Risk Management Roles and Responsibilities

Information about risk management roles and responsibilities.

Risk Management is the responsibility of everyone within the Council.

A summary of the key roles and responsibilities required to embed, support and use the Risk Management Framework is outlined below.

Elected Members

The key roles and responsibilities in relation to Risk Management for Elected Members are set out below:

Audit Committee

  • Deliver assurance over the governance of risk, including leadership, integration of risk management into wider governance arrangements and the top-level ownership and accountability for risks.
  • Keep up to date with the risk profile and the effectiveness of risk management actions.
  • Monitor the effectiveness of risk management arrangements and support the development and embedding of good practice in risk management.

Executive Briefing

  • Keep Executive informed of the risk profile and the effectiveness of risk management actions.

Member Risk Champion/Portfolio Holder

  • Review progress of the management of Strategic Risks.
  • Ensure consideration of risk in agreeing the organisation's vision and direction of travel.

Council Officers

The key roles and responsibilities in relation to Risk Management for Council Officers and Employees alike are set out below:

Senior Leadership Team

  • Overall leadership and accountability for the effective delivery of the Council's risk management function in accordance with HM Government and industry best practice.
  • Consider and approve the Council's Risk Management Framework and Improvement Plan on an annual basis.
  • Ensure the Strategic Risk Register is a live and up to date record of the current risk exposure.
  • Set the tone for risk management, promote the benefits of effective risk management, lead by example in embedding the risk management framework, and provide assurance that a strong control framework and good governance arrangements are in place.
  • Establish a supportive risk aware culture where risk can be effectively assessed and managed.
  • Regularly discuss and review the strategic risk register and associated risk reports.
  • Monitor progress against significant operational risks.
  • Provide oversight and resolution for the escalation of key risks from the Transition and Transformation Board and Capital Programme Board(s).
  • Receive updates on projects and programmes considered by the Strategic Programme Panel.

Assistant Directors

  • Ensure adherence with risk management requirements.
  • Champion the benefits of effective risk management.
  • Take ownership for risks within their function and service areas and ensure risk registers are in place, regularly discussed, reviewed, updated, planned activity is delivered and risks escalated as appropriate.
  • Ensure a risk aware culture is developed across their respective service areas.

Programme Management Office

  • Formal governance arrangements for the monitoring and reporting of Corporate and Service transformation programme risks are in place, with a Gateway approach covering the project concept, definition, delivery and closure phases.
  • The Gateway approach is overseen by the Strategic Programme Panel, the Transition and Transformation Board and the Capital Programme Board(s).
  • Decisions taken at the Strategic Programme Panel are reported to the Senior Leadership Team. Following approval, updates on progress of projects and key risks to delivery are reported to SLT, Executive and Overview and Scrutiny committees.
  • The Inter Authority Agreement Joint Officer Board, Joint Executive and Joint Overview and Scrutiny Committees oversee the risks related to the Joint Disaggregation Programme with Westmorland and Furness Council, as highlighted by individual Project Delivery Groups via the Joint Disaggregation Group.

Head of Internal Audit and Risk Management/Risk Manager

  • Champion the development of an effective risk management culture and support the embedding of risk management within Directorates and across Council Services.
  • Advocate and monitor adherence to the Risk Management Framework through oversight, engagements and dialogue with risk owners and training events.
  • Annually review arrangements for risk management and governance and advocate best practice in risk management through training and awareness. Develop appropriate awareness and training materials in order to develop risk capability within the Council.
  • Provide advice and guidance on governance, risk management and assurance through the three lines model, mapping assurance to ensure a complete and efficient assurance framework is established.
  • Oversee the escalation of risks from Directorate/Service areas to the Senior Leadership Team for monitoring and for consideration of inclusion on the Strategic Risk Register. Identify and monitor any strategic emerging risks.
  • Produce Strategic Risk Reports for each Audit Committee meeting.
  • Maintain ongoing clarity that management are responsible for risk management through documented processes and ongoing communication.
  • Prevent Internal Audit being named as risk owner for risks (other than those for the Internal Audit and Risk Management Service itself).
  • Ensure all Internal Audit work on Risk Management is advisory in nature for responsible management approval.
  • Produce a risk-based audit plan that takes into account the corporate, service, project and partnership risks identified across the Council.
  • Provide an informed, independent annual opinion on the effectiveness of the Risk Management arrangements across the authority.
  • Provide Senior Management and Elected Members with independent, objective assurance that the Council has adequate and effective systems of risk management, internal control and governance.

Internal Audit

  • Produce a risk-based audit plan that takes into account the corporate, service, project and partnership risks identified across the Council.
  • Provide an informed, independent annual opinion on the effectiveness of the Risk Management arrangements across the authority.

Service Managers

  • Ensure adherence with the minimum risk management requirements.
  • Identify and act upon the key risks that could significantly impact on the achievement of their service priorities and objectives.
  • Encourage risk aware behaviours with staff and be open about risk taking so that response actions can be agreed.
  • Regularly review and report on risk response actions and escalate risks as required.

All Employees

  • Have an understanding of the risks that impact their role and local working environment and be able to manage those risks adequately for their own personal Health, Safety and Wellbeing.
  • Have an understanding of the key risks that affect their service delivery and achievement of their objectives, and be aware of the contribution they make to mitigate or control the risks that support service outcomes.

The Three Lines Model Applied to Risk Management

The Institute of Internal Auditors (IIA) endorses 'The Three Lines Model' to help organisations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management, focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of "defence" and protecting value.

Key risk management roles in The Three Lines Model:

The Governing Body includes the Senior Leadership Team, which determines the organisational appetite for risk, and the Audit Committee / Executive, which have oversight of risk management, including internal control.

Management First Line roles:

  • Leads and directs actions (including managing risk) and the application of resources to achieve the objectives of the organisation.
  • Maintains a continuous dialogue with the governing body, and reports on planned, actual, and expected outcomes linked to the objectives of the organisation and risk.
  • Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control).
  • Ensures compliance with legal, regulatory, and ethical expectations.

Management Second Line roles are to provide complementary expertise, support, monitoring, and challenge related to the management of risk, including:

  • The development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level.
  • The achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable ethical behaviour; internal control; information and technology security; sustainability; and quality assurance.
  • Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).

Internal Audit:

  • Maintains primary accountability to the governing body and independence from the responsibilities of management.
  • Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organisational objectives and to promote and facilitate continuous improvement.
  • Reports impairments to independence and objectivity to the governing body and implements safeguards as required.

External assurance providers:

  • Provide additional assurance to satisfy legislative and regulatory expectations that serve to protect the interests of stakeholders.
  • Satisfy requests by management and the governing body to complement internal sources of assurance.