
RISK MANAGEMENT TOOLKIT

Rev. 2009

CONTENTS

1. Introduction
2. Risk Management Process One page summary
3. What is risk?
4. What is business risk management?
5. Risk appetite and tolerance thresholds
6. Process
7. Who should be involved?
8. Working through the 4 stages of the risk assessment process
   8.1 Risk identification
   8.2 Risk analysis and evaluation
   8.3 Risk control
   8.4 Risk monitoring and review
9. Escalating risks
10. Early warning indicators
11. Risk assessments
12. Risk registers
13. Summary

APPENDICES
1. Sources of risk
2. Glossary of terms
3. Business continuity
4. Partnerships
5. Risk rating matrix
6. Risk register
7. Example risk assessment

1. INTRODUCTION

The diverse range of activities undertaken by the Council involves making decisions and taking risks. Part of why KCC has been so successful is that it encourages and supports well-managed risk taking, recognizing that innovation and opportunities to improve public services require risk taking, provided that we have the ability, skills, knowledge and training to manage those risks well. Risk management is therefore at the heart of what we do.

We cannot always decide upon the activities with which we are involved. In the private sector, high impact/high likelihood risks can be avoided by opting out of that part of the business. In the public sector that option may not exist due to statutory responsibilities. Risk management therefore plays an important role in helping to manage risks and opportunities in a practical and cost effective manner.

Some risks will require very little management whereas others will require a more managed and structured approach. This toolkit is designed to help in this process and describes a simple methodology to maximise the opportunity to achieve expected results.

This toolkit will work through the following questions:
What do you want to achieve?
What can stop you achieving your target?
How big is the risk?
What is the chance of it happening?
What has been done about it?
What else do you need to do about it?

This toolkit is provided to assist with the management of operational risks; however, examples of strategic risks are also provided for information. Guidance is also provided on business continuity planning and the management of risks within partnerships.

2. RISK MANAGEMENT - PROCESS ONE PAGE SUMMARY

PROCESS
(Diagram: a continuous cycle of Identify -> Assess -> Plan & action -> Monitor and Review, centred on the Council objectives.)
Maximise opportunities that will help to deliver them.
Manage threats that may hinder delivery of priorities.
Process is a continuous cycle.

1. Identify
What could go wrong?
- Best done in groups
- Use available documents, e.g. business plans etc
- Think about the risk, e.g. "If we do not review and manage our budget there is a risk of overspending"
What type of risk is it?
- Corporate, operational, partnership or project?
What category is it?
- Political, economic, social, technological, legislative, environmental, competitive, customer/citizen, reputation, partnership.
When to think about risks?
- Consider risks when setting objectives, improving services, early stages of project/partnership planning etc

2. Assess
How likely is it to happen?
What would the impact be?
Likelihood x Impact = Risk rating

RISK RATING MATRIX (rows: likelihood; columns: impact; each cell shows score and band)

                    Impact ->   1 Minor    2 Moderate   3 Significant   4 Serious   5 Major
Likelihood
5 Very likely                   5 Low      10 Medium    15 Medium       20 High     25 High
4 Likely                        4 Low       8 Medium    12 Medium       16 High     20 High
3 Possible                      3 Low       6 Low        9 Medium       12 Medium   15 Medium
2 Unlikely                      2 Low       4 Low        6 Low           8 Medium   10 Medium
1 Very unlikely                 1 Low       2 Low        3 Low           4 Low       5 Low

3. Plan & implement controls
What should be done to reduce the risk?
Who owns the risk?
What else do you need to do about it?
- Rank risks in order of priority
- Concentrate on high ranked risks first
- Look at reducing the likelihood and impact
- Options to control: tolerate / treat / transfer / terminate
- Devise contingency plans for risks that remain high even with controls

4. Monitor and Review
Are the controls effective?
Has the risk changed?
Is there something new?
- Few risks remain static.
- Existing risks may change.
- New issues and risks may emerge.

3. WHAT IS RISK?

Wherever there is a decision or action to be taken, there lies a risk potential.

There are many definitions for risk, of which the following is just one example: "Risk is the chance of something happening that will have an impact on objectives". This means that risk can be seen as a negative threat or a positive opportunity.

A threat is anything that could hinder the achievement of business goals or the delivery of customer / stakeholder expectations. It's not always a bad thing, as there is no activity without risk; it's in the very nature of things. What is bad is when it's a surprise and has an adverse impact on the whole enterprise, or where there is an event that seriously affects a stakeholder.

Opportunities are often described as the added benefits arising from the implementation of the opportunity, benefits that are over and above the achievement of the original objective. Opportunities may be wider than this and encompass the opportunity to add benefit by deliberately taking risks through choice.

Some people confuse risk and hazard. A hazard is the source or origin of the event. For example, a swimming pool filled with sharks is a hazard. It is only when someone might fall in that it becomes a risk. There can be many hazards around but it is only when people, systems, property etc are exposed to them that they become risky.
4. WHAT IS BUSINESS RISK MANAGEMENT?

Put simply, business risk management is the culture, organizational structure and ongoing processes of managing the risks around the provision of services or development of the local economy. It's about getting the right balance between innovation and change on the one hand and the avoidance of shocks and crises on the other, in a consistent and systematic way. Equally, risk management can also help to identify opportunities and implement measures aimed at increasing the prospects of success.

The benefits of a robust approach to risk management will help to manage risks so that:
- There is an increased focus on what needs to be done to meet objectives
- Better use is made of resources
- Change programmes are better managed
- Innovation is supported
- Results are achieved first time of trying
- Competitiveness is improved
- Quality of service delivery is improved
- There is an enhanced ability to justify actions taken
- Reputation is protected

KCC has published its Risk Management Strategy which describes the framework for managing risk. A key element of this is to have a consistent approach in how we identify and control risks through risk assessment. This is known as "the process" and is described in the following sections.

You might find it useful to use problem solving techniques as you proceed through the stages of the process.
5. RISK APPETITE / TOLERANCE THRESHOLDS

Before identifying and assessing risks, consideration should be given to the amount and type of risk that you can or are prepared to accept, tolerate, or can be exposed to at any point in time. The level of risk that you are prepared to accept is known as your risk appetite. Within KCC there will be many different risk appetites due to the diverse range of activities. For example there may be zero appetite for taking risks in relation to activities associated with child protection. For new initiatives there will likely be a greater appetite for risk taking in order to bring about change. The level of risk appetite at any level will be dictated by the level of risk appetite at the next senior level. The levels of appetite that can be taken at any one level should be made clear and communicated. As a strict rule the risk appetite at one level must never exceed that of any senior level. Working with defined risk appetites is a developing area and where this has not been confirmed it might be useful to use levels of authority as a guide.

The degree of residual risk you are prepared to accept forms the basis of your tolerance threshold and should be set below your risk appetite. Risks that exceed your pre-defined risk appetite should not be allowed to exist. Risks that exceed your tolerance threshold should be referred to senior management for instruction as to how to proceed. Risk appetite and tolerance thresholds are not always easy to describe and are easier to apply to financial, programme or project risks; however, by trying to describe and implement appetites and tolerance thresholds you will demonstrate increased governance over risks. Appendix 5 can be used as guidance.

6. PROCESS

There are four stages to the risk assessment process. (Diagram: the four stages form a cycle, framed by the objectives and the risk appetite / tolerance thresholds.)

1 Risk Identification - What can happen? How could it happen?
2 Risk Analysis - Determine the likelihood/impact in order to estimate the level of risk
3 Plan & Implement - Determine how to treat the risk
4 Risk Monitoring - Monitor & review the effectiveness of controls and review the risk profile

If you work with other organisations, contractors, partnerships etc you will probably find that they use a similar core process approach which helps simplify working across organisational boundaries. You will also find that a common language is used when referring to risks. See Appendix 2 for Glossary of Terms.
7. WHO SHOULD BE INVOLVED?

The best people to identify and control risks are those who are directly responsible for the
activity. Ideally, the group identifying the risks should contain the risk owner i.e. the person
who will be responsible for actually designing and implementing controls and able to provide
early warning of difficulties.
Where activities and associated risks cut across other directorates, partners, external
organisations, etc it may be prudent to consult with them where they can influence the level of
risk, outcome or output.
8. WORKING THROUGH THE 4 STAGES OF THE RISK ASSESSMENT PROCESS

Identifying the risk

In order to manage risk it is necessary to know what risks exist or might occur. Understanding
where risks might exist and how to deal with them helps to ensure that all the positive things
we plan do happen and that we identify and prevent any of the negative things from occurring
that could stop or cause us to revise these plans or cause harm.
When thinking about risks you can look at events such as the failure of a database, criminal
prosecution, increase in demand for services or a process such as the management of health
and safety, financial control or client care management.
First, set out the objectives of the activity to be examined. It may help to have key documents
available such as the current annual business operating plan, medium term plan, project brief,
performance indicators etc. Using these documents you can start to identify your risks.
You should think about risks in terms of Event -> Consequence -> Impact. For example:

Break in leads to theft of server which leads to loss of data

or

Staff absence prevents compliance with statutory duties resulting in clients not receiving critical services

As you proceed through this process you will start to build up a list of risks.

Risks can be broken down into two categories: strategic and operational.

Strategic risks are those arising from major events which could impact across the whole of the Council, e.g. major overspend or serious damage to the reputation of the Council. Their sources of origin include:
- Political
- Economic
- Social
- Technological
- Legislative
- Environmental
- Competitive
- Customer/stakeholders

Operational risks are those arising from the day-to-day management of activities within directorates and are less likely to impact upon other directorates or the Council as a whole. Their sources of origin include:
- Professional
- Financial
- Legal
- Physical
- Contractual
- Technological
- Environmental

Most risks will fall into the operational category. The process for managing strategic and operational risks is identical; however, accountability for strategic risks lies with the Chief Executive Officer and the Chief Officers Group whereas operational risks lie with directorate managers. To help facilitate discussion the above sources of risk are expanded in Appendix 1.

Risk Analysis & Evaluation

Having compiled a list of risks it is necessary to assess which of these are going to pose the greatest threat (or opportunity) and this is done by looking at both impact (what harm might result from the risk) and likelihood (chance of the risk occurring).

When assessing risks you are simply looking at what might happen, the chances of it happening and when. This assessment can be achieved through rating each risk. A 5x5 matrix is used for this purpose. By considering these factors and giving each risk a score you will quickly be able to rank these and identify which need early and closer attention.

RISK RATING MATRIX (rows: likelihood; columns: impact; each cell shows score and band)

                    Impact ->   1 Minor    2 Moderate   3 Significant   4 Serious   5 Major
Likelihood
5 Very likely                   5 Low      10 Medium    15 Medium       20 High     25 High
4 Likely                        4 Low       8 Medium    12 Medium       16 High     20 High
3 Possible                      3 Low       6 Low        9 Medium       12 Medium   15 Medium
2 Unlikely                      2 Low       4 Low        6 Low           8 Medium   10 Medium
1 Very unlikely                 1 Low       2 Low        3 Low           4 Low       5 Low

Each risk identified should first be scored according to the potential level of likelihood and impact without controls to give the inherent risk value, and then again with existing controls in place and working to give the residual risk value (what is left). If there are no controls in place the residual risk can only be scored as you proceed through stage 3.

Risks will fall into three categories:
LOW 1 - 6
MEDIUM 8 - 15
HIGH 16 - 25

For example: Staff absence prevents compliance with statutory duties resulting in clients not receiving critical services

Inherent - Impact = 5 x Likelihood = 4, Risk ranking = 20 (HIGH)
Residual - Impact = 5 x Likelihood = 3, Risk ranking = 15 (MED)

Identified risks should be recorded. If you are dealing with one particular activity it may be
appropriate to simply record details of risks within a risk assessment.
When recording risks across a range of activities a risk register should be prepared. Any entry
within a register can also be supported by a risk assessment which sets out any barriers to
success and describes controls in more detail to help monitor them. Templates are provided
in Appendix 6 & 7 for this purpose.
An example of an entry within a risk register at business unit level may be:

Ref No.: (blank in the example)
Source: Building is located in a high crime area
Event: Break in leads to theft of IT systems resulting in the loss of information
Planned Outcome: Secure site
Accountable Manager: Assistant Director
Existing Controls: intruder alarm system
New Task / Actions: (blank in the example)
Date: (blank in the example)
Inherent Rating: I=3, L=5, R=15, MED
Residual Rating: I=3, L=3, R=9, MED

When a risk is recorded it should be given a reference number. This reference number should
remain with the risk until it no longer exists to provide an audit trail.

Risk Control

Having identified and assessed a risk it is then necessary to decide on what initial or further action needs to be taken to control it or overcome barriers to ensure you achieve your objective. The residual rating attributed to each risk should be rescored on the assumption that the controls have been implemented and are effective.

Those risks with HIGH residual scores will need early and closer attention and should be addressed as a priority. It may be that some high risks will remain HIGH even with controls in place. These risks should be considered against your risk appetite and tolerance thresholds. The level of tolerance should be established if not already done. For example the risk tolerance line could be set where MEDIUM risks butt up against HIGH risks on the 5x5 matrix. Any risks that exceed this tolerance threshold should be referred immediately to the next level of management for guidance. Risks beyond the tolerance threshold can only be accepted with the permission of the next level of management.

(Diagram: the tolerance line drawn on the 5x5 risk rating matrix between the MEDIUM and HIGH cells.)
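As an added example (not part of the KCC toolkit), the following Python scores register entries with the toolkit's 5x5 Likelihood x Impact matrix, bands them LOW / MEDIUM / HIGH using the boundaries given above (1-6, 8-15, 16-25), flags any residual score on or above a tolerance line for referral to the next level of management, and ranks the register down to a workable top 10. The RiskEntry structure, the function names and the third sample entry are assumptions; the first two sample entries reuse the toolkit's own worked figures.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 5x5 scales used by the toolkit's risk rating matrix
LIKELIHOOD = {1: "Very unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Serious", 5: "Major"}


def rate(likelihood: int, impact: int) -> Tuple[int, str]:
    """Return (score, band) for one likelihood/impact pair.

    Bands follow the toolkit's matrix: LOW 1-6, MEDIUM 8-15, HIGH 16-25
    (a product of 7, 11, 13 or 14 cannot occur on a 5x5 grid).
    """
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be between 1 and 5")
    score = likelihood * impact
    if score >= 16:
        return score, "HIGH"
    if score >= 8:
        return score, "MEDIUM"
    return score, "LOW"


@dataclass
class RiskEntry:                                # assumed structure, not the toolkit's template
    ref: str                                    # kept for the life of the risk (audit trail)
    event: str                                  # event -> consequence -> impact statement
    inherent: Tuple[int, int]                   # (likelihood, impact) scored without controls
    residual: Optional[Tuple[int, int]] = None  # scored with controls working; None until stage 3
    controls: List[str] = field(default_factory=list)


def assess(entry: RiskEntry, tolerance: int = 16) -> Dict[str, object]:
    """Score an entry inherently and residually and decide whether it needs escalating.

    `tolerance` is the residual score at which the risk must be referred to the
    next level of management. The default puts the line where MEDIUM meets HIGH
    (16+), the example threshold the toolkit gives.
    """
    inh_score, inh_band = rate(*entry.inherent)
    if entry.residual is None:
        # No controls yet, so the residual can only be scored during stage 3 (Risk Control)
        res_score: Optional[int] = None
        res_band = "UNSCORED"
    else:
        res_score, res_band = rate(*entry.residual)
        if res_score > inh_score:
            # Controls cannot make a risk worse than its uncontrolled score; flag the data entry error
            raise ValueError(f"{entry.ref}: residual score {res_score} exceeds inherent {inh_score}")
    return {
        "ref": entry.ref,
        "inherent": (inh_score, inh_band),
        "residual": (res_score, res_band),
        "escalate": res_score is not None and res_score >= tolerance,
    }


def prioritise(entries: List[RiskEntry], tolerance: int = 16, top_n: int = 10) -> List[str]:
    """Return the refs of the risks to focus on, highest score first, capped at a workable number.

    Residual scores are used where they exist; an unscored entry falls back to its
    inherent score so that an uncontrolled risk is not hidden by a missing value.
    """
    def sort_key(e: RiskEntry) -> int:
        r = assess(e, tolerance)
        res = r["residual"][0]
        return res if res is not None else r["inherent"][0]

    ranked = sorted(entries, key=sort_key, reverse=True)
    return [e.ref for e in ranked[:top_n]]


# Constructed sample register: the first two entries reuse the toolkit's own
# worked examples; the third is invented to show an entry with no controls yet.
SAMPLE = [
    RiskEntry("OP-001", "Staff absence prevents compliance with statutory duties "
              "resulting in clients not receiving critical services",
              inherent=(4, 5), residual=(3, 5), controls=["cover rota"]),
    RiskEntry("OP-002", "Break in leads to theft of IT systems resulting in the "
              "loss of information",
              inherent=(5, 3), residual=(3, 3), controls=["intruder alarm system"]),
    RiskEntry("OP-003", "Crash of IT systems affecting service delivery",
              inherent=(4, 4)),
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(assess(entry))
    print("priority order:", prioritise(SAMPLE))
```

Lowering `tolerance` models a more risk-averse unit; with the default line at 16 the staff absence example (residual 15) stays with the business unit, while at 12 it would be referred up.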

Only a workable number of risks should be focused upon at any one time - probably anything up to 10. Hopefully there won't be many HIGH risks, in which case MEDIUM risks can also be considered. Any remaining risks can be dealt with as more immediate risks drop out of the top 10 once appropriate controls have been introduced and are working. As part of this process you should identify which of the controls are more critical in terms of their effectiveness. It may be helpful to list controls in order of their criticality.

Although those risks requiring early or closer attention have been identified there may be other risks that are suitable for a quick fix and can be quickly and easily controlled. These should be dealt with if possible, particularly where they will have a real impact upon the overall effectiveness of control measures.
The courses available to control risks are:

Evaluated level of risk -> Accept with existing level of controls? Yes or No -> Action: Tolerate / Treat / Transfer / Terminate

Tolerate - Do nothing special and continue as planned. The ability to do anything may be limited or the cost of taking action may be disproportionate to the potential benefit gained.
Treat - Introduce control procedures to increase the chance of success.
Transfer - Share the exposure of risk with insurance or contractor. The relationship with a contractor needs to be carefully managed as it may not be possible to fully transfer all risks and some aspects might remain such as reputational risk.
Terminate - Withdraw from the activity if possible.

Controlling risks will be a process of reducing impact and / or likelihood. Suggested controls might include:

To reduce impact:
- Business continuity plans
- Contractual agreement
- Fraud control planning
- Good public relations
- Minimising exposure to the source of risk

To reduce likelihood:
- Contract conditions
- Process controls and inspections
- Project management
- Preventative maintenance
- Effective internal controls
- Supervision
- Structured training programme

Any controls should always be proportional to the risk and over control avoided. Loss control initiatives can be expensive and time consuming to initiate and it is therefore important to try and ensure that they are likely to be successful and will not cost more than the losses they are designed to avoid or mitigate.

Controls should be clearly described to avoid ambiguity, and any obstacles or barriers that might arise and affect them should be explored along with early warning indicators. Controls should be recorded in the order of their criticality to the achievement of the outcome for ease of identification.

Target dates for completion of aspects of control, reporting of progress etc should be made clear and recorded where possible.

Some risks might seem too difficult to tackle because they are controversial, political, too big or too specialist. These should not be avoided but dealt with in a positive but proportional way by considering factors such as the opportunity to improve them, ease of improvement, cost of improvement and breadth of community affected.

Even with controls some degree of residual risk may remain, in which case business continuity plans might need to be considered to reduce impact and ensure that the service can function even if something awful is happening. See Appendix 3.

Risk monitoring and review

Few risks remain static and it is important to know and understand what is happening. This can be achieved through regularly monitoring progress and formally reviewing risks in order to:
- Gain assurance that progress is being made towards controlling risks and the effectiveness of controls
- Monitor changes to the risk profile brought about by circumstances and business priorities, e.g. new legislation

A suggested monitoring period might be every three months with a more formal review period annually. The frequency will be dependent on the circumstances and environment around the risks. Within a rapidly changing environment monthly monitoring and three monthly reviews may be more appropriate.

When monitoring and reviewing risks you need to be clear about how this is to be undertaken. It may help to develop a set of questions, for example:
- Are the key risks still relevant?
- Have some risks become issues?
- Has anything occurred which could impact upon them?
- Have the risk appetite or tolerance levels changed?
- Are performance / early warning indicators appropriate?
- Are the controls in place effective?
- Have risk scores changed and if so are they decreasing or increasing?
- If risk profiles are increasing what further controls might be needed?
- If risk profiles are decreasing can controls be relaxed?

Where objectives have not been achieved or are not on course to be achieved the cause(s) should be investigated to inform and improve the risk assessment process. At the next formal review of the risk the rating attributed to the risk should again be considered. At this stage you may wish to review your risk appetite or tolerance levels to ensure they remain appropriate. The review and monitoring process of risks should be integrated into existing organisational and business planning processes so that it adds value and supports the successful achievement of objectives, rather than being seen as a bolt-on.
9. ESCALATING RISKS

There will be occasions when risks should be shared with more senior managers. These will automatically include risks that exceed your tolerance thresholds. Residual risks that are rated as HIGH, i.e. with a combined score of 16+, should also be referred up to the next level of management to advise upon the appropriate level of control. HIGH residual rated risks should not remain without the permission of the next senior level of management. Directorate management teams should have in place a process which allows for risks at any level to be escalated upwards to enhance their level of control.

(Diagram: Business unit risks -> Service unit risk register -> Directorate risk register)

Where a risk is escalated to a more senior level it should be considered along with all other risks at this new level and possibly included within the higher level risk register. Using a system whereby risks can be escalated allows senior managers to better target their attention and resources towards key activities.

10. EARLY WARNING INDICATORS

The sooner you know that something is not going to plan, or that events are happening around you that will impact upon objectives, the quicker you will be able to take corrective action and get back on target or amend your course of action / priorities to reflect changing circumstances.

Early warning indicators are used as a way of measuring change in local critical areas so that if pre-defined levels (tolerance levels or appetite) are reached, corrective action will be triggered. To be effective they need to be monitored on a regular basis and the findings presented in such a way that the information can be quickly assimilated. Early warning indicators should be specific to the risk and should not be confused with Key Performance Indicators. Indicators should be reviewed and updated to ensure they remain appropriate.

When establishing an indicator you should establish from the outset what information is to be collected, the reporting frequency and trend or tolerance thresholds.

Early warning indicators can be applied to strategic and operational risks. For operational risks they can be set to measure activity such as:
- Achievement of service quality levels
- Achievement of volume targets
- Achievement of time targets
- Achievement of revenue targets
- Levels of safety incidents or injury
- Achievement of key milestones
- Delivery of planned activities on time and on budget

Points to consider when establishing / reviewing indicators:
- Are all critical business systems clearly defined?
- Do early warning indicators exist for critical business systems?
- Do early warning indicators exist for programmes and projects?
- Do early warning indicators exist for operational activities?
- Is there a balanced set of indicators, including financial indicators?
- Are indicators examined by decision makers with the authority to take corrective action on a regular cycle?
- Are the results of monitoring early warning indicators presented in a concise, consistent manner so that the impact of the information is readily understood?
- Are the indicators updated to reflect changes within the activity?
- Are the indicators inward and outward looking?

Early warning indicators can also be used to identify opportunities.


11. RISK ASSESSMENTS

Although there are some similarities in the information recorded within risk assessments and risk registers, both documents actually serve a specific purpose. Risk assessments tend to look in detail at one particular element of a risk recorded against an objective and its associated controls, whereas registers summarise risks and their controls across a project, unit or directorate.

It may be necessary to complete a number of risk assessments to support a single objective, especially where elements may be under the control of different teams. Risk assessments should be used to assess the level of risk associated with the objective and inform the process for refreshing risk registers.

All risk assessments associated with objectives within business plans should be kept updated throughout the year as necessary. They will also be used by Internal Audit to inform the Annual Audit Programme and provide the basis for testing the extent and effectiveness of controls and provide evidence that the risk management methodology is being complied with. Key project and partnership risks should be included within this process as they will have their sources of origin in business objectives.
12. RISK REGISTERS

Risk registers provide an immediate record of all the identified risks, key controls and their status resulting from their assessment in terms of likelihood and impact across a wider pool of risks. Risk registers should be monitored by management teams. Risks included within directorate registers should be closely monitored by senior management teams.

The critical risks that can affect the Council as a whole should be recorded within the Strategic Risk Register, which is monitored by Directorate Resource Managers on behalf of the Chief Officer Group, which is made up of the Chief Executive and Managing Directors of the Council.
13. SUMMARY

Working through this toolkit provides a simple basic methodology to help identify and manage business threats and opportunities that might arise. It is important to ensure that continuous risk assessment feeds into any decision making and therefore business process.

It may be helpful to understand how managing risk through this process fits in with the overall framework for managing risk throughout the Council. Details of this can be found in the document Risk Management Strategy. If you would like further advice about the risk management process contact the Corporate Risk & Insurance Manager or your directorate lead officer for risk management.

Appendix 1

SOURCES OF RISK

The examples given are neither prescriptive nor exhaustive.

SOURCES OF STRATEGIC RISK (PESTLE expanded)
Definition - Risks that may be potentially damaging to the achievement of KCC's objectives

Political - Associated with the failure to deliver either local or central government policy, or to meet the local administration's commitment. Examples of nature of risk:
- Wrong political priorities
- Decision based on incorrect information
- Not meeting government agenda
- Unfulfilled promises to electorate
- Too slow or failure to modernise
- Community planning oversight/errors

Economic - Affecting the ability of the Council to meet its financial commitments. These include internal budgetary pressures, inadequate insurance cover, external macro level economic changes (e.g. interest rates, inflation etc) or the consequences of proposed investment decisions. Examples of nature of risk:
- General/regional economic problems
- Treasury risk
- High cost of capital
- Missed business and service opportunities

Social - Relating to the effects of changes in demographic, residential or socio-economic trends on the Council's ability to deliver its objectives. Examples of nature of risk:
- Failing to meet the needs of disadvantaged communities
- Failures in partnership working
- Problems in delivering life-long learning
- Impact of demographic change
- Crime and disorder

Technological - Associated with the capacity of the Council to deal with the pace / scale of technological change, or its ability to use technology to address changing demands. They may also include the consequences of internal technological failure on the Council's ability to deliver its objectives. Examples of nature of risk:
- Obsolescence of technology
- Breach of confidentiality
- Hacking or corruption of data
- Failure in communications

Legislative - Associated with current or potential changes in national or European law. Examples of nature of risk:
- Inadequate response to new legislation
- Judicial review
- Intervention by regulatory bodies and inspectorates
- Human Rights Act breaches

Environmental - Relating to the environmental consequences of progressing the Council's strategic objectives (e.g. in terms of energy, efficiency, pollution, recycling, landfill requirements, emissions etc). Examples of nature of risk:
- Impact of Local Agenda 21 policies
- Impact of planning & transportation policies
- Noise, contamination and pollution

Competitive - Affecting the competitiveness of the service (in terms of quality or cost) and / or its ability to deliver Best Value. Examples of nature of risk:
- Take over of services by government agencies
- Failure of bids for government funds
- Failure to show best value

Customer / citizen - Associated with the failure to meet the current and changing needs and expectations of customers and citizens. Examples of nature of risk:
- Lack of appropriate consultation
- Bad public and media relations

SOURCES OF OPERATIONAL RISK
Those risks that may be encountered in the day to day provision of services

Professional - Associated with the particular nature of each profession. Examples of nature of risk:
- Inefficient/ineffective management processes
- Lack of business continuity plan
- Inability to implement change
- Non achievement of Best Value
- Lack of control over changes to service provision
- Bad management of partnership working
- Inadequate consultation with service users
- Failure to manage and retain service contracts
- Failure to communicate effectively with employees
- Poor management of externally funded projects

Financial - Associated with financial planning and control and the adequacy of insurance arrangements. Examples of nature of risk:
- Failure of major projects
- Ineffective/inefficient processing of documents
- Missed opportunities for income/grants
- Inadequate insurance cover
- Failure to prioritise, allocate appropriate budgets and monitor
- Inadequate control over expenditure
- Inadequate control over income

Legal - Related to possible breaches of legislation. Examples of nature of risk:
- Not meeting statutory duties/deadlines
- Failure to comply with European directives on procurement of works, supplies and services
- Failure to implement legislative change
- Misinterpretation of legislation
- Exposure to liability claims e.g. motor accidents, wrongful advice
- Breach of confidentiality/Data Protection Act

Physical - Related to fire, security, accident prevention and health and safety. Examples of nature of risk:
- Violence or aggression
- Loss of physical assets
- Non compliance with Health & Safety legislation
- Criminal damage to assets e.g. vandalism
- Injury at work
- Failure to maintain and upkeep land and property
- Loss of intangible assets

Contractual - Associated with the failure of contractors to deliver services or products to the agreed cost and specification. Examples of nature of risk:
- Non compliance with procurement policies
- Poor selection of contractor
- Over reliance on key contractors/suppliers
- Poor contract specification, deficiencies
- Failure of outsourced provider to deliver
- Inadequate contract terms & conditions
- Failure to monitor contractor
- Quality issues

Technological - Relating to reliance on operational equipment (e.g. IT systems or equipment) or machinery. Examples of nature of risk:
- Failure of big technology related project
- Breach of security of networks and data
- Crash of IT systems affecting service delivery
- Failure to comply with IT Security Policy
- Lack of disaster recovery plans
- Bad management of intranet / website

Environmental - Relating to pollution, noise or energy efficiency of ongoing service operation. Examples of nature of risk:
- Impact of Local Agenda 21 policies
- Noise, contamination and pollution
- Crime & Disorder Act implications
- Inefficient use of energy and water
- Incorrect storage/disposal of waste
- Damage caused by trees, tree roots etc

Human Resources - Associated with staffing issues (e.g. recruitment / retention, sickness management, change management, stress related risk analysis). Examples of nature of risk:
- Capacity issues
- Over reliance on key officers
- Failure to recruit/retain qualified staff
- Lack of employee motivation/efficiency
- Failure to comply with employment law
- Poor recruitment /selection processes
- Lack of training
- Lack of succession planning

APPENDIX 2
Glossary of Terms

Benefits: The measurable improvement resulting from an outcome perceived as an advantage by one or more stakeholders.
Business Continuity Plan: A plan for the fast and efficient resumption of essential business operations by directing recovery actions of specific recovery teams.
Business risk: A threat to the achievement of a business objective / benefit.
Consequence: The outcome of an event.
Contingency: An action or arrangement that can be put into place to minimise the impact of a risk should it occur.
Control (control measures): Any action, procedure or operation undertaken to contain a risk to an acceptable level.
Corporate Governance: The method by which an organisation directs and controls its functions and relates to its community.
Early warning indicator: A measure to identify a trend.
Hazard: A description of the source of the risk i.e. the event or situation that gives rise to the risk. Also known as source of risk.
Identifying risks: The process by which events that could affect the achievement of objectives are analysed, described and listed.
Impact: The result of a particular threat or opportunity actually occurring.
Inherent risk: The exposure arising from a specific risk before any risk controls have been applied.
Issue: An event or concern that has occurred or is taking place and should be addressed (as opposed to a risk, which has not yet occurred or might not occur).
Likelihood: The evaluated likelihood of a particular threat or opportunity actually happening.
Mitigation (Plan): A strategy that decreases risk by lowering the likelihood of a risk event occurring or reducing the impact of the risk should it occur.
Objective: Something worked towards or striven for; a goal.
Operational risks: Risks associated with the day-to-day issues that an organisation might face as it delivers its services.
Opportunity: An uncertain event that could have a favourable impact on objectives or benefits.
Outcome: The result of change, normally affecting real world behaviour or circumstances. Outcomes are desired when a change is conceived. Outcomes are achieved as a result of the activities undertaken to effect the change.
Periodic review: A review that occurs at specified regular time intervals.
Project risks: Risks associated with a specific activity which has defined goals, objectives, requirements, a life cycle, a beginning and an end.
Proximity (of risk): The time factor of a risk i.e. the occurrence of risks will be due at particular times, and the severity of their impact will vary depending on when they occur.
Residual risk: The risk remaining after the risk control has been applied.
Responsible manager: Manager who has responsibility for taking specified action.
Risk: An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. This could be an opportunity as well as a threat.
Risk appetite: The level of residual risk that the Council is prepared to accept, tolerate or be exposed to at any point in time.
Risk evaluation: The process of understanding the net effect of the identified threats and opportunities on an activity when aggregated together.
Risk identification: Determination of what could pose a risk; a process to describe and list sources of risk (threats and opportunities).
Risk management: The culture, organisational structure and ongoing processes for the management of risk.
Risk prioritisation matrix: The number of levels of likelihood and impact chosen against which to measure the risk and identify methods of management of the risk.
Risk owner: A role or individual responsible for the management and control of all aspects of individual risks, who has authority to implement the measures required. May also be known as Accountable Manager.
Risk perception: The way in which a risk is viewed based on a set of values or concerns.
Risk profile: Describes the types of risk faced by an organisation and its exposure to these risks.
Risk source: A description of the source of the risk i.e. the event or situation that gives rise to the risk.
Risk register: A record of all identified risks relating to an area of activity which includes their status and mitigating controls.
Risk strategy: The overall organisational approach to risk management.
Risk tolerance: The threshold of risk exposure which, with appropriate approvals, can be exceeded but which when exceeded will trigger some form of response (e.g. reporting the situation to senior management for action).
Strategic risks: Risks concerned with where the organisation wants to go, how it plans to get there and how it can ensure survival. A risk which, should it occur, will have a significant impact upon the Council.
Terminate: A risk response to a threat. A deliberate decision to stop an activity which generates a risk.
Threat: An uncertain event that could have a negative impact on objectives or benefits.
Tolerate: A risk response to a threat. A deliberate decision to retain the threat.
Transfer: A risk response to a threat whereby a third party takes on the responsibility for an aspect of the threat.
Treat: A risk response to a threat. Proactive actions are taken to reduce the threat.

Appendix 3
BUSINESS CONTINUITY PLANNING

The likelihood of some risks occurring remains high even with controls in place. Where these risks may also have a high impact, an action plan should be devised to cope with the event and restore the services that the Council provides and relies upon. In such cases Business Continuity Planning (BCP) should be considered.

Business continuity planning (BCP) is one of the ways in which high impact risks can be managed. Its purpose is to enable managers to plan how they will respond, both immediately and in the longer term, should there be a major disruption or interruption to their service. The BCP process provides an early opportunity to identify single and weak points that may jeopardise service delivery.

Having a plan will enable you to better manage those risks where it is extremely difficult to reduce the impact should the event occur. These are probably the risks where impact and probability produce a combined rating of 20 or more using the KCC risk ranking matrix.

Should an event occur it may be your responsibility to get a service back operational as quickly as possible, identify and implement interim arrangements, communicate with those that may be affected, etc. For example: how do you tell your staff about the event; how do you tell the community or clients that you cannot provide their service that day or for a longer period; how do you meet important deadlines; what are your critical systems, suppliers and services; who might be expected to provide physical help, advice etc., and how do you get in contact? These are just examples of some of the questions that you may need to deal with.

It is essential that you are able to respond sensibly and with minimum wasted effort and resources. This can best be achieved by planning your response in advance with your business continuity team. Going through a business impact analysis will illustrate where the risks are highest and the potential impacts greatest. This will then enable you to identify potential problems and, through measured planning, guard against them developing into even greater disruptions.
Possible areas for consideration might include:

Main event / cause:
  Loss of premises / access to premises
  Breach of confidentiality
  Failure / corruption of IT
  Continuity of support from suppliers
  Loss of key documentation / data
  Loss of skills / people
  Failure to comply with legal obligations

Result:
  Financial loss
  Loss of reputation or public confidence
  Failure to deliver a service
  Failure to respond to an event
  Impact on stakeholders
  Creation of legal liabilities

It may not be possible to predict the actual nature of the event that may cause the disruption, but by thinking about your response in advance you should be able to use and adapt this information to inform your actions. You should also remember that you may not be dealing with a crisis in isolation, and those officers or contractors upon whom you rely within your own plan may themselves be in a similar situation.

When preparing a plan it should address the procedure to recover functionality within a defined time frame dependent upon the Council's need. Managers are used to making decisions in response to ad hoc events, so it might be more helpful if the plan is kept quite simple, with key points identified to prompt action along with details of who to contact for assistance outside of your own team. For example, finance managers are best placed to assist with decisions on the release of funding and payment of invoices in an emergency, Corporate Communications can deal with media management, Personnel & Development can advise on staffing issues, ISG can advise on IT, and so on.

KCC is reliant upon many other organisations and contractors to help deliver its services. Where there is a dependency upon any of these it may be appropriate to ensure that they too have a plan to deal with any disruption and that it supports your own response.

Once you have a plan you will need to ensure that it is regularly reviewed, tested and accessible in an emergency.

If you would like to find out more about preparing a business continuity plan please contact KCC's business continuity advisers on 01622 221974 or 01622 694803.

Appendix 4
PARTNERSHIPS
Partnership working is playing an increasingly important role in our policy
development and service delivery. In recent years, the focus for many public, private,
voluntary and community organisations has been on the opportunities offered by
partnership or joint working arrangements. Indeed, many new funding sources
relating to a wide range of issues can only be accessed by the demonstration of
multi-partner approaches.
Working in partnership usually means committing resources such as officer time or
direct funding to develop and deliver desired outcomes. It may not be easy and,
whilst there are opportunities there are also risks. It is therefore important to
understand and manage these in so far as they affect both the partnership and
Council. The assessment of risks within partnerships therefore needs to be inward
and outward looking. Risks to the partnership should be assessed and recorded
within the partnership risk registers whereas risks to the Council should be assessed
and recorded in directorate risk registers as appropriate.
To help officers maximize the opportunities of working within partnerships and
managing the associated risks a guide has been prepared and is available on KNET
by searching under Risk Management.

The guide includes advice on:
  how to define a partnership,
  how partnership working is managed both strategically and within individual partnerships,
  why there is a need to enter into a partnership,
  how to set one up, and
  how to understand the risks and their impact upon the Council and individuals.
The focus of the guide is currently on risk within partnerships and aims to set out a
consistent approach to the risk management of key partnerships including the
development, establishment, management and monitoring of partnerships. It is not
intended to be prescriptive but demonstrate good practice. The process must be
proportionate to the risks that each partnership poses to KCC. For the more complex
partnerships specialist legal, financial and tax advice should be sought to ensure that
your partnership is properly structured to deliver your objectives.

Appendix 5
RISK RATING MATRIX

The rating in each cell is the likelihood score multiplied by the impact score. Cells are banded Low (1 to 6), Medium (8 to 15) and High (16 to 25).

Likelihood           Impact
                     Minor (1)   Moderate (2)   Significant (3)   Serious (4)   Major (5)
Very likely (5)      5  Low      10 Medium      15 Medium         20 High       25 High
Likely (4)           4  Low      8  Medium      12 Medium         16 High       20 High
Possible (3)         3  Low      6  Low         9  Medium         12 Medium     15 Medium
Unlikely (2)         2  Low      4  Low         6  Low            8  Medium     10 Medium
Very Unlikely (1)    1  Low      2  Low         3  Low            4  Low        5  Low

Likelihood Assessment Matrix

Factor          Score   Indicators
Very likely     5       Regular occurrence. Circumstances frequently encountered i.e. daily/weekly/monthly. The risk is current & is almost certain to happen within the next twelve months.
Likely          4       Likely to happen at some point within the next 1-2 years. Circumstances occasionally encountered (once/twice a year). Has happened in the past.
Possible        3       Reasonable possibility it will happen within the next 3 years. May have happened in the past.
Unlikely        2       Unlikely to happen in 3+ years.
Very Unlikely   1       Has happened rarely/never before.

Impact Assessment Matrix

Suggested areas that might be impacted upon, along with examples of potential risks. These can be used or added to as necessary.

Score 5 (Major)
  Effect on Service: Complete breakdown in service delivery with severe, prolonged impact on customer service affecting the whole organisation.
  People: Death of several people.
  Effect on project objectives: Complete failure of a project.
  Compliance with law / contracts: Litigation leading to sizeable increase in responsibilities. Multiple civil uninsured or criminal actions with payments / fines above 150k.
  Financial & Resources: A large financial loss over 50% of budget. Total loss of a critical building. Failure of a strategic partnership.
  Reputation: Substantial adverse national media leading to Officer(s) &/or Elected Member(s) forced to resign &/or Audit Commission enquiry. Intervention in a key service.

Score 4 (Serious)
  Effect on Service: Disruption to service delivery for one or more directorates for 3-5 days. High level of complaints at the corporate level across several service areas.
  People: RIDDOR reportable major injuries to several people or death of an individual.
  Effect on project objectives: Extreme delay.
  Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of 50k - 150k. A substantial failure in accountability or integrity.
  Financial & Resources: Sizeable financial loss up to 50% of budget. Extensive damage to a critical building or considerable damage to several properties from one source. Inability to deliver popular policies due to budgetary constrictions. Failure of an operational partnership.
  Reputation: Large scandal. National adverse publicity / bad press. Criticism of a key process. Widespread disgruntlement. A vote of no confidence in one service area.

Score 3 (Significant)
  Effect on Service: Disrupted service delivery from one directorate for up to 3 days. Can handle but with difficulty.
  People: RIDDOR reportable major injury to an individual.
  Effect on project objectives: Important impact on project or most of expected benefits. Considerable slippage. Possible impact on overall finances / programme.
  Compliance with law / contracts: Multiple uninsured civil litigation or criminal actions with payments / fines of 25k - 50k.
  Financial & Resources: Substantial damage to one part of a critical building.
  Reputation: Criticism of an important process/service. Embarrassment contained within the Directorate. Localised disgruntlement.

Score 2 (Moderate)
  Effect on Service: Disruptive impact on service at business unit level. Small impact on customer service which may result in complaints to the business unit.
  People: Superficial first aid injuries or discomfort to more than one person.
  Effect on project objectives: Adverse effect to project. Slippage requires review of finances / short term programme.
  Compliance with law / contracts: Low value / high volume litigation. Departmental fine of 5k - 25k.
  Financial & Resources: Noticeable financial loss. Slight damage to one property.
  Reputation: Criticism of a secondary process/service. Embarrassment contained within the business unit. Local bad press.

Score 1 (Minor)
  Effect on Service: Small setback, management headache. Nuisance.
  People: Superficial first aid injury or discomfort to an individual.
  Effect on project objectives: Minimal impact to project. Minor slippage.
  Compliance with law / contracts: Low value / volume litigation. Departmental fine below 5k.
  Financial & Resources: Small financial loss. Negligible property damage.
  Reputation: Disgruntlement by a few.

RM:Toolkit Rev.2009
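The scoring rules of Appendix 5 (rating = likelihood score x impact score; Low 1-6, Medium 8-15, High 16-25) and the business continuity trigger of Appendix 3 (a combined rating of 20 or more) are easy to get wrong when a register is kept by hand, so the following is an added example of encoding them as code. It is not a KCC tool: the band thresholds are read off the matrix above, the register rows are constructed sample data whose events are taken from the technological sources of risk in Appendix 1, and the names `rating`, `band`, `assess` and `summarise` are the example's own.

```python
"""Score a risk register against the KCC 5x5 risk rating matrix.

Added example, not KCC's own tooling. Scoring rules follow Appendix 5
(rating = likelihood x impact; Low 1-6, Medium 8-15, High 16-25) and
the business continuity trigger follows Appendix 3 (rating of 20+).
The register entries below are constructed sample data.
"""
from dataclasses import dataclass

# Scores from the Likelihood and Impact Assessment Matrices (Appendix 5).
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "very likely": 5}
IMPACT = {"minor": 1, "moderate": 2, "significant": 3,
          "serious": 4, "major": 5}

BCP_THRESHOLD = 20  # Appendix 3: plan for events rated 20 or more


def rating(likelihood: int, impact: int) -> int:
    """Combined rating R = L x I, both on the 1-5 scale."""
    if likelihood not in range(1, 6) or impact not in range(1, 6):
        raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact


def band(score: int) -> str:
    """Low/Medium/High band exactly as shown in the Appendix 5 matrix."""
    if score >= 16:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rating_matrix() -> dict:
    """Rebuild the 5x5 matrix as {(likelihood, impact): (score, band)}."""
    return {(lk, im): (rating(lk, im), band(rating(lk, im)))
            for lk in range(5, 0, -1) for im in range(1, 6)}


@dataclass
class RegisterEntry:
    """One row of the Appendix 6 register: inherent and residual L and I."""
    ref: str
    event: str
    inherent_likelihood: str
    inherent_impact: str
    residual_likelihood: str
    residual_impact: str


def assess(entry: RegisterEntry) -> dict:
    """Fill the I=, L=, R= fields for both ratings and the escalation flags."""
    li = LIKELIHOOD[entry.inherent_likelihood.lower()]
    ii = IMPACT[entry.inherent_impact.lower()]
    lr = LIKELIHOOD[entry.residual_likelihood.lower()]
    ir = IMPACT[entry.residual_impact.lower()]
    inherent = rating(li, ii)
    residual = rating(lr, ii if False else ir)
    return {
        "ref": entry.ref,
        "event": entry.event,
        "inherent": {"I": ii, "L": li, "R": inherent, "band": band(inherent)},
        "residual": {"I": ir, "L": lr, "R": residual, "band": band(residual)},
        # Controls should never leave the risk worse than it started.
        "controls_reduce_risk": residual < inherent,
        # Appendix 3: high-likelihood, high-impact residuals need a BCP.
        "bcp_candidate": residual >= BCP_THRESHOLD,
    }


# Constructed sample register (hypothetical ratings for illustration).
SAMPLE_REGISTER = [
    RegisterEntry("T1", "Breach of security of networks and data",
                  "likely", "serious", "possible", "moderate"),
    RegisterEntry("T2", "Crash of IT systems affecting service delivery",
                  "very likely", "major", "likely", "major"),
    RegisterEntry("T3", "Bad management of intranet / website",
                  "possible", "minor", "unlikely", "minor"),
]


def summarise(register=SAMPLE_REGISTER) -> list:
    """Assess every entry, highest residual rating first."""
    return sorted((assess(e) for e in register),
                  key=lambda a: a["residual"]["R"], reverse=True)


if __name__ == "__main__":
    for a in summarise():
        flag = "  <- BCP candidate" if a["bcp_candidate"] else ""
        print(f'{a["ref"]} {a["event"]}: inherent {a["inherent"]["R"]} '
              f'{a["inherent"]["band"]}, residual {a["residual"]["R"]} '
              f'{a["residual"]["band"]}{flag}')
```

Running the block lists T2 first: even with controls it stays at 20 High, which is the Appendix 3 case where a business continuity plan is warranted, whereas T1 drops from 16 High to 6 Low. The `controls_reduce_risk` flag catches a register row whose residual rating is not below its inherent rating, which usually means the controls column was filled in without re-scoring.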

Appendix 6
RISK REGISTER

Columns:
Ref | Source | Event | Planned Outcome | Accountable Manager | Existing Controls | New Tasks/Actions | Date | Inherent rating (I= L= R=) | Residual rating (I= L= R=)

The register provides seven blank rows. Each row carries I= (impact), L= (likelihood) and R= (rating) entries for the inherent rating and again for the residual rating.

Appendix 7
Managing Business Risks - Risk Assessment (EXAMPLE)

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity.

Completed by: J Smith, Personnel Manager
KCC Directorate / Unit: CED Personnel & Development
Date completed: 01.04.2009
Business/Service Objective: To ensure that employees, visitors and contractors remain safe whilst on KCC property

Risk Ranking Matrix: Likelihood (Very likely 5, Likely 4, Possible 3, Unlikely 2, Very Unlikely 1) against Impact (Minor 1, Moderate 2, Significant 3, Serious 4, Major 5); the full RISK RATING MATRIX is given in Appendix 5.

Form columns:
  Risk No.
  Challenges to the achievement of the business objective (Risks)
  Assessment of Inherent Risk, with NO controls in place: Impact (Severity), Likelihood (Probability), Risk Rating
  Risk Control Measures: what can be done to reduce the threat to the achievement of the business/service objective? List your existing control measures; list what else could be done to reduce the risk further
  Assessment of Residual Risk, with all control measures implemented: Impact (Severity), Likelihood (Probability), Revised Risk Rating

Example entries:

Risk No. 1: Health and safety risk management controls are appropriate and implemented
  Inherent risk rating: 16 HIGH
  Residual risk rating: 6 LOW

Risk No. 2: Contractors manage their activities so as not to cause harm to themselves or others
  Inherent risk rating: 9 MED
  Residual risk rating: 6 LOW

Existing control measures:
  Health & safety policy developed and implemented
  Local Health & safety representatives
  Contractors required to provide evidence of appropriate health & safety procedures

What else could be done to reduce the risk further:
  Programmed auditing of KCC and contractors' health & safety procedures
  Improved training and promotion of health & safety


Managing Business Risks - Risk Assessment (blank form)

This document is designed to assist in identifying and assessing actions necessary to control risks around a particular objective or activity.

Completed by:
KCC Directorate / Unit:
Date completed:
Business/Service Objective:

Risk Ranking Matrix: Likelihood (Very likely 5, Likely 4, Possible 3, Unlikely 2, Very Unlikely 1) against Impact (Minor 1, Moderate 2, Significant 3, Serious 4, Major 5); the full RISK RATING MATRIX is given in Appendix 5.

Form columns:
  Risk No.
  Challenges to the achievement of the business objective (Risks)
  Assessment of Inherent Risk, with NO controls in place: Impact (Severity), Likelihood (Probability), Risk Rating
  Risk Control Measures: what can be done to reduce the threat to the achievement of the business/service objective? List your existing control measures; list what else could be done to reduce the risk further
  Assessment of Residual Risk, with all control measures implemented: Impact (Severity), Likelihood (Probability), Revised Risk Rating