FINAL
Protected

Internal Audit Report
Risk Management

Document Details:
Reference: Report no. from 2.25 monitoring sheet
Date: 29th May 2015

This report is not for reproduction, publication or disclosure by any means to unauthorised persons.
Internal Audit Report Risk Management

1. Executive Summary
1.1 Introduction
1.1.1 As part of the 2014/15 Internal Audit Plan an audit of Risk Management was
carried out.

1.1.2 The Council's approach to risk and risk management was subject to an in-depth
review in early 2014. The Corporate Risk Management Group, which is chaired by
the Business Planning and Performance Manager and includes representatives
from each Directorate, led the review. This comprehensive review resulted in a
number of fundamental changes to the way risks were managed and reported.
The key elements can be summarised as follows:

- The number of corporate risks was reduced from 24 to 10, with some risks
being combined to provide a more focused approach and others being
devolved to directorate level risk registers;

- The introduction of a Transformation Risk Register (TRR) to run in parallel
with the Corporate Risk Register (CRR). Both registers contain four 'Shared
Risks' that impact both corporately and on organisational transformation;

- 'Risk Appetite' was included as part of the overall risk assessment, based on a
five point scale ranging from low to high. The inclusion of risk appetite enables
the Council to determine the amount of risk it is willing to take to achieve its
strategic objectives, and enables tolerance levels to be set that ensure risks
remain within the agreed parameters and the Council is not exposed to
unnecessary risk.

1.1.3 The review also aligned Directorate Risk Registers with the Corporate Risk
Registers and provided a context through which directorates construct their own
risk assessments to inform decision-making about business planning,
transformation and service delivery.

1.1.4 Since the 2014 review, the Council has continued to work to further embed
processes for managing risk across the organisation.

www.worcestershire.gov.uk

1.2 Overall Opinion


1.2.1 At a Corporate and Directorate level the Council has put in place a robust
approach to risk management.

1.2.2 Procedures and processes have been introduced to ensure that the Directorate
Risk Registers are aligned with the Corporate Risk Register. There are formal
processes for monitoring strategic and operational risks and at a Management
level risk ownership is clearly defined.

1.2.3 There is a logical approach to assessing risks, with a consistent approach to
oversight at a Directorate, Corporate and Cabinet level.

1.2.4 Existing risks are monitored and emerging risks are assessed for their impact on
the delivery objectives of the Corporate Strategy. Risk management is formally
considered by Directorates monthly and at a Corporate level quarterly. The
Audit and Governance Committee receives a report at the end of quarters 2 and 4
each year. The Committee's role is to review and, where appropriate, challenge the
report prior to it being presented to Cabinet.

1.2.5 The Council's flexibility to react to changing priorities was demonstrated in the
Adult Social Care service area, where the frequency of SLT management
meetings, at which risk management is considered, was increased from monthly
to every 2 weeks. This was in response to the impact that the increased pressure
on hospital services was having on care provision.

1.2.6 The Council has created a Transformation Risk Register to collect and assess
risks directly related to the move from a predominantly provider organisation to a
commissioning organisation. In line with aspirations for the new operating model,
key elements of this process are monitored using programme and project
management techniques, including Highlight Reports that use heat maps to monitor
known and emerging risks for each defined project.

1.2.7 There is less clarity at Service Area level. As part of the audit we
looked at 5 Service Areas and, while each had processes and procedures in place
for Risk Management, in some instances there was no clear line of sight to the
Directorate Risk Register. It was noted that while each Service Area had
considered its operational risks and health and safety issues, there was an
inconsistent approach to strategic risks that could impact on service delivery,
such as the loss of key workforce skill sets, both in-house and from third
parties. Were the Corporate approach to risk management to be cascaded down
through the organisation, this would provide a link between the corporate strategic
view of risk and the dynamic risk environment experienced by those delivering
front line services.

