Gedling Borough Council
Use of Resources Assessment 2008-09
KLOE 2.4 – Does the organisation manage its risks and maintain a
sound system of internal control?
The organisation:
Has effective risk management, which covers partnership working;
In an increasingly dynamic and complex public sector environment, it is
important that Public Sector employees are encouraged to approach their
work with creativity and a desire to innovate. At the same time, however,
consideration must be given to protecting the public interest and maintaining
public trust by delivering services based on a combination of economy,
efficiency and effectiveness.
The Council’s approach to Risk Management has been developed with this
core objective in mind. Its purpose is to:
Provide guidance to advance the use of a more corporate and systematic
approach to risk management,
Contribute to building a risk-smart workforce and environment that allows
for innovation and responsible risk-taking while ensuring legitimate
precautions are taken to protect the public interest, maintain public trust
and ensure effective due diligence,
Propose a set of risk management practices that departments can adopt
for their specific circumstances, aims and objectives.
Application of the strategy is designed to strengthen management practices,
decision making and priority setting to better respond to the public’s needs.
Moreover, practising integrated risk management is expected to support the
desired cultural shift towards a risk-smart workforce and environment. More
specifically, implementation of the strategy will:
Support the Council’s governance responsibilities by ensuring that
significant risk areas associated with policies, programs, aims and
objectives are identified and assessed, and that appropriate measures are
in place to mitigate risks and to benefit from opportunities;
Improve results through better informed decision making based on
innovation and responsible risk taking;
Strengthen accountability by demonstrating that levels of risk associated
with policies, programs, aims and objectives are explicitly understood.
The Council has developed a Risk Management Strategy (2.4.1), which
provides an integrated approach to risk management, based on the Council’s
aims and objectives.
The key elements of the Strategy are outlined below:
Corporate risks are aligned to the aims and objectives of the Council (2.4.1).
Bi-annual facilitated risk sessions are held with service and section heads to
identify and review strategic and departmental risks (2.4.2). Risk Registers
are developed and subject to ongoing review; these are aligned to corporate
risks (2.4.3). Risk registers are reviewed and evaluated using comprehensive
and formal techniques (2.4.4 and 2.4.5).
Development of an integrated assurance process incorporating control gaps
identified within the strategic and operational risk registers, audit reviews and
other sources of assurance (H&S, external review / accreditation bodies), all
of which are aligned to the corporate risks (2.4.1).
Development of a Corporate Risk Scorecard, which provides a real time,
holistic and integrated source of assurance against the Council’s objectives
and the supporting corporate risk profile (2.4.6).
Quarterly reporting and review of the Corporate Risk Scorecard into the
Senior Management Team and Audit Committee. The process allows for
interim, real time reports to be produced as required in support of key projects
or specific decision making issues (2.4.7).
This integrated and real time approach to Risk Management is a key enabler
in ensuring the process is embedded within the performance management
(cross reference KLOE 2.1 – implementation of COVALENT) and planning
processes (2.4.8).
The terms of reference of the Audit Sub Committee include specific
responsibilities for Risk Management (2.4.9).
Risk Management refresher training has been provided during March 2009
(5th and 12th). Specialist external trainers were procured to deliver the two
sessions. The sessions were primarily focused on members; however, the
basic concepts and techniques element was appropriate to management
attendees (2.4.10 and 2.4.11).
The Risk Management process supports and is embedded within strategic
policy decisions (2.4.12, 2.4.13 and 2.4.14).
The Risk Management process also specifically considers risks associated
with key partnerships (2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17 and
2.4.18).
The key outcome of this approach is that officers and members have a better
understanding of the risk management process (specifically the reporting
process) and, therefore, the current assurance levels against each corporate
risk, allowing them to make informed decisions and develop timely action plans
for risk mitigation or opportunistic strategies (partnership working) in pursuit of
the delivery of corporate aims and objectives.
Specific examples of key outcomes include:
Project risks (e.g. LSVT) identified and monitored – effective project
implementation and delivery of project benefits (2.4.18).
Identification and pursuit of opportunities (upside risks) (e.g.
partnership working – Building Control, Payroll, Disaster Recovery) (2.4.12,
2.4.13 and 2.4.14).
More timely response to risk mitigation activities – early identification of
current budget constraints and causes (Leisure Income constraints, Energy
and Fuel costs). This has been a crucial benefit of the risk management
process, providing early identification of the current budget pressures on the
Corporate Risk Scorecard submitted to Senior Management and Members via
the Audit Sub Committee (2.4.19 and 2.4.20). The early identification of cost
(fuel and energy) and revenue (leisure and building control income)
pressures was a key enabler behind the Authority’s ability to respond quickly
and proactively in developing the 2009-10 budget and the medium term
financial strategy.
There is a more proactive approach to risk management across the Authority
as a result of the greater clarity and understanding of the process and
responsibilities. Risks are increasingly being identified and evaluated in
between the bi-annual formal risk register reviews. This has been a key driver
behind:
Improved performance against aims and objectives (07-08 outturn).
Effective delivery of project benefits (partnership working – LSVT / GTP
/ Payroll).
Increasing public satisfaction with council services (07-08 survey
results).
Has a clear strategy and effective arrangements, including allocation of
appropriate resources, to manage the risk of fraud and corruption; and
GBC has counter fraud and corruption strategies in place (2.4.21, 2.4.22,
2.4.23, 2.4.24 and 2.4.25), which have been subject to member approval.
