Meeting documents
Devon County Council - Committee Report
Code No: SC/13/32
Related Documents:
PDF Version Supplementary Information
SC/13/32
Audit Committee
28 November 2013
Annual Report of the Corporate Risk Management Group
Report of the Head of Services for Communities
1. Recommendations
Audit Committee to:
(a) Monitor the effective development and operation of risk management in the Council
(b) Note progress in addressing Internal Audit recommendations;
(c) Consider and note updates to risk registers
2. Summary
This report provides an update on risk management practice in the Council in the form of the annual report of the Corporate Risk Management Group
3. Introduction
The approach to development and operation of risk management during 2013 has been to follow action points set out by Corporate Leadership Team Change Programme Review Board (CLT/CPRB) in response to an Internal Audit report on risk management arrangements.
4. Internal Audit findings and Council responses
As part of the 2012/13 Internal Audit Plan an evaluation of risk management arrangements operating across the Council was undertaken by the Devon Audit Partnership that lead to the following findings that were reported in January 2013:
The audit opinion was given that overall, risk management arrangements within Devon County Council are considered to be "Working". This describes a definition of Audit Assurance Opinion Level based on Alarm's National Performance Model for Risk Management. Working is the middle of five levels.
It was found that the Risk Management Framework follows recommended best practice and would if implemented completely ensure the effective management of risk to council objectives. However the current risk management framework is not completely embedded within the culture of the organisation.
The evaluation found that Council Leadership and Senior Management respond to risk as part of day to day management, with the Corporate Leadership Team and Audit Committee effectively challenging the management of high level risks, however to be effective the process is reliant on the flow of complete and accurate risk information. This review has found that the true benefit of Risk Management is not currently being realised. Due to the sensitivity, complexity of risk and a lack of capacity to own and manage them, there is a reluctance to capture completely all risks to strategic and service objectives. This is preventing the flow and utilisation of risk information which may put the council at risk of the glass ceiling effect[1].
Although Senior Management are clear about the Partnerships in which they are involved there is no demonstrable evidence that the risks to DCC of working in each partnership have been evaluated. All the risks need to be evaluated and there should be a common understanding of risk appetite of each partner organisation at the outset.
A report from Corporate Risk Management Group to CLT/CPRB in April 2013 recommended that the Council embed risk management through local ownership of and better communication of risks. Risks should be identified and recorded at an early stage within strategic and business planning. A specific role within Heads of Service management teams to ensure identification of risk, to record hot issues and escalate.
CLT/CPRB recorded a set of action points for Heads of Service to ensure greater corporate consistency in risk management and to embed risk management through local ownership of and better communication of risks.
In response, reports have been received by the Leadership Teams of People, Place and Corporate Services that recommended in each case the adoption of a consistent approach to risk management across the Council and that a zero-based review of risk registers should be carried out in each area. These proposals were adopted in each case and resulted in the identification and assessment of the risks faced by the organisation in the light of the considerable changes in organisational structure and challenges brought about by reduced funding. The risks have been prioritised and the most significant of those reported to Corporate Leadership Team with the recommendation that those form the Corporate Risk Register.
A formal response to the recommendations made by the Devon Audit Partnership to improve risk management practice is being prepared by Corporate Risk Management Group. This will be followed by a report to Corporate Leadership Team from Internal Audit.
The content of the refreshed Corporate, People, Place and Corporate Services risk registers are provided as Appendices A D. These will be regularly monitored at leadership teams and action taken to escalate or reduce the management of the risks to the appropriate level according to changes in perceived risk to the Council.
The Risk Management Policy Statement has been brought up to date and approved by the Corporate Leadership Team and Heads of Services. This is provided as Appendix E.
Corporate Risk Management Group will provide exception reports to future meetings of Audit Committee as necessary to provide information on significant changes recorded on risk registers in addition to providing an annual report on risk management.
5. Risk management updates from areas of risk specialism
5.1. Finance
The Outturn Statement and the Statement of Accounts have been approved by the Cabinet and Audit Committee respectively. Both indicate that for the 2012/13 financial year controls and risk mitigation proved effective in producing spending marginally below target. Publication of the audited Statement of Accounts without material alteration demonstrates that underlying arrangements to ensure a high standard of financial governance continue to be in place.