1.2.8 There is a view that risk management is the province of management, as they are
the risk owners; however, the value of fully engaging the front line workforce in
the management of risk should not be underestimated. These are the people who
are dealing with third parties and who, in the course of their work, may pick up
invaluable intelligence that could highlight an emerging or changing risk.

1.2.9 The other area where a fully engaged workforce is critical is information security
and combating the risks associated with accidental or deliberate data breaches.
However, for a robust information security management system the
Council needs to better understand the data and information it holds and uses.
The Council should consider embarking on a project to implement a data
classification process; this will make it possible to establish the value, risk and
cost associated with the data it holds.

1.2.10 It is noted that the Council has been proactive in assessing
information security risks following the recent ICO review; however, moving
towards becoming a commissioning organisation is likely to expose the Council to
additional risks of deliberate intrusion events, whether mischievous or calculated
to attack the Council or its Private Sector partners. In the latest Lloyd's register of
corporate risks, Cyber Threats or intrusion is now rated the third greatest concern
for Corporate Boards. While the Council, as a public sector organisation, may
question the relevance of this, the commissioning model it is moving towards will
lead to much closer working arrangements with its private sector partners. This will
undoubtedly involve sharing access to IT systems and data, and should a
private sector partner's systems be compromised, this could also compromise
certain of the Council's IT systems. If this happens it could result in
significant reputational damage and, should the Office of the Information
Commissioner become involved, possibly a large fine also.

1.2.11 Based on all of the above findings it is felt that an overall audit opinion of
Significant assurance is appropriate.

1.3 Looking Forward

1.3.1 Consideration needs to be given to the next phase, from Transition to Delivery. While
there has been a great deal of good work done to prepare for this change at a
structural level, by recognising the requirement for a strong client side with the
right level of skills, supported by key functions such as finance, legal and
HR, as part of its Market Intelligence and Market Management programmes the
Council should give greater consideration to the risks and opportunities
associated with Supplier Management.

1.3.2 The Council should consider putting in place a process for identifying and monitoring
Business Critical Suppliers, as distinct from focusing on Business Critical
Services. This process should not only encompass performance and qualitative
measures but also look at supplier health, seeking to gather information on financial
resilience, resourcing issues and risk appetite for the market sector.

1.3.3 Once a supplier has been contracted the Council should consider how it wants to
manage risks: whether it wants to form joint risk management teams with the
supplier or monitor from afar. The ultimate decision will be driven by an
assessment of the criticality of the service and/or individual supplier.

Overall Audit Opinion

Full assurance: Full assurance that the system of internal control meets
the organisation's objectives and controls are consistently applied.

Significant assurance: Significant assurance that there is a generally
sound system of control designed to meet the organisation's objectives.
However, some weaknesses in the design or inconsistent application of
controls put the achievement of some objectives at some risk.

Limited assurance: Limited assurance as weaknesses in the design or
inconsistent application of controls put the achievement of the
organisation's objectives at risk in some of the areas reviewed.

No assurance: No assurance can be given on the system of internal
control as weaknesses in the design and/or operation of key control
could result or have resulted in failure(s) to achieve the organisation's
objectives in the area(s) reviewed.


2. Summary of Conclusions
2.1 The conclusion for each control objective evaluated as part of this audit was as
follows (assurance for each objective is recorded as Full, Significant, Limited or None):

CO1: The council has clear and effective structures, processes, policies and
strategies in place for risk management.

CO2: The council has a corporate approach to the identification and evaluation
of risk which is understood by all staff.

CO3: The council has well defined procedures for recording and reporting risk.

CO4: Risk Management processes and procedures are embedded within Directorates.

CO5: Risk Management processes and procedures are fully considered and support
the achievement of Programmes, Projects and partnership working.

CO6: Managers are accountable for managing their risks and results are considered
as part of their performance, including a clear link between the balanced
scorecard and the risk management approach.