These are made available to staff, members and the public on the intranet,
and are frequently reinforced via team briefs and articles in the GEN. They
are also included within the Employee handbook (2.4.26).
There is a proactive programme of counter fraud and corruption work, which is
adequately resourced within the Revenue Services section. Details of fraud
activity are provided to senior management and members, and on an annual
basis to the Audit Sub Committee (2.4.27).
Fraud is managed as a corporate risk, and is identified within both strategic
and operational risk registers (2.4.3), and as a corporate risk within the
Corporate Risk Scorecard under the Financial Risk categories (corporate risks
1 and 2) (2.4.6).
Fraud is comprehensively risk assessed as part of the Authority’s Risk
Management Strategy and procedures (2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5).
GBC participates in the National Fraud Initiative and works with third parties
(e.g. DWP) to identify and investigate data matches (2.4.28). Fair Processing
Notices have been issued (adopting the Audit Commission’s 3 tiered
approach), notifying data subjects of this use of data, and GBC has a
comprehensive process for following up NFI data matches.
To help ensure fair collection and debt recovery the Authority has developed a
Fair Collection and Debt Recovery Policy (2.4.28a), and an Overpayments
Policy (2.4.28b).
There is an anti fraud / whistleblowing policy in place which has been made
available to all staff and members and is available on the website (2.4.29). All
reported incidents are recorded on incident logs, detailing the nature of the
incident and action taken.
The authority also has an approved Anti-Money Laundering policy (2.4.29a)
and supporting procedures.
Successful cases are routinely publicised (local press), including details of
successful recovery of losses.
Has a sound system of internal control including internal audit.
GBC has developed and implemented an holistic and transparent approach to
its Governance procedures, in particular in the production of its Annual
Governance Statement (AGS). The primary purpose of this process is to
increase knowledge and awareness of Governance responsibilities of
management and provide a clear and unambiguous approach for
management to formally acknowledge and confirm assurance with respect to
their roles and responsibilities.
The key elements (2.4.30) of the approach are:
Risk and Control Assurance Statements are produced for each Head of
Service (2.4.31 and 2.4.32), and separate assurance statements for the Chief
Executive, Deputy Chief Executive, section 151 Officer and Monitoring Officer
(2.4.33, 2.4.34, 2.4.35 and 2.4.36).
These are based on the Authority’s Standing Orders and Financial
Regulations (2.3.1a) and require each senior officer to provide signed
assurance that compliance has been maintained throughout the financial year.
Facilitated review sessions are held between the Audit & Risk Manager and
each Service Head (who consults with their own management teams).
Outputs from the assurance process are considered alongside internal and
external audit findings, control gaps identified within the risk management
process (which includes review of other assurance providers, both internal &
external), and also the Governance Report, which is an annual review of
Governance procedures undertaken by the section 151 Officer and Monitoring
Officer (2.4.37, 2.4.38, 2.4.39 and 2.4.40).
The Governance review is primarily based on the CIPFA/SOLACE principles
of good governance, to which the Authority’s Service Plan is aligned.
The Annual Internal Audit Letter (2.4.41) provides a further key input into the
production of the AGS (2.4.42).
Internal Audit undertakes an annual self-assessment of the effectiveness of its
processes. This review is based on the CIPFA Code of Practice Standards
(2.4.43, 2.4.44 and 2.4.45). The process is subject to review and sign off by
the S151 Officer, Chair of the Audit Sub Committee and via a peer review
undertaken by a neighbouring authority (2.4.46).
This provides an integrated, holistic and transparent approach to the
Governance Process in support of the production of the Annual Governance
Statement.
The AGS, Annual Internal Audit Report and the Governance Framework
reviews are submitted to the Senior Management Team, Cabinet and the
Audit Sub Committee for review.
The Council has an established Audit Committee function with agreed terms
of reference (2.4.9). These are subject to annual review.
All Internal Audit reports are submitted in full to the Audit Committee, along
with quarterly submissions of the Corporate Risk Scorecard (2.4.6), and a
summary of progress of audit recommendations (2.4.47).
Internal Audit maintains a comprehensive register of all recommendations
(2.4.48), which is aligned to the corporate risks included in the Corporate Risk
Scorecard, providing an integrated and holistic view of risk across the
Authority.
All Internal Audit reviews consider the adequacy of relevant procedure notes.
Issues are highlighted in Audit reports, provided to the Audit Committee, and
included in the Audit Recommendations register (2.4.48). Cross reference
KLOEs 1.1, 1.2 and 1.3 for specific examples of financial procedure notes.
The Audit Committee members can and frequently do provide challenge to
officers (2.4.49 and 2.4.50).
The Audit Committee comprises a well-balanced membership, which includes
professionally qualified members. Training on Risk Management has been
provided to members (2.4.10 and 2.4.11). The Committee Chairman also
attended a Better Governance forum, entitled Effective Audit Committee’s, in
2007-08.
The Audit Committee receives appropriate external reports (e.g. Audit
Commission and other inspectorate reports, e.g. IIP) (2.4.7 and 2.4.49).
GBC has a corporate Business Continuity Plan supported by appropriate
Departmental Plans (2.4.51). This is supported by the Disaster Recovery
Plan (2.4.52 and 2.4.53). Testing is undertaken annually (October 2008, with
a further test scheduled for May 2009), as part of the Disaster recovery
arrangements procured from Adam Continuity Management.