefit obtained in managing the related risk. The Transport Executive will conduct, at least annually, a review of the effectiveness of the systems of internal control in place. The Transport Executive reports publicly on the results of the review and explains the action that it is taking to address any significant concerns that it has identified.

4.2

The process should be ongoing, embedded in our culture and have the potential to reorient us around performance and improvement. It is not about eliminating risk but about understanding risk and managing it more effectively, thereby enhancing performance. OVERRIDING RISK MANAGEMENT AIM The Transport Executives goal in Risk Management is that risk should only be accepted where it is in the furtherance of the goals of the Transport Authority. All activities undertaken by the Transport Executive should be examined to ensure that the risks that are part of the activities have been examined and evaluated, and that the appropriate action has been taken to mitigate these wherever possible. Not only must the Transport Executive identify and analyse the potential, significant risk consequences of the actions that it takes, but equally, if not more importantly, it must assess the risks of not undertaking a particular action or activity HOW DOES RISK MANAGEMENT INTERACT WITH THE GOALS OF THE TRANSPORT AUTHORITY? We need to manage risk in order to help ensure that we can achieve our goals and meet our priority challenges Risk management will influence the way we allocate resources in trying to achieve our goals THE RANGE OF RISKS FACING SOUTH YORKSHIRE PTE The range of risks facing the Transport Executive can be categorised into strategic and operational. These are listed below:-

5. 5.1

5.2

6.

6.1

6.2

7.1

Strategic Risks These are risks that are associated with the development of our key objectives, and will include:Political: changes in political control or significant policy changes at a national or local level (eg. change in national policy on tram schemes or local commitment to bus priorities) Economic: changes in the economic climate leading to, for example, lower employment levels and hence lower peak travel demand or lower profitability for bus companies. Social: unanticipated effects of changes in demographic, residential or social trends. Technology: unanticipated technological change might render significant investments obsolete or undermine key assumptions (eg. the environmental sustainability of car travel) Legislative: legislative change at UK or European level could place significant new obligations on the Executive or render particular practices illegal. Environmental: unexpected adverse environmental impacts of our service delivery (eg energy efficiency, pollution, recycling etc). 5

Best Value: inability to achieve the four Cs in service delivery. Customers: unexpected changes in the needs and expectations of our customers. 7.2 Operational Risks These are risks that are faced in the day to day delivery of the Transport Executives services, and will include: Professional: risks associated with the professional competence of our officers; Financial: inadequate financial planning resulting in lack of funding Legal: breaches of legislation Physical: fire hazards, lack of security, inadequate health and safety measures, etc. Contractual: failure of our contractors to deliver services to an agreed cost and quality specification. Technological: over-reliance on IT and other operational equipment. Environmental: pollution, noise or the energy efficiency of ongoing service operations. Reputational: the organisations reputation and public perception of service including its efficiency and effectiveness Partnership: risks that projects or activities will not be delivered effectively to cost or on time because of the complexity of partnership working or failure of a partner in some aspects of delivery.

7.3

The above categories represent a brief outline of the major elements of risk facing the Transport Executive. It is important to review the above risks and their potential impact on each other as well as trying to alleviate the individual categories of risk. THE RISK MANAGEMENT PROCESS There are a number of critical steps in the process of identifying and managing risk within the Transport Executives activities. These are as follows:

8 8.1

Identifying risks There is a need to identify the potential risks that may arise if informed decisions are to be made about policies or service delivery methods. They may be general, relating to the environment within which we work, or specific, relating to a key area of service delivery. The range of key risks are identified in Section 7 of this document.

Analysing risks Available data should be used to provide information to help assess the likelihood of any risk arising or the potential impact on our activities.

Profiling risks Risks can then be profiled according to their likelihood and severity.

Prioritising action based on the approach to risk Action can then be determined based on our tolerance and aversion to risk balanced against the availability of limited resources.

Determining action on risk A course of action can then be determined based on whether the risk should be avoided, eliminated, reduced, transferred, or accepted.