Looking forward, the key risk facing the Council continues to be finding budget reductions measures to meet increasingly tight financial targets that can be achieved in both a cost effective and efficient way. Work is continuing through the autumn to achieve this. By the time the budget is set and the medium term financial strategy is refreshed and approved by the Council in February appropriate measures will be in place.
5.2. Health and Safety
Health, Safety and Wellbeing risk management, when effectively undertaken, is a management discipline aimed at loss minimisation, increasing productivity and improving the quality of service delivery. Consequently effective health, safety and well-being risk management is critical to the success of the Council and the Council's Risk Management Strategy and the Council's Strategy for Improvement and Efficiency.
The annual report on progress for 2012-13 and a detailed action plan for 2013-14 was presented to the Devon Health & Safety Panel on 17th September 2013. The report identifies a number of achievements and initiatives throughout the Council since the previous report.
Achievements include a reduction in the rate of accidents to employees, which saw a fall in the overall number of violent incidents; the completion of a risk mapping exercise to remove unnecessary burden on trivial risk activities and to focus on significant areas of risk. A new more streamlined H meeting and communication structure was also implemented and a full online pre-employment and management referral computer system implemented within occupational health to reduce costs and to speed up referrals for sickness absence.
Challenges in the past 12 months include a number of regulatory and standards changes that have occurred which required amendments to be undertaken to DCC's policies, guidance and actions and whilst the overall number of incidents have reduced, there have been some notable or high profile incidents that have brought DCC health and safety arrangements under scrutiny, however, none of these incidents resulted in any regulatory enforcement against DCC and the Devon Health & Safety Panel continue to closely monitor the performance of health and safety standards across the organisation.
5.3. Information Governance
The Council's top five information risks are as follows:
Fines and Compensation for Damages caused by Data Protection Act Breaches
Imperfect Sharing about Vulnerable (or Potentially Vulnerable) People
Information during service divestments, take-overs and mergers.
Failure to adhere to information management standards
Information Governance Capacity and Resources
The council received 91 security incidents in 2012/13. This represents a 63% increase since the previous year. Of these incidents, 7 have been serious enough to be notified to the Information Commissioner's Office.
Key achievements in mitigation of the risks:
Data Protection Act e-training was rolled out across the Council in the 3rd and 4th quarter of 2012/13. As a result of significant management support, the Council achieved an exceptional completion rate of 98%. Information sharing e-training has also been rolled out across People Services, achieving an outstanding completion rate of 90%. The success of this training at raising staff knowledge and awareness has been reflected in the increase in enquiries, requests for advice and a significant increase in security incidents reported to the Information Governance Team (94% increase during the 4th quarter, immediately following the training).
Freedom of Information Act & Subject Access Compliance Rates: As a result of a centralised process (approved by Corporate Leadership Team July 2012), additional resource and a robust performance management procedure put in place within the Information Governance Team, Freedom of Information Act (FOI) and Data Protection Act (Subject Access) request compliance rates have significantly improved. FOI compliance has increased from 66% in 2011/12 to 85% in 2012/13 (compliance for the first quarter 2013/14 is 98%). Subject Access compliance has increased from 42% in 2011/12 to 60% in 2012/13 in spite of receiving a 40% increase in the number of requests received (compliance for the first quarter 2013/14 is 100%).
The top priorities for 2013/14 are to:
Manage security incidents (investigations, training and preventative work) as effectively as possible given the continuing increase in workload and the capacity and resource within the team.
Increase FOI response compliance rates from 85% to 90%, and Subject Access Request (SAR) response compliance from 60% to 85%. FOI requests have a legal deadline of 20 working days. SAR requests have a legal deadline of 40 calendar days.
5.4. Insurance
The premiums for most of DCC's insurance policies for 2013 were only increased slightly from the previous year. However, the premium for our Public Liability Insurance was double the previous year's figure and only two insurers were prepared to quote for our business. This was due to the fact that a very large highways claim went against us and goes to show how just one claim can have an overall adverse effect.
The vast majority of claims that we receive are for vehicle damage due to potholes on the highway. We are receiving an unprecedented amount of these at the moment and the cause is a couple of very bad winters in succession, coupled with a lack of finance to maintain the roads to the standard that we would ideally like. Every other highway authority in the country is in the same position but Devon suffers the most due to the fact that we have one of the largest highway networks.