CO7: There is an effective mechanism to provide Councillors and senior officers
with the necessary assurance that controls and mitigating actions are actually
being delivered.

2.2 The recommendations arising from the review are ranked according to their level of
priority, as detailed at the end of the report within the detailed audit findings.
Recommendations are also colour coded according to their level of priority, with the
highest priorities highlighted in red, medium priorities in amber and lower priorities in
green. In addition, the detailed audit findings include columns for the management
response, the responsible officer and the timescale for implementation of all agreed
recommendations.

2.3 Where high recommendations are made within this report, it would be expected that
they are implemented within three months from the date of the report, to ensure
that the major areas of risk have either been resolved or that mitigating controls have
been put in place. Medium and low recommendations would be expected to be implemented
within six and nine months respectively.


3. Limitations Regarding The Scope of The Audit

3.1 The following areas did not form part of this audit:
- We did not seek to test risk awareness at an operational level.

4. Acknowledgements
4.1 Audit would like to thank all involved for their assistance during this review.


5. Detailed Audit Findings

The findings table records, for each recommendation: Ref., Priority, Findings,
Risk Arising/Consequence, Recommendation, Management Response, Responsibility
and Timescale, and Recommendation Implemented (Officer & Date).

CO2: The council has a corporate approach to the identification and evaluation of risk which is understood by all staff.

Ref. 1 - Priority: Medium
Findings: The Corporate Approach to managing risk has not been rolled out to all
front line staff.
Risk Arising/Consequence: Failure to identify and monitor changing and emerging
risks in a timely manner.
Recommendation: Implement risk awareness sessions for all staff.
Management Response: It is acknowledged that front line staff routinely manage
specific risks in respect of their operational duties and that these may differ in
nature from corporate risks encountered and the processes employed. Managers in
directorates are required to maintain their risk registers in accordance with the
corporate approach and, where appropriate, ensure that the golden thread is
achieved from the Corporate and Directorate risk registers. To achieve this with
front line staff will require an initial exercise of awareness-raising across the
organisation, with all managers advocating this and reinforcing it over time. This
will be coordinated and promoted through the Corporate Risk Management Group (CRMG).
Responsibility and Timescale: CRMG representative. June 2015 for communication to
managers. Ongoing work to ensure this is sustained over time.

Ref. 2 - Priority: Medium
Findings: Not all Service Area risk registers are up to date and in line with the
Corporate and Directorate Risk Registers.
Risk Arising/Consequence: Disconnect between service areas and their directorates
that could result in risks being overlooked or resources expended unnecessarily
monitoring low priority risks.
Recommendation: Ensure that the current risk management model is rolled out to a
Service Area level.
Management Response: Further awareness-raising within Directorates to ensure
consistency of the corporate approach to be implemented, to ensure Service Area
risk registers are compliant.
Responsibility and Timescale: CRMG - Ongoing.

CO4: Risk Management processes and procedures are embedded within Directorates.

Ref. 3 - Priority: Medium
Findings: The Council has not implemented a data classification programme.
Risk Arising/Consequence: Unable to focus investment in information risk
management in areas of greatest risk. In a worst case this could lead to a breach
of Data Protection or, conversely, an inefficient approach to managing information
risk.
Recommendation: The Council should undertake a programme of Data Classification to
ensure that key information receives the right level of protection. This should be
forward looking and consider the value of data in terms of risk and cost of
safeguarding.
Management Response: The issue of Data Classification is already being addressed
as part of the work of the Corporate Information Governance Board (CIGB), who will
oversee implementation. A current review of the Information Asset Register and
work to rationalise software applications will support this process.
Responsibility and Timescale: Corporate Information Governance Board, March 2016.

CO5: Risk Management processes and procedures are embedded within Directorates.