Controlling risk Once appropriate action is determined for each risk, the process of controlling that risk can commence. This will involve either minimising/eliminating the risk and/or alleviating its potential impact.

Monitoring and reporting on progress Progress in managing risks should be monitored on an ongoing basis with risks added to the portfolio as soon as they are identified. They should then be reported so that losses are minimised and intended actions are achieved. 8.2 Risk management needs to be seen as a continuous process. It is essential that the incidence of risk is reviewed to see whether it has changed over time or whether new risks have emerged.

9 9.1

THE KEY ELEMENTS OF THE RISK MANAGEMENT FRAMEWORK It is vital that everybody understands the role that they play in effective risk management. In other words every officer, director and non-executive director of the Transport Executive together with elected Members of the Transport Authority is responsible for ensuring effective risk management. A matrix showing the group/individual roles and responsibilities for risk management is shown at Appendix A, together with some short notes on roles and responsibilities.

10.

ACTION REQUIRED TO IMPLEMENT THIS STRATEGY

10.1 Adoption of the strategy by Management Team, Management Board and Executive Board 10.2 The formation of a Risk Management Project Implementation Team whose objective is to facilitate implementation of the risk management strategy. 10.3 10.4 10.5 The identification of risks The assessment of risks Promoting awareness/training 7

10.6 10.7 10.8

Integration into the business planning process Challenge and review of the process Reporting

PL/HAH/f:\reports/aaj03rep

Appendix A Group/Individual Roles and Responsibilities

Risk Management Project Team Management Board Service Managers Support services (eg finance, human resources, legal) Service providers (employees of the PTE, of contractors and of partners involved in service delivery or support)

Framework, Strategy and Process

What is risk? Why manage it?

Identifying Risk
What can happen? How can it happen?

Analysing Risk
What is the likelihood and impact?

Providing advice and support to the Executive Management Team and members Providing advice and support . Challenging the process Providing advice and support

Determining the framework, strategy and process

Providing advice and support

Identifying strategic and cross-business risks Analysing strategic and cross-business risks Profiling strategic and cross-business risks Determining the risk appetite and prioritising strategic and cross-business risks Determining action on strategic and cross-business risks Delegating

Identifying service risks

Providing advice and support

Maintaining awareness of risks and feeding these into the formal processes Maintaining awareness of the impact and cost of risks and feeding information and data into the formal processes

Analysing service risks

Profiling Risk
Ranking of risks

Providing advice and support Providing advice and support

Profiling service risks Prioritising action on service risks

Providing advice and support. Responsibility for Core Functions of Risk Management. Providing advice and support

Prioritising Action based on the Risk Appetite

How to control and treat risks with the resources available

Providing advice and support

Determining Action on Risk

What do we do?

Determining action on service risks Delegating responsibility for control Ensuring adequate

Providing advice and support

Risk Management Project Team

Management Board

Service Managers

Support services (eg finance, human resources, legal)

Service providers (employees of the PTE, of contractors and of partners involved in service delivery or support)

Controlling Risk
How do we do it?

responsibility for control Controlling Corporate risk.

Monitoring and reporting on progress

Co-ordinating the results for reporting to the Management Team and elected Members

Reporting to external stakeholders on risk

Monitoring progress on managing strategic and cross-business risks and reviewing the implementation of the risk management framework, strategy and process Reporting to external stakeholders on the framework, strategy, process and effectiveness

service continuity plans are in place Controlling Service Risk and those Risks delegated by Management Team Monitoring progress on managing service risks Reporting to the departmental management team

Providing advice and support, and controlling specific risk areas.

Controlling risk in their jobs

Providing advice and support

Monitoring progress on managing job related risks Reporting to the Service Manager

Executive Board

Ensures that management implements an adequate Risk Management framework. Ensures that an effective ongoing process for Risk Management is in place.
Approves Risk Management policy. Receives management reports.

PTA
f:\reports/aaj03rep

10