The main plus point for us is that we are still only receiving very few Employer's Liability claims and our insurers always comment on how impressed they are with the low numbers.
The other area of increase is for claims on behalf of children who have been injured at school. It seems that in the current litigious society, parents are looking for compensation whenever a child falls over at school or is involved in any other sort of mishap. If a child is injured at school, a solicitor's letter almost inevitably follows.
5.5. Emergency Planning
The work of the Emergency Planning team alongside the associated work delivered through the Highways Operations Control Centre, the Flood Risk Management Team, Marine and Coastline management and wider social care infrastructure remains key to planning for and responding to major incidents, emergencies and other factors with implications on business continuity. The severe and lengthy flooding events in 2012 demonstrated again a positive and proactive response, but highlighted the need for even more robust community led resilience arrangement. To this end over 50 high risk community flood plans have been developed with communities to ensure an effective response from agencies. Communities have been encouraged to develop local plans and this has been facilitated by external funding and support. We are working with the University of Exeter to look at the progress of this work and the wider and longer term benefits for community development.
We continue to work well across the Local Resilience Forum with other agencies and our direct support of some District Councils in this area has been productive. Our involvement in the recent Short Sermon exercise to test response to an incident in the naval dockyard has brought learning and opportunities to further mitigate associated risks.
A new cost effective incident logging and cascade system to quickly alert key responders has added to our overall capability. We will shortly be undertaking a formal review of all associated risks and mitigations and it is hoped given the progress over the last year, that our risks will be better understood and possibly reduced. We have recruited additional staff and volunteers to support rest centres that may be required in the event of significant incidents.
6. Risk management implications arising from the transfer of Public Health
The Health and Social Care Act 2012 brought about the transfer of the health improvement function of public health and elements of the health protection and public healthcare function from Primary Care Trusts (now abolished) to top tier local authorities on 1 April 2013. The Act gives each authority a statutory duty to take such steps as it considers appropriate to improve the health of its local population.
As a result of these changes, Devon County Council has the responsibility for commissioning a range of services that were previously commissioned and provided by NHS bodies. Therefore, the Council is now an important part of the health service and as such, under the NHS Act 2006, has a statutory duty to have regard to the NHS Constitution when exercising its public health functions.
Furthermore, the Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representative) Regulations 2013 identifies a number of public health functions which Devon County Council is mandated to provide. These are:
Weighing and measuring of children (the National Child Measuring Programme)
Health check assessment (NHS Healthcheck)
Sexual health services
Public health advice service (providing expertise and advice to the Clinical Commissioning Group)
Protecting the health of the local population
In addition to the above there are a number of services that Devon County Council is funded for through a ring-fenced budget for public health, based on a local assessment of health needs identified through the Joint Strategic Needs Assessment. The council has a statutory duty to provide these services under section 2B of the NHS Act 2006.
A Strategic Framework for Public Health is being finalised that outlines Devon County Council's public health priorities and an associated three-year work programme. Assurance arrangements are described in the framework document including processes for risk identification, assessment, management and escalation aligned to the Council's arrangements. Devon County Council's risk identification and assessment tools have been adapted to make them fit for purpose for public health. Assurance arrangements have taken into account recommendations from the Devon Audit Partnership's draft cross-directorate audit report on risk management processes. Lead officers are currently identifying risks against delivery of the work programme which will be managed through the Council's Performance Management System, SPAR.net.
In order to provide adequate risk mitigation and controls for health protection assurance, Devon County Council through the Director of Public Health requires oversight of a health protection system involving several external partners. Therefore a Health Protection Sub-Committee of the Health and Wellbeing Board for Devon has been formed and is awaiting formal mandate by this Board.
John Smith
Head of Services for Communities
Appendices
Appendix A Corporate Risk Register
Appendix B People Risk Register
Appendix C Place Risk Register
Appendix D Corporate Services Risk Register
Appendix E Risk Management Policy Statement
Electoral Divisions: All
Cabinet Member for Community and Environmental Services:
Councillor R Croad
Chief Executive: Dr Phil Norrey
Contact for enquiries: Pip Tucker
Room No. G43
Tel No: (01392) 383000
[1] An invisible barrier that prevents the flow of risk information between operations and strategic decision makers