Ref. 4 - Priority: Medium
Findings: The Corporate and Directorate Risk Registers do not include Cyber Threats.
Risk Arising/Consequence: Data breach, whether as a result of the actions of a
disgruntled employee or an external source, will result in reputational damage and
financial loss.
Recommendation: The Council should consider potential Cyber Threats in its analysis
of risk.
Management Response: As Priority 3 above, this is being addressed by the CIGB, who
are seeking assurances around Information Security. An Information Governance Risk
Register has been produced and this will include 'Cyber Threats' if the risk is
deemed significant enough to be included. There are a number of controls in place
that meet Government requirements which are routinely checked for compliance.
Responsibility and Timescale: Corporate Information Governance Board, September 2015.

Ref. 5 - Priority: Medium
Findings: Consideration needs to be given to the next phase, from Transition to
Delivery. While there has been a great deal of good work done to prepare for this
change at a structural level, by recognising the requirement for a strong client
side with the right level of skills, supported by key functions such as finance,
legal and HR, the focus should now move to identifying ways of fostering enhanced
performance through positive supplier relationships.
Risk Arising/Consequence: Failure to achieve all the potential benefits in terms of
cost savings and efficiency.
Recommendation: As part of its Market Intelligence and Market Management programmes
the Council should give greater consideration to the risks/benefits directly
associated with maintaining good Supplier Relationships. The traditional approach
is to penalise suppliers for failure; an alternative approach could be to reward
over-achievement. Additionally, the Council may want to consider working more
closely with suppliers to define future delivery strategies and models.
Management Response: The work currently being undertaken by the Commercial Team
will provide further clarity as to how risks will be managed as part of supplier
relationships. A market risk analysis is being developed for all markets for
commissioned services and those services which will be commissioned in the future.
This is being developed in line with the commissioning programme.
Responsibility and Timescale: CRMG / Commercial Team (supplier relationship work);
Commercial Team, ongoing (market risk analysis).

Ref. 6 - Priority: Medium
Findings: A great deal of work has gone into identifying key services, but as the
Council is moving to the next phase it is important to differentiate between key
services and key suppliers, i.e. those suppliers that would be difficult to
replace, thus putting services, either front line or support, at risk.
Risk Arising/Consequence: Failure to manage risk associated with failure of a key
supplier.
Recommendation: The Council should consider putting in place a process for
identifying and monitoring Business Critical Suppliers as distinct from Business
Critical Services. This process should not only encompass performance and
qualitative measures but also look at supplier health, seeking to gather
information on financial resilience, resourcing issues and risk appetite for the
market sector.
Management Response: Category and supplier management processes are being
developed as part of the review of the contracts register.
Responsibility and Timescale: CRMG / Commercial Team - ongoing.

Ref. 7 - Priority: Medium
Findings: A great deal of work has gone into identifying strategic risks associated
with service delivery in a commissioning environment, but as the Council moves into
the delivery phase it is important to consider, in each instance, the best model
for managing risk. This typically involves the Council assessing risks associated
with delivery, but often a more successful model involves working with the supplier
to form a joint risk approach.
Risk Arising/Consequence: Failure to achieve all the potential benefits in terms of
cost savings and efficiency.
Recommendation: Once a supplier has been contracted the Council should consider how
it wants to manage risks: whether it wants to form joint risk management teams with
the supplier or monitor from afar. The ultimate decision will be driven by an
assessment of the criticality of the service and/or individual supplier.
Management Response: Risks associated with service delivery will be managed through
effective supplier relationships, working with the central commercial function,
strategic Commissioners and 3rd parties.
Responsibility and Timescale: CRMG / Commercial Team - Ongoing.


Key to Priorities

High: This is essential to provide satisfactory control of serious risk(s).

Medium: This is important to provide satisfactory control of risk.

Low: This will improve internal control.

Limitations relating to the Internal Auditor's work


The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the
course of our audit and to the extent that every system is subject to inherent weaknesses such as human error or the deliberate
circumvention of controls. Our assessment of the controls which are developed and maintained by management is also limited to
the time of the audit work and cannot take account of future changes in the control environment